A forum for reverse engineering, OS internals and malware analysis 

 #13896  by cjbi
 Mon Jun 11, 2012 3:12 pm
Korean targeted banker from China

String(s)
HDSetup.exe wrote:
CretClient.exe
cmd /c echo %s http://www.kbstar.com kbstar.com obank.kbstar.com banking.nonghyup.com http://www.wooribank.com wooribank.com pib.wooribank.com bank.keb.co.kr http://www.keb.co.kr > C:\\WINDOWS\\system32\\drivers\\etc\\hosts
error
RunPach
SoftWare\\HDSoft
RegQueryValueEx
RegOpenKeyEx failue
\\drivers\\etc\\hosts
DisableSecuritySettingsCheck
Software\\Policies\\Microsoft\\Internet Explorer\\Security
S-1-5-21-1085031214-651377827-1417001333-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\{19178698-7CBB-437F-8DC4-656B041FF525}Machine\\Software\\Policies\\Microsoft\\Internet Explorer\\Security
RegSetValueEx
RegOpenKeyEx failue1
1201
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
RegDeleteKey
RegOpenKeyEx failue3
HDSoft
Software
127.0.0.1 localhost\r\n
HDExpress.exe
start
SERVER
Error
%s\\CONFIG.INI
open
cmd /c del C:\\WINDOWS\\system32\\drivers\\etc\\hosts
@ echo off\r\ndel %%1\r\ndel %%0
CretClient.exe wrote:
SignCert.der
SignPri.key
%s%sSignPri.key
%s%sCaPubs
%d.CaPubs
%d.Pwd
%d.der
%d.key
*.der)|*.der
\\*.*
USER
.der
C:\\NPKI\\yessign\\user
C:\\Program Files\\NPKI\\yessign\\user
C:\\Users\\
C:\\Program Files\\NPKI\\yessign\\user\\local
\\Application Data\\NPKI\\yessign\\user
C:\\Program Files\\NPKI\\KISA\\user
%c:\\
\\\\.\\%c:
%s\\CONFIG.INI
c:\\windows\\config.ini
Error
SERVER
start
e:\\Code\\ok_code\\CretClient\\release\\CretClient.pdb
VirusTotal result(s)

Install_LiveManagerPlayer.exe (Dropper): VT 8/40 https://www.virustotal.com/file/91d8e75 ... 339426531/
HDSetup.exe: VT 10/42 https://www.virustotal.com/file/337ee64 ... 339426788/
CretClient.exe: VT 6/41 https://www.virustotal.com/file/0f7ba59 ... 339426815/
Attachments
pass: malware
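The HDSetup.exe string `cmd /c echo %s http://www.kbstar.com ... > C:\WINDOWS\system32\drivers\etc\hosts` overwrites the Windows hosts file so that the listed bank hostnames resolve to an attacker-chosen address (the `%s` argument, which is not on the page). A quick host-based check for that artifact, written as an added example and not taken from the post or the sample: parse a hosts file and flag any of those bank names that point anywhere other than loopback. The sample hosts content and the `192.0.2.10` address are constructed placeholders for the `%s` value.

```python
"""Flag hosts-file pharming entries of the kind HDSetup.exe writes.

Added example, not code from the forum post or the malware. The bank
hostnames come from the HDSetup.exe string dump; the address 192.0.2.10
in the constructed sample stands in for the unknown %s argument.
"""
import ipaddress
import re

# Hostnames exactly as they appear in the HDSetup.exe echo command.
TARGET_HOSTS = {
    "www.kbstar.com", "kbstar.com", "obank.kbstar.com",
    "banking.nonghyup.com",
    "www.wooribank.com", "wooribank.com", "pib.wooribank.com",
    "bank.keb.co.kr", "www.keb.co.kr",
}

# Constructed sample of what the echo redirection would leave behind.
# The real sample's address is unknown; 192.0.2.10 is a documentation range.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1 localhost\n"
    "192.0.2.10 http://www.kbstar.com kbstar.com obank.kbstar.com "
    "banking.nonghyup.com http://www.wooribank.com wooribank.com "
    "pib.wooribank.com bank.keb.co.kr http://www.keb.co.kr\n"
)

_SCHEME = re.compile(r"^https?://", re.IGNORECASE)


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped. The sample writes some names
    with a literal "http://" prefix (see the string dump); the scheme is
    stripped so those entries still match the target list.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            yield address, _SCHEME.sub("", name).lower()


def is_loopback(address):
    """True for 127.0.0.0/8 or ::1; False for anything else, including junk."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def find_pharming(text, targets=TARGET_HOSTS):
    """Return sorted (address, hostname) pairs where a target bank hostname
    is mapped to a non-loopback address. An empty list means no hit."""
    hits = set()
    for address, name in parse_hosts(text):
        if name in targets and not is_loopback(address):
            hits.add((address, name))
    return sorted(hits)


if __name__ == "__main__":
    # To check a live machine, read C:\Windows\System32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS.
    for address, name in find_pharming(SAMPLE_HOSTS):
        print(f"pharming entry: {name} -> {address}")
```

Mapping a bank name to 127.0.0.1 is deliberately not flagged, since that is a blocking entry rather than a redirect; on a real machine, any hit from this check should be followed by looking for the `SoftWare\HDSoft` registry key and the IE zone changes also visible in the string dump.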