[sugar]

hi, im looking for

* MD5: f1f48360f95e1b43e9fba0fec5a2afb8
* SHA1: 70ceb467db7b0161d22e4545479f747417b9705a
* SHA-256: 2bc5ce39dd9afe2157448d3f6d8cb9c549ed39543d159616e38480b9e6c11c49

http://circl.lu/pub/tr-12/
http://circl.lu/files/tr-12/tr-12-circl ... sis-v1.pdf

[r2nwcnydc]

Here you go

[Dmitry Varshavsky]

Found today.

mw2.png (36.03 KiB) Viewed 730 times

mw3.png (48.51 KiB) Viewed 730 times

Drops legitimate McAfee binary to C:\ProgramData\MC\, also creates 2 files - mcutil.dll and mcutil.dll.url.

mw1.png (8.77 KiB) Viewed 730 times

First one - simple proxy, written in MSVC ( non-packed, non-crypted ) which loads second file on DLL_PROCESS_ATTACH and transfer an execution to it. Second file - raw crypted binary file ( not PE, at least loader ). Didn't bother myself with decryption, but seems to be pretty easy to unpack.
Creates remote threads in svchost.exe and msiexec.exe ( no dll mappings )

Does anyone know about this ?

UPD: Did the unpack. Russian keylogger with debug output :D Unpacked image scan here

[t4L]

This technique was used in a Chinese APT backdoor (NVIDIA bin iirc).

[ardeeology]

this is common to plugx variants, dll hijacking..by the way, what is the sha1 of the main dropper?

[cjbi]

It's PlugX malware.

Analysis: http://www.kernelmode.info/forum/viewto ... =16&t=2664
Old sample: http://www.kernelmode.info/forum/viewto ... =21&t=2638

[Dmitry Varshavsky]

Here is actual droppers ( pretty much the same )