Here's what I can gather from this binary:
- Two IPs: 220.127.116.11 and 18.104.22.168
- Compiled with Delphi (I see a TON of references to Delphi in strings)
  IDA is also telling me something about "BDS 2005-2007 and Delphi6-7 Visual Component Library" in the comments next to the disassembly.
- Seems to disable proxies, and empties the proxy server in the registry.
- References to the URL "amazo0n.serveftp.com" (I googled serveftp.com and this site is associated with A TON of malware)
Looks like the first reference to this malware that I saw was here: https://twitter.com/HONKONE_K/status/10 ... 2643042305
Later, it did get replied to (https://twitter.com/VK_Intel/status/1086132317922488320), and it actually drops a PowerShell payload! https://pastebin.com/V3gE4xJc
The payload does this:
- Gets some ID (presumably generated beforehand by the program?)
- Gathers time, machine name, username, domain name, OS details, IP, network shares, environment variables, installed applications, and running services
- sends this info off to amazo0n.serveftp.com/users.php?tname=(text file name)&path=Data. The text file name is "T_" then the ID.
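As an added example (my own defender-side code, not anything from the post or the sample), here is a small Python triage script that turns the indicators listed above into detection logic and runs it over constructed proxy-log URLs and registry-write events. The domain, the two IPs and the users.php?tname=T_...&path=Data beacon shape come from the post; the ID character set, the registry key (HKCU\...\Internet Settings, the usual home of ProxyEnable/ProxyServer) and the event dictionary layout are my assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators as given in the post above.
C2_DOMAIN = "amazo0n.serveftp.com"
C2_IPS = {"220.127.116.11", "18.104.22.168"}
EXFIL_PATH = "/users.php"
# The post says the tname is "T_" followed by the ID; the ID alphabet is an assumption.
TNAME_RE = re.compile(r"^T_[A-Za-z0-9_-]+$")
# Assumed location of the proxy settings the dropper clears.
PROXY_KEY_SUFFIX = r"\internet settings"


def classify_http(url: str) -> list[str]:
    """Return the indicator labels that one outbound URL matches."""
    hits = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if host == C2_DOMAIN:
        hits.append("c2-domain")
    if host in C2_IPS:
        hits.append("c2-ip")
    if parsed.path == EXFIL_PATH:
        qs = parse_qs(parsed.query)
        tname = qs.get("tname", [""])[0]
        if TNAME_RE.match(tname) and qs.get("path", [""])[0] == "Data":
            hits.append("exfil-beacon")
    return hits


def classify_registry(event: dict) -> list[str]:
    """Flag registry writes matching the proxy-disabling behaviour described."""
    hits = []
    if event.get("key", "").lower().endswith(PROXY_KEY_SUFFIX):
        if event.get("value") == "ProxyEnable" and str(event.get("data")) == "0":
            hits.append("proxy-disabled")
        if event.get("value") == "ProxyServer" and event.get("data") == "":
            hits.append("proxy-server-cleared")
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_URLS = [
    "http://amazo0n.serveftp.com/users.php?tname=T_5F3A9C&path=Data",
    "https://www.example.com/index.html",
    "http://18.104.22.168/",
]
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_REGISTRY = [
    {"key": PROXY_KEY, "value": "ProxyEnable", "data": 0},
    {"key": PROXY_KEY, "value": "ProxyServer", "data": ""},
    {"key": r"HKCU\Software\Example", "value": "Foo", "data": "bar"},
]


def scan(urls=SAMPLE_URLS, reg_events=SAMPLE_REGISTRY) -> list[tuple[str, str]]:
    """Run both classifiers and return (evidence, label) pairs."""
    findings = []
    for url in urls:
        findings.extend((url, label) for label in classify_http(url))
    for ev in reg_events:
        evidence = f"{ev['key']}\\{ev['value']}"
        findings.extend((evidence, label) for label in classify_registry(ev))
    return findings


if __name__ == "__main__":
    for evidence, label in scan():
        print(f"{label:22s} {evidence}")
```

The host match is exact rather than a substring search so that look-alike domains do not produce false positives, and the beacon check requires all three parts (path, T_ prefix, path=Data) so a legitimate users.php page on another host is not flagged.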