H1N1 loader (aka Win32/Zlader)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: H1N1 loader (aka Win32/Zlader)

Post by EP_X0FF » Tue Mar 15, 2016 4:30 pm

Thanks for the analysis. It seems the author of this crapware is stuck somewhere in the middle of the 200x with his constant attempts to patch system files with shellcode. Well, actually, expectations for this loader were too high since the beginning.
Ring0 - the source of inspiration

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: H1N1 loader (aka Win32/Zlader)

Post by R136a1 » Wed Mar 16, 2016 9:14 am

I have realized that the new H1N1 loader isn't the first malware which used the trick with the WMI console to elevate privileges. Radamant ransomware has used it since the end of December (2015); more on it here.

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: H1N1 loader (aka Win32/Zlader)

Post by 0x16/7ton » Fri Mar 18, 2016 7:21 pm

Ironically, I found AV "bypass" functionality in that crap.
Early samples have an AV name hash table:
hash_table.png
Old sample hash function:

Code:

def rol(x, n):  # 32-bit rotate left; not shown in the original snippet
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def av_name_hash(str_, hash_=0):  # initial hash value not shown in the snippet; 0 assumed
    for char_ in str_:
        char_int = ord(char_)
        hash_ = (rol(hash_, 3) & 0xFFFFFFFF)
        hash_ = (hash_ & 0xFFFFFF00) | ((hash_ & 0x000000ff) ^ char_int)
    return hash_
The malware enumerates the process list and checks for the presence of AV processes via the hash table. If the malware finds any AV process, it launches a process in a suspended state and injects the payload into it.
The injected payload code again enumerates AV processes and suspends their threads.
dumb_code.png
So basically it is a lame proxy-injection attack. In new samples, AFAIK, the hash table is cut.
Cause and effect
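An added example, not code from the post or from the sample: an analyst-side resolver that brute-forces a hash table of the kind described above back to process names using the hash routine quoted in the post. The seed value 0, the candidate name list and the stand-in table are all assumptions constructed here (the sample's real table is in hash_table.png, which is not visible).

```python
def rol32(x, n):
    """32-bit rotate left (the post's rol helper is not shown; this is an assumption)."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def name_hash(name, seed=0):
    """Hash routine as quoted in the post: rotate by 3, then XOR the low byte with the next char.
    The seed is not shown in the post; 0 is assumed. Note the routine is case-sensitive."""
    h = seed
    for c in name:
        h = rol32(h, 3)
        h = (h & 0xFFFFFF00) | ((h & 0xFF) ^ ord(c))
    return h

# Candidate process names an analyst would try against the table (assumed list).
CANDIDATES = ["avp.exe", "egui.exe", "avgnt.exe", "explorer.exe", "svchost.exe"]

# Constructed stand-in for the sample's table: two resolvable entries plus one
# placeholder value that no candidate produces.
SAMPLE_TABLE = [name_hash(n) for n in ("avp.exe", "egui.exe")] + [0xDEADBEEF]

def resolve_table(table, candidates, seed=0):
    """Map each hash in the table to every candidate spelling that produces it.
    Because the hash is case-sensitive, lower- and upper-case variants are tried too;
    hashes no candidate matches map to an empty list so the gaps are visible."""
    by_hash = {}
    for n in candidates:
        for variant in (n, n.lower(), n.upper()):
            by_hash.setdefault(name_hash(variant, seed), set()).add(variant)
    return {h: sorted(by_hash.get(h, ())) for h in table}

if __name__ == "__main__":
    for h, names in resolve_table(SAMPLE_TABLE, CANDIDATES).items():
        print(f"{h:08x} -> {names or 'unresolved'}")
```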

ikolor
Posts: 322
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu May 19, 2016 3:13 pm


benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Re: Malware collection

Post by benkow_ » Thu May 19, 2016 3:22 pm

h1n1 loader
Panel: hxxp://johnnebifi.com/h/admin.php?do=auth

ikolor
Posts: 322
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed May 25, 2016 3:24 pm


benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Re: Malware collection

Post by benkow_ » Wed May 25, 2016 3:31 pm


xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Re: H1N1 loader (aka Win32/Zlader)

Post by xors » Fri May 27, 2016 10:55 pm


comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Re: H1N1 loader (aka Win32/Zlader)

Post by comak » Tue Jun 07, 2016 2:00 pm

xors wrote: https://malwr.com/analysis/ZTJlOWU4OGFk ... c4MDVhZmU/

from hxxp://orhislighmi.com

Code:

rc4key: xHjj488vs873hGGevvctRWTvc
urls	orhislighmi.com:80/h/gate.php,sofrofhatpa.ru:80/h/gate.php,wasshedtonhar.ru:80/h/gate.php

teddybear
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am

Re: H1N1 loader (aka Win32/Zlader)

Post by teddybear » Wed Jun 15, 2016 8:38 am

Recent sample distributed in Italy via spam:

https://www.virustotal.com/en/file/6875 ... /analysis/

Lots of info in VT comments (not my own work):

Code:

estero .pw/065n2azk.php
halinanos .online/065n2azk.php
ipuzu .site/065n2azk.php

Code:

"botnet":	"new",
"check_config":	327685,
"send_report":	327685,
"check_update":	327685,
"url_config":	"https:// sakovel .xyz/1bahimyegowidezehutez.dat",
"url_webinjects":	"https:// sakovel .xyz/webinjects.dat",
"url_update":	"https:// sakovel .xyz/1bahimyegowidezehutez.exe",
"url_plugin_vnc32":	"https:// sakovel .xyz/vnc32.bin",
"url_plugin_vnc64":	"https:// sakovel .xyz/vnc64.bin",
"url_plugin_vnc_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_backsocks":	"https:// sakovel .xyz/backsocks.bin",
"url_plugin_backsocks_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_grabber":	"https:// sakovel .xyz/grabber.bin",
"grab_pass":	1,
"grab_form":	1,
"grab_cert":	1,
"grab_cookie":	1,
"grab_del_cookie":	0,
