If some malware samples remain simple…

```
From: [email protected]
To: [redacted]
Subject: New Catalogue #2017
Date: 14 Mar 2017 03:12:51 -0700

Dear,
FYI! Please submit the file to me asap.
Thank you.
Best Regards
Rachel Lo
Ufficio Commerciale
Vimin Box S.r.l.
Via Emanuele T. DAzeglio, 2
12030 Lagnasco - CUNEO - ITALY
Tel. +39 0175 282082-3
Fax +39 0175282059
P. Iva 02281230041
```
There was a file attached to this email: a RAR archive Catalogue Request.rar (MD5: 9556abef02749c65eba8acf80c83598a). The archive contained a PE file Catalogue Request.exe (MD5: 913858642d0f28cef3736519d6a50ea6). When the file was submitted to VT for the first time, it got a nice score of 8/58! When executed, the malicious PE dropped three artefacts on the victim's computer, among them a VBS script that runs 8ylb.dll through rundll32:

```vbscript
Set a9arfG4Fhjq = CreateObject("Shell.Application"):a9arfG4Fhjq.ShellExecute "rundll32","8ylb.dll ab1ksnp"
```
During the execution, another VBS file is created in C:\9arfG4Fhjq9arfG4Fhjq (MD5: b82a33bd326050d4587eda1855a41223) and a RunOnce key is created to execute it at the next reboot. However, the process crashed in my sandbox and the malware installation was not successful.
The file x looked suspicious. It is a rogue BMP file.
Thanks to …

```
$ hexdump -C x.bmp|head -20
00000000  42 4d 66 b5 16 00 00 00  00 00 36 00 00 00 28 00  |BMf.......6...(.|
00000010  00 00 72 03 00 00 32 02  00 00 01 00 18 00 00 00  |..r...2.........|
00000020  00 00 30 b5 16 00 c4 0e  00 00 c4 0e 00 00 00 00  |..0.............|
00000030  00 00 00 00 00 00 ff ff  ff ff ff ff ff ff ff ff  |................|
00000040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000120  ff 6d 65 67 61 70 65 73  74 72 63 2c 35 71 52 23  |.megapestrc,5qR#|
00000130  51 7f 79 66 21 76 9a 8e  50 23 e9 7f 7d 66 2e 76  |Q.yf!v..P#..}f.v|
00000140  65 71 10 23 4b 7f 7d 66  2e 76 65 71 50 23 51 7f  |eq.#K.}f.veqP#Q.|
00000150  7d 66 2e 76 65 71 50 23  51 7f 7d 66 2e 76 65 71  |}f.veqP#Q.}f.veq|
00000160  50 23 51 7f 7d 66 2e 77  65 71 ea 33 51 71 62 d2  |P#Q.}f.weq.3Qqb.|
00000170  27 bb 44 c9 51 6f 9c 5e  ed f6 7a 1e 0c 02 70 53  |'.D.Qo.^..z...pS|
```

The raw bytes from offset 0x120 onwards, where the same 10-byte sequence keeps repeating:

```
ff 6d 65 67 61 70 65 73 74 72 63 2c 35 71 52 23
51 7f 79 66 21 76 9a 8e 50 23 e9 7f 7d 66 2e 76
65 71 10 23 4b 7f 7d 66 2e 76 65 71 50 23 51 7f
7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71
50 23 51 7f 7d 66 2e 77 65 71 ea 33 51 71 62 d2
27 bb 44 c9 51 6f 9c 5e ed f6 7a 1e 0c 02 70 53
23 10 1a 14 4f 1b 45 1c 25 50 25 5f 1f 03 0e 04
10 1f 70 56 3f 1b 18 14 0e 21 0c 1f 63 11 5c 75
59 51 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71
50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23
51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76
```
The file is XORed with the following key: 0x2e 0x76 0x65 0x71 0x50 0x23 0x51 0x7f 0x7d 0x66. Once decoded, we have a PE file packed with UPX (MD5: a9bc758fe544e229884eb3e0df483677). The final decoded file is a classic Fareit trojan (MD5: …) reporting to the following URL:

```
hxxp://23.249.166.175/star/gate.php
```
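As an added example (not the diary's own code), here is a small Python carver for this kind of rogue BMP: it reads the pixel-data offset from the BMP header, skips the 0xff filler, recovers a repeating XOR key by assuming the hidden PE is mostly null bytes (a null XORed with the key yields the key itself, which is exactly the repeating pattern seen in the dump), decodes the blob and checks for the MZ/UPX markers. The BMP it works on is constructed inline with the key from the diary; the payload layout and the 10-byte key length are assumptions.

```python
import struct
from collections import Counter

# Key recovered in the diary above (10 bytes, repeating).
KEY = bytes([0x2E, 0x76, 0x65, 0x71, 0x50, 0x23, 0x51, 0x7F, 0x7D, 0x66])


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample() -> bytes:
    """Constructed stand-in for the rogue 'x' file: a minimal 24-bit BMP header,
    a run of 0xff filler, then a fake PE-like blob (MZ header, 'UPX0' section
    name, mostly null bytes) XOR-encrypted with KEY. Not the real malware."""
    payload = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 200
               + b"UPX0" + b"\x00" * 100)
    pixels = b"\xff" * 230 + xor_repeating(payload, KEY)
    width, height = 882, 562  # dimensions from the dump (0x372 x 0x232)
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 3780, 3780, 0, 0)
    return file_hdr + dib_hdr + pixels


def recover_key(bmp: bytes, key_len: int = 10) -> tuple[int, bytes]:
    """Find the encrypted blob after the BMP header and 0xff filler, then recover
    a repeating XOR key of key_len bytes. Assumption: the plaintext is a PE with
    many null bytes, so the most frequent ciphertext byte at each key position
    is the key byte itself (k ^ 0x00 == k). Returns (blob offset, key)."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    start = struct.unpack_from("<I", bmp, 10)[0]  # pixel data offset (0x36 here)
    while start < len(bmp) and bmp[start] == 0xFF:  # skip the 0xff filler
        start += 1
    blob = bmp[start:]
    key = bytes(Counter(blob[i::key_len]).most_common(1)[0][0]
                for i in range(key_len))
    return start, key


def carve_payload(bmp: bytes) -> tuple[bytes, bytes]:
    start, key = recover_key(bmp)
    return key, xor_repeating(bmp[start:], key)


def looks_like_upx_pe(data: bytes) -> bool:
    return data[:2] == b"MZ" and b"UPX" in data


if __name__ == "__main__":
    key, plain = carve_payload(build_sample())
    print("key:", key.hex(), "UPX-packed PE:", looks_like_upx_pe(plain))
```

Because the key is recovered relative to the chosen start offset, being off by a byte when locating the blob only rotates the recovered key and the decoded bytes stay correct.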

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.