A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29429  by sysopfb
 Sun Oct 16, 2016 6:16 pm
This matches both of these reports for Fleercivet:

https://www.microsoft.com/security/port ... eercivet.A
https://www.symantec.com/security_respo ... asid=28085

Was downloaded from a TrickBot infection via:
207.244.97[.]80/?aff_id=1193&auth=2d0fbffe203e050bcc15bd2ebb74f90a&r=9207860&t=1

The onboard config is decrypted from the RCDATA section via:
key = CryptDeriveKey(sha256sum("86gun98u7tyuFGFYdft87gyT!F986GYTdf5"),CALG_AES_256)
AES_Decrypt(data,key)

Or just patch the binary and export the key in this case.

60EC89F5DA254EAEF216D791F218EBF7CCFFE8AEA5C8864FB0FB11F4095EEA12
Code:
[cnf_inf]
ip_inf=198.37.112.248
ip_inf2=127.0.0.1
[cnf_cb]
timecb=3600
ipcb1=198.37.112.248
ipcb2=198.37.112.248
ipcb3=198.37.112.248
[cnf_up]
timeup=650
dnup1=http://8aa51d334c7f8aa5.pw/image/main.ico
dnup2=http://a22a51d334c7f8aa51.pw/image/main.ico
dnup3=http://bb2a51d334c7f8aa51.pw/image/main.ico
[exc]
dne1=http://c7f8aa51d334.pw/image/tools1.ico
dne2=http://f86ec7f8aa51dfa.pw/image/tools1.ico
dne3=http://ff2a51d334c7f8aa51.pw/image/tools1.ico
Another resource section had the following:
Code:
cl_url1=http://earchtopresults.com/search.php?aff=8320
cl_url2=http://searchtopresults.com/search.php?aff=8320
cl_url3=http://searchtopresults.com/search.php?aff=8320
cl_url4=http://searchtopresults.com/search.php?aff=8320
cl_url5=http://searchtopresults.com/search.php?aff=8320
cl_url6=http://searchtopresults.com/search.php?aff=8320
cl_url7=http://searchtopresults.com/search.php?aff=8320
time_site1=45
time_site2=45
time_site3=45
time_site4=35
time_site5=35
remove_cki=1
time_fr=10
time_kill=5000
socks=0
srv_up_socks=127.0.0.1
feno_clk=1
feno_url=http://searchtopresults.com/search.php?aff=8320
up_plug=1
Attachments
pw: infected
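The post gives the key derivation as pseudocode (CryptDeriveKey over a SHA-256 hash of the passphrase, CALG_AES_256) and then pastes the decrypted INI configs. Below is an added example, written for this page and not code from the post or the sample, that reproduces CryptDeriveKey in Python and parses the pasted configs into a list of network indicators a defender can block or hunt for. It goes beyond the post in one respect: besides the SHA-2 case, crypt_derive_key() also implements CryptoAPI's documented 0x36/0x5C expansion for MD5/SHA-1 base hashes, so it covers variants that use a shorter hash. Assumptions: CryptoAPI's defaults for a CryptDeriveKey AES key (CBC mode, all-zero IV, PKCS#5 padding), which the post does not state; the third-party "cryptography" package for the actual AES step; the "main" section name used for the header-less second config; and all function names, which are mine. The embedded config text is copied (abridged) from the post.

```python
import configparser
import hashlib
import re

# Passphrase quoted in the post for this Fleercivet sample's RCDATA config.
PASSPHRASE = "86gun98u7tyuFGFYdft87gyT!F986GYTdf5"
SHA2_FAMILY = {"sha224", "sha256", "sha384", "sha512"}


def crypt_derive_key(passphrase: bytes, hash_name: str = "sha256", key_len: int = 32) -> bytes:
    """Reimplementation of CryptoAPI CryptDeriveKey() for a symmetric key.

    CryptoAPI hashes the passphrase first. For a SHA-2 base hash the key is the
    first key_len bytes of that digest, so sha256 + CALG_AES_256 is exactly the
    SHA-256 digest. For MD5/SHA-1 the digest is expanded with the documented
    0x36/0x5C pad-and-rehash construction before truncation.
    """
    digest = hashlib.new(hash_name, passphrase).digest()
    if hash_name in SHA2_FAMILY:
        return digest[:key_len]
    ipad, opad = bytearray(b"\x36" * 64), bytearray(b"\x5c" * 64)
    for i, b in enumerate(digest):
        ipad[i] ^= b
        opad[i] ^= b
    expanded = (hashlib.new(hash_name, bytes(ipad)).digest()
                + hashlib.new(hash_name, bytes(opad)).digest())
    return expanded[:key_len]


def pkcs5_strip(padded: bytes, block: int = 16):
    """Return the unpadded plaintext, or None when the padding is malformed
    (the usual symptom of a wrong key, mode or IV)."""
    if not padded or len(padded) % block:
        return None
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        return None
    return padded[:-n]


def aes_decrypt_resource(ciphertext: bytes, key: bytes) -> bytes:
    """Decrypt an RCDATA blob. Assumption: CryptoAPI AES keys from
    CryptDeriveKey default to CBC with a zero IV and PKCS#5 padding."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(b"\x00" * 16)).decryptor()
    plain = pkcs5_strip(dec.update(ciphertext) + dec.finalize())
    if plain is None:
        raise ValueError("bad PKCS#5 padding: wrong key, mode or IV")
    return plain


def parse_config(text: str, default_section: str = "main") -> dict:
    """Parse the INI-style config. The second resource in the post has no
    [section] header, which configparser rejects, so one is prepended."""
    if not text.lstrip().startswith("["):
        text = f"[{default_section}]\n" + text
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST = re.compile(r"https?://([^/\s:?]+)")


def extract_iocs(cfg: dict) -> dict:
    """Collect C2 IPs and download/click hosts from every config value."""
    ips, hosts = set(), set()
    for section in cfg.values():
        for value in section.values():
            for m in URL_HOST.finditer(value):
                host = m.group(1).lower()
                (ips if IPV4.fullmatch(host) else hosts).add(host)
            ips.update(IPV4.findall(value))
    # Loopback is a placeholder in the config, not something to block.
    ips = {ip for ip in ips if not ip.startswith("127.")}
    return {"ips": sorted(ips), "hosts": sorted(hosts)}


# Abridged copy of the first decrypted resource shown in the post.
CONFIG_A = """\
[cnf_inf]
ip_inf=198.37.112.248
ip_inf2=127.0.0.1
[cnf_cb]
timecb=3600
ipcb1=198.37.112.248
[cnf_up]
timeup=650
dnup1=http://8aa51d334c7f8aa5.pw/image/main.ico
dnup2=http://a22a51d334c7f8aa51.pw/image/main.ico
dnup3=http://bb2a51d334c7f8aa51.pw/image/main.ico
[exc]
dne1=http://c7f8aa51d334.pw/image/tools1.ico
dne2=http://f86ec7f8aa51dfa.pw/image/tools1.ico
dne3=http://ff2a51d334c7f8aa51.pw/image/tools1.ico
"""

# Abridged copy of the second resource: no section header at all.
CONFIG_B = """\
cl_url1=http://earchtopresults.com/search.php?aff=8320
cl_url2=http://searchtopresults.com/search.php?aff=8320
time_site1=45
time_kill=5000
socks=0
srv_up_socks=127.0.0.1
feno_url=http://searchtopresults.com/search.php?aff=8320
"""

if __name__ == "__main__":
    print("AES-256 key:", crypt_derive_key(PASSPHRASE.encode()).hex())
    for cfg in (parse_config(CONFIG_A), parse_config(CONFIG_B)):
        print(extract_iocs(cfg))
```

To use it on a real sample, feed the raw RCDATA bytes to aes_decrypt_resource() with the key from crypt_derive_key(); a padding error there almost always means the mode or IV assumption is wrong for that build rather than the passphrase. The typo'd cl_url1 host ("earchtopresults.com") is deliberately kept as a separate indicator, since the operator may register it later.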