rkhunter wrote:Another Ursnif dropper with x32/x64 payload.wrong password!
SHA1: 7bf57ccfde72a77d568e135c35ec7f41b68a0470
MD5: 79696dbcecbbaa9eda18e05805635fa5
Decrypted dropper with x32/x64 dlls in attach.
Dll registered via HKLM\System\CurrentControlSet\Session Manager\AppCertDlls
epic detection
dropper 16 / 42 https://www.virustotal.com/file/4f48554 ... /analysis/
decrypted 12 / 42 https://www.virustotal.com/file/3e4c5c9 ... /analysis/
x32 dll 5/42 https://www.virustotal.com/file/4df4099 ... 342278900/
x64 dll 1 / 42 https://www.virustotal.com/file/3f2bfd2 ... 342278955/
A forum for reverse engineering, OS internals and malware analysis
I have a terrible headache with the trojan payload provided by exploit kit,
the infected download url is here:
(↑just checked, still up..may God curse the lazy tax money eater involved to a frog for not shut this ASAP..)
Just in case overall sample is here with all exploit data.
And the binary is attached in this message.
Virus Total report is here
I saw this sample from 0 detection ratio until now becoming 15 or more.
Most of the infection work I figured it well, like I wrote here
But there's no networking happens.. yet I have a strong hunch this is a PWS for sure,
Honestly, I am not so sure to state this as Cridex since none of the Cridex I know work like this, but, since I can't find other threat for PWS kindly forgive me to post this case here for a start.
After restarting the explorer the binary itself always quit and never came to be resident in memory in my test case, PS: the log of the file process & registry process is here
I mean what's the real purpose of this infection?
Any help to solve this mistery will be highly appreciated, and thank you in advance.
the infected download url is here:
(↑just checked, still up..may God curse the lazy tax money eater involved to a frog for not shut this ASAP..)
Just in case overall sample is here with all exploit data.
And the binary is attached in this message.
Virus Total report is here
I saw this sample from 0 detection ratio until now becoming 15 or more.
Most of the infection work I figured it well, like I wrote here
But there's no networking happens.. yet I have a strong hunch this is a PWS for sure,
Honestly, I am not so sure to state this as Cridex since none of the Cridex I know work like this, but, since I can't find other threat for PWS kindly forgive me to post this case here for a start.
After restarting the explorer the binary itself always quit and never came to be resident in memory in my test case, PS: the log of the file process & registry process is here
I mean what's the real purpose of this infection?
Any help to solve this mistery will be highly appreciated, and thank you in advance.
Attachments
Filename dune.exe in 7z pwd=infected
(158.17 KiB) Downloaded 87 times
(158.17 KiB) Downloaded 87 times
This is Ursnif variant. Take decrypted payload dll. Posts moved.
Attachments
pass: malware
(45.35 KiB) Downloaded 90 times
(45.35 KiB) Downloaded 90 times
Ring0 - the source of inspiration
Thank you so much.
EP_X0FF wrote:This is Ursnif variant. Take decrypted payload dll. Posts moved.out of curiosity, how do you know it ursnif?
kmd wrote:1. The same set and combination of hooked API (CreateProcess/CreateProcessAsUser/TranslateMessage etc)EP_X0FF wrote:This is Ursnif variant. Take decrypted payload dll. Posts moved.out of curiosity, how do you know it ursnif?
2. Same dll structure, including set of used constants, e.g "NEWGRAB SCREENSHOT PROCESS HIDDEN". The same AppCertDll compatible "client.dll", exporting required function CreateProcessNotify, see http://www.kernelmode.info/forum/viewto ... 552#p16552, however this feature seems unused by this dropper.
Ring0 - the source of inspiration
In attach a collection of files detected as TrojanSpy.Win32Ursnif.gen!M by Microsoft.
https://www.virustotal.com/en/file/6e07 ... 366566437/
https://www.virustotal.com/en/file/0e61 ... 366566442/ (can be found here)
https://www.virustotal.com/en/file/4bfe ... 366566444/
https://www.virustotal.com/en/file/4ec5 ... 366566447/
https://www.virustotal.com/en/file/5fb5 ... 366566450/
https://www.virustotal.com/en/file/6698 ... 366566462/
https://www.virustotal.com/en/file/4909 ... 366566464/
https://www.virustotal.com/en/file/2313 ... 366566468/
https://www.virustotal.com/en/file/a781 ... 366566471/
https://www.virustotal.com/en/file/16eb ... 366566475/
https://www.virustotal.com/en/file/d4ec ... 366566492/
https://www.virustotal.com/en/file/ba7d ... 366566496/
https://www.virustotal.com/en/file/bebd ... 366566498/
https://www.virustotal.com/en/file/c20c ... 366566501/
https://www.virustotal.com/en/file/cb04 ... 366566506/
https://www.virustotal.com/en/file/ea2d ... 366566513/
https://www.virustotal.com/en/file/d8a9 ... 366566518/
https://www.virustotal.com/en/file/d8d0 ... 366566522/
https://www.virustotal.com/en/file/e7bc ... 366566525/
https://www.virustotal.com/en/file/6e07 ... 366566437/
https://www.virustotal.com/en/file/0e61 ... 366566442/ (can be found here)
https://www.virustotal.com/en/file/4bfe ... 366566444/
https://www.virustotal.com/en/file/4ec5 ... 366566447/
https://www.virustotal.com/en/file/5fb5 ... 366566450/
https://www.virustotal.com/en/file/6698 ... 366566462/
https://www.virustotal.com/en/file/4909 ... 366566464/
https://www.virustotal.com/en/file/2313 ... 366566468/
https://www.virustotal.com/en/file/a781 ... 366566471/
https://www.virustotal.com/en/file/16eb ... 366566475/
https://www.virustotal.com/en/file/d4ec ... 366566492/
https://www.virustotal.com/en/file/ba7d ... 366566496/
https://www.virustotal.com/en/file/bebd ... 366566498/
https://www.virustotal.com/en/file/c20c ... 366566501/
https://www.virustotal.com/en/file/cb04 ... 366566506/
https://www.virustotal.com/en/file/ea2d ... 366566513/
https://www.virustotal.com/en/file/d8a9 ... 366566518/
https://www.virustotal.com/en/file/d8d0 ... 366566522/
https://www.virustotal.com/en/file/e7bc ... 366566525/
Attachments
infected
(3.06 MiB) Downloaded 122 times
(3.06 MiB) Downloaded 122 times
I coded a little tool to extract dlls (x64 + x86) from unpacked ursnif samples.
I advise you to read the readme before using it, it's a bit demanding about the dumps.
I included the source code (masm) as well.
I advise you to read the readme before using it, it's a bit demanding about the dumps.
I included the source code (masm) as well.
Attachments
(55.96 KiB) Downloaded 86 times
In attach a Papras I found on a BH EK this morning.
In the archive : dropper + unpacked, x86 dll + unpacked, x64 dll
Config :
00BEB438 ; Client initialization file for ISFB 2.2....; Default C&C hosts
00BEB478 ..Hosts = illnessofthesociety.ru ilvariantodelsalko.ru ilcambogi
00BEB4B8 acyprustax.ru....; RC6-key used for obfuscating server requests.
00BEB4F8 .ServerKey = 0123456789ABCDEF....; Time interval to check new co
00BEB538 nfig (seconds)..ConfigTimeout = 900....; Time interval to check
00BEB578 new task (seconds)..TaskTimeout = 130....; Current group index..
00BEB5B8 Group = 2003....; Time interval to send BC request (seconds)..Bc
00BEB5F8 Timeout = 30....
In the archive : dropper + unpacked, x86 dll + unpacked, x64 dll
Config :
00BEB438 ; Client initialization file for ISFB 2.2....; Default C&C hosts
00BEB478 ..Hosts = illnessofthesociety.ru ilvariantodelsalko.ru ilcambogi
00BEB4B8 acyprustax.ru....; RC6-key used for obfuscating server requests.
00BEB4F8 .ServerKey = 0123456789ABCDEF....; Time interval to check new co
00BEB538 nfig (seconds)..ConfigTimeout = 900....; Time interval to check
00BEB578 new task (seconds)..TaskTimeout = 130....; Current group index..
00BEB5B8 Group = 2003....; Time interval to send BC request (seconds)..Bc
00BEB5F8 Timeout = 30....
I modified my previous tool to create a new one able to extract and uncompress the config file of the bot from the unpacked dlls.
Like for the first one, you should read the readme before using it ; and the source code is included.
Like for the first one, you should read the readme before using it ; and the source code is included.