If some malware samples remain simple, this one is not. It was delivered by the following e-mail:
From: admintmseals@telkomsa.net
To: [redacted]
Subject: New Catalogue #2017
Date: 14 Mar 2017 03:12:51 -0700
Dear,
FYI!
Please submit the file to me asap.
Thank you.
Best Regards
Rachel Lo
Ufficio Commerciale
Vimin Box S.r.l.
Via Emanuele T. D'Azeglio, 2
12030 Lagnasco - CUNEO - ITALY
Tel. +39 0175 282082-3 Fax +39 0175282059
P. Iva 02281230041
There was a file attached to this email: a RAR archive, Catalogue Request.rar (MD5: 9556abef02749c65eba8acf80c83598a). The archive contained a PE file, Catalogue Request.exe (MD5: 913858642d0f28cef3736519d6a50ea6). When the file was submitted to VT for the first time, it got a nice score of 8/58! When executed, the malicious PE dropped three artefacts on the victim's computer, among them a VBS one-liner that loads the dropped DLL through rundll32 (quotes restored, they were lost in the copy of the script):
Set a9arfG4Fhjq = CreateObject("Shell.Application"):a9arfG4Fhjq.ShellExecute "rundll32","8ylb.dll ab1ksnp"
During the execution, another VBS file is created in C:\9arfG4Fhjq9arfG4Fhjq (MD5:b82a33bd326050d4587eda1855a41223) and a RunOnce key is created to execute it at next reboot. However, the process crashed in my sandbox and the malware installation was not successful.
The file x looked suspicious: it is a rogue BMP file. The 54-byte header is well formed (882x562 pixels, 24 bits per pixel, uncompressed, pixel data at offset 0x36), but about 230 bytes into the pixel data, right after a run of 0xff (white pixel) bytes, the picture stops and a payload begins. A hexdump shows it:
$ hexdump -C x.bmp|head -20
00000000 42 4d 66 b5 16 00 00 00 00 00 36 00 00 00 28 00 |BMf.......6...(.|
00000010 00 00 72 03 00 00 32 02 00 00 01 00 18 00 00 00 |..r...2.........|
00000020 00 00 30 b5 16 00 c4 0e 00 00 c4 0e 00 00 00 00 |..0.............|
00000030 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff |................|
00000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000120 ff 6d 65 67 61 70 65 73 74 72 63 2c 35 71 52 23 |.megapestrc,5qR#|
00000130 51 7f 79 66 21 76 9a 8e 50 23 e9 7f 7d 66 2e 76 |Q.yf!v..P#..}f.v|
00000140 65 71 10 23 4b 7f 7d 66 2e 76 65 71 50 23 51 7f |eq.#K.}f.veqP#Q.|
00000150 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 |}f.veqP#Q.}f.veq|
00000160 50 23 51 7f 7d 66 2e 77 65 71 ea 33 51 71 62 d2 |P#Q.}f.weq.3Qqb.|
00000170 27 bb 44 c9 51 6f 9c 5e ed f6 7a 1e 0c 02 70 53 |'.D.Qo.^..z...pS|
Listing the bytes from offset 0x120 onwards, ten bytes at a time, a 10-byte pattern repeats:
ff 6d 65 67 61 70 65 73 74 72
63 2c 35 71 52 23 51 7f 79 66
21 76 9a 8e 50 23 e9 7f 7d 66
2e 76 65 71 10 23 4b 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 77 65 71 ea 33 51 71 62 d2
27 bb 44 c9 51 6f 9c 5e ed f6
7a 1e 0c 02 70 53 23 10 1a 14
4f 1b 45 1c 25 50 25 5f 1f 03
0e 04 10 1f 70 56 3f 1b 18 14
0e 21 0c 1f 63 11 5c 75 59 51
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76
The payload is XORed with the following 10-byte key: 0x2e 0x76 0x65 0x71 0x50 0x23 0x51 0x7f 0x7d 0x66. The key is easy to spot because XOR leaks it wherever the plaintext is a null byte, and a PE file is full of them (DOS header padding, section slack): those are the repeated 10-byte runs in the listing above. Note that the nine bytes "megapestr" just before the payload are not encoded; the key starts at offset 0x12a, where 63 2c 35 decodes to "MZP", the DOS header signature of the embedded executable. Once decoded, we have a PE file packed with UPX (MD5: a9bc758fe544e229884eb3e0df483677). The final unpacked file is a classic Fareit (aka Pony) credential stealer, which reports to the following C2 URL (gate.php is the usual Pony panel gateway where stolen credentials are posted):
hxxp://23.249.166.175/star/gate.php
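As an added example (not the diary's own tooling), the following Python script performs the carving described above: it parses the BMP header, recovers the 10-byte XOR key by looking for the chunk that repeats where the hidden PE contains null bytes, decodes the pixel data and carves from the MZ header whose e_lfanew points at a valid "PE\0\0" signature. The BMP it builds is a constructed test input, not the real x file; only the "megapestr" marker and the key are taken from the dump above.

```python
import struct
from collections import Counter

# XOR key the diary recovered from the repeating pattern in the pixel data.
DIARY_KEY = bytes([0x2e, 0x76, 0x65, 0x71, 0x50, 0x23, 0x51, 0x7f, 0x7d, 0x66])


def parse_bmp_header(data):
    """Decode the 14-byte BITMAPFILEHEADER and the start of BITMAPINFOHEADER."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    file_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)
    width, height, planes, bpp = struct.unpack_from("<iiHH", data, 18)
    return {"file_size": file_size, "pixel_offset": pixel_offset,
            "width": width, "height": abs(height), "bpp": bpp}


def xor_bytes(blob, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_xor_key(blob, key_len=10, min_repeats=4):
    """A zero plaintext byte XOR k gives k, so wherever the hidden PE has runs
    of null bytes the key appears verbatim, exactly like '2e 76 65 71 50 23 51
    7f 7d 66' repeats in the dump.  Count key_len-byte chunks at every
    alignment and keep the most frequent one, ignoring single-byte runs such
    as the 0xff white pixels (they repeat too but cannot be the key)."""
    blob = bytes(blob)
    best = (None, 0, 0)                                   # (chunk, count, phase)
    for phase in range(key_len):
        chunks = Counter(
            blob[i:i + key_len]
            for i in range(phase, len(blob) - key_len + 1, key_len)
            if len(set(blob[i:i + key_len])) > 1)
        if chunks:
            chunk, count = chunks.most_common(1)[0]
            if count > best[1]:
                best = (chunk, count, phase)
    chunk, count, phase = best
    if count < min_repeats:
        return None
    # Rotate the chunk so the key is expressed relative to offset 0 of blob.
    return bytes(chunk[(i - phase) % key_len] for i in range(key_len))


def carve_pe(bmp, key_len=10):
    """Decode the pixel area and return the hidden PE, or None if not found."""
    hdr = parse_bmp_header(bmp)
    pixels = bytes(bmp[hdr["pixel_offset"]:])
    key = recover_xor_key(pixels, key_len)
    if key is None:
        return None
    decoded = xor_bytes(pixels, key)
    pos = decoded.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(decoded):
            e_lfanew = struct.unpack_from("<I", decoded, pos + 0x3C)[0]
            # A genuine DOS stub points e_lfanew at the PE signature; a chance
            # "MZ" in decoded noise will not.
            if decoded[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return decoded[pos:]
        pos = decoded.find(b"MZ", pos + 1)
    return None


def build_sample_bmp(key=DIARY_KEY):
    """Constructed test input (not the real 'x'): white pixels, the 'megapestr'
    marker seen in the dump, then a minimal MZ/PE stub XOR'd with key."""
    stub = b"MZP\x00" + b"\x00" * 0x38 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    stub += b"PE\x00\x00" + b"\x00" * 200                           # zero slack leaks the key
    pixels = b"\xff" * 20 + b"megapestr" + xor_bytes(stub, key)
    width = len(pixels) // 3                                         # 24 bpp, a single row
    info = struct.pack("<IiiHHIIiiII", 40, width, 1, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    head = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    return head + info + pixels


if __name__ == "__main__":
    pe = carve_pe(build_sample_bmp())
    print("carved %d bytes, starts with %r" % (len(pe), pe[:4]))
```

On the real sample the carved output would still be the UPX-packed stage (the diary's MD5 a9bc758fe544e229884eb3e0df483677), so the next step is `upx -d` or a manual unpack; the script deliberately stops at the first clean MZ/PE pair and does not try to guess the key length, which must be passed in when it is not ten bytes.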
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key