Hi community, as an independent malware researcher I got a submission of a hacked server issue.
During forensics I found a FUD tool (when installed in the system) that restored an admin account when it was deleted.
So here's a quick overview and samples:
The following files are attached:
RDP_ADMIN_RESTORE.exe is a dropper of this malware. It is an SFX archive...
unddisrw.dropped.exe2 - it was dropped to %Windir%\PreInstall\uddisrw.exe (packed by UPX)
uddisrw.unpacked.exe2 - unpacked version of uddisrw.exe
reset_p.bat - was found next to RDP_ADMIN_RESTORE. It forces a UAC window for privilege elevation
It is written in Delphi using VCL.
The SFX writes it to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger
As I understand it, as a debugger so it gets launched with Sticky Keys (sethc is a Windows tool launched with Sticky Keys)
I found this string in the body of the malware:
"CODE:0045401C 0000006B C Bad Password! If you want to buy \"RPD Admin Restore\" write to official developer! E-mail: sllrdp@yahoo.com"
So I see the author is not hiding and sells it into a lot of hands.
So this malware is stupid and noobish in fact, but still FUD. I know there are a lot of antivirus vendors here, so please add it to your databases
Well, that's all from me
The dropper got a small number of detections, but, erhm, the dropped tool is not detected at all by almost all antiviruses
uddisrw.unpacked.exe2 https://virustotal.com/en/file/c0b3382c ... 480173219/
RDP_ADMIN_RESTORE.exe https://virustotal.com/en/file/44b77b8e ... 480173234/
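A defender-side audit for the persistence described in the post, added here as an example and not part of the original post or the analysed tool: it lists every Debugger value under Image File Execution Options, marks the sethc.exe entry the sample abuses, and flags targets that live outside System32 (such as the %Windir%\PreInstall drop location). The function name and the property names in the output are my own.

```powershell
# Added example: audit IFEO "Debugger" hijacks like the sethc.exe one in the post.
# A Debugger value makes Windows start the named program instead of the image,
# so any such value under this key deserves review; sethc.exe is the one the
# sample uses, which is why it is watched by default.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerFindings {
    param([string[]]$WatchedImages = @('sethc.exe'))  # image named in the post

    foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.Debugger) { continue }

        # Take the executable part of the Debugger value (quoted path or first token)
        $target = if ($props.Debugger -match '^"([^"]+)"') { $Matches[1] }
                  else { ($props.Debugger -split '\s+')[0] }
        $expanded = [Environment]::ExpandEnvironmentVariables($target)

        [pscustomobject]@{
            Image        = $key.PSChildName
            Debugger     = $props.Debugger
            Watched      = $WatchedImages -contains $key.PSChildName.ToLower()
            # The sample's payload lives in %Windir%\PreInstall, not System32
            OutsideSys32 = -not ($expanded -like "$env:SystemRoot\System32\*")
            Exists       = Test-Path -LiteralPath $expanded
        }
    }
}

# Watched entries first; anything listed here should be explained or removed.
Get-IfeoDebuggerFindings | Sort-Object Watched -Descending | Format-Table -AutoSize

# Remediation after review, e.g. for the sethc.exe hijack from the post:
# Remove-ItemProperty -Path "$ifeo\sethc.exe" -Name Debugger
```

Run it from an elevated PowerShell prompt, since the key lives under HKLM.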