Banking trojan that targets Korean banks; it changes the hosts file to the following.
It drops another unknown exe (emedhtml.exe) file; it doesn't run it but reads from it and decrypts the content.
I can't detect what the decrypted content is, but I assume it is some kind of certification.
mk.exe VT 28/45 https://www.virustotal.com/en/file/9304 ... /analysis/
dropped exe (emedhtml.exe) VT 0/47 https://www.virustotal.com/en/file/0c89 ... /analysis/
.bat file VT 5/47 https://www.virustotal.com/en/file/ed62 ... 368787379/
Attached: packed and unpacked sample as well as the dropped files + memory dump of the decrypted buffer.
Code:
change the hosts file using a BATCH file.
127.0.0.1 lOcalhOSt
125.194.227.6 BaNKiNG.NONGhYUp.cOM
125.194.227.6 WWW.BaNKiNG.NOnGhyUp.cOM
125.194.227.6 NoNGhYup.cOM
125.194.227.6 ibz.nonghyup.com
125.194.227.6 WWW.NoNghyUp.cOM
125.194.227.6 WOOriBANK.coM
125.194.227.6 WWW.WOoRiBAnK.cOM
125.194.227.6 piB.WOOriBaNk.cOM
125.194.227.6 sPD.WoORiBaNK.cOM
125.194.227.6 U.WOORiBanK.cOM
125.194.227.6 pot.wooribank.com
125.194.227.6 WOOriBANK.coM
125.194.227.6 OBaNK.KBStaR.cOM
125.194.227.6 WWW.KBStaR.cOM
125.194.227.6 KBStaR.cOM
125.194.227.6 ObiZ.KbStaR.cOm
125.194.227.6 WWW.ShiNhaN.coM
125.194.227.6 BaNKiNg.SHiNHAN.cOM
125.194.227.6 bIZBanK.ShinhaN.cOm
125.194.227.6 easy.Shinhan.CoM
125.194.227.6 OpEn.Shinhan.CoM
125.194.227.6 WWW.KeB.CO.Kr
125.194.227.6 baNK.KEb.cO.kR
125.194.227.6 fx.KeB.CO.Kr
125.194.227.6 WWW.StaNdarDChartErED.cO.KR
125.194.227.6 Www.IbK.co.kR
125.194.227.6 MyBanK.ibK.CO.Kr
125.194.227.6 KIUP.ibK.CO.kR
125.194.227.6 open.ibK.CO.kR
125.194.227.6 haNABank.cOM
125.194.227.6 WwW.hanaBANk.coM
125.194.227.6 corp.hanaBANk.coM
125.194.227.6 www.keb.co.kr
125.194.227.6 bank.keb.co.kr
125.194.227.6 fx.keb.co.kr
125.194.227.6 ebank.keb.co.kr
125.194.227.6 online.keb.co.kr
Attachments
pass: infected
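The hosts entries above are worth a closer look from the detection side: every bank hostname is written in mixed case, which defeats a naive case-sensitive string match, and dozens of unrelated domains all resolve to one non-loopback address, which is the classic pharming signature. The following hosts-file auditor is an added example written for this post, not code from the sample or from the original poster; it normalises hostnames to lower case (DNS names are case-insensitive, so the obfuscation is cosmetic), flags any watched bank domain pinned to a non-loopback IP, and separately flags any single address that collects three or more hostnames. The sample hosts content is constructed from a few of the entries quoted above plus two benign lines for contrast; the suffix list and the threshold of three are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a hosts file as the batch file described in the post
# would leave it (bank entries taken from the post, mixed case preserved),
# plus two benign entries added for contrast.
SAMPLE_HOSTS = """\
127.0.0.1 lOcalhOSt
125.194.227.6 BaNKiNG.NONGhYUp.cOM
125.194.227.6 WWW.BaNKiNG.NOnGhyUp.cOM
125.194.227.6 WOOriBANK.coM
125.194.227.6 OBaNK.KBStaR.cOM
125.194.227.6 www.keb.co.kr
::1 localhost
192.168.1.10 fileserver.corp.local   # benign, constructed
"""

# Bank domains named in the post; assumed watch-list for this example.
KOREAN_BANK_SUFFIXES = [
    "nonghyup.com", "wooribank.com", "kbstar.com", "shinhan.com",
    "keb.co.kr", "standardchartered.co.kr", "ibk.co.kr", "hanabank.com",
]

# Names that legitimately live in every hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed threshold: this many hostnames on one non-loopback IP is suspicious.
PHARMING_THRESHOLD = 3


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs with hostnames lower-cased.

    Comments and blank lines are skipped; a line whose first token is not
    a valid IP is ignored rather than raising, so a malformed file still
    gets audited.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower()


def audit_hosts(text, watch_suffixes=KOREAN_BANK_SUFFIXES):
    """Return a list of (hostname, ip, reason) findings for a hosts file."""
    findings = []
    names_by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        names_by_ip[ip].add(name)
        # Loopback mappings are normal and never a redirect to an attacker host.
        if ip.is_loopback or name in LOOPBACK_NAMES:
            continue
        if any(name == s or name.endswith("." + s) for s in watch_suffixes):
            findings.append((name, str(ip), "watched domain pinned in hosts"))
    # Many distinct hostnames collapsing onto one address is the pharming pattern,
    # regardless of whether those hostnames are on the watch-list.
    for ip, names in names_by_ip.items():
        if not ip.is_loopback and len(names) >= PHARMING_THRESHOLD:
            findings.append(("*", str(ip), f"{len(names)} hostnames map to one address"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:16} {host:32} {reason}")
```

On a live system the same function can be pointed at C:\Windows\System32\drivers\etc\hosts (or /etc/hosts); pairing it with a baseline hash of the file, or a file-integrity alert on that path, catches the batch file's write before the user's next online-banking session.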