A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15574  by rick8295
 Fri Sep 07, 2012 11:01 am
OK, so recently my friend said his Facebook account was hacked....
I went over to his home and found this on his PC...

Now I've been trying to analyse...
:|
but this can't be run in a sandbox...
nor can I use Wireshark to log the connections to trace the attacker...
since in both cases the program terminates... :3

If anyone can analyze this and give me an IP... or tips, that would be great.. :D

http://malwr.com/analysis/0c2236e007857 ... a3fad8597/
Attachments
pass: infected
Last edited by EP_X0FF on Sun Sep 16, 2012 10:40 am, edited 1 time in total. Reason: attach reupload, see below
 #15607  by EP_X0FF
 Sun Sep 16, 2012 10:44 am
You didn't password protect your file. The attachment has been replaced. This file seems damaged and not working either, due to the crypter. However, the following pattern inside
kernel32.dll CreateProcessA ntdll.dll NtUnmapViewOfSection WriteProcessMemory GetThreadContext ReadProcessMemory SetThreadContext ResumeThread VirtualAllocEx VirtualAlloc VirtualFree
is a classic set of functions used in injector-based cryptors. As I said, this malware crashes in the process of decryption. Someone else can try again :)
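As an added example (not code from the thread or from any of its posters), here is a small PE import-table walker that reports which injector steps a file's imports cover, together with a constructed minimal PE32 to run it against offline. The grouping of the quoted names into steps and the "unmap, write, context, resume" core are assumptions of this example, not something the post states.

```python
import struct
HOLLOWING_APIS = {  # names quoted in the post; grouping them by injector step is this example's assumption
    "spawn": {"CreateProcessA", "CreateProcessW"}, "unmap": {"NtUnmapViewOfSection"},
    "allocate": {"VirtualAllocEx"}, "write": {"WriteProcessMemory"},
    "context": {"GetThreadContext", "SetThreadContext"}, "resume": {"ResumeThread"}}

def _rva_to_off(rva, sections):  # sections are (vsize, va, rsize, raw) tuples; None if the RVA is unmapped
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw

_cstr = lambda data, off: data[off:data.index(b"\0", off)].decode("ascii", "replace")  # NUL-terminated string

def imported_names(data):
    """By-name imports of a PE32/PE32+ file (ordinal imports skipped); empty set if it is not parseable."""
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)                  # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0": raise ValueError("not a PE file")
        nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
        opt, magic = pe + 24, struct.unpack_from("<H", data, pe + 24)[0]  # optional header; 0x10B = PE32, 0x20B = PE32+
        imp_rva, = struct.unpack_from("<I", data, opt + (0x60 if magic == 0x10B else 0x70) + 8)  # DataDirectory[1]
        sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
        fmt, step = ("<Q", 8) if magic == 0x20B else ("<I", 4)      # thunk width
        names, off = set(), _rva_to_off(imp_rva, sections)
        while off is not None and struct.unpack_from("<I", data, off + 12)[0]:  # Name == 0 ends the table
            oft, ft = struct.unpack_from("<I12xI", data, off)       # IMAGE_IMPORT_DESCRIPTOR
            toff = _rva_to_off(oft or ft, sections)
            while (thunk := struct.unpack_from(fmt, data, toff)[0]) != 0:
                if not thunk >> (step * 8 - 1):                      # high bit set = import by ordinal
                    names.add(_cstr(data, _rva_to_off(thunk, sections) + 2))  # +2 skips the hint
                toff += step
            off += 20
        return names
    except (struct.error, TypeError, ValueError, IndexError):
        return set()

def injector_roles(names):  # unmap, write, context and resume all present is the hollowing core
    return {role for role, apis in HOLLOWING_APIS.items() if apis & names}

def build_sample_pe(dll, names):  # constructed test input: minimal PE32 importing `names` from `dll`
    va, raw, thunks_rva = 0x1000, 0x200, 0x1000 + 40                # section RVA/offset; thunks after 2 descriptors
    dll_rva, thunks, strings = thunks_rva + 4 * (len(names) + 1), b"", dll.encode() + b"\0"
    for n in names:
        thunks += struct.pack("<I", dll_rva + len(strings))
        strings += b"\0\0" + n.encode() + b"\0"                     # IMAGE_IMPORT_BY_NAME: hint + name
    sec = struct.pack("<IIIII", thunks_rva, 0, 0, dll_rva, thunks_rva) + bytes(20) + thunks + bytes(4) + strings
    hdr = struct.pack("<2s58xI4sHH12xHHH", b"MZ", 0x40, b"PE\0\0", 0x14C, 1, 0xE0, 0x102, 0x10B)  # DOS/PE/file hdr
    hdr += bytes(0x5E) + struct.pack("<IIII", 0, 0, va, len(sec)) + bytes(0x70)  # DataDirectory[1] = import table
    hdr += b".idata\0\0" + struct.pack("<IIII16x", len(sec), va, len(sec), raw)  # the one section header
    return hdr.ljust(raw, b"\0") + sec
```

On a real sample, `injector_roles(imported_names(open(path, "rb").read()))` returning all four core steps is the static signal the post describes; a crypter that resolves these names at runtime instead of importing them will show nothing here, so treat an empty result as inconclusive.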
 #15612  by nullptr
 Sun Sep 16, 2012 2:25 pm
It looks like an alpha version of a crypter used for some Zbot variants. Most were unexecutable due to bugs in the crypter,
but I did find a few that actually worked. I'll check through my archives for working samples.