Showing posts with label Malware.

Thursday, February 16, 2023

Redline Malware Analysis Feb 16 2023

Started with this redline malware sample 

https://www.joesandbox.com/analysis/808971/0/html

The sandbox report shows it spawning a chain of child processes and eventually dropping these 2 payloads:

AV killer

https://www.virustotal.com/gui/file/850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

Healer.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0

SHA-1 421a7167da01c8da4dc4d5234ca3dd84e319e762



Infostealer

https://www.virustotal.com/gui/file/dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3 

The infostealer looks a lot like the one described in this blog post ( https://securityscorecard.com/research/detailed-analysis-redline-stealer/ )

Franchise.exe

MD5 dd0c9e110c68ce1fa5308979ef718f7b

SHA-1 473deb8069f0841d47b74b7f414dacc6f96eca78


C2: 193.233.20.13:4136


It is stored in a self-extracting .CAB file (Microsoft Cabinet).

It actually unpacks itself 4 times before we finally see the payload.

Each time, the child .CAB file is stored in a resource named "CABINET".

Each time there are 2 .exes inside the .CAB.

In each of the repeated dumps, the "RUNPROGRAM" resource launches another child .CAB extractor.

Eventually though, on the last extract, it's 2 .NET executables instead of the x86 executable and .CAB extractor.

The first .NET executable is an AV killer that turns off Defender, Windows Update, etc.

The 2nd .NET executable is the infostealer that grabs wallets, VPN, Discord, and much more.

There are some Russian characters and the names of countries in the nearby region.

There is also code for the C2 (command and control) traffic, which is XOR'd with the key "Sigma" and base64 encoded. C2: 193.233.20.13:4136
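The encoding the post describes (XOR with a short repeating key, then base64) is easy to reverse once the key is known, and with a known plaintext the key can be recovered even when it is not. The following is an added example, not code from the blog or from the RedLine sample: it assumes the XOR step runs before the base64 step (the post only says the traffic is XOR'd with "Sigma" and base64 encoded), and the sample "traffic" blobs are constructed here rather than captured.

```python
import base64

# Key the post reports for this sample's C2 strings (taken from the post).
KEY = b"Sigma"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2(plaintext: str, key: bytes = KEY) -> str:
    """XOR then base64. The order is an assumption: the post only says the traffic is
    XOR'd with "Sigma" and base64 encoded."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def decode_c2(blob: str, key: bytes = KEY) -> bytes:
    """Reverse of encode_c2: base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key)


def looks_like_text(data: bytes) -> bool:
    """Sanity filter: the right key yields UTF-8 that is almost entirely printable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / len(text) > 0.95


def recover_strings(blobs, key: bytes = KEY) -> dict:
    """Decode every candidate blob and keep only those that come out as readable text."""
    found = {}
    for blob in blobs:
        try:
            plain = decode_c2(blob, key)
        except ValueError:  # binascii.Error is a ValueError: not base64 at all
            continue
        if looks_like_text(plain):
            found[blob] = plain.decode("utf-8")
    return found


def recover_key(blob: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext key recovery for when the key is not yet known: XOR the decoded
    bytes with text you expect in the message (here the C2 address the post names) to
    get the keystream, then take its shortest repeating period as the key."""
    raw = base64.b64decode(blob)
    n = min(len(raw), len(known_plaintext))
    stream = xor_bytes(raw[:n], known_plaintext[:n])
    for period in range(1, n + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return stream


# Constructed sample "traffic": two strings encoded with the scheme above plus two
# blobs that are not real messages (one is not base64, one decodes to binary junk).
SAMPLE_BLOBS = [
    encode_c2("193.233.20.13:4136"),
    encode_c2("ID: 0123456789"),
    "not-base64!!",
    "/////w==",
]

if __name__ == "__main__":
    for blob, text in recover_strings(SAMPLE_BLOBS).items():
        print(f"{blob} -> {text!r}")
    print("recovered key:", recover_key(SAMPLE_BLOBS[0], b"193.233.20.13:4136"))
```

Only the first two blobs survive `recover_strings`; the key recovery needs a known plaintext at least as long as the key, otherwise the shortest period it finds is just a prefix of the real key.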

Thursday, April 29, 2021

Threat Library - Agent Tesla

 Agent Tesla

---------------------------------------------------

date: 5/5/2021

delivery: Unknown

persistence: scheduled Task, \Updates\SPjSKjh, c:\users\<userid>\appdata\roaming\spjskih.exe

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState, StartKeyLogger), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: filename similar to a previous sample (vbc.exe), and other matching patterns such as re-launching the EXE after 1 min 45 sec, possible SMTP-type C2, etc.

special notes: .NET executable; starts execution at about ~14 to 15 MB initially, waits about 1 min 45 seconds, then relaunches itself with a new PID; the 2nd executable waits several minutes before doing anything, then checks for credentials (Chrome, QQBrowser, UltraVNC, Thunderbird, Waterfox, etc.) on disk and in the registry; the in-memory strings of the 2nd process end up including the credential theft strings; this one also has "Snake Keylogger" inside it per strings, as well as API.Telegram.org connections and a possible SMTP C2 with an email address

samples: 

EXE - https://www.virustotal.com/gui/file/089d065fe8e39f8b19a726cb15ac216e352a5576f446c5fc38486f1fbb7a1d9c/detection

links: 

https://twitter.com/neonprimetime/status/1389964247942279168

screenshots: 


---------------------------------------------------


date: 4/29/2021

delivery: email [Subject: New PO#422328, ISO (PO#0422328.pdf.iso) w/ EXE inside (PO#04222328.pdf.exe)]

persistence: startup registry entry (hkcu\software\microsoft\currentversion\run, gqxRqe, c:\users\<userid>\appdata\roaming\gqxRqe\gqxRqe.exe)

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: strings in memory matching previously seen ( %mailaddres%%password%%smtp%%toemail% )

special notes: .NET executable; link to a torproject.org download in the .NET code; code for WebRequest and SmtpClient; double file extension (PO#04222328.pdf.exe); starts execution at about ~14 to 15 MB initially, waits about 1 min 45 seconds, then relaunches itself with a new PID; the 2nd executable waits several minutes before doing anything and only gets to ~17 or 18 MB, then checks for credentials (Chrome, QQBrowser, UltraVNC, Thunderbird, Waterfox, etc.) on disk and in the registry; the in-memory strings of the 2nd process end up including the credential theft strings

samples: 

ISO - https://www.virustotal.com/gui/file/f07b343d5a7b752a5b396b06174428a66ab98d8bb28bf33e9ea911797c32af2d/detection

EXE - https://www.virustotal.com/gui/file/83bcf31fc0d06b39c6cce6bc074cde9033f5e378f0104da887ec3f924f73376a/detection

links: 

https://twitter.com/neonprimetime/status/1387837559531786243

screenshots: 
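Both Agent Tesla entries above identify the sample by strings seen in process memory (the `%mailaddres%%password%%smtp%%toemail%` SMTP template and the keylogger names). A practical detail when searching a .NET process dump is that managed strings sit in memory as UTF-16LE, so an ASCII-only `strings` pass misses most of them. The scanner below is an added example, not the blog author's tooling: it searches a buffer for the post's marker strings in both encodings and applies the post's rule (template plus a keylogger marker) as a profile match. The memory slice it scans is constructed inline, not a real dump.

```python
import re

# Marker strings the post reports from process memory (taken from the post).
MARKERS = [
    "%mailaddres%%password%%smtp%%toemail%",  # SMTP exfil template
    "KeyDown",
    "KeyboardState",
    "StartKeyLogger",
    "Snake Keylogger",
    "API.Telegram.org",
]

# .NET keeps managed strings as UTF-16LE, so scan both encodings.
ENCODINGS = {"ascii": "ascii", "utf16le": "utf-16-le"}


def build_patterns(markers=MARKERS):
    """Compile one case-insensitive bytes regex per marker per encoding."""
    pats = []
    for m in markers:
        for name, codec in ENCODINGS.items():
            pats.append((m, name, re.compile(re.escape(m.encode(codec)), re.IGNORECASE)))
    return pats


PATTERNS = build_patterns()


def find_hits(buf: bytes):
    """Return (marker, encoding, offset) for every occurrence in a memory buffer, by offset."""
    hits = []
    for marker, enc, pat in PATTERNS:
        for match in pat.finditer(buf):
            hits.append((marker, enc, match.start()))
    return sorted(hits, key=lambda h: h[2])


def scan_markers(buf: bytes) -> dict:
    """Collapse hits to marker -> set of encodings it was seen in."""
    seen = {}
    for marker, enc, _ in find_hits(buf):
        seen.setdefault(marker, set()).add(enc)
    return seen


def matches_profile(buf: bytes) -> bool:
    """The post's identification rule: the SMTP template plus at least one keylogger marker."""
    seen = scan_markers(buf)
    keylogger = {"KeyDown", "KeyboardState", "StartKeyLogger", "Snake Keylogger"}
    return MARKERS[0] in seen and bool(keylogger & seen.keys())


# Constructed memory slice: padding, the template as UTF-16LE, an ASCII marker,
# a UTF-16LE marker, and trailing junk. Not a real dump.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "%mailaddres%%password%%smtp%%toemail%".encode("utf-16-le")
    + b"\x90" * 8
    + b"KeyboardState\x00"
    + "StartKeyLogger".encode("utf-16-le")
    + b"\xff" * 4
)

if __name__ == "__main__":
    for marker, enc, off in find_hits(SAMPLE_DUMP):
        print(f"0x{off:06x} {enc:8} {marker}")
    print("Agent Tesla profile:", matches_profile(SAMPLE_DUMP))
```

Run against a real process dump, `find_hits` gives the offsets to pivot into with a hex viewer, and `scan_markers` shows which encoding each string lived in, which itself hints at whether the hit came from managed code or from a native helper.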

---------------------------------------------------

 date: 10/13/2020

delivery: email [Subject: Request for Quotation, Link to DOC (http://107.173.219[.]56/document ), downloads EXE from same domain ( http://107.173.219[.]56/tmt.exe ), runs Equation Editor exploit (EQNEDT32.EXE)]

persistence: unknown

capabilities (per memory strings): unknown

c2s: smtp.yandex[.]ru

identification method: twitter replies

special notes: child processes of "vbc.exe" and "RegAsm.exe"

samples: 

DOC - https://app.any.run/tasks/0410129a-646d-4c19-8207-081679403171/

links: 

https://twitter.com/neonprimetime/status/1316107602942668800

screenshots: 

---------------------------------------------------

Threat Library - Hagga / Aggah

 Hagga / Aggah

 date: 11/18/2020

delivery: email [Subject: Order-PO500-18, Attachment: .PPT Powerpoint creates scheduled task]

persistence: scheduled task "lunkicharkhi" that downloads a VBS script embedded in a blogspot page (madarjaaatresearchers.blogspot[.]com/p/thirdsaint3.html) and runs it with MSHTA

capabilities (per memory strings): unknown

c2s: unknown

special notes: PowerPoint; scheduled task that connects to the blogspot URL and runs the VBS with MSHTA

samples: 

PPT - https://app.any.run/tasks/c896710d-c2e3-4bba-ba7a-cf801e9544cf/

VB Script - https://app.any.run/tasks/f6b585e9-e906-4882-942c-1bfb6cca666d/

links: 

https://twitter.com/neonprimetime/status/1330905903562940427

screenshots: 

---------------------------------------------------

Threat Library - Dridex

 Dridex

 date: 11/23/2020

delivery: email [Subject: Payment Advice, Attachment: .DOC with Office 365 logo, downloads more from hxxps://redin[.]redsla[.]com/laravelRedin/vendor/webmozart/assert/qDqNRqo3hREb.php]

persistence: unknown

capabilities (per memory strings): unknown

c2s: 173.249.20.233:8043

identification method: twitter replies

special notes: uses rundll32.exe to run a DLL it saved (c:\windows\temp\qtxzf.dll)

samples: 

DOC - https://app.any.run/tasks/92d94699-7ab0-4acc-8752-3bf23e662c7b/

links: 

https://twitter.com/neonprimetime/status/1330969313294028804

screenshots: 

---------------------------------------------------

Threat Library - Zloader

Zloader

 date: 2/26/2021

delivery: email [Subject: Invoicing info294564, Attachment: .DOC with plain text body asking to enable editing, downloads from findinglala[.]com]

persistence: unknown

capabilities (per memory strings): unknown

c2s: 

hxxps://timemeaning[.]com/post.php

hxxps://timeremain[.]com/post.php

hxxps://cacesatansingmilk[.]tk/post.php

hxxps://tenlapatevaj[.]tk/post.php

hxxps://toclylene[.]tk/post.php

identification method: twitter replies

special notes: user agent was "MSFrontPage/12.0"

samples: 

DOC - https://app.any.run/tasks/4df98427-fb86-4c7f-a082-1a2eb179e214/

links: 

https://twitter.com/neonprimetime/status/1365328294674112513

https://tria.ge/210219-g8t2kxnh8e

screenshots: 

---------------------------------------------------

Threat Library - NJRAT / Bladabindi

NJRAT / Bladabindi

 date: 2/26/2021

delivery: email [Subject: Lease Agreement, Attachment: Zip (Lease Agreement.zip) w/ VBS Script inside (Lease Agreement.vbs), downloads from paste.ee/r/bsKo9 site]

persistence: unknown

capabilities (per memory strings): Keylogger ([ENTER], [TAP], get_CtrlKeyDown)

c2s: xxxcarldon.duckns[.]org

identification method: twitter replies

special notes: PowerShell with Unicode (airplanes and envelopes); the URL was reversed in the code

samples: 

Zip - https://app.any.run/tasks/0874b873-2dde-4540-85f5-7ede1a1bfaf6/

links: 

https://twitter.com/neonprimetime/status/1365351048525791232

screenshots: 

---------------------------------------------------

Threat Library - Qakbot / Qbot

Qakbot / Qbot

 date: 4/15/2021

delivery: email [Link to Zip w/ XLSM inside, "DocuSign logo themed", links ( บางสะพาน[.]com/hGQC4/catalogue-93.zip , xn--72c0bbr3dtble[.]com/hGQC4/catalogue-93.zip )]

persistence: unknown

capabilities (per memory strings): unknown

c2s: 

rosenbaum-milan15y[.]ru[.]com/body.html

boehm-kavon15lc[.]ru[.]com/body.html

identification method: twitter replies

special notes: url was unicode/punycode

samples: 

XLSM - https://www.joesandbox.com/analysis/387819/0/html

links: 

https://twitter.com/neonprimetime/status/1382743458494902274

screenshots: 
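The Qakbot entry above lists the same download host twice, once as a Unicode (Thai) name and once in its punycode `xn--` form, which is how it appears in logs and proxy records. The helper below is an added example, not the blog's code: it refangs the `[.]` notation used in these notes, converts between the two forms with Python's standard `idna` codec, and flags mixed-script names, the case that matters for lookalike domains. The hostnames it runs over are the two from the post plus constructed ones.

```python
import unicodedata


def refang(host: str) -> str:
    """Turn the defanged form used in threat notes (example[.]com) back into a hostname."""
    return host.replace("[.]", ".").strip().lower()


def is_punycode_label(label: str) -> bool:
    """A label is punycode if it carries the IDNA ACE prefix."""
    return label.lower().startswith("xn--")


def to_unicode(host: str) -> str:
    """Decode any xn-- labels with the stdlib idna codec; labels that fail to decode are kept as-is."""
    out = []
    for label in host.split("."):
        if is_punycode_label(label):
            try:
                out.append(label.encode("ascii").decode("idna"))
            except UnicodeError:
                out.append(label)
        else:
            out.append(label)
    return ".".join(out)


def to_ascii(host: str) -> str:
    """Encode a Unicode hostname to its ACE (xn--) form; pure-ASCII labels pass through."""
    return ".".join(label.encode("idna").decode("ascii") for label in host.split("."))


def scripts_in(text: str) -> set:
    """Rough script classification: first word of each letter's Unicode name (LATIN, THAI, CYRILLIC...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def assess(host: str) -> dict:
    """Summarise one hostname: both spellings, whether it arrived as punycode, and script mix."""
    h = refang(host)
    uni = to_unicode(h)
    scripts = scripts_in(uni)
    return {
        "input": host,
        "unicode": uni,
        "ascii": to_ascii(uni),
        "punycode": any(is_punycode_label(l) for l in h.split(".")),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
    }


# The two hosts from the post, plus constructed examples: a Latin/Cyrillic lookalike
# (the "a" is U+0430) and a plain ASCII name.
SAMPLE_HOSTS = [
    "บางสะพาน[.]com",
    "xn--72c0bbr3dtble[.]com",
    "p\u0430ypal[.]com",
    "example[.]com",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        r = assess(host)
        print(f"{host:28} -> {r['ascii']:28} punycode={r['punycode']} "
              f"scripts={sorted(r['scripts'])} mixed={r['mixed_script']}")
```

A single-script non-Latin name like the Thai one is ordinary for a local business; a label that mixes Latin with Cyrillic or Greek letters is the pattern worth alerting on in mail or proxy logs, and the `xn--` form is what to search for there.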

---------------------------------------------------