[cjbi]

Korean targeted banker from China

String(s)

CretClient.exe
cmd /c echo %s http://www.kbstar.com kbstar.com obank.kbstar.com banking.nonghyup.com http://www.wooribank.com wooribank.com pib.wooribank.com bank.keb.co.kr http://www.keb.co.kr > C:\\WINDOWS\\system32\\drivers\\etc\\hosts
error
RunPach
SoftWare\\HDSoft
RegQueryValueEx
RegOpenKeyEx failue
\\drivers\\etc\\hosts
DisableSecuritySettingsCheck
Software\\Policies\\Microsoft\\Internet Explorer\\Security
S-1-5-21-1085031214-651377827-1417001333-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\{19178698-7CBB-437F-8DC4-656B041FF525}Machine\\Software\\Policies\\Microsoft\\Internet Explorer\\Security
RegSetValueEx
RegOpenKeyEx failue1
1201
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
RegDeleteKey
RegOpenKeyEx failue3
HDSoft
Software
127.0.0.1 localhost\r\n
HDExpress.exe
start
SERVER
Error
%s\\CONFIG.INI
open
cmd /c del C:\\WINDOWS\\system32\\drivers\\etc\\hosts
@ echo off\r\ndel %%1\r\ndel %%0

SignCert.der
SignPri.key
%s%sSignPri.key
%s%sCaPubs
%d.CaPubs
%d.Pwd
%d.der
%d.key
*.der)|*.der
\\*.*
USER
.der
C:\\NPKI\\yessign\\user
C:\\Program Files\\NPKI\\yessign\\user
C:\\Users\\
C:\\Program Files\\NPKI\\yessign\\user\\local
\\Application Data\\NPKI\\yessign\\user
C:\\Program Files\\NPKI\\KISA\\user
%c:\\
\\\\.\\%c:
%s\\CONFIG.INI
c:\\windows\\config.ini
Error
SERVER
start
e:\\Code\\ok_code\\CretClient\\release\\CretClient.pdb

VirusTotal result(s)

Install_LiveManagerPlayer.exe(Dropper): VT 8/40 https://www.virustotal.com/file/91d8e75 ... 339426531/
HDSetup.exe: VT 10/42 https://www.virustotal.com/file/337ee64 ... 339426788/
CretClient.exe: VT 6/41 https://www.virustotal.com/file/0f7ba59 ... 339426815/

[cjbi]

Very interesting Korean targeted banker from China.
Binaries attached.
No analysis available yet.

Strings:

Strings image
KRBanker_20130523_Strings.gif (7.42 KiB) Viewed 779 times

VirusTotal result(s):
a5c2...edf.jpg 7/46 https://www.virustotal.com/en/file/72fa ... /analysis/

[cjbi]

Analysis by AhnLab.
Cybercrimes against the Korean online banking systems

[360Tencent]

hello, Can you upload the file in PDF? Thanks

[cjbi]

Here you are.

[cjbi]

Recent sample (a5c2...edf.jpg) analysis by Symantec
South Korean Financial Companies Targeted by Castov