[pwnslinger]

Hi,
using VB6 packing method, execute shellcode which is packed by MoleBox or sth like that (PUSHAD, CALL).
but i dunno why i just got into this loop. enumerates through all procedure names...
hint me plz

sample also attached below:

As with most of malware crypters used for ZBot it "decryption" based on moment when RunPE executed. Set break on CreateProcess and dump memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos in attach. Posts moved.

Thanks EP. ;)

after dumping second stage (explorer.exe) (change EP with PUSH/RET) using EBFE method for attaching using ollydbg.
i dunno why when i wanna set toggle bp on code, olly can't and run (memry regions are RWC!)
then i used f4 (run till selection) and hw bp.
but when call SYSENTER... i can't take control back to myself.

me & @antelox analyzed it again and we got call fs[0xc0] related to wow64 (32 bit code running on x64) so this malware can be under controlled on win 7 x64
but in windows xp x86 debugger can't take back control after stepping this function. this is not an anti-debug trick also.
also ssdt index for ntSetValueKey change in windows 7 and you can got it using windbg
you can see differences in this two picture.

[cr33k]

08:00
(2/25/2016 6:02:28 AM) exploit.im: ~~~~!!!!!!~~~~~~
ATTENTION: Kronos Banking Trojan: Working on MSIE,FF,Chrome, and MSIE EDGE!
~~~~!!!!!!~~~~~~

Kronos has been updated and better than ever! Issues with Chrome crashing and not properly grabbing and
injecting data have been fixed. FireFox grabbing and inject have been fixed. MSIE EDGE support for
grabbing and injecting has been added. A few stability fixes have also been established.

Become a customer today and gain discounts on modules that are being developed such as USB Spreader, Socks5,
And hidden VNC.

Price is $3,000 FIRM via Bitcoin.

Useful contacts for smooth operations are given upon purchase.

Contact: Vinny@exploit.im (this is the only authorized contact. DO NOT TRUST ANY OTHERS!)

Link: https://exploit.in/forum/index.php?showtopic=79705

====================
It's advertisement
====================

Appears Kronos now supports IE Edge. No Sample At This Time.

[Antelox]

Just to update about pwnslinger's problem about call to fs:[0xc0].

The sample analyzed queries system process and relative module loaded (through NtQuerySystemInformation API call), encodes the process/module name string, then compare it with hardocoded encoded strings. If strings match then it changes a flag otherwise it continues to search for next process/module. The flag changed influences the compare instruction at address 0xA7B3F in the picture posted above by pwnslinger; the conditional je jump must be taken to perform System Call (fs:[0xc0] indeed) otherwise sysenter is called and an ACCESS_VIOLATION happen.

Antelox

[Antelox]

I was forgetting to post decoded process/modules name strings (Kronos's bad friends )

Code: Select all

vmtoolsd.exe
vboxtray.exe
idaq.exe
idaq64.exe
ollydbg.exe
windbg.exe
wireshark.exe
lordpe.exe
sbiedll.dll
dbghelp.dll
cuckoomon.dll
vmware

BR,
Antelox

[gritland]

new, leaked version

[Xylitol]

https://www.virustotal.com/en/file/673b ... 460576548/ >> 10/57, signed also
Call home: kronocloud.top/elbir/connect.php (hide behind CloudFlare but real ip is: 5.154.190.115)



unpacked: https://www.virustotal.com/en/file/2d1b ... 460825906/
C:\Users\Root\Downloads\kronos\form1\VJF1\Binaries\Release\VJF 1.pdb
PDB path comparison with some other samples:

Code: Select all

MD5 - PDB - Call home
f780458c5331d4e58d09f9363e7f641d - C:\Users\Root\Downloads\dicks\VJF1\Binaries\Release\VJF 1.pdb - flashplayerliveupdate.ru
92f41793668b39e40b15e613178ef72e - C:\Users\Root\Downloads\fleet\VJF1\Binaries\Release\VJF 1.pdb - adobeflashupdate.ru
d94f26b9c84a3173cf2c58941876b5d0 - C:\Users\Root\Downloads\hw\VJF1\Binaries\Release\VJF 1.pdb - slighsplashinside.com
3d697a712c044ced7ac9aade3c06199b - C:\Users\Root\Downloads\kronos\form1\VJF1\Binaries\Release\VJF 1.pdb - morninlows.com

Malware dramascene:


Targeting UK banks.

Code: Select all

set_url https://*http://online.lloydsbank.co.uk/personal/ * GP
set_url https://*http://secure.lloydsbank.co.uk/personal/ * GP
set_url https://www.halifax-online.co.uk/personal/ * GP
set_url https://*http://secure.halifax-online.co.uk/personal/ * GP
set_url https://bank.barclays.co.uk/olb/auth/LoginLink.actio …* GP
set_url https://*http://hsbc.co.uk * GP
set_url https://*http://nationwide.co.uk * GP
set_url https://*http://nwolb.com * GP
set_url https://*http://santander.co.uk * GP

Of interest:
https://www.lexsi.com/securityhub/overv ... t/?lang=en
https://www.lexsi.com/securityhub/krono ... s/?lang=en

[Antelox]

a85aada6b2dc07b404dd173e3951a05a 30/57
2d0f0ce93e4b45065dbf412d6c99fd63 40/56

Code: Select all

http://dribt.com/elbir/connect.php

Antelox

[Xylitol]

http://vxvault.net/ViriFiche.php?ID=30216
https://www.virustotal.com/en/file/7c9e ... 462991939/
unpack: https://www.virustotal.com/en/file/bcdb ... 462996137/
repack: https://www.virustotal.com/en/file/6f81 ... 463053495/ 4/56 - http://vxvault.net/ViriList.php?MD5=88C ... A1514446F1
Call home: johngotti-007.com/007/connect.php - https://www.virustotal.com/en/domain/jo ... formation/

[comak]

few more cncs:

Code: Select all

http://johngotti-007.com:80/007/connect.php
http://johngotti.com.ng:80/007/connect.php
http://johngotti.org:80/007/connect.php
http://johngotti.co.za:80/007/connect.php
http://johngotti-007.co.za:80/007/connect.php

injects attached (from http://johngotti-007.com/007/connect.php)

[tildedennis]

https://virustotal.com/en/file/c9380385 ... /analysis/

Code: Select all

http://BUYCOOLMATTER.INFO/X5YofLgo/connect.php

Sample and config (.ca banks) in attach.