A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29892  by mkroll
 Fri Jan 27, 2017 10:29 am
Brad from Malware-Traffic-Analysis found some new malware in a traffic dump from RIG EK: http://www.malware-traffic-analysis.net ... index.html

I had a look, gave it a name and posted some info on VirusTotal (https://www.virustotal.com/en/file/ba47 ... /analysis/).
If somebody already gave it a name or you know the real name, please let me know.
Attached you can find the dumps and also the decrypted strings (with RVAs where the string is created in the code of the according module).

CirhashBot (uses "^#" (circumflex hash) as newline escape sequence in crypto strings)

Consists of:
  • complex.dll: main component. Possible tasks seem to be "LINK" (download and execute) and "FILE" (execute from provided buffer). DLLs seem to be executed in memory, EXE files will be dropped to disk and started via CreateProcess
  • stealer_component.dll: Steals email/FTP/WebDrive accounts
  • detects_component.dll: Checks for analysis system and some AV products
CnCs:
hxxp://grentromz.com/blog.php
hxxp://truemoondez.com/img.php

RC4-key for POST data and response: "j76TRADHOj7yg54ihkbGQ1"

Base64-string replacements for POST data and response: "+" -> "-", "/" -> "_", "=" -> "."
Attachments
pw: infected
(212.26 KiB) Downloaded 107 times
 #29933  by tildedennis
 Tue Feb 07, 2017 6:29 pm
etpro is calling this "snatch loader", but it looks very similar to h1n1 loader based on:

http://blogs.cisco.com/security/h1n1-te ... ies-part-2
https://www.arbornetworks.com/blog/aser ... g_h1n1.pdf

the c2s from your post were down for me, but https://www.virustotal.com/en/file/a24d ... /analysis/ looks to be the same and is live. no name on the panel login page:
Code: Select all
hxxp://185.70.184.85/admin.php
 #30947  by tildedennis
 Wed Oct 25, 2017 6:14 pm
this thing has resurfaced: https://twitter.com/dvk01uk/status/898431354873851904. my notes are up at https://www.arbornetworks.com/blog/aser ... -reloaded/, samples attached.

edit: oops, those zip command line options are tricky...added non-empty .zip
Attachments
(1.02 MiB) Downloaded 22 times
Last edited by tildedennis on Wed Oct 25, 2017 7:38 pm, edited 1 time in total.