
Re: WinNT/Ursnif

PostPosted:Thu Jun 18, 2015 1:14 pm
by teddybear
Two recent samples:
https://www.virustotal.com/file/a13d50f ... /analysis/
https://www.virustotal.com/file/523cbdf ... /analysis/
Code:
a13d50fbde76bfc3f3d7725df6d214863fc4aacd85362728c09871b2d0e80ae2
523cbdfb1657bcbc34830f9cf41c2e91e72222a3d78ff00e489f3216628fd6ce

Re: Malware collection

PostPosted:Thu Oct 08, 2015 2:33 pm
by ikolor

Re: Malware collection

PostPosted:Fri Jan 15, 2016 1:38 pm
by ikolor

Re: WinNT/Ursnif

PostPosted:Mon Apr 18, 2016 10:22 am
by rkhunter

Re: Malware collection

PostPosted:Thu Jul 07, 2016 1:45 pm
by ikolor
Next malware.

Please comment about what it is!!!

Re: Malware collection

PostPosted:Thu Jul 07, 2016 2:14 pm
by nullptr
ikolor wrote: Please comment about what it is!!!
The one named "sprawa 07072016 t_fdp.rar" is Win32/Ursnif.HP according to MS. Unpacked attached.
The other one is Ransom Shade aka Troldesh. Also attached.

Re: Malware collection

PostPosted:Thu Jul 07, 2016 2:41 pm
by xors
The first file looks like a common keylogger-stealer. Will look at it more later. Unpacked in the attachment.

https://www.hybrid-analysis.com/sample/ ... mentId=100 (the unpacked)

Re: Malware collection

PostPosted:Fri Jul 08, 2016 3:52 am
by nullptr
Ransom Shade/Troldesh listed above targets the following extensions:
Code:
wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb
|xltm|xlt|xlam|xla|mdb|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xlw|uxdc|pm|udl|dsn|iqy|dqy|rqy|oqy|cub|bak|xsn|xsf|xtp|xtp2|accdb|adb|adp|mda|accda|
mde|accde|accdw|accdt|accdc|mdw|dbf|tab|asc|frm|opt|myd|myi|db|onetoc2|one|onepkg|vcs|ics|pst|oft|msg|pptx|ppt|pptm|pps|ppsm|pot|potx|potm|odp|thmx|wpd|
wps|ppa|ppam|wmf|emf|pub|ps|xps|vsd|vdx|vss|vsx|vst|vtx|vsw|vdw|emz|dwg|dxf|docx|doc|docm|dotx|dot|dotm|djvu|chm|htm|html|mht|mhtml|shtml|shtm|asp|
aspx|dwt|stm|cs|css|psd|pdd|3ds|max|crw|nef|raf|orf|mrw|dcr|mos|pef|srf|dng|x3f|cr2|erf|sr2|kdc|mfw|mef|cin|sdpx|dpx|fido|dae|dcm|dc3|dic|eps|kmz|iff|tdi|
exr|pcx|pdp|pxr|sct|u3d|obj|ai3|ai4|ai5|ai6|ai7|ai8|ai|epsp|epsf|hdr|rgbe|xyze|flm|pbm|pgm|ppm|pnm|pfm|pam|pct|pict|psb|fxg|swf|hta|htc|ssi|as|asr|xsl|xsd|dtd|
xslt|rss|rdf|lbi|asa|ascx|asmx|config|cfm|cfml|cfc|tld|phtml|jsp|wml|tpl|lasso|jsf|vb|vbs|vtm|vtml|edml|raw|jpg|jpeg|jpe|bmp|png|tif|tiff|dib|gif|svg|svgz|rle|tga|
vda|icb|wbm|wbmp|jpf|jpx|jp2|j2k|j2c|jpc|avi|mkv|mov|mp4|wmv|3gp|mpg|mpeg|m4v|divx|mpv|m1v|dat|anim|m4a|qt|3g2|f4v|mkidx|mka|avs|vdr|flv|bin|mp3|wav|
asx|pls|zip|7z|rar|tar|gz|bz2|wim|xz|c|h|hpp|cpp|php|php3|php4|php5|py|pl|sln|js|json|inc|sql|java|class|ini|asm|clx|tbb|tbi|tbk|pst|dbx|cbf|crypted|tib|eml|fld|vbm|
vbk|vib|vhd|mtr|vault|1cd|dt|cf|cfu|mxl|epf|vrp|grs|geo|elf|lgf|lgp|log|st|pff|mft|efd|md|dmp|fdb|lst|fbk
Encrypted files have the extension .da_vinci_code or .magic_software_syndicate.

Re: Malware collection

PostPosted:Sat Jul 09, 2016 1:01 am
by sysopfb
xors wrote: The first file looks like a common keylogger-stealer. Will look at it more later. Unpacked in the attachment.

https://www.hybrid-analysis.com/sample/ ... mentId=100 (the unpacked)

That's a Gozi/ISFB variant.

The URL can be turned into the structure you would expect by reversing how the bot transforms it. First it prepends a random %s=%s& to the URI, then encrypts the URI using Serpent in CBC mode. The string is then base64 encoded; next the bot turns all '/' chars into _2F and all '+' chars into _2B, then adds in random '/' characters, affixes a static .bmp in this case and removes the base64 padding at the end. The Serpent key in this case is 77694321POIRYTRI.

If we take your URI and strip off the .bmp:
07cQjh78k/h9_2F7Bko9MXaAhDpedg/nuZyGeOKKI2LsDNQQF_/2BchxOxhOXrqgnPAATLfeB/9jQkF4RR3sJVr/7rWAOT48/5anqeUiMzjqdcswwKNtn9ps/cKWpK_2FRF/saO8k83UR6VeLIC6o/QJsgGGfOax/iDJZi

Reverting the conversions, we get:
07cQjh78kh9/7Bko9MXaAhDpedgnuZyGeOKKI2LsDNQQF+chxOxhOXrqgnPAATLfeB9jQkF4RR3sJVr7rWAOT485anqeUiMzjqdcswwKNtn9pscKWpK/RFsaO8k83UR6VeLIC6oQJsgGGfOaxiDJZi==

Base64 decoding and then Serpent decryption using the aforementioned key gives us:
ufihdhdto=ptpb&soft=1&version=214721&user=00283f5318307646a07fd209ec95398a&server=12&id=1009&crc=3b284a

If you aPLib-decompress the DLL out of the .mem file you uploaded to Hybrid Analysis and then decode the strings, you should see most of the relevant strings you would expect, including 'ISFB'.
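
The reversal described above, as an added Python example that is not code from the post or from any tool it mentions: it undoes the transport mangling of the quoted URI path and recovers the raw ciphertext, stopping before the Serpent step (Serpent is not in the standard library). The sample path is the one quoted above; the function names are this example's own.

```python
import base64

# Constructed test input: the URI path quoted in the post above, ".bmp" already stripped.
SAMPLE_PATH = "07cQjh78k/h9_2F7Bko9MXaAhDpedg/nuZyGeOKKI2LsDNQQF_/2BchxOxhOXrqgnPAATLfeB/9jQkF4RR3sJVr/7rWAOT48/5anqeUiMzjqdcswwKNtn9ps/cKWpK_2FRF/saO8k83UR6VeLIC6o/QJsgGGfOax/iDJZi"


def restore_base64(path: str) -> str:
    """Undo the bot's transport mangling and return standard, padded base64.

    The steps are the ones described in the post, applied in reverse order:
    fake extension -> random '/' -> _2F/_2B escapes -> padding.
    """
    # Drop the fake extension (".bmp" in this sample) if it is still attached.
    # '.' is not a base64 character, so the first one marks the extension.
    path = path.split(".", 1)[0]
    # Strip the random '/' characters first: the bot may insert one inside an
    # escape sequence (the sample contains "_/2B"), so this must precede unescaping.
    path = path.replace("/", "")
    # Map the escapes back to the base64 alphabet ('_' is not in that alphabet,
    # so "_2F" / "_2B" cannot collide with real data).
    path = path.replace("_2F", "/").replace("_2B", "+")
    # Re-add the padding the bot removed.
    return path + "=" * (-len(path) % 4)


def recover_ciphertext(path: str) -> bytes:
    """Return the raw Serpent-CBC ciphertext carried in the URI.

    Decrypting it with the 16-byte key quoted in the post ("77694321POIRYTRI")
    is the remaining step and needs a third-party Serpent implementation.
    """
    return base64.b64decode(restore_base64(path), validate=True)


if __name__ == "__main__":
    print(restore_base64(SAMPLE_PATH))
    blob = recover_ciphertext(SAMPLE_PATH)
    print(len(blob), "bytes; 16-byte block aligned:", len(blob) % 16 == 0)
```

For the sample path this yields the padded base64 string shown above and a 112-byte blob, a whole number of Serpent blocks, which is a quick sanity check that the unmangling was done in the right order.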

Re: Malware collection

PostPosted:Sat Jul 09, 2016 6:13 pm
by ikolor