A forum for reverse engineering, OS internals and malware analysis 

NgrBot (aka Win32/Dorkbot.gen!A)

Forum for analysis and discussion about malware.

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #23975  by unixfreaxjp
 Tue Sep 23, 2014 6:59 am
One sample, from Malekal. compiled by AutoIt then "packed" using Rar-SFX
VT: https://www.virustotal.com/en/file/360f ... 411399665/
SFX extract the AutoIt3 runtime file camouflaged as BAT: "FKMQT.bat" to exec AutoIt obfs script file: "DKGXE-ESB" with data below, to start the Dorkbot activities.
Code: Select all
If String('True') <> @MIN  Then
$uZ299Q9kD4910=@SystemDir
$p81BR01pyCWg=@ComSpec
$1w3MZy916P82Nz=@AppDataCommonDir
$03Qx9fn1t7Q8=@AutoItExe
Else
Sleep(1)
$152178Qs799BKA2mj=@MIN
$uH3LHO418fQ=@ScriptFullPath
$dR8qDU490zrCqL79ysD=@AutoItVersion
$7H71L39zTe3r706PgPH=@SEC
EndIf

While 'BOnDm419s7' = 'uz9O6cms4Ue34'
$5Q1C5ctx3vx14=@SEC
$q05k3xD1qWLs7Wg5=@WindowsDir
$jKxXO3h5q425H97eD81=@ScriptDir
$7Y92067EJ1=@DesktopCommonDir
$pVFNmz97zD8FqW8Pl2=@AppDataDir
$Y0K1eKWV9h1=@DesktopDir
$b3d3dgAn43vVM1iT3=@AppDataDir
$IC0e47q5SRg=@AutoItExe
Wend

While '7fI1t7vn3i18w' = '3598G23P6M'
$0V612g4HMv5f61q=@WindowsDir
$QZd0f7gLP0XO0h710c7=@ComSpec
$K1Mtbs8381=@SEC
$62Qg8tR5vr09ai=@FavoritesDir
$Q391WN8jY7H7w5=@AppDataDir
$052z8HT4B2Qha8CX6U=@HOUR
$1IBuIK57O4t14bJ6B86=@DesktopDir
$38NB374v4E=@HOUR
Wend

While '5208463l0BZ' = 'V3xqv5Q1X5z8'
$1E81oq86M4m276371qN0=@FavoritesDir
$QzMN1P90r9O96o5B=@AutoItExe
$Llob43WhsdM683l9=@HOUR
$4UF28O8bSHc1k8us=@AutoItVersion
$A8qgcQ41I184CS9J48C9=@FavoritesDir
$p0zlBq3c9d3dg806804=@ScriptDir
$4D5gcB13i8U=@AppDataDir
$756l4542kD0=@AppDataDir
Wend

If String('True') <> @AppDataCommonDir  Then
$42S890P553=@WindowsDir
$9CPk8953Jk331=@WindowsDir
$34YUfpei2O=@ScriptDir
$n19X67g4He86QmskH=@SEC
Else
Sleep(1)
$ap35ov4Q0yc7W970=@AppDataCommonDir
$911JS32894=@MIN
$26739s4a0I7Q2Ib=@HOUR
$1m5706L0ba20h=@DesktopDir
EndIf

For  $z75123e2270=230 To 6072 
$930E01lrge9417f0O=@ScriptDir
$ETJon1A2y9f39zp=@ScriptFullPath
$m0n5070982042f=@MON
$690rg7d2M6D78d3m7s=@FavoritesDir
Next

$3v9G1R447566f3ZH6LFU67f41Qnc30v4n5W33Xj1 = "00nV40B3ju370j75a97x4WAw1fR4252NxtfBq0K19fHsP039C6h69zTdb013053C3"
$9w01p23O8609PS91D0Nk58692443qquaXeiW914Q8A16 = "xM8s39b2s076Ww8g7167g2C7"
$18PKt725QuW8QQUMM8NmP4i4027S2ay63pCt = "c6Q2MA450Y2CP3x0593367K6424lWl1I8fp9z276sO68rZ83vgXHSvn6N929FU5J3j66z3r8g8ao"
$Z3w3R153oun0HRd5153o0U70WDw3CG5qFj666 = "9UZq5ul0eH504U7sg77B19YI880C3"
$Z90596b573ns7I56jRJ0YI401761XchK05nJ44c108d05 = "u731F6Q73OpB68a8ZDt6j2Ai6T3K6s5Dk43h21vP950vE9Z7J74c0tiWbcm71d"
$F5u86VaIp1L2516LCJX5961L2R2P95MtDk35 = "30m8R314122p4059c5UTK31w6AYa149"
$nrsz46i1I6py0XS3563lO8Pgat686f = "fhX930ln6Nz73YR3PV7rpsSn35E6D8MlDWpH642ohKx71Isnl4c60h7rm7025jE"
$2hL83y0pf9c68sY0TXX24CM3980O5nv86jc701U12yqwZ739f2 = "M0bjD2c3T4Laan24o85j3G4w813Q7c3KZ9808OXjy4x67TXv"
$17JHF1V02Tz8yb9Lds59 = "70865xVm5U5AF4Y5iz1yE5ndE4ayT888siNNO7BBn0BeJE05591G3C8q9M1Zw0ga062w8cyvXR0zMb19yz88455AhDE2K1t5z08D3"
$980PP8j81T5jo9j22v5M3SJ = "F8hH533Tdo03Md31wE0jA01yd"
$lV4Jt0HC4N40d7769x079z2Qf1Q61SV7wz606662WtGs3Zh = "Dt6s6La3e0m3J3c7D2244G8SUf525z60EXvZ2m8t42o0TIRk739nFbSD2G"
$10l66mF2ruBL405P = "D49Rxo303y8062XwS7599qIUPsEjk5397313U9h702087631"
$122r54EqZ682f82zX = "3K5j6y32T48Iqh53Hn9u840K15Z448nRrL61wT50qO668r0X5P2C12Gs62O5Yx8Q1q0v33ATusBfEG54"
$160G4U58a1bRFn03N9X66519A3pE8244E = "y345957rI9C1N582"
$aq8LT6t6j04bbjh05D12T7hKfV5pGy578D978a810239377 = "z8514Ct0K11eop0U1ve7Z190E3Jy36k4p47YVF788du76P5WjX22r1v5Jtx031Sc50ml89mh4sL6lsQCIg0V5j5X092Gbo9bh8Oj7Js"
$82i8qvk9W47TqZ927P0M3q5DDjGRT12X6E4M91114HR84 = "2XYe9J806usu9V26fF7X90W354XS6dE99bb7"
$1V2g15NhX0w80J2e8 = "73T9587q72uMxid8Hu0M0jX1Mab807KF7y92T9776227q35S3ppdW41SLJ5fGie00t95da21047uy0JK90X15"
$id3Wd425Suq01B88O1I6r4V29HOb4H90306B = "d16aEfAs7F6ku"
$80Nk83M8KWOvB4d2vXD4mRIVvUzcpin10B0HyVn5E7FTg = "17R137b28YI660DV4RP2M8n9S49NkFAC10gpjiMHFL72pHB6wHO25960v45y56tfZWL8uhGV7i5W2SWP4CX5u0lkiz8eI596O6Z6W"
$f4782M6990497470awNv93U808o57E675648 = "9f93RZ8Y0zs62Er61i4Xm080G1He1zK9"
$46it77WPCQ5x120965653L1zl50NL9Y1ofMU3SX26u = "D123831t302hz5bo7u8P4D5VIQ256X95Z3Jn698vh42q75t36E8GE63b399630yp35c25azGcRty8W5Khc57OFg988"
$5369zZy267B6cvF6r5t0mu1ZSJ = "20m84bEl6T"
$P9ShRnqG42vFw2 = "h53Id68Q599F81OvpX8f7054v7a1dUVy663M7y2uNE86G064oJU84kH3c645V5b91z093Q4NEb9fW0308P9hA1XAO4K"
$CY7r6u16B56XjR71N307I2368rJD7jY02WnVJQU4GRYz7 = "51jA4m8Rni4fS7U1Qr9X53L6kxF1G60n11xJ021"
$v14711qx371k4eh2Y6N4q66T25PH22602 = "lXY91fN38I4P7751Sv2O7s5h27D66507F5rw77j1o2M0Wiey30x7yxfyvw50I0L6qi54Y2ej8by0d7P6tz0Eq436k"
$2YjN898asC32 = "25a4X286Y30q3DE1IB3855R5C"
$07z88ffJhG793O8y7145Ph10HVvg22xY55409s5wQ869A7wn61 = "0z22t6AL786zxG8yP25tZ6s4ME13h8n992Ib7TG6KMeQ4069J54Px8vs1r3z0828z9p9KQl5N2N7Y1uS98n4BXeQ103E0S5U19K9530z"
$Xt7y86I0E1z0Hn5vU29rJ806zv2Av0868z = "o4d495Z7ba7B6K8R2Pf5"
$WF38A7f3H8 = "qinz819I2jxOU663hmX8QN5mk51t2K712j833B54M70Z4i55q1JSE6Zm2hO90m6tg27zM1WB8Z143IJP9R2e389OP95"
$68Na6952908639394 = "w576VwA23BIgBnj36ZO91312n1pki6YY6iz"
#NoTrayIcon
$yFkYbE4KUpJ3b608uy6Hz5W68YEupH31mi8ae8 = "8457v1w51x22WA009FtE40Cvu7gf7shFSrfc15Q620"
;
$UB1RT8F9Tx3n6LCvYZ7Ir01Jgob8 = "AoS58x3M190qjbpB9ufC3Qk6J2SF2v3554F3m50k6OuC"
;
; (REDACTED)
;
$v7k51394sNY8VlBc9Dj1r0327h7xdk25x11 = "5be297T0F5500"
;
$9Pm0D3x77Y = "N88e5EMdUb1We"
;
CNC (Ircd) : 62.75.202.19:7000 (http://www.saudicool.org)
Code: Select all
00000000 85 66 01 00 00 01 00 00 00 00 00 00 03 77 77 77 .f...... .....www
00000010 09 73 61 75 64 69 63 6f 6f 6c 03 6f 72 67 00 00 .saudico ol.org..
00000020 01 00 01
To drops RegSvs: https://www.virustotal.com/en/file/dd52 ... 409001780/
ALIVE CNC Comm as evidence:
Code: Select all
<== :get.lost NOTICE AUTH :*** eh...
==> PASS secret
==> NICK n{GB|VISa}yumsipr
<== USER yumsipr 0 0 :yumsipr
<==:get.lost 001 n{GB|VISa}yumsipr
<==:get.lost 002 n{GB|VISa}yumsipr
<==:get.lost 003 n{GB|VISa}yumsipr
<==:get.lost 004 n{GB|VISa}yumsipr
<==:get.lost 005 n{GB|VISa}yumsipr
<==:get.lost 005 n{GB|VISa}yumsipr
<==:get.lost 005 n{GB|VISa}yumsipr
<==:get.lost 422 n{GB|VISa}yumsipr :MOTD File is missing
<==:n{GB|VISa}yumsipr MODE n{GB|VISa}yumsipr :+iw
==> JOIN #k kx
==> JOIN #k kx
<== :n{GB|VISa}yumsipr!yumsipr@manning2.torservers.net JOIN :#k
Attachments
7z,pwd:infected
(745.87 KiB) Downloaded 89 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #24015  by EP_X0FF
 Tue Sep 30, 2014 6:48 am
Dorkbot extracted from infected machine. Was running well together with updated Kaspersky 6 MP.

Attracted the attention because of the endless loop of ntdll access violation messages when this malware tried enumerate and infect card reader available disks.

https://www.virustotal.com/en/file/3d08 ... /analysis/

MD5 46b13c47e6ce95fc5817156d166d3edf
SHA1 e8273516c85fdd992cc249982419e7acdd538e94
SHA256 3d08244c91d19c003c6264bebd9c5a6f9ef8b2cbe487e8fd87a3ff28cf78094f

For unpacking set break on CreateProcess.
Attachments
pass: infected
(100.12 KiB) Downloaded 77 times
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
 Return to “Malware”