Power Loader (blast, alias Alureon)


Power Loader (blast, alias Alureon)

Postby kmd » Wed Mar 27, 2013 5:19 pm

1) trojan inside spam attachment
2) SHA1: fc265634d8628ef3b47bdcb0658714ea66977dc4
3) http://www.sophos.com/en-us/threat-cent ... lysis.aspx

ty

Re: Troj/Agent-AAXB request

Postby r2nwcnydc » Wed Mar 27, 2013 5:38 pm

Here you go.

Re: Troj/Agent-AAXB request

Postby Horgh » Thu Mar 28, 2013 12:40 am

I took a quick glance at it; it's the Power Loader ESET mentioned. Lame stuff.

Attached: unpacked + x64 dropper.

Config:
srvurls=http://seantit.ru/power/c1.php;http://programcam.ru/power/c1.php;
srvdelay=15
srvretry=2
buildid=test

Power.zip
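Horgh's config block above is a plain key=value dump. As an added example (not code from the thread or from the Power Loader author), here is a small Python parser that turns such a dump into indicators a defender can act on; the sample config is the one posted above, and treating srvdelay/srvretry as integers and srvurls as a ';'-separated URL list is my assumption from the values shown.

```python
"""Parse a Power Loader style key=value config and extract C2 indicators.

Added example, not from the original post. Field semantics (srvdelay and
srvretry as integers, srvurls as a ';'-separated list) are assumptions
based on the values shown in the thread.
"""
from urllib.parse import urlsplit

# Config text as posted in the thread (embedded here as constructed input).
SAMPLE_CONFIG = """\
srvurls=http://seantit.ru/power/c1.php;http://programcam.ru/power/c1.php;
srvdelay=15
srvretry=2
buildid=test
"""

INT_FIELDS = {"srvdelay", "srvretry"}  # assumed numeric fields


def parse_config(text):
    """Return a dict: srvurls -> list (empty trailing entry dropped),
    INT_FIELDS -> int, anything else kept as the raw string."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "srvurls":
            # The sample ends with ';', which would yield an empty URL; drop it.
            cfg[key] = [u for u in value.split(";") if u]
        elif key in INT_FIELDS:
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def c2_indicators(cfg):
    """Full C2 URLs plus the de-duplicated, sorted hostnames behind them."""
    urls = cfg.get("srvurls", [])
    hosts = sorted({h for h in (urlsplit(u).hostname for u in urls) if h})
    return {"urls": urls, "hosts": hosts}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(f"build {cfg['buildid']}: beacon every {cfg['srvdelay']}s, "
          f"{cfg['srvretry']} retries")
    for host in c2_indicators(cfg)["hosts"]:
        print("block host:", host)
```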

Re: Troj/Agent-AAXB request

Postby EP_X0FF » Thu Mar 28, 2013 2:31 am

Part of the Win32/Alureon family with Gapz-style inject (see @004049C0 and @004045D0). Moved.

Expect more and more copy-paste; see this trojan development topic as an example (and for the original inject method author see post #4):
hxxp://wasm.ru/forum/viewtopic.php?id=47590

Power Loader (alias Alureon)

Postby grum » Thu Mar 28, 2013 7:16 am

:D cracked public now

annloader_1d 2011

http://goo.gl/wUIBl

pass: gangcash@jabber.org


PowerLoader_v2.0

http://goo.gl/LLJXT

pass: gangcash@jabber.org

Re: Power Loader (alias Alureon)

Postby EP_X0FF » Wed Apr 17, 2013 6:44 am

@readyde

You chose the wrong forum to post this. Solve your malware "business" problems elsewhere. We do not create/support malware here, and this forum is not a script-kiddie malware marketplace for this kind of "blacklisting". This behaviour is not welcome and, furthermore, next time whoever tries to do this again will be immediately and permanently banned.

Posts disapproved.

Re: Power Loader (alias Alureon)

Postby EP_X0FF » Wed Apr 17, 2013 6:55 am

Another Power Loader + payload (bitcoin miner). Both attached.

SHA256: 9507b7eabaf22758ad6724f4e63c6772e04992f42b56e1281571b3fbeba00a3a
SHA1: 9d9ae3d4d8a0f0959e84a098483debe19811adf6
MD5: 06708d4bb90b6d3761b62302dbf96f36

https://www.virustotal.com/en/file/9507b7eabaf22758ad6724f4e63c6772e04992f42b56e1281571b3fbeba00a3a/analysis/

SHA256: 10bfd9746863fd90e7c7b204a2a0a0c529f12b5a7dea51858e81f32698c168f8
SHA1: 745fbaf750124630f9c440f24d7753c582a748ad
MD5: 5c99411fa8a11691771a476ff52a9344

https://www.virustotal.com/en/file/10bfd9746863fd90e7c7b204a2a0a0c529f12b5a7dea51858e81f32698c168f8/analysis/

Re: Power Loader (alias Alureon)

Postby rinn » Wed Apr 17, 2013 8:02 pm

grum wrote:
:D cracked public now

annloader_1d 2011

http://goo.gl/wUIBl

pass: gangcash@jabber.org


PowerLoader_v2.0

http://goo.gl/LLJXT

pass: gangcash@jabber.org


It is a bit outdated. Power Loader has been available since last autumn and, besides using the public explorer.exe ACE bug, has specific code against the Outpost product. Well, it is using the same trick I've been using for the last 2 years in my penetration testing toolkit (alongside a couple of other still private methods unseen in itw malware), mentioned here viewtopic.php?f=15&t=1485&start=60

Code:
   PCLIENT_ID pcid;
   OBJECT_ATTRIBUTES obja;
   DWORD fOldProtect;

   if (IsProcessRunning(L"op_mon.exe")) {   /* Outpost monitor present? */

      /* CLIENT_ID lives in its own page, which is then marked PAGE_GUARD */
      pcid = (CLIENT_ID *)VirtualAlloc(NULL, PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
      pcid->UniqueProcess = ExplorerPID;
      VirtualProtect(pcid, PAGE_SIZE, PAGE_READWRITE | PAGE_GUARD, &fOldProtect);
      InitializeObjectAttributes(&obja, 0, 0, 0, NULL);
      NtStatus = NtOpenProcess(&hProcess, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &obja, pcid);
      if ( !NT_SUCCESS(NtStatus) ) {
         /* fallback if the call itself fails (e.g. no hook, guard page fault) */
         hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ExplorerPID);
      }
   }


The idea of this method is to abuse a badly written SDT hook handler. When Outpost tries to access the NtOpenProcess parameters it catches an exception, because the CLIENT_ID memory is marked with the PAGE_GUARD flag. Once the exception occurs, Outpost transfers control to the original Windows service, thinking all is OK. This is an example of the mindless coding style so often seen in security drivers. Lack of professionalism as it is.

Attached loader retrieved from EP_X0FF's sample. For the code I mention, look at the function located at address 0x00404830.

Best Regards,
-rin

Re: Power Loader (alias Alureon)

Postby EP_X0FF » Wed May 15, 2013 10:10 am

SHA256: a5d9b4226432b63eac41b5e47e1e277730fcd31d00d25bec31095de12c7777b3
SHA1: c2b50af1220aeaf076ada73665a734634d15ec5d
MD5: 2dff72099f977da97672e01e7f4ca2e1

https://www.virustotal.com/en/file/a5d9b4226432b63eac41b5e47e1e277730fcd31d00d25bec31095de12c7777b3/analysis/

Original, decrypted dropper + extracted x64 binary attached.

x86-32
https://www.virustotal.com/en/file/4b886e0089a2f28b52f13bd10523f39059dcdc04dfebbf7cde5bfdd611877bed/analysis/1368612442/

x64
https://www.virustotal.com/en/file/53e1e42489d0d6256763566f71003739fa5ca74d46fe87c374d94fb018045871/analysis/1368612443/

x86-32 quote (OutputDebugString)
Is what you've seen too much to take, or are you blind and seeing nothing? Through senses, what can we explain? Not joy, not guilt, not pain So run my baby run my baby run


x64 quote (OutputDebugString)
I'm tired holding up the weight,the weight of the motherfucking world! Am I too last to be saved? Am I too last? The boys wanna fight

Malware spreading by Skype

Postby kekieres » Mon May 20, 2013 7:00 pm

I've recently received a malware sample.

Spreading mechanism: you receive a chat message from a Skype contact saying (in Spanish)
"esta es una foto muy amable de tu parte "
(It's grammatically correct but it doesn't sound natural in Spanish)
and then the following URL:
hXXp://goo.gl/lLGdM?png=<your_skype_contact_name>
In fact the parameters are irrelevant.
Independently of the parameters it always expands to:
hXXp://dc663.4shared.com/download/arUNC ... e=BASE_WEB

The malware comes in a ZIP file, and inside is the EXE named: fotos_facebook-20052013-png.exe
SHA1: 882da1b7838bc087c753a14b0dd1e40cd3db78d3
Here you have the sample.
Right now it's almost undetected on VirusTotal (3/47).
I'm not good at reverse engineering and deep malware analysis, but I've used malwr.com to do a dynamic analysis (https://malwr.com/analysis/ZDdkOWViY2Qy ... TJjZTU5N2E)
Obviously it's nothing good. It tries to contact hXXp://r.gigaionjumbie.biz/images/gx.php

Is it a known malware?
