A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32474  by EPB
 Thu Jan 17, 2019 10:55 pm
Hi,
I have find this document in my inbox from one of my customers it's seems to be malware according virustotal scan but i'm not sure
i need expert guys in forum to check it out
Attachments
password : infected
(2.2 MiB) Downloaded 43 times
 #32619  by epicness1o1
 Sun Feb 24, 2019 3:36 am
Yeah, I'm also a pretty big noob. I attempted to disassemble it. There's a lot of decoding going on, so I RE'd their decoder and came up with this JS implementation:
Code: Select all
function decode(b){
	var o="",
	c=0,
	r=1;
	while(r<16777215){
		r*=45;c++;
	}
	for(var i=1;i<=b.length;i++){
		var X=X*45+b.charCodeAt(i-1)-40;
		if(i%c===0){
			while(X>0){
				v=X%256;
				if(v>0)o=String.fromCharCode(v)+o;
				X=Math.floor(X/256)
			}
			X=0
		}
	}
	return o;
}
I'll go decode as much as I can and get back with results.
Doesn't seem to be the most reliable thing (I'm constantly getting truncated results back), so I may just throw the decompiled function into an online VB tester.
 #32620  by epicness1o1
 Sun Feb 24, 2019 4:22 am
Managed to extract the EXE file. I looked at the VBA, saw a giant string array, shoved it into HxD and saved it, meddled around with Windows Defender, realized it was UPX packed, then unpacked the binary. Threw it into IDA, and low and behold, actually got some stuff!
Here's the binary. Password is infected. I'll see what this does later.
Attachments
(418.37 KiB) Downloaded 14 times
 #32621  by epicness1o1
 Sun Feb 24, 2019 4:42 am
Here's what I can gather from this binary:
- Two IPs 2.5.29.17 and 2.5.29.14
- Compiled with Delphi (I see a TON of references to Delphi in strings)
IDA is also telling me something about "BDS 2005-2007 and Delphi6-7 Visual Component Library" in the comments next to the disassembly.
- Seems to disable proxies, and empties the proxy server in the registry.
- References to the URL "amazo0n.serveftp.com" (I googled serveftp.com and this site is associated with A TON of malware)
Looks like the first reference to this malware that I saw was here: https://twitter.com/HONKONE_K/status/10 ... 2643042305.
Later, it did get replied to (https://twitter.com/VK_Intel/status/1086132317922488320), and it actually drops a PowerShell payload! https://pastebin.com/V3gE4xJc
The payload does this:
- Gets some ID (presumably generated beforehand by the program?)
- gathers time, machine name, username, domain name, OS details, IP, network shares, environment variables, installed applications, and running services
- sends this info off to amazo0n.serveftp.com/users.php?tname=(text file name)&path=Data. The text file name is "T_" then the ID.