
Monday, February 18, 2019

Malware YARA rules (hunting tags, not verdicts: most "Generic*" rules fire on single strings and will also hit benign software)

/* -------------------------
------ NanoCore ------------
--------------------------- */

rule NanoCoreByName
{
    // Product and namespace names carried by NanoCore client builds.
    // A single hit is enough (same as the original "1 of them").
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $n_client_space = "NanoCore Client" nocase
        $n_client_dot   = "NanoCore.Client" nocase
        $n_base         = "NanoCoreBase" nocase
        $n_swiss        = "NanoCoreSwiss" nocase
        $n_stress       = "NanoCoreStressTester" nocase
    condition:
        any of ($n_*)
}

rule NanoCoreByKeyword
{
    // Plugin / feature names seen alongside NanoCore; three must co-occur
    // because "KeyboardLogging" and "NanoScript" are weak on their own.
    // "NanoCoreStressTester" is also in NanoCoreByName.
    // "accident-investigation.aero" is a domain string the author observed
    // in samples; its role is not documented here.
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $k_browser  = "NanoBrowser" nocase
        $k_script   = "NanoScript" nocase
        $k_surv     = "SurveillanceEx" nocase
        $k_stress   = "NanoCoreStressTester" nocase
        $k_domain   = "accident-investigation.aero" nocase
        $k_keylog   = "KeyboardLogging" nocase
    condition:
        3 of ($k_*)
}

/* -------------------------
------ Remcos RAT-----------
--------------------------- */

rule RemcosRATByName
{
    // Registry key, directory and banner strings that name Remcos directly.
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $r_regkey  = "Software\\Remcos" nocase
        $r_dir     = "\\remcos\\" nocase
        $r_banner  = "REMCOS v" nocase
        $r_prefix  = "Remcos_" nocase
    condition:
        any of ($r_*)
}

rule RemcosRATByKeyword
{
    // Log / status messages and the UAC-disable registry fragment
    // ("EnableLUA /t REG_DWORD /d 0") emitted by Remcos builds.
    // Three hits are required: "Screenshots" and "OpenCamera" alone are common.
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $m_keylog    = "Keylogger Started" nocase
        $m_connected = "Connected to C&C" nocase
        $m_shots     = "Screenshots" nocase
        $m_camera    = "OpenCamera" nocase
        $m_upload    = "Uploading file to C&C" nocase
        $m_init      = "Initializing connection to C&C" nocase
        $m_cleared   = "cleared!]" nocase
        $m_uac       = "EnableLUA /t REG_DWORD /d 0" nocase
        $m_watchdog  = "RemWatchdog" nocase
        $m_restart   = "restarted by watchdog" nocase
    condition:
        3 of ($m_*)
}

/* -------------------------
------ Revil/Sodinokibi Ransomware-----------
--------------------------- */

rule RevilRansomwareByName
{
    // Family name as it appears in the binary and in the ransom note.
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $name_sodin = "Sodinokibi" nocase
        $name_note  = "For google: Revil" nocase
    condition:
        1 of them
}


rule RevilRansomwareByKeyword
{
    // "nbody" and "bedbg" are 5-byte substrings and would be noisy alone;
    // the rule only holds because all three strings are required
    // (original "3 of them" with exactly three strings).
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $kw_site  = "decryptor.top" nocase
        $kw_nbody = "nbody" nocase
        $kw_bedbg = "bedbg" nocase
    condition:
        all of them
}

/* -------------------------
------ NjRat -------------
--------------------------- */

rule NjRatByKeyword
{
    // "vitimas_" is a Portuguese-looking prefix observed in njRAT builds;
    // the second string is the pipe/quote delimiter njRAT uses in its protocol.
    meta:
        author = "@neonprimetime"
        description = "NjRat"
    strings:
        $nj_vitimas = "vitimas_" nocase
        $nj_delim   = "|'|'||'|'|" nocase
    condition:
        any of ($nj_*)
}

/* -------------------------
------ Lokibot -------------
--------------------------- */

rule LokibotByKeyword
{
    // Two ways to match:
    //   (1) either panel path fragment on its own, or
    //   (2) the "fre.php" gate name together with at least one of the
    //       secondary strings (credential-store paths plus the aPLib
    //       version banner, which the original grouped the same way).
    meta:
        author = "@neonprimetime"
        description = "Lokibot"
    strings:
        $panel_a = "five/fre.php" nocase
        $panel_b = "Panel/five" nocase
        $gate    = "fre.php" nocase
        $k_yandex   = "Yandex\\YandexBrowser" nocase
        $k_seamonk  = "\\Mozilla\\SeaMonkey\\profiles.ini" nocase
        $k_pop3     = "POP3 Password" nocase
        $k_putty    = "Software\\SimonTatham\\PuTTY\\Sessions" nocase
        $k_easyftp  = "EasyFTP\\data" nocase
        $k_aplib    = "aPLib v1.01" nocase
        $k_wcxftp   = "wcx_ftp.ini" nocase
    condition:
        any of ($panel_*) or ($gate and any of ($k_*))
}
/* -------------------------
------ Revenge RAT -------------
--------------------------- */

rule RevengeRATByName
{
    // Literal family name.
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $family = "Revenge-RAT" nocase
    condition:
        $family
}

rule RevengeRATByKeyword
{
    // Requires a .NET marker, a capture verb, a security-product WMI class
    // name and the USERDOMAIN environment key all in one object.
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $cap_start  = "Start Capture" nocase
        $cap_screen = "CaptureScreen" nocase
        $dotnet     = ".NET" nocase
        $wmi_fw     = "FirewallProduct" nocase
        $wmi_av     = "AntiVirusProduct" nocase
        $env_domain = "USERDOMAIN=" nocase
    condition:
        $dotnet and any of ($cap_*) and any of ($wmi_*) and $env_domain
}



/* -------------------------
------ BrushaLoader -------------
--------------------------- */

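rule BrushaLoaderByKeyword
{
    // VBS loader tag: a ShellExecute call, a .xyz domain and a google.com
    // connectivity check in the same script.
    // The original $xyzdomain was the bare 3-byte nocase "xyz", which matched
    // that substring anywhere in any text; the identifier makes clear the
    // intent was the .xyz TLD, so the string now carries the leading dot.
    meta:
        author = "@neonprimetime"
        description = "BrushaLoader"
    strings:
        $vbe       = ".shellexecute" nocase
        $xyzdomain = ".xyz" nocase
        $google    = "www.google.com" nocase
    condition:
        all of them
}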


/* -------------------------
------ Agent Tesla -------------
--------------------------- */

rule AgentTeslaByKeyword
{
    // External-IP lookup + SMTP exfil indicator + a .NET marker.
    // ":587" and "smtp." are shared with GenericSpamMailer; the conjunction
    // is what makes this rule usable.
    meta:
        author = "@neonprimetime"
        description = "Agent Tesla"
    strings:
        $ip_aws    = "checkip.aws" nocase
        $ip_amazon = "checkip.amazon" nocase
        $smtp_host = "smtp." nocase
        $smtp_port = ":587" nocase
        $dotnet    = ".net" nocase
    condition:
        any of ($ip_*) and any of ($smtp_*) and $dotnet
}



/* -------------------------
------ Trickbot ------------
--------------------------- */

rule TrickbotByKeyword
{
    // Module strings (password grabber, SQLite table names, Dinkumware CRT
    // banner); three must co-occur.
    meta:
        author = "@neonprimetime"
        description = "Trickbot"
    strings:
        $t_serial   = "serialNumber=" nocase
        $t_email    = "emailAddress=" nocase
        $t_snapshot = "/snapshot/" nocase
        $t_logindb  = "Login Data.bak" nocase
        $t_grab     = "Grab_Passwords_Chrome" nocase
        $t_crt      = "Dinkumware" nocase
        $t_cards    = "tablecredit_cards" nocase
        $t_servers  = "server_addresses" nocase
    condition:
        3 of ($t_*)
}


/* -------------------------
------ Azorult -------------
--------------------------- */

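rule AzorultByKeyword
{
    // AZORult stealer tag. Three strings must co-occur because "timeout.exe"
    // and "Wscript.Shell" are common on their own.
    // The first five strings are the original set. "PVAULT_CRED8" and
    // "curbuf.dat" were added from the 5/29/2019 memory-string dump further
    // down this page (offsets 0xdb136 and 0xddec0) and from the 1/23/2019 run.
    meta:
        author = "@neonprimetime"
        description = "Azorult"
    strings:
        $wallet  = "wallet.dat" nocase
        $pwlist  = "PasswordsList.txt" nocase
        $timeout = "timeout.exe" nocase
        $wsh     = "Wscript.Shell" nocase
        $dotbit  = "dotbit.me" nocase
        $pvault  = "PVAULT_CRED8" nocase
        $curbuf  = "curbuf.dat" nocase
    condition:
        3 of them
}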
/* -------------------------
------ Netwire -------------
--------------------------- */

rule NetwireByName
{
    // Registry path used by NetWire.
    meta:
        author = "@neonprimetime"
        description = "Netwire"
    strings:
        $regkey = "SOFTWARE\\NetWire" nocase
    condition:
        $regkey
}

/* ------------------------------
  -------- Emotet by Keyword -----
 -------------------------- */

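rule EmotetByKeyword
{
    // Two-word executable names of the kind the author associates with
    // Emotet drops. Any one name is enough.
    // The original listed "mailboxinbox.exe" twice ($string5 and $string14);
    // the duplicate is removed here, matching is unchanged.
    meta:
        author = "@neonprimetime"
        description = "Emotet Keyword"
    strings:
        $f1  = "acquiremailbox.exe" nocase
        $f2  = "fillmailbox.exe" nocase
        $f3  = "inboxmailbox.exe" nocase
        $f4  = "mailboxacquire.exe" nocase
        $f5  = "mailboxinbox.exe" nocase
        $f6  = "mailboxmailbox.exe" nocase
        $f7  = "manualmailbox.exe" nocase
        $f8  = "monthlymailbox.exe" nocase
        $f9  = "pdfmailbox.exe" nocase
        $f10 = "publishmailbox.exe" nocase
        $f11 = "deployinbox.exe" nocase
        $f12 = "inboxinbox.exe" nocase
        $f13 = "inboxnetsh.exe" nocase
        $f14 = "netshinbox.exe" nocase
        $f15 = "createatargets.exe" nocase
        $f16 = "ducktargets.exe" nocase
        $f17 = "restoretargets.exe" nocase
        $f18 = "sendtargets.exe" nocase
    condition:
        1 of them
}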
/* -------------------------
------ Phoenix Keylogger -------------
--------------------------- */

rule PhoenixKeyloggerByName
{
    // Literal product name.
    meta:
        author = "@neonprimetime"
        description = "Phoenix Keylogger"
    strings:
        $product = "Phoenix Keylogger" nocase
    condition:
        $product
}



/* -------------------------
------ BetaBot -------------
--------------------------- */

rule BetaBotByKeyword
{
    // Three handler names plus the "ccnumber" form-grab key; every string
    // must be present (original "all of them").
    meta:
        author = "@neonprimetime"
        description = "BetaBot"
    strings:
        $h_async   = "OnAsyncDestroy" nocase
        $h_subject = "OnDestroySubject" nocase
        $h_remove  = "OnRemoveExisting" nocase
        $cc        = "ccnumber" nocase
    condition:
        4 of them
}




/* -------------------------
------ Generic Malware -------------
--------------------------- */

rule GenericDotNetFramework
{
    // Tags .NET binaries by the ".NETFramework" string (case-sensitive,
    // as in the original). Not a malware indicator by itself.
    meta:
        author = "@neonprimetime"
        description = "Generic .NET Framework detection"
    strings:
        $fw = ".NETFramework"
    condition:
        $fw
}


rule GenericBitcoinStealer
{
    // Wallet file names and directory fragments; one hit tags the sample.
    // Expect hits on legitimate wallet software too.
    meta:
        author = "@neonprimetime"
        description = "Generic Bitcoin Stealer"
    strings:
        $w_walletdat = "wallet.dat" nocase
        $w_walletdir = "\\wallets\\" nocase
        $w_electrum  = "\\Electrum" nocase
        $w_coins     = "Coins\\" nocase
        $w_bitcoin   = "\\bitcoin" nocase
        $w_monero    = "\\monero" nocase
        $w_eldat     = "electrum.dat" nocase
        $w_path      = "wallet_path" nocase
    condition:
        any of ($w_*)
}



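rule GenericUPXPacker
{
    // UPX-packed PE files carry the section names "UPX0"/"UPX1" and the
    // "UPX!" marker the packer writes. The original used the 3-byte nocase
    // string "UPX", which matched that substring in any case inside
    // arbitrary text; the case-sensitive 4-byte markers keep the intent
    // and cut the noise. Packer tag only - plenty of benign software is
    // UPX-packed.
    meta:
        author = "@neonprimetime"
        description = "Generic UPX packer"
    strings:
        $upx0 = "UPX0"
        $upx1 = "UPX1"
        $upxm = "UPX!"
    condition:
        any of them
}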



rule GenericAutoItPacker
{
    // Tags AutoIt-wrapped binaries/scripts. Legitimate AutoIt-compiled
    // programs are likely to hit as well.
    meta:
        author = "@neonprimetime"
        description = "Generic AutoItPacker"
    strings:
        $ai_plain  = "AutoIt" nocase
        $ai_hyphen = "Auto-It" nocase
    condition:
        any of ($ai_*)
}




rule GenericCreditCardStealer
{
    // Form-field / query-string keys for card data. One hit is enough, so
    // any checkout page or e-commerce library will also match.
    meta:
        author = "@neonprimetime"
        description = "Generic Credit Card Stealer"
    strings:
        $cc_number    = "ccnumber" nocase
        $cc_expmonth  = "expirationmonth" nocase
        $cc_monthexp  = "monthexpiration" nocase
        $cc_cardnum_u = "card_number" nocase
        $cc_seccode   = "securitycode=" nocase
        $cc_amex      = "=amex" nocase
        $cc_visa      = "=visa" nocase
        $cc_cardnum   = "cardnumber" nocase
    condition:
        any of ($cc_*)
}

rule GenericWebTraffic
{
    // HTTP request/response fragments. ".php" alone satisfies the rule, so
    // treat this as a coarse triage tag rather than a detection.
    meta:
        author = "@neonprimetime"
        description = "Generic Web Traffic"
    strings:
        $h_server = "Server: lighttpd" nocase
        $h_host   = "Host: %s" nocase
        $h_post   = "POST %s" nocase
        $h_php    = ".php" nocase
    condition:
        any of ($h_*)
}

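rule GenericNetworkTraffic
{
    // Host:port fragment such as ".com:443", ".pw:8080" or the tail of an
    // IPv4 address like ".82:80".
    // The original /\..{2,3}\:\d+/ let "." match any byte, so it also fired
    // on binary noise such as a dot followed by two arbitrary bytes and a
    // colon. Restricting the 2-3 characters to [a-z0-9] keeps TLDs and the
    // last octet of an IPv4 address; the port is capped at 5 digits (65535).
    meta:
        author = "@neonprimetime"
        description = "Generic Network Traffic"
    strings:
        $hostport = /\.[a-z0-9]{2,3}:\d{1,5}/ nocase
    condition:
        $hostport
}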


rule GenericScheduledTask
{
    // Mentions of the schtasks utility (persistence via scheduled task).
    meta:
        author = "@neonprimetime"
        description = "Generic Scheduled Task"
    strings:
        $schtasks = "schtasks" nocase
    condition:
        $schtasks
}



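rule GenericDomainFlag
{
    // The "/domain" switch of net.exe (net user ... /domain, net group ...
    // /domain), which directs the query at the domain instead of the local
    // machine. "fullword" requires a non-alphanumeric character on both
    // sides, so "/domains", "/domainname" and "path/domain" no longer match
    // while the space-delimited command-line switch still does.
    meta:
        author = "@neonprimetime"
        description = "Generic /domain switch (net.exe)"
    strings:
        $flag = "/domain" nocase fullword
    condition:
        $flag
}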



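rule GenericCreateFlag
{
    // The "/create" switch (schtasks /create ...). "fullword" requires a
    // non-alphanumeric character on both sides, so "/created", "/creates"
    // and "path/create" no longer match while the space-delimited
    // command-line switch still does.
    meta:
        author = "@neonprimetime"
        description = "Generic /create switch (schtasks)"
    strings:
        $flag = "/create" nocase fullword
    condition:
        $flag
}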




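rule GenericAddFlag
{
    // The "/add" switch (net user ... /add, net localgroup ... /add).
    // "fullword" requires a non-alphanumeric character on both sides, so
    // "/address", "/addon" and "path/add" no longer match while the
    // space-delimited command-line switch still does.
    meta:
        author = "@neonprimetime"
        description = "Generic /add switch (net.exe)"
    strings:
        $flag = "/add" nocase fullword
    condition:
        $flag
}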






rule GenericSpamMailer
{
    // SMTP submission indicators. ":587" and "smtp." on their own are
    // extremely common (any mail client); the same two strings are reused
    // in AgentTeslaByKeyword where they are combined with other markers.
    meta:
        author = "@neonprimetime"
        description = "Generic Spam Mailer"
    strings:
        $smtp_from = "SEND FROM:" nocase
        $smtp_port = ":587" nocase
        $smtp_host = "smtp." nocase
    condition:
        any of ($smtp_*)
}

rule GenericIPLookup
{
    // Public "what is my IP" services used to learn the victim's
    // external address.
    meta:
        author = "@neonprimetime"
        description = "Generic IP Lookup"
    strings:
        $svc_aws_long  = "checkip.amazonaws.com" nocase
        $svc_aws_short = "check-ip.aws." nocase
        $svc_ipecho    = "ipecho.net" nocase
    condition:
        any of ($svc_*)
}

rule GenericWebcamAccess
{
    // Webcam-related words and method names. "OpenCamera" is also one of
    // the RemcosRATByKeyword strings.
    meta:
        author = "@neonprimetime"
        description = "Generic Webcam Access"
    strings:
        $cam_word  = "webcam" nocase
        $cam_open  = "OpenCamera" nocase
        $cam_close = "CloseCamera" nocase
    condition:
        any of ($cam_*)
}
rule GenericScreenCapture
{
    // Method name used by several RATs for screenshots (also part of
    // RevengeRATByKeyword).
    meta:
        author = "@neonprimetime"
        description = "Generic Screen Capture"
    strings:
        $capture = "CaptureScreen" nocase
    condition:
        $capture
}

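rule GenericCredentialStealer
{
    // Credential-store paths, SQLite schema fragments and password-related
    // identifiers. One hit tags the sample, so legitimate password managers,
    // browsers and FTP clients will also match.
    // Cleanup vs. the original list (matching unchanged):
    //   - "\\HTTP Password" was listed twice ($string21/$string24); dropped.
    //   - "\\Login Data" ($string10) and "\\HTTP Password" ($string21) are
    //     already covered by the shorter "Login Data" / "HTTP Password".
    meta:
        author = "@neonprimetime"
        description = "Generic Credential Stealer"
    strings:
        $c_outlook     = "Profiles\\Outlook" nocase
        $c_logindata   = "Login Data" nocase
        $c_encpw       = "encryptedPassword" nocase
        $c_httppw      = "HTTP Password" nocase
        $c_profiles    = "\\profiles.ini" nocase
        $c_pop3pw      = "\\POP3 Password" nocase
        $c_putty       = "PuTTY\\Sessions" nocase
        $c_easyftp     = "EasyFTP\\data" nocase
        $c_ftplist     = "Ftplist.txt" nocase
        $c_wsftp       = "\\ws_ftp.ini" nocase
        $c_accini      = "\\accounts.ini" nocase
        $c_accdat      = "\\accounts.dat" nocase
        $c_sql_table   = "CREATE TABLE logins" nocase
        $c_sql_index   = "CREATE INDEX logins_signon" nocase
        $c_decryptie   = "DecryptIePassword" nocase
        $c_getsaved    = "GetSavedPasswords" nocase
        $c_pwdir       = "\\Passwords\\" nocase
        $c_winscp      = "WinSCP 2\\Sessions" nocase
        $c_imappw      = "\\IMAP Password" nocase
        $c_smtppw      = "\\SMTP Password" nocase
        $c_pwsection   = "[passwords]" nocase
        $c_loginform   = "login-form" nocase
        $c_recent      = "recentservers.xml" nocase
        $c_typepw      = "type=passwords" nocase
        $c_userpw      = "user-password" nocase
        $c_pwlist      = "PasswordsList.txt" nocase
    condition:
        1 of them
}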
rule GenericBrowserHistoryStealer
{
    // SQL fragments reading the Chrome ("urls") and Firefox ("moz_places")
    // history tables.
    meta:
        author = "@neonprimetime"
        description = "Generic Browser History Stealer"
    strings:
        $sql_chrome  = "from urls" nocase
        $sql_firefox = "from moz_places" nocase
    condition:
        any of ($sql_*)
}


rule GenericDataStealer
{
    // Vendor/product directory names under %APPDATA%/%LOCALAPPDATA% that
    // stealers enumerate, plus a few data-file names. One hit is enough, so
    // entries such as "Google\\", "Mozilla\\", "Apple Computer\\",
    // "Tencent\\" or "VirtualStore\\" will match a great deal of benign
    // software; use as a triage tag only.
    meta:
        author = "@neonprimetime"
        description = "Generic Data Stealer"
    strings:
        // Chromium/Chrome profile root
        $s0  = "\\User Data" nocase
        // Browser vendor directories
        $s1  = "360Chrome\\" nocase
        $s2  = "7Star\\" nocase
        $s3  = "Cyberfox\\" nocase
        $s4  = "Amigo\\" nocase
        $s5  = "Apple Computer\\" nocase
        $s6  = "BraveSoftware\\" nocase
        $s7  = "CatalinaGroup\\" nocase
        $s8  = "CentBrowser\\" nocase
        $s9  = "Chedot\\" nocase
        $s10 = "Chromium\\" nocase
        $s11 = "Claws-mail\\" nocase
        $s12 = "CocCoc\\" nocase
        $s13 = "Comodo\\" nocase
        $s14 = "Coowon\\" nocase
        $s15 = "CoreFTP\\" nocase
        $s16 = "Elements Browser\\" nocase
        $s17 = "Epic Privacy Browser\\" nocase
        $s18 = "falkon\\" nocase
        $s19 = "Fenrir Inc\\" nocase
        $s20 = "FileZilla\\" nocase
        $s21 = "Flock\\" nocase
        $s22 = "FTPGetter\\" nocase
        $s23 = "Google\\" nocase
        $s24 = "Ipswitch\\" nocase
        $s25 = "Iridium\\" nocase
        $s26 = "K-Meleon\\" nocase
        $s27 = "Kometa\\" nocase
        $s28 = "liebao\\" nocase
        $s29 = "MapleStudio\\" nocase
        $s30 = "Moonchild Productions\\" nocase
        $s31 = "Mozilla\\" nocase
        $s32 = "NETGATE Technologies\\" nocase
        $s33 = "Opera Mail\\" nocase
        $s34 = "Opera Software\\" nocase
        $s35 = "Orbitum\\" nocase
        $s36 = "Pocomail\\" nocase
        $s37 = "Postbox\\" nocase
        $s38 = "Psi\\" nocase
        $s39 = "Psi+\\" nocase
        $s40 = "QIP Surf\\" nocase
        $s41 = "SmartFTP\\" nocase
        $s42 = "Sputnik\\" nocase
        $s43 = "Tencent\\" nocase
        $s44 = "The Bat!" nocase
        $s45 = "Thunderbird\\" nocase
        $s46 = "Torch\\" nocase
        $s47 = "Trillian\\" nocase
        $s48 = "UCBrowser\\" nocase
        $s49 = "uCozMedia\\" nocase
        $s50 = "VirtualStore\\" nocase
        $s51 = "Vivaldi\\" nocase
        $s52 = "Waterfox\\" nocase
        $s53 = "Yandex\\" nocase
        // Data files and helper names
        $s54 = "keychain.plist" nocase
        $s55 = "GetSavedCookies" nocase
        $s56 = "wcx_ftp.ini" nocase
        $s57 = "Start Capture" nocase
        $s58 = "\\accounts.xml" nocase
        $s59 = "\\places.sqlite" nocase
        $s60 = "cookies.sqlite" nocase
    condition:
        any of ($s*)
}


rule GenericDeletesItself
{
    // Command-line fragments used to delete the dropper after execution.
    // "& del" and "%del" are short and will also appear in ordinary
    // batch scripts.
    meta:
        author = "@neonprimetime"
        description = "Generic Deletes Itself"
    strings:
        $d_del_s     = "DEL /s" nocase
        $d_cmd_del   = "cmd /c del" nocase
        $d_selfname  = "deleteSelf" nocase
        $d_c_del_fmt = "/c del %s" nocase
        $d_pct_del   = "%del" nocase
        $d_amp_del   = "& del" nocase
    condition:
        any of ($d_*)
}




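rule GenericMaliciousCommand
{
    // The Windows environment variable naming the command interpreter is
    // "ComSpec" (%ComSpec%, normally cmd.exe). The original string
    // "CompSpec" has an extra "p" and therefore never matched the real
    // variable; the correct spelling is added and the old one kept so
    // anything the old rule tagged is still tagged.
    // ComSpec also appears in plenty of legitimate scripts and binaries -
    // this is a hunting tag, not a verdict.
    meta:
        author = "@neonprimetime"
        description = "Generic Malicious Command"
    strings:
        $comspec      = "ComSpec" nocase
        $comspec_typo = "CompSpec" nocase
    condition:
        any of them
}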



rule GenericKeylogger
{
    // Keylogger identifiers and the bracketed key-name markers written
    // into capture logs. "KeyboardLogging" is also in NanoCoreByKeyword.
    meta:
        author = "@neonprimetime"
        description = "Generic Keylogger"
    strings:
        $kl_word   = "Keylog" nocase
        $kl_kblog  = "KeyboardLogging" nocase
        $kl_enter  = "[Enter]" nocase
        $kl_ctrl_c = "[Ctrl + C]" nocase
        $kl_ctrl_v = "[Ctrl + V]" nocase
    condition:
        any of ($kl_*)
}



rule GenericDelay
{
    // "ping <local address>" is a common batch-file sleep idiom.
    meta:
        author = "@neonprimetime"
        description = "Generic Delay"
    strings:
        $ping_private  = "ping 192" nocase
        $ping_loopback = "ping 127" nocase
    condition:
        any of ($ping_*)
}
rule GenericSecurityToolDetection
{
    // WQL fragments querying the SecurityCenter classes for installed
    // firewall / antivirus products.
    meta:
        author = "@neonprimetime"
        description = "Generic Security Tool Detection"
    strings:
        $wql_fw = "FROM FirewallProduct" nocase
        $wql_av = "from AntiVirusProduct" nocase
    condition:
        any of ($wql_*)
}

rule GenericDisableAntivirus
{
    // Windows Defender preference names (Set-MpPreference -Disable*) and
    // the matching registry value names. "Set-MpPreference" on its own also
    // appears in legitimate admin scripts.
    meta:
        author = "@neonprimetime"
        description = "Generic Disable AntiVirus"
    strings:
        $mp_behavior  = "DisableBehaviorMonitoring" nocase
        $mp_onaccess  = "DisableOnAccessProtection" nocase
        $mp_scanrt    = "DisableScanOnRealtime" nocase
        $mp_realtime  = "DisableRealtimeMonitoring" nocase
        $mp_bafs      = "DisableBlockAtFirstSeen" nocase
        $mp_ioav      = "DisableIOAVProtection" nocase
        $mp_antispy   = "DisableAntiSpyware" nocase
        $mp_archive   = "DisableArchiveScanning" nocase
        $mp_script    = "DisableScriptScanning" nocase
        $mp_cmdlet    = "Set-MpPreference" nocase
    condition:
        any of ($mp_*)
}
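rule GenericFirewallModification
{
    // netsh firewall rule manipulation. Strings unchanged; the meta
    // description had a typo ("Modifiction").
    meta:
        author = "@neonprimetime"
        description = "Generic Firewall Modification"
    strings:
        $netsh_adv = "netsh advfirewall" nocase
        $netsh_add = "firewall add" nocase
    condition:
        any of ($netsh_*)
}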


rule GenericPHPPanel
{
    // Common C2 panel gate script names ("/fre.php" is the Lokibot gate
    // also used in LokibotByKeyword).
    meta:
        author = "@neonprimetime"
        description = "Generic PHP Panel"
    strings:
        $gate_php = "/gate.php" nocase
        $fre_php  = "/fre.php" nocase
    condition:
        any of them
}

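rule GenericBase64
{
    // A base64 blob whose "==" padding sits at a line end.
    // Fixes vs. the original: the meta description said "Generic PHP Panel"
    // (copy-paste from the rule above); the pattern now also accepts an
    // LF-only line ending; "nocase" was dropped because the pattern
    // contains no letters.
    meta:
        author = "@neonprimetime"
        description = "Generic Base64 (padded line ending)"
    strings:
        $pad_eol = /==\r?\n/
    condition:
        $pad_eol
}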



rule GenericDynamicDns
{
    // Dynamic-DNS provider suffix frequently used for RAT C2.
    meta:
        author = "@neonprimetime"
        description = "Generic Dynamic DNS"
    strings:
        $ddns_duck = ".duckdns.org" nocase
    condition:
        $ddns_duck
}

rule GenericVisualBasicScript
{
    // VBScript object names, execution calls and the ChrW(48) & ChrW(...)
    // obfuscation pattern. One hit tags the file; ordinary admin scripts
    // using FileSystemObject or Shell.run will also match.
    meta:
        author = "@neonprimetime"
        description = "Generic Visual Basic Script"
    strings:
        $vb_shellexec  = ".shellexecute" nocase
        $vb_shellapp   = "shell.application" nocase
        $vb_sleep      = "Wscript.Sleep" nocase
        $vb_execglobal = "ExecuteGlobal" nocase
        $vb_shellrun   = "Shell.run" nocase
        $vb_fso        = "Scripting.FileSystemObject" nocase
        $vb_const      = ":::const " nocase
        $vb_content    = "vbscontent" nocase
        $vb_execute    = "Execute(" nocase
        $vb_chrw_sp    = "ChrW(48) & ChrW(" nocase
        $vb_chrw       = "ChrW(48)&ChrW(" nocase
    condition:
        any of ($vb_*)
}

rule GenericHackerTerms
{
    // Variable/function names that use "payload" vocabulary.
    meta:
        author = "@neonprimetime"
        description = "Generic Hacker Terms"
    strings:
        $term_path  = "payloadpath" nocase
        $term_exist = "payloadexist" nocase
    condition:
        any of ($term_*)
}

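rule GenericAntiDebug
{
    // Debugger-detection API names. "IsDebuggerPresent" is the companion
    // kernel32 export to "CheckRemoteDebuggerPresent" and was added so the
    // simpler check is tagged as well. Both are imported by plenty of
    // benign software (CRT, DRM, games) - tag only.
    meta:
        author = "@neonprimetime"
        description = "Generic Anti Debug techniques"
    strings:
        $dbg_remote = "CheckRemoteDebuggerPresent" nocase
        $dbg_local  = "IsDebuggerPresent" nocase
    condition:
        any of ($dbg_*)
}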


rule GenericTor
{
    // Tor project domain, .onion addresses and ransom-note style
    // "TOR browser" instructions.
    meta:
        author = "@neonprimetime"
        description = "Generic Tor Dark Web"
    strings:
        $tor_site    = "torproject.org" nocase
        $tor_onion   = ".onion" nocase
        $tor_browser = "TOR browser" nocase
    condition:
        any of ($tor_*)
}


rule GenericPasswordList
{
    // Entries typical of embedded brute-force / spreading wordlists.
    // Strings reproduced verbatim from the original (including the
    // profanity - it is part of the wordlist being matched).
    meta:
        author = "@neonprimetime"
        description = "Generic Password List"
    strings:
        $pw1 = "peternorth" nocase
        $pw2 = "motherfucker" nocase
        $pw3 = "pimpdaddy" nocase
        $pw4 = "ihavenopass" nocase
        $pw5 = "fuckoff" nocase
        $pw6 = "dickhead" nocase
        $pw7 = "passw0rd" nocase
        $pw8 = "changeme" nocase
    condition:
        any of ($pw*)
}
rule GenericUserAgent
{
    // Command-line HTTP client user agents hard-coded in a binary or
    // script.
    meta:
        author = "@neonprimetime"
        description = "Generic User Agents oddities"
    strings:
        $ua_curl = "User-Agent: curl" nocase
        $ua_wget = "User-Agent: wget" nocase
    condition:
        any of ($ua_*)
}

rule GenericWebServer
{
    // Web server product names (case-sensitive, as in the original, so
    // "Apache" with a capital A does not match).
    meta:
        author = "@neonprimetime"
        description = "Generic Web Server info"
    strings:
        $srv_nginx  = "nginx"
        $srv_apache = "apache"
    condition:
        any of ($srv_*)
}

Monday, February 11, 2019

#azorult

------------------------------
5/29/2019
https://app.any.run/tasks/0504a290-18be-4d18-ae00-e03d03b5ae4a/
https://www.virustotal.com/gui/file/ee45336a135108347af89122705d24b97c583ee2d18ec67152441f58a540f34a/detection

Running behavior: (RUN AS ADMINISTRATOR)
program crashed, did not seem to complete

Memory strings while running
0xdb136 (12): PVAULT_CRED8 
0xdb4e5 (12): outlookDecrU 
0xdc928 (84): Software\Martin Prikryl\WinSCP 2\Sessions\ 
0xdc99c (20): PortNumber 
0xdd3a4 (26): \accounts.xml 
0xdd6d4 (10): <password> 
0xdd6e8 (11): </password> 
0xdd778 (60): %APPDATA%\.purple\accounts.xml 
0xddec0 (34): %TEMP%\curbuf.dat 
0xe2874 (253): SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000 
0xe32a8 (28): \places.sqlite 
0xe4084 (16): Browsers\Cookies 
0xe40ac (16): Browsers\History 
0xe43fd (12): uFileFinderU 
0xe4ea8 (30): %APPDATA%\Skype 
0xe51d8 (40): Software\Valve\Steam 
0xe522c (26): \Config\*.vdf 
0xe5de4 (20): %APPDATA%\ 
0xe5e14 (20): \autoscan\ 
0xe5e48 (24): .address.txt 
0xe8100 (20): https://dotbit.me/a/ 
0xe8600 (12): User-agent: 
0xe8618 (51): Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 
0xea1d4 (17): PasswordsList.txt 
0xea258 (66): %appdata%\Telegram Desktop\tdata\ 
0xea360 (22): http://ip-api.com/json 
0xea3d4 (10): System.txt 
0xea450 (84): /c %WINDIR%\system32\timeout.exe 3 & del " 
0xeb7c0 (30): hxxp://77.222.55[.]225/index.php



2/11/2019

https://app.any.run/tasks/7323be7e-daad-4ac7-8500-b905f7dcfaba
https://www.virustotal.com/#/file/cd4f41d81ec1f3ac046df3193e1445994c8e4a6eaaf57748faef5ada77791bf2/detection

Compiler:
- Nullsoft Scriptable Install System(3.0)[zlib]
- Microsoft Linker(6.0)[EXE32,signed]

Running behavior: (RUN AS ADMINISTRATOR)
- launches a copy of itself, then disappears from task manager
- dns lookup 3124322.pw.md-in-82.webhostbox[.]net (43.225.55[.]117)
- POST to 3124322.pw.md-in-82.webhostbox[.]net/index.php (sent data is short, contains a lot of "&" and "." characters)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)

Memory strings while Running:
- original exe has Nullsoft Install System v3.0 strings and NSIS System-plugin call syntax (kernel32::CreateFile, user32::wsprintf, ntdll::NtMapViewOfSection, kernel32::CloseHandle) - these are installer-script API calls, not C source; NtMapViewOfSection in an installer script is worth noting as a possible injection/unpacking step
- re-spawned exe had much more
--- Network activity like 3124322.pw.md-in-82.webhostbox[.]net/index.php, 43.225.55[.]117
--- bunch of function names that all start with "Crypt"
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"

IDA Pro Behavior (RUN AS ADMINISTRATOR)
- start function had "Error writing temporary file", SetErrorMode, GetVersion, etc.
- While in IDA I see the process launch a child of itself, then IDA closes with "process has exited (exit code 0)", so it appears everything in IDA ran fine and the process neither killed itself nor errored out

------------------------------
2/11/2019

https://app.any.run/tasks/6fad55c1-52c5-4dd3-89e0-7ac3a9117464
https://www.virustotal.com/#/file/ef0725492607f9f5adb086a67153f705531f98b91aec7f9d864c5fe04c7db0c1/detection

Compiler:
- Borland Delphi(2006)[-]

Running behavior: (RUN AS ADMINISTRATOR)
- i saw a task for cmd.exe launching timeout.exe, then exes closed in task manager
- original file was deleted
- POST to 23.227.206[.]245/Panel/index.php (sent data is short, contains a lot of "/", "(", ">" and "." characters)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)

Memory strings while Running:
- wasn't running long enough to grab

IDA Pro Behavior (RUN AS ADMINISTRATOR)
- WinMain has GetCommandLineA, GetModuleHandleA, DialogBoxParamA, "Selected Process", "Count of GDI objects", "Count of USER object", etc.
- In WinMain, the DialogBoxParamA call shows this message, 73ED3C62: The instruction at 0x73ED3C62 referenced memory at 0x74. The memory could not be read -> 00000074 (exc.code c0000005 = STATUS_ACCESS_VIOLATION, tid 388)

------------------------------
2/5/2019

https://www.virustotal.com/#/file/5691a24d176090bc059f91f3d05d2e9e39ee071652b4c41dd85ffb8961cb8b03/community

hxxp://modexcommunications[.]eu/jeff/jeff.exe

Notes: I think this run failed because C2 host was taken down

Compiler:
Borland Delphi(7)[-]

Running behavior: (RUN AS ADMINISTRATOR)
- writes jeffie[.]exe to %appdata%\roaming\jefery
- dns lookup wp.icf-fx[.]kz (185.255.91[.]82:80)
- POST to /Panel/index[.]php 
- then disappears off task manager

Memory strings while Running:
- very small file, not much in there
- network activity like (wp.icf-fx[.]kz , 185.255.91[.]82:80, /Panel/index[.]php   )
- bunch of function names that all start with "Crypt"
- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"

IDA Pro Behavior (RUN AS ADMINISTRATOR)
- follow into @Sysinit@@InitExe, @System@@StartExe, @System@_16705
- loops in there for a while, with "call eax" that appears to subtract, i break on the exit from the loop, but instead IDA errors with "0: The instruction 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000006 tid 2748)"


------------------------------
1/23/2019

https://www.virustotal.com/#/file/8a8c2c4563a1f1cbd82f4f8aa5e43fb7adb83197b594bad2dd83dd8a7a2e4692/detection
https://app.any.run/tasks/09cb8551-a11b-4a51-974f-2c5a4cfcac79

hxxp://pioneerfitting[.]com/http/asok.exe

Compiler:
- Microsoft Visual Basic(6.0)[P-code]

Running behavior: (RUN AS ADMINISTRATOR)
- writes filename.exe & filename.vbs to %appdata%\local\temp\subfolder\
- filename.exe runs a copy of itself (hollowing?)
- POST to /trial/index.php (5.34.244[.]250:8080) (sent data is short, contains a lot of "/", "(", ">" and "." characters)
- %appdata%\local\temp\subfolder\filename.vbs added as autorun
- then disappears from task manager

Memory strings while Running:
- asok.exe & the parent filename.exe almost nothing in it of interest
- the copy of itself, child filename.exe, contains
--- network activity like (5.34.244[.]250:8080/trial/index.php)
--- bitcoin filenames like (wallet.dat, electrum.data, BitcoinCore, monero-core, Ethereum)
--- cred filenames like (accounts.xml, PasswordsList.txt, <password>, PVAULT_CRED8)
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- vbs script code (WScript.Shell, Wscript.Sleep, Wscript.Quit, WshShell.RegWrite)
--- bunch of function names that all start with "Crypt"
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
--- other software names like (Skype, Steam, Outlook, WinSCP)
--- urls (dotbit.me, ip-api.com)
--- commands (%windir%\system32\timeout.exe & del)

IDA Pro Behavior: (RUN AS ADMINISTRATOR)
- Inside ThunRtMain, a jmp if you step into goes into MSVBM60, a "call near ptr unk_7294AA4C2" throws error 755FC54F: Floating point inexact result (exc.code c000008f, tid 1008)