Friday, April 6, 2018
evilammy sample
found by Angel Hun @SeraphimDomain
mosbussum[.]nl/a3.exe
I *think* it's EvilAmmy: https://twitter.com/SeraphimDomain/status/980811174399819781
https://www.hybrid-analysis.com/sample/47f8893dfd5477783d016f397db0f37697e535b0d8f0117ee525eff76707e232/5ac3d92b7ca3e1522c5f96d4
------------- interesting api calls -------------
CreateFileA ( "C:\Users\xxx\AppData\Local\Temp\1.bat", GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL )
CreateProcessA ( NULL, "C:\Users\xxx\AppData\Local\Temp\1.bat", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, 0x002ee290, 0x002e9c58 )
CreateProcessW ( "C:\Windows\system32\PING.EXE", "ping localhost -n 2 ", NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, "C:\Users\Win732\AppData\Local\Temp", 0x0020e7fc, 0x0020e848 )
quantloader sample
found by @James_inthe_box #quantloader #malspam run: "Emailing: <characters>", zip (is muffed, base64 file) -> smblink -> js -> #quantloader
https://twitter.com/James_inthe_box/status/980808229260161024
https://www.hybrid-analysis.com/sample/00ca7e9e61a3ceaa4b9250866aface8af63e5ae71435d4fd6c770a8c9a167f22/5ac21b077ca3e10c8716fbc0
downloads EvilAmmy ( https://pastebin.com/teJp9PtS )
------------------------ interesting api calls ------------------------
strcat ( "", "http://200.7.111.128/e6/index.php" )
WININET.DLL StrCmpNICA ( "https", "https://bdns.at/r/biberonata.bit", 5 )
strlen ( "http://biberonata.bit/e6/index.php" )
CreateFileA ( "c:\users\xxx\appdata\roaming\16643456\dwm.exe", 0, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING | FILE_FLAG_SEQUENTIAL_SCAN, NULL )
CreateProcessA ( NULL, "netsh advfirewall firewall add rule name="Quant" program="c:\users\xxx\desktop\[removed].exe" dir=Out action=allow", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )
CreateProcessA ( NULL, "cmd /c echo Y|CACLS "c:\users\xxx\appdata\roaming\16643456\dwm.exe" /P "xxx:R"", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )
nymaim sample
found by My Online Security @dvk01uk
https://twitter.com/dvk01uk/status/981918736729899009
Fake HSBC “Action needed: Activity confirmation” delivers Nymaim
https://myonlinesecurity.co.uk/fake-hsbc-action-needed-activity-confirmation-delivers-nymaim/
https://www.hybrid-analysis.com/sample/49bdb07f05725b4de83c08c42100a5d9ce505685e5d040821de2cefe66d3fee6?environmentId=100
terminates quickly
---------- interesting api calls ----------
RPCRT4.dll RegOpenKeyExA ( HKEY_LOCAL_MACHINE, "Software\Microsoft\Rpc", 0, KEY_READ, 0x0012f574 )
SspiCli.dll RtlInitUnicodeString ( 0x0012f4d4, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED" )
SspiCli.dll RpcBindingFromStringBindingW ( "ncalrpc:[lsasspirpc]", 0x0012f444 )
PDB: c:\Cold\Property\Best\key\Stood\Wide\SecondEarly.pdb
pandabanker sample
found by James @James_inthe_box incoming #hancitor run: "Notice from UPS", details coming: Still dropping #pandabanker
https://twitter.com/James_inthe_box/status/981911568089661440
https://pastebin.com/ebKNgcqj
https://www.hybrid-analysis.com/sample/6cefef0e50aea5c4d5c0f56911704090570b9b1dcdb4f234d5336c40311462b9
----------- interesting strings -----------
<?xml ... name="Nullsoft.NSIS.exehead" type="win32"/><description> ...
--------- interesting api calls ---------
CreateFile C:\Users\xxx\AppData\Local\Temp\upda8ecf17f.bat
push eax    ; eax:L"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\xxx\\AppData\\Local\\Temp\\updeb8421b2.bat\""
call dword ptr ds:[<&CreateProcessW>]
------- interesting child process -------
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\xxx\AppData\Local\Temp\upda8ecf17f.bat"
------- batch file contents -------
@echo off
:d
del /F /Q "C:\Users\xxx\Desktop\panda.exe"
if exist "C:\Users\xxx\Desktop\panda.exe" goto d
del /F "C:\Users\xxx\AppData\Local\Temp\upd40883b35.bat"
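A small triage script, added here and not part of these posts or of any sandbox's output, that flags the behaviours recorded in the evilammy, quantloader and pandabanker traces above: a .bat written to Temp and then executed, the netsh advfirewall allow rule, a CACLS permission change, ping used as a delay, and a numeric-named folder under Roaming. The sample lines are constructed to mirror those excerpts; the "xxx" user and the sample.exe path are placeholders.

```python
import re

# Constructed API-call lines modelled on the sandbox excerpts in the posts above
# (the "xxx" user and sample.exe name are placeholders, not real indicators).
SAMPLE_CALLS = [
    r'CreateFileA ( "C:\Users\xxx\AppData\Local\Temp\1.bat", GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL )',
    r'CreateProcessA ( NULL, "C:\Users\xxx\AppData\Local\Temp\1.bat", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, 0x002ee290, 0x002e9c58 )',
    r'CreateProcessW ( "C:\Windows\system32\PING.EXE", "ping localhost -n 2 ", NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, "C:\Users\xxx\AppData\Local\Temp", 0x0020e7fc, 0x0020e848 )',
    r'CreateProcessA ( NULL, "netsh advfirewall firewall add rule name="Quant" program="c:\users\xxx\desktop\sample.exe" dir=Out action=allow", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )',
    r'CreateProcessA ( NULL, "cmd /c echo Y|CACLS "c:\users\xxx\appdata\roaming\16643456\dwm.exe" /P "xxx:R"", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )',
    r'RPCRT4.dll RegOpenKeyExA ( HKEY_LOCAL_MACHINE, "Software\Microsoft\Rpc", 0, KEY_READ, 0x0012f574 )',
]

# Single-line behaviours: tag -> pattern matched against one API call.
RULES = [
    ("firewall_allow_rule", re.compile(r'(?i)netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow')),
    ("acl_tamper", re.compile(r'(?i)\b(?:cacls|icacls)\b.*\s/P\s')),
    ("ping_delay", re.compile(r'(?i)\bping\b.*\s-n\s+\d+')),
    ("roaming_numeric_dir", re.compile(r'(?i)\\appdata\\roaming\\\d{6,}\\')),
]
# A .bat path under a Temp directory, used for the cross-line correlation below.
TEMP_BAT = re.compile(r'(?i)\\(?:Local\\)?Temp\\[^"]+\.bat')

def called_api(line):
    """Name of the API in a call line, e.g. 'CreateProcessA'; module prefixes such as 'RPCRT4.dll' are skipped."""
    m = re.search(r'(\w+)\s*\(', line)
    if m:
        return m.group(1)
    parts = line.split()
    return parts[0] if parts else ""

def triage(lines):
    """Return {tag: [matching lines]} for the behaviours seen in the posts above."""
    hits = {}
    created_bats = set()  # Temp .bat paths written earlier in the trace
    for line in lines:
        for tag, rx in RULES:
            if rx.search(line):
                hits.setdefault(tag, []).append(line)
        bat = TEMP_BAT.search(line)
        api = called_api(line)
        if bat:
            path = bat.group(0).lower()
            if api.startswith("CreateFile"):
                created_bats.add(path)
            # Dropper pattern: a batch file written to Temp and then executed.
            elif api.startswith("CreateProcess") and path in created_bats:
                hits.setdefault("temp_batch_dropper", []).append(line)
    return hits
```

The correlation only fires when the CreateProcess call follows a CreateFile for the same path, so a run of a pre-existing batch file is not flagged on its own.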
Thursday, April 5, 2018
Infosec quotes - fake updates RAT
Are your org's users used to downloading and updating their own software? Then this could be a problem.
“... payload was NetSupport RAT ... spread by fake updates masquerading as Adobe Flash, Chrome, and FireFox updates...”
https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html
Infosec quotes - Cisco vuln
“... enables an attacker to remotely execute arbitrary code without authentication. So it allows getting full control over a vulnerable network equipment....”
https://embedi.com/blog/cisco-smart-install-remote-code-execution/
Wednesday, April 4, 2018
Infosec quotes - phish university
“... used phishing attacks to harvest credentials from affected staff members and used these to gain access...”