A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13620  by rkhunter
 Fri Jun 01, 2012 7:47 pm
Probably some ZBot modification, but don't remember that I saw such behaviour [at least hosts file modification].
Microsoft: PWS:Win32/Zbot.AEQ

Modifies hosts file for AV site/update block.
Runs from HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init
Copies itself to %appdata%\xqvpszmglcpxhjoynyfeq1oj2m3xkfql2\svcnost.exe
Firewall bypass by adding to trusted: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\User\Application Data\xqvpszmglcpxhjoynyfeq1oj2m3xkfql2\svcnost.exe
Also dropped %appdata%\desktop.ini - PE exe with
MD5: 4a27242b307c6a836993353035fafc16
1 / 42 https://www.virustotal.com/file/02fd93f ... 338579439/

Unlike ZBot don't restore autorun item in registry.

MD5: 37efd9b2178ea48f8fa9d995beabcbcf
SHA1: 5b2032c7e3542d888cc504008b24046b0b373279
https://www.virustotal.com/file/703df64 ... /analysis/
Attachments
pass:infected
(4.65 KiB) Downloaded 48 times
pass:infected
(1.05 KiB) Downloaded 44 times
pass:infected
(75.74 KiB) Downloaded 42 times
 #13625  by Buster_BSA
 Sat Jun 02, 2012 3:13 am
rkhunter wrote:Probably some ZBot modification, but don't remember that I saw such behaviour [at least hosts file modification].
Microsoft: PWS:Win32/Zbot.AEQ

Modifies hosts file for AV site/update block.
Runs from HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init
Copies itself to %appdata%\xqvpszmglcpxhjoynyfeq1oj2m3xkfql2\svcnost.exe
Firewall bypass by adding to trusted: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\User\Application Data\xqvpszmglcpxhjoynyfeq1oj2m3xkfql2\svcnost.exe
Also dropped %appdata%\desktop.ini - PE exe with
MD5: 4a27242b307c6a836993353035fafc16
1 / 42 https://www.virustotal.com/file/02fd93f ... 338579439/

Unlike ZBot don't restore autorun item in registry.

MD5: 37efd9b2178ea48f8fa9d995beabcbcf
SHA1: 5b2032c7e3542d888cc504008b24046b0b373279
https://www.virustotal.com/file/703df64 ... /analysis/
Could someone post a memory dump of this malware, please?

I am testing something in Buster Sandbox Analyzer and I would need a memory dump of this sample.

Thanks in advance!
 #13628  by EP_X0FF
 Sat Jun 02, 2012 4:25 am
Decrypted in attach. This is not true Zbot, this is piece of delphi junk + spambot (Mailer.dll) inside.

https://www.virustotal.com/file/ee9da7f ... 338611495/
http://www.microsoft.com/security/porta ... 2147324146

C&C at 87.75.44.12

Posts moved.
Attachments
pass: malware
(63.71 KiB) Downloaded 40 times
 #13630  by rkhunter
 Sat Jun 02, 2012 5:39 am
He-h, I forgot about my VM with this Spambot only about a 10 minutes and my provider blocked me to 15 minutes for spam sending company :facepalm:
 #13634  by Buster_BSA
 Sat Jun 02, 2012 10:24 am
EP_X0FF & rkhunter: Thank you very much!

I noticed EP_X0FF´s dump is different than rkhunter´s, meanwhile rkhunter's dump and the dump done by Buster Sandbox Analyzer using Vlad-Ioan Topan´s MDmp are almost the same.
 #13635  by EP_X0FF
 Sat Jun 02, 2012 10:42 am
It is payload extracted from memory when crypter already decrypted container. Additionally it was compressed with UPX - removed. So this is not dump in classical meaning of memory dump like mdump does.
 #13636  by Buster_BSA
 Sat Jun 02, 2012 10:47 am
EP_X0FF wrote:It is payload extracted from memory when crypter already decrypted container. Additionally it was compressed with UPX - removed. So this is not dump in in classical memory like mdump does.
Ah, ok! That explains it. :)