H1N1 loader (aka Win32/Zlader)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Tue Mar 15, 2016 4:30 pm

Thanks for the analysis. It seems the author of this crapware is stuck somewhere in the middle of the 200x with his constant attempts to patch system files with shellcode. Well, actually, expectations for this loader were too high from the beginning.
Ring0 - the source of inspiration
R136a1
Forum Admin
Posts: 231
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Wed Mar 16, 2016 9:14 am

I have realized that the new H1N1 loader isn't the first malware which used the trick with the WMI console to elevate privileges. Radamant ransomware has used it since the end of December (2015), more on it here.
0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Fri Mar 18, 2016 7:21 pm

Ironically, I found AV "bypass" functionality in that crap.
Early samples have an AV name hash table:
hash_table.png
Old sample hash function:

Code:

def rol(value, count, width=32):  # 32-bit rotate left, needed by the loop below
    return ((value << count) | (value >> (width - count))) & ((1 << width) - 1)
def old_hash(str_, hash_=0):  # starting value is not shown in the post; 0 is assumed
    for char_ in str_:
        char_int = ord(char_)
        hash_ = (rol(hash_, 3) & 0xFFFFFFFF)
        hash_ = (hash_ & 0xFFFFFF00) | ((hash_ & 0x000000ff) ^ char_int)
    return hash_
The malware enumerates the process list and checks for the presence of AV processes via the hash table. If the malware finds any AV processes, it launches a process in a suspended state and injects a payload into it.
The injected payload code again enumerates AV processes and suspends their threads.
dumb_code.png
So basically it is a lame proxy injection attack. In new samples, AFAIK, the hash table is cut.
Cause and effect
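The ROL-3/XOR string hash from the post above, worked through from both sides, as an added example that is not code from the thread or from the loader itself: the loader's side (hash every running process name and look it up in its hash table) and the analyst's side (recover the names behind a dumped hash table by hashing a candidate list, trying case variants). The hash seed (0), the case handling, the candidate process names and the "running" process list are all assumptions made for the example.

```python
"""Added example, not from the thread: the ROL-3 / low-byte-XOR name hash
and the two ways it gets used (lookup in a hash table, and resolving a
dumped table back to names). Seed, case handling and all names are assumed."""

from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by count bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def name_hash(name: str, seed: int = 0) -> int:
    """Hash as posted: rotate the running value left by 3, then XOR the next
    character into the low byte only. The post does not show the starting
    value; 0 is assumed here."""
    h = seed
    for ch in name.encode("ascii"):
        h = rol32(h, 3)
        h = (h & 0xFFFFFF00) | ((h & 0xFF) ^ ch)
    return h


# Constructed AV-style process names for the example; not a list taken from any sample.
CANDIDATE_NAMES = ["avp.exe", "avgnt.exe", "mbam.exe", "egui.exe", "msmpeng.exe"]


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """What the loader ships: hashes only. The name is kept here just for checking."""
    return {name_hash(n): n for n in names}


def matching_processes(running: Iterable[str], table: Dict[int, str]) -> List[str]:
    """Loader's check: hash each running process name, keep those found in the table."""
    return [p for p in running if name_hash(p) in table]


def resolve_hashes(hashes: Iterable[int], candidates: Iterable[str]) -> Dict[int, Optional[str]]:
    """Analyst's step: map each hash from a dumped table back to a name, if any
    candidate (tried as written, lowercase and uppercase) produces it."""
    lookup: Dict[int, str] = {}
    for c in candidates:
        for variant in (c, c.lower(), c.upper()):
            lookup.setdefault(name_hash(variant), variant)
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(CANDIDATE_NAMES)
    # Constructed "running process" snapshot for the demo.
    running = ["explorer.exe", "avp.exe", "svchost.exe", "mbam.exe"]
    print("AV hits:", matching_processes(running, table))
    for h, n in resolve_hashes(list(table), CANDIDATE_NAMES).items():
        print(f"{h:08x} -> {n}")
```

Because only the low byte absorbs each character and the rest of the value is just rotated, short names produce small hashes (for example "abc" hashes to 0x1B33); a dumped table with many small values is a quick hint that this hash is in use. Case matters to the hash, so a resolver that only tries one spelling will miss entries where the loader stored the name in a different case from the candidate list.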
ikolor
Posts: 328
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Thu May 19, 2016 3:13 pm

benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Thu May 19, 2016 3:22 pm

h1n1 loader
Panel: hxxp://johnnebifi.com/h/admin.php?do=auth
ikolor
Posts: 328
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Wed May 25, 2016 3:24 pm

benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Wed May 25, 2016 3:31 pm

xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Fri May 27, 2016 10:55 pm

comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Tue Jun 07, 2016 2:00 pm

xors wrote: https://malwr.com/analysis/ZTJlOWU4OGFk ... c4MDVhZmU/

from hxxp://orhislighmi.com

Code:

rc4key: xHjj488vs873hGGevvctRWTvc
urls	orhislighmi.com:80/h/gate.php,sofrofhatpa.ru:80/h/gate.php,wasshedtonhar.ru:80/h/gate.php
teddybear
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am

Wed Jun 15, 2016 8:38 am

Recent sample distributed in Italy via spam:

https://www.virustotal.com/en/file/6875 ... /analysis/

Lots of info in VT comments (not my own work):

Code:

estero .pw/065n2azk.php
halinanos .online/065n2azk.php
ipuzu .site/065n2azk.php

Code:

"botnet":	"new",
"check_config":	327685,
"send_report":	327685,
"check_update":	327685,
"url_config":	"https:// sakovel .xyz/1bahimyegowidezehutez.dat",
"url_webinjects":	"https:// sakovel .xyz/webinjects.dat",
"url_update":	"https:// sakovel .xyz/1bahimyegowidezehutez.exe",
"url_plugin_vnc32":	"https:// sakovel .xyz/vnc32.bin",
"url_plugin_vnc64":	"https:// sakovel .xyz/vnc64.bin",
"url_plugin_vnc_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_backsocks":	"https:// sakovel .xyz/backsocks.bin",
"url_plugin_backsocks_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_grabber":	"https:// sakovel .xyz/grabber.bin",
"grab_pass":	1,
"grab_form":	1,
"grab_cert":	1,
"grab_cookie":	1,
"grab_del_cookie":	0,