A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#26094 by Xylitol
Wed Jun 17, 2015 11:39 am
Attachments: infected (261.85 KiB), infected (4.82 MiB)
#26258 by sysopfb
Thu Jul 09, 2015 3:24 pm
Here's the loader; it has some very frequently updated anti-analysis lists of running processes and file access times. The shellcode layers it runs at the end, after injection, harvest quite a lot of data.

Domains from the loader
http://www.cnn.com
http://hostthenpost.org/uploads/1d5a7815c356eef6c0cfa945d32df29c.png
http://vmx13321.hosting24.com.au/report_N_0030_
http://vmx13321.hosting24.com.au/report_N_0030_
www.google.com

The first check it does is to see if MpStartProcess exists in kernel32


After that it checks the output from a call to SystemFunction036

Checks the access time from a FindFirstFileA call in C:\Windows\

Checks the access time from a FindFirstFileA call for C:\pagefile.sys

Checks for the following running processes
SWIS.exe
tPEiD.exe
ipfs.exe
Lamer.exe
Aegis.exe
prince.exe
WinSAT.exe
rpcapd.exe
METSVC.EXE
windbg.exe
RMMSvc.exe
AFMain.exe
tmfehcs.exe
dumpcap.exe
HRSword.exe
Georgie.exe
Regshot.exe
Fibbler.exe
pr0c3xp.exe
Georgie.exe
InCtrl5.exe
ghmon32.exe
dumpcap.exe
HttpLog.exe
HttpLog.exe
Tcpview.exe
Procmon.exe
Teprocexp.exe
Fiddler.exe
sysutilw.exe
win_dump.exe
HipsTray.exe
savedump.exe
wireshark.exe
winexesvc.exe
Winalysis.exe
MaxMerger.exe
wireshark.exe
sniff_hit.exe
BDKVBHSvc.exe
GoatCasper.exe
anti-virus.EXE
MiniUAhost.exe
syscntr.exe.exe
sysAnalyzer.exe
BKMSEmulator.exe
sunshineApp.exe
FortiTracer.exe
InstallRite.exe
XzRaptorClient.exe
PProcessHacker.exe
METSVC-SERVER.EXE
aswVBoxClient.exe
ProcessHacker.exe
StartupMonitor.exe
IAgentSimulator.exe
E91AssistV3Proxy.exe
TorGuardService.exe
GPython-Portable.exe
MinervaListener.exe
ImmunityDebugger.exe
MimicButtonClick.exe
hiClicker-release.exe
ByteCodeGenerator.exe
FileWatcherService.exe
ReplicationControl.exe
SandboxieDcomLaunch.exe

Also checks for any process with Olly in the name

Looks for Software\Wine key in registry

Then gathers some data up and writes it to a temp file: the MD5 hash of itself on disk, the name of itself on disk, and the converted return from PSAPI.GetProcessImageFileNameW on its process parental hierarchy.

Checks if Shell_TrayWnd exists with FindWindowA and GetWindowThreadProcessId
Then it injects into explorer using CreateRemoteThread

The injected code then begins going through its checklist and sending a lot of status updates to the domains from earlier.

Status updates:
ForceRemove
watch2_err_1
image_size_not_ok
image_type_not_ok
image_not_ok
gdiplus_ok
gdiplus_not_ok
image_type_ok
image_size_ok
payload_not_ok
payload_mem_not_ok
payload_executed
payload_mem_ok
payload_type_shell
payload_type_exe
payload_file_delete_ok
payload_file_wait_ok
payload_file_run_ok
payload_file_write_ok
payload_file_name_ok
payload_type_exe_wait_del
payload_type_bad
payload_size_ok
payload_ok
mark_not_setted
mark_setted
executed_ok
except_detail_
already_active
mark_already
started_ext_
already_ok

Eventually it downloads the PNG file, which contains data that it RC4-decrypts (with a 16-byte key from near the top of the domains in memory) and then CRC-checks. The first four bytes of the decrypted data are the offset at which to find the checksum, but I've also seen the checksum passed as the first 4 bytes. This decrypted data has the Gatak payload along with its C2 list near the top.
Attachments: pw: infected (460.21 KiB)
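The decryption step sysopfb describes at the end of the post, as an added example for analysts working through a recovered blob; this is not code from the post, from the loader, or from any Gatak tooling. It starts from the bytes already pulled out of the PNG (the post does not say how they are embedded, so that step is left out) and models the two layouts the post mentions: the first four bytes either give the offset of the checksum or are the checksum itself. Everything not stated in the post is an assumption and is marked as such in the code: CRC32 as the checksum algorithm, little-endian fields, a checksum that covers every decrypted byte except the 4-byte header and the 4-byte checksum field, and a constructed 16-byte key and payload standing in for the real ones. `wrap()` exists only to build test blobs in both layouts so `unwrap()` can be exercised offline.

```python
from __future__ import annotations

import struct
import zlib

# Constructed 16-byte key; the real one is recovered from the loader's
# memory near the domain strings, as the post says.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Decryption is the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap(blob: bytes, key: bytes) -> tuple[str, bytes]:
    """Decrypt `blob` and verify its CRC.

    Returns (layout, payload). layout is "inline" when the first four
    bytes are the checksum itself, "offset" when they are the offset of
    the 4-byte checksum field. Raises ValueError when neither verifies.
    Assumption (not from the post): CRC32 over every decrypted byte except
    the 4-byte header and the 4-byte checksum field, both little-endian.
    """
    plain = rc4(key, blob)
    if len(plain) < 8:
        raise ValueError("decrypted data too short to hold header and checksum")
    first = struct.unpack_from("<I", plain, 0)[0]

    # Variant the post mentions: checksum passed directly as the first 4 bytes.
    if zlib.crc32(plain[4:]) == first:
        return "inline", plain[4:]

    # Usual layout: first 4 bytes are the offset of the checksum field.
    if 4 <= first <= len(plain) - 4:
        stored = struct.unpack_from("<I", plain, first)[0]
        body = plain[4:first] + plain[first + 4:]  # splice the field out
        if zlib.crc32(body) == stored:
            return "offset", body

    raise ValueError("CRC mismatch: wrong key, damaged blob, or unknown layout")


def wrap(payload: bytes, key: bytes, layout: str = "offset") -> bytes:
    """Build a blob in either layout; used only to make test data for unwrap()."""
    crc = zlib.crc32(payload)
    if layout == "inline":
        plain = struct.pack("<I", crc) + payload
    elif layout == "offset":
        # Place the checksum field after the payload and point the header at it.
        plain = struct.pack("<I", 4 + len(payload)) + payload + struct.pack("<I", crc)
    else:
        raise ValueError(f"unknown layout {layout!r}")
    return rc4(key, plain)


# Constructed stand-in for the decrypted data: a C2 list near the top, as
# the post describes, followed by filler standing in for the payload body.
DEMO_PAYLOAD = b"c2.example.invalid\x00backup.example.invalid\x00" + b"\x90" * 64


if __name__ == "__main__":
    for layout in ("offset", "inline"):
        blob = wrap(DEMO_PAYLOAD, DEMO_KEY, layout)
        found, data = unwrap(blob, DEMO_KEY)
        first_c2 = data.split(b"\x00")[0].decode()
        print(f"built as {layout:<7} -> detected {found:<7} first C2: {first_c2}")
```

On a real blob, call `unwrap(extracted_bytes, recovered_key)`; a `ValueError` means the key, the checksum algorithm, or the coverage assumption is wrong, and the next thing to try is a different CRC polynomial or coverage rather than a different key, since a bad key would normally also produce garbage where the C2 list should be.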