Brad from Malware-Traffic-Analysis found some new malware in a traffic dump from RIG EK: http://www.malware-traffic-analysis.net ... index.html
I had a look, gave it a name and posted some info on VirusTotal (https://www.virustotal.com/en/file/ba47 ... /analysis/).
If somebody already gave it a name or you know the real name, please let me know.
Attached you can find the dumps and also the decrypted strings (with RVAs where the string is created in the code of the according module).
CirhashBot (uses "^#" (circumflex hash) as newline escape sequence in crypto strings)
Consists of:
hxxp://grentromz.com/blog.php
hxxp://truemoondez.com/img.php
RC4-key for POST data and response: "j76TRADHOj7yg54ihkbGQ1"
Base64-string replacements for POST data and response: "+" -> "-", "/" -> "_", "=" -> "."
I had a look, gave it a name and posted some info on VirusTotal (https://www.virustotal.com/en/file/ba47 ... /analysis/).
If somebody already gave it a name or you know the real name, please let me know.
Attached you can find the dumps and also the decrypted strings (with RVAs where the string is created in the code of the according module).
CirhashBot (uses "^#" (circumflex hash) as newline escape sequence in crypto strings)
Consists of:
- complex.dll: main component. Possible tasks seem to be "LINK" (download and execute) and "FILE" (execute from provided buffer). DLLs seem to be executed in memory, EXE files will be dropped to disk and started via CreateProcess
- stealer_component.dll: Steals email/FTP/WebDrive accounts
- detects_component.dll: Checks for analysis system and some AV products
hxxp://grentromz.com/blog.php
hxxp://truemoondez.com/img.php
RC4-key for POST data and response: "j76TRADHOj7yg54ihkbGQ1"
Base64-string replacements for POST data and response: "+" -> "-", "/" -> "_", "=" -> "."
Attachments
pw: infected
(212.26 KiB) Downloaded 106 times
(212.26 KiB) Downloaded 106 times
