Forum for analysis and discussion about malware.


Postby mkroll » Fri Jan 27, 2017 10:29 am

Brad from Malware-Traffic-Analysis found some new malware in a traffic dump from RIG EK: ... index.html

I had a look, gave it a name and posted some info on VirusTotal ( ... /analysis/).
If somebody already gave it a name or you know the real name, please let me know.
Attached you can find the dumps and also the decrypted strings (with RVAs where the string is created in the code of the according module).

CirhashBot (uses "^#" (circumflex hash) as newline escape sequence in crypto strings)

Consists of:
  • complex.dll: main component. Possible tasks seem to be "LINK" (download and execute) and "FILE" (execute from provided buffer). DLLs seem to be executed in memory, EXE files will be dropped to disk and started via CreateProcess
  • stealer_component.dll: Steals email/FTP/WebDrive accounts
  • detects_component.dll: Checks for analysis system and some AV products


RC4-key for POST data and response: "j76TRADHOj7yg54ihkbGQ1"

Base64-string replacements for POST data and response: "+" -> "-", "/" -> "_", "=" -> "."
You do not have the required permissions to view the files attached to this post.
Posts: 9
Joined: Wed Jul 13, 2016 7:43 pm
Reputation point: 1

Re: CirhashBot

Postby tildedennis » Tue Feb 07, 2017 6:29 pm

etpro is calling this "snatch loader", but it looks very similar to h1n1 loader based on: ... ies-part-2 ... g_h1n1.pdf

the c2s from your post were down for me, but ... /analysis/ looks to be the same and is live. no name on the panel login page:

Code: Select all
Posts: 28
Joined: Mon Jun 17, 2013 7:57 pm
Reputation point: 15

Return to Malware

Who is online

Users browsing this forum: No registered users and 6 guests