[EPB]

Hi,
I have find this document in my inbox from one of my customers it's seems to be malware according virustotal scan but i'm not sure
i need expert guys in forum to check it out

[aleksandrgrub]

Hi.I managed to unprotect. I opened the shellcode there. I still understand this a little. I need a professional to see it.

Malware Dropper.7z

(2.74 MiB) Downloaded 17 times

password : infected

[epicness1o1]

Yeah, I'm also a pretty big noob. I attempted to disassemble it. There's a lot of decoding going on, so I RE'd their decoder and came up with this JS implementation:

Code: Select all

function decode(b){
	var o="",
	c=0,
	r=1;
	while(r<16777215){
		r*=45;c++;
	}
	for(var i=1;i<=b.length;i++){
		var X=X*45+b.charCodeAt(i-1)-40;
		if(i%c===0){
			while(X>0){
				v=X%256;
				if(v>0)o=String.fromCharCode(v)+o;
				X=Math.floor(X/256)
			}
			X=0
		}
	}
	return o;
}

I'll go decode as much as I can and get back with results.
Doesn't seem to be the most reliable thing (I'm constantly getting truncated results back), so I may just throw the decompiled function into an online VB tester.

[epicness1o1]

Managed to extract the EXE file. I looked at the VBA, saw a giant string array, shoved it into HxD and saved it, meddled around with Windows Defender, realized it was UPX packed, then unpacked the binary. Threw it into IDA, and low and behold, actually got some stuff!
Here's the binary. Password is infected. I'll see what this does later.

[epicness1o1]

Here's what I can gather from this binary:
- Two IPs 2.5.29.17 and 2.5.29.14
- Compiled with Delphi (I see a TON of references to Delphi in strings)
IDA is also telling me something about "BDS 2005-2007 and Delphi6-7 Visual Component Library" in the comments next to the disassembly.
- Seems to disable proxies, and empties the proxy server in the registry.
- References to the URL "amazo0n.serveftp.com" (I googled serveftp.com and this site is associated with A TON of malware)
Looks like the first reference to this malware that I saw was here: https://twitter.com/HONKONE_K/status/10 ... 2643042305.
Later, it did get replied to (https://twitter.com/VK_Intel/status/1086132317922488320), and it actually drops a PowerShell payload! https://pastebin.com/V3gE4xJc
The payload does this:
- Gets some ID (presumably generated beforehand by the program?)
- gathers time, machine name, username, domain name, OS details, IP, network shares, environment variables, installed applications, and running services
- sends this info off to amazo0n.serveftp.com/users.php?tname=(text file name)&path=Data. The text file name is "T_" then the ID.