Saw this downloader show up as a payload to Chanitor/Hancitor which is used to download IcedID/BokBot banking trojan.
Has some code share with the banking trojan as they share the same manner of string encryption.
Attached is the hancitor download - 4 the decoded and decompressed object 4.decoded and the unpacked 4_unpack1~Rip.exe
All addresses this point forward are in reference to the unpacked binary in IDA mapped at 0x400000 base
Decoded strings:
https://twitter.com/maciekkotowicz/stat ... 2990735361
Some of the other strings are used in what appears to be two UAC bypass functions when comparing with EP_X0FFs stuff on github
0x401D89 - CMSTPLUA COM UAC bypass compared to https://gist.github.com/hfiref0x/196af7 ... 28b5a5d68d
0x40154F - Looks like Tyranid from https://github.com/hfiref0x/UACME/blob/ ... /tyranid.c
Also of note looks like trying to add exe to a file extension exclusion list in Windows Defender at 0x40134B
String decode -> 0x40233E
RC4 -> 401A1D
Has some code share with the banking trojan as they share the same manner of string encryption.
Attached is the hancitor download - 4 the decoded and decompressed object 4.decoded and the unpacked 4_unpack1~Rip.exe
All addresses this point forward are in reference to the unpacked binary in IDA mapped at 0x400000 base
Decoded strings:
Code: Select all
So the bot pulls a fake gzip file from the encoded URL agaratas.com/docs/new?id=bc%0.8X and mak posted a quick one liner on twitter for decoding it:0x40126eL
explorer.exe
0x4013bbL
root\Microsoft\Windows\Defender
0x401404L
MSFT_MpPreference
0x4014aaL
ExclusionExtension
0x401503L
MSFT_MpPreference
0x40157eL
wusa.exe
0x401ab1L
\%0.8X.exe
0x401afcL
http://agaratas.com/docs/new?id=bc%0.8X
0x401bf6L
Elevation:Administrator!new:
0x401c96L
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
0x401cc0L
Exclusions_Extensions
0x401ccfL
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
0x401cffL
DisableRealtimeMonitoring
0x401d0eL
SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
0x401d45L
DisableAntiSpyware
0x401d54L
SOFTWARE\Policies\Microsoft\Windows Defender
0x401da9L
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
0x401dceL
{6EDD6D74-C007-4E75-B76A-E5740995E24C}
0x401df0L
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
0x401e94L
e%016I64X
0x401feaL
ws2_32.dll
0x402049L
lc%0.8X%0.2X%0.2X%0.8X.agaratas.com
0x4020ecL
WinDefend
https://twitter.com/maciekkotowicz/stat ... 2990735361
Some of the other strings are used in what appears to be two UAC bypass functions when comparing with EP_X0FFs stuff on github
0x401D89 - CMSTPLUA COM UAC bypass compared to https://gist.github.com/hfiref0x/196af7 ... 28b5a5d68d
0x40154F - Looks like Tyranid from https://github.com/hfiref0x/UACME/blob/ ... /tyranid.c
Also of note looks like trying to add exe to a file extension exclusion list in Windows Defender at 0x40134B
String decode -> 0x40233E
RC4 -> 401A1D
Attachments
pw: infected
(456.07 KiB) Downloaded 38 times
(456.07 KiB) Downloaded 38 times