xors wrote:The first file looks like a common keylogger-stealer. Will look at it more later. Unpacked in the attachment.
https://www.hybrid-analysis.com/sample/ ... mentId=100 (the unpacked)
That's a gozi/isfb variant
The URL can be turned into the structure you would expect by reversing how the bot transforms it, first it prepends a random %s=%s& to the URI encrypts the URI using Serpent in CBC mode. The string is then base64 encoded, next the bot turns all '/' chars into _2F and all '+' chars into _2B and then adds in random '/' characters affixs a static .bmp in this case and removes the base64 padding at the end. The Serpent key in this case is 77694321POIRYTRI
If we take your URI and strip off the .bmp
Revert the conversions we get:
Base64 decoding and then serpent decryption using the aforementioned key gives us:
If you APLib decompress the dll out of the .mem file you uploaded to hybrid analysis and then decode the strings you should see most of the relevant strings you would expect including 'ISFB'