Win32/Chthonic (Zeus + Andromeda combined)

#24463 by Kafeine
Sat Nov 29, 2014 1:58 pm

Undefined Zeus Variant. Attached.

https://www.virustotal.com/file/c5f191a ... /analysis/

It's being pushed in ES and JP by the group that was using Blackhole then Nuclear to push Citadel then Kins and focusing on JP (Mainly) and DE sometimes.
(they got some attention after TrendMicro post here
http://blog.trendmicro.com/trendlabs-se ... pan-users/
Featured many times here, for instance :
http://www.kernelmode.info/forum/viewto ... =80#p21178
)

[[Edit : After Discussion with Horgh...some of those C&C call could be result from Second stage...and attached sample being Andromeda
Working on grabbing that 2nd Stage.
]]

C&C call (bypassing proxy, which is not the case with Kins):

Code: Select all

11/29/2014-06:08:36.922258 bruonlinearchive.com [**] / [**] Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 119456 bytes [**] [Remove]:1038 -> 62.76.189.99:80
11/29/2014-06:08:41.012229 bruonlinearchive.com [**] /www/ [**] Mozilla/6.2 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 115088 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:08:43.910800 bruonlinearchive.com [**] /www/ [**] Mozilla/6.2 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 126184 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:08:45.351476 bruonlinearchive.com [**] /www/ [**] Mozilla/6.2 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 944 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:08:48.655992 bruonlinearchive.com [**] /www/ [**] Mozilla/7.1 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 140765 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:08:49.754737 bruonlinearchive.com [**] /www/ [**] Mozilla/7.1 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 37097 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:08:50.757641 bruonlinearchive.com [**] /www/ [**] Mozilla/7.1 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 3840 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:08:51.760878 bruonlinearchive.com [**] /www/ [**] Mozilla/7.1 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 3664 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:09:14.894118 www.google.com [**] /webhp [**] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 302 => http://www.google.is/webhp?gws_rd=cr&ei=abd5VOnXFsXYywOQ_4GYCg [**] 263 bytes [**] [Remove]:1059 -> 74.125.230.144:80
11/29/2014-06:09:15.794963 www.google.is [**] /webhp?gws_rd=cr&ei=abd5VOnXFsXYywOQ_4GYCg [**] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 302 => https://www.google.is/webhp?gws_rd=cr,ssl&ei=abd5VOnXFsXYywOQ_4GYCg [**] 268 bytes [**] [Remove]:1060 -> 74.125.230.151:80
11/29/2014-06:09:18.198447 fastnestfestival.com [**] /www/ [**] Mozilla/7.1 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 96 bytes [**] [Remove]:1065 -> 62.76.189.99:80
11/29/2014-06:09:19.270556 bruonlinearchive.com [**] /www/ [**] Mozilla/7.2 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 9417 bytes [**] [Remove]:1044 -> 62.76.189.99:80
11/29/2014-06:09:20.602042 fastnestfestival.com [**] /www/ [**] Mozilla/7.2 (compatible; MSIE 8.0; Windows NT 6.2; SV1) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 80 bytes [**] [Remove]:1065 -> 62.76.189.99:80

Attachments

dcffde96291fe5fba261292106988810_ce276ab104b96389075f39d635aa29f0_undefined.zip

Undefined Zeus Variant - Password : infected
(50.55 KiB) Downloaded 136 times

Last edited by Kafeine on Sat Nov 29, 2014 4:18 pm, edited 3 times in total.

Username

Kafeine

Posts

105

Joined

Thu Jul 28, 2011 1:19 pm

Re: Win32/Zeus (alias Zbot)

#24464 by Horgh
Sat Nov 29, 2014 4:08 pm

Kafeine wrote:Undefined Zeus Variant. Attached.

https://www.virustotal.com/file/c5f191a ... /analysis/

It's being pushed in ES and JP by the group that was using Blackhole then Nuclear to push Citadel then Kins and focusing on JP (Mainly) and DE sometimes.
(they got some attention after TrendMicro post here
http://blog.trendmicro.com/trendlabs-se ... pan-users/
Featured many times here, for instance :
http://www.kernelmode.info/forum/viewto ... =80#p21178
)

.

Worm:Win32/Gamarue.AO
Dump in attach

Attachments

_003E0000.7z

(30.92 KiB) Downloaded 96 times

Username

Horgh

Posts

37

Joined

Fri Dec 07, 2012 9:48 am

Location

France

Re: Win32/Zeus (alias Zbot)

#24465 by Kafeine
Sat Nov 29, 2014 11:29 pm

Hum...this Andromeda is doing weird things (if it's it doing that)

Like calling C&C

and storing a lot of data in Registry

(Exporting the syncSumatraPDF I get a 7Mb file).

I can't find any Zeus on the Drive (but i may have missed it).The C&C and calls I am seing (using the winHttp proxy - not the IE one) are really Zeus Alike.
Could Andromeda be storing its tasks (Zeus at least in this case) encoded in registry...and be in charge of ensuring launch/persistency ?
That really looks like it.

Username

Kafeine

Posts

105

Joined

Thu Jul 28, 2011 1:19 pm

Re: Win32/Zeus (alias Zbot)

#24466 by comak
Sun Nov 30, 2014 1:52 am

based on requests and registry keys im pretty sure is kins or kins derviative it will be nice to see new version;]

mak - @maciekkotowicz

Username

comak

Posts

43

Joined

Mon Oct 14, 2013 8:25 am

Contact

Re: Win32/Zeus (alias Zbot)

#24467 by EP_X0FF
Sun Nov 30, 2014 7:09 am

String dump and VM/sandbox detection looks like Andromeda.

Code: Select all

ntdll.dll			
KiFastSystemCall			
wuauserv			
WinDefend			
MpsSvc			
SharedAccess			
wscsvc			
SeDebugPrivilege			
SeBackUpPrivilege			
SeRestorePrivilege			
cdosys.dll			
NtMapViewOfSection			
ws2_32.dll			
GetAddrInfoW			
Shell_TrayWnd			
\\.\pipe\%lu			
EnableLUA			
software\microsoft\windows\currentversion\policies\system			
TaskbarNoNotification			
software\microsoft\windows\currentversion\policies\Explorer			
HideSCAHealth			
ShowSuperHidden			
software\microsoft\windows\currentversion\explorer\advanced			
Hidden			
software\microsoft\windows nt\currentversion\image file executio options\taskmgr.exe		
ryma			
B:_rjtrvbagfh~!kiu			
tylBTdWDSS			
msiexec.exe			
explorer.exe			
8.8.4.4			
software\microsoft\windows\currentversion\Run			
software\microsoft\windows\currentversion\Policies\Explorer\Run			
ALLUSERSPROFILE			
APPDATA			
\%s.exe			
:Zone.Identifier			
127.0.0.1			
/c %s			
cmd.exe			
runas			
update.microsoft.com			
microsoft.com			
bing.com			
google.com			
yahoo.com			
%08X			
POST			
Content-Type: application/x-www-form-urlencoded			
Connection: close			
Software\Microsoft\			
unknown			
InstallDate			
SOFTWARE\Microsoft\Windows NT\CurrentVersion			
DigitalProductId			
%s_%08X%08X			
\SysWOW64\msiexec.exe			
\system32\msiexec.exe			
update

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32/Zeus (alias Zbot)

#24651 by comak
Thu Dec 18, 2014 12:34 pm

apparently kaspersky did some more analysis of this:
https://securelist.com/blog/virus-watch ... n-of-zeus/

and give it some new fancy name...

it looks like data above is part of loader

mak - @maciekkotowicz

Username

comak

Posts

43

Joined

Mon Oct 14, 2013 8:25 am

Contact

Re: Win32/Chthonic (Zeus + Andromeda combined)

#24719 by Kafeine
Tue Dec 23, 2014 9:27 am

I see a lot of those.

Here is one fresh loader (So andromeda i guess) pushed in Sweet Orange
eff1c3077a332c754b88c7e30bf038d5

CnC: 62.76.189.118
http://toysgameshop .com/www/
http://alieexpressplaseusend .com/www/
http://wsusupdatesystemfiles121214 .com/www/

Attachments

eff1c3077a332c754b88c7e30bf038d5_57705853bcd3b95203a554a3f86f568c_Chthnoic_Loader.zip

Password : infected
(52.25 KiB) Downloaded 96 times

Username

Kafeine

Posts

105

Joined

Thu Jul 28, 2011 1:19 pm

Re: Win32/Chthonic (Zeus + Andromeda combined)

#24917 by Kafeine
Mon Jan 12, 2015 2:21 pm

The JP/ES focused gang is striking again since 3 Days.

C&C

www .molchtoohookeie .com
202.28.32.110
9562 | 202.28.32.0/24 | MSU-TH | TH | STREAM.AZ | UNINET

Attached sample
111200c7f13c90ffc30fdd308bbbafd8c6f24a4ce1b83bb8539c82dbe2edf828

and fiddler with the encoded traffic
Again am not 100% sure it's Chtonic or another evolution.
[Edit: It appears (hint: EmergingThreats) that the http calls are "Citadel-ish" : filename="%2e/files/atmos_video.module"
Meaning this post need to be moved to Citadel. Sorry ]

Attachments

chto.zip

Password : infected - Fiddler and Sample
(1.38 MiB) Downloaded 79 times

Username

Kafeine

Posts

105

Joined

Thu Jul 28, 2011 1:19 pm

Re: Win32/Chthonic (Zeus + Andromeda combined)

#24921 by r3shl4k1sh
Mon Jan 12, 2015 7:28 pm

Kafeine wrote: Again am not 100% sure it's Chtonic or another evolution.
[Edit: It appears (hint: EmergingThreats) that the http calls are "Citadel-ish" : filename="%2e/files/atmos_video.module"
Meaning this post need to be moved to Citadel. Sorry ]

In attach unpacked sample.
It packed with two stages, the first is a .NET crap but the second has some muscles...
Anyway here's the strings:

Code: Select all

.text:00401990 00000021 C 258C804A6C32A4EE66E786A111B32901                                                                                                                                                                           
.text:004063BC 00000007 C system                                                                                                                                                                                                     
.text:004063C4 00000009 C registry                                                                                                                                                                                                   
.text:004063D0 00000009 C setvalue                                                                                                                                                                                                   
.text:004063DC 00000009 C getvalue                                                                                                                                                                                                   
.text:004063E8 0000000A C hvnc_stop                                                                                                                                                                                                  
.text:004063F4 0000000B C hvnc_start                                                                                                                                                                                                 
.text:00406400 0000000C C video_start                                                                                                                                                                                                
.text:0040640C 0000000A C bc_remove                                                                                                                                                                                                  
.text:00406418 00000007 C bc_add                                                                                                                                                                                                     
.text:00406420 00000005 C test                                                                                                                                                                                                       
.text:00406474 00000006 C utf-8                                                                                                                                                                                                      
.text:0040647C 00000005 C ansi                                                                                                                                                                                                       
.text:00406484 0000000B C image/tiff                                                                                                                                                                                                 
.text:00406490 0000000A C image/png                                                                                                                                                                                                  
.text:0040649C 0000000B C image/jpeg                                                                                                                                                                                                 
.text:004064A8 0000000A C image/gif                                                                                                                                                                                                  
.text:004064B4 00000009 C text/xml                                                                                                                                                                                                   
.text:004064C0 0000000A C text/html                                                                                                                                                                                                  
.text:004064CC 00000010 C text/javascript                                                                                                                                                                                            
.text:004064DC 0000000B C text/plain                                                                                                                                                                                                 
.text:004064E8 0000000A C Not found                                                                                                                                                                                                  
.text:004064F4 0000000A C Forbidden                                                                                                                                                                                                  
.text:00406500 0000000C C Bad Request                                                                                                                                                                                                
.text:0040655C 00000022 C %s, %02u %s %u %02u:%02u:%02u GMT                                                                                                                                                                          
.text:00406580 00000009 C HTTP/1.1                                                                                                                                                                                                   
.text:0040658C 00000009 C HTTP/1.0                                                                                                                                                                                                   
.text:00406598 00000005 C Host                                                                                                                                                                                                       
.text:004065A0 0000000F C Content-Length                                                                                                                                                                                             
.text:004065B0 00000008 C http://                                                                                                                                                                                                    
.text:004065B8 00000008 C Referer                                                                                                                                                                                                    
.text:004065C0 0000000D C Content-Type                                                                                                                                                                                               
.text:004065D0 0000000E C Authorization                                                                                                                                                                                              
.text:004065E0 0000000D C ; charset=%s                                                                                                                                                                                               
.text:004065F0 000000B6 C HTTP/1.1 %u %s\r\nServer: Apache\r\nDate: %s\r\nAccept-Ranges: bytes\r\nContent-Length: %u\r\nCache-control: no-cache\r\nPragma: no-cache\r\nExpires: %s\r\nConnection: close\r\nContent-Type: %s%s\r\n\r\n
.text:004066A8 00000040 C HTTP/1.1 %u %s\r\nServer: Apache\r\nDate: %s\r\nConnection: close\r\n\r\n                                                                                                                                  
.text:004066E8 00000005 C arg0                                                                                                                                                                                                       
.text:004066F0 00000008 C DEFAULT                                                                                                                                                                                                    
.text:004066F8 00000015 C ID: %s\r\nRESULT: OK\r\n                                                                                                                                                                                   
.text:00406710 00000005 C arg1                                                                                                                                                                                                       
.text:00406718 00000005 C arg2                                                                                                                                                                                                       
.text:00406720 00000005 C arg3                                                                                                                                                                                                       
.text:00406728 0000000B C if(1==1){}                                                                                                                                                                                                 
.text:00406734 00000007 C global                                                                                                                                                                                                     
.text:0040673C 00000009 C value_%s                                                                                                                                                                                                   
.text:00406748 00000006 C local                                                                                                                                                                                                      
.text:00406750 0000000C C value_%s_%s                                                                                                                                                                                                
.text:00406780 00000005 C NULL                                                                                                                                                                                                       
.text:00406788 00000005 C text                                                                                                                                                                                                       
.text:00406794 0000000B C %s = \"%s\";                                                                                                                                                                                               
.text:004067A0 00000005 C \r\n\r\n                                                                                                                                                                                                   
.text:004067D0 0000001C C http://www.google.com/webhp                                                                                                                                                                                
.text:00406974 0000001F C Wow64DisableWow64FsRedirection                                                                                                                                                                             
.text:00406994 00000007 C %s%s%s                                                                                                                                                                                                     
.text:00406A14 00000012 C _getFirefoxCookie                                                                                                                                                                                          
.text:00406A3C 00000016 C PR_GetNameForIdentity                                                                                                                                                                                      
.text:00406A54 0000000C C PR_SetError                                                                                                                                                                                                
.text:00406A60 0000000C C PR_GetError                                                                                                                                                                                                
.text:00406A6C 0000000A C NSS layer                                                                                                                                                                                                  
.text:00406A78 00000009 C https://                                                                                                                                                                                                   
.text:00406A84 0000000B C User-Agent                                                                                                                                                                                                 
.text:00406A90 00000007 C Cookie                                                                                                                                                                                                     
.text:00406A98 00000010 C Accept-Language                                                                                                                                                                                            
.text:00406AA8 00000010 C Accept-Encoding                                                                                                                                                                                            
.text:00406AB8 00000008 C HTTP/1.                                                                                                                                                                                                    
.text:00406AC0 00000012 C Transfer-Encoding                                                                                                                                                                                          
.text:00406AD4 00000008 C chunked                                                                                                                                                                                                    
.text:00406ADC 0000000B C Connection                                                                                                                                                                                                 
.text:00406AE8 00000006 C close                                                                                                                                                                                                      
.text:00406AF0 00000011 C Proxy-Connection                                                                                                                                                                                           
.text:00406B08 00000010 C X-Frame-Options                                                                                                                                                                                            
.text:00406B18 00000005 C %x\r\n                                                                                                                                                                                                     
.text:00406B20 00000008 C \r\n0\r\n\r\n                                                                                                                                                                                              
.text:00406B28 0000001C C GET /favicon.ico HTTP/1.1\r\n                                                                                                                                                                              
.text:00406B48 00000007 C Accept                                                                                                                                                                                                     
.text:00406B50 00000009 C identity                                                                                                                                                                                                   
.text:00406B60 00000012 C If-Modified-Since                                                                                                                                                                                          
.text:00406BD8 0000000D C _hvnc_init@4                                                                                                                                                                                               
.text:00406BE8 0000000F C _hvnc_uninit@0                                                                                                                                                                                             
.text:00406BF8 0000000E C _hvnc_start@8                                                                                                                                                                                              
.text:00406C08 0000000D C _hvnc_stop@0                                                                                                                                                                                               
.text:00406C18 0000000D C _hvnc_wait@0                                                                                                                                                                                               
.text:00406C28 0000000D C _hvnc_work@0                                                                                                                                                                                               
.text:00406F5C 0000000F C GetProcAddress                                                                                                                                                                                             
.text:00406F6C 0000000D C LoadLibraryA                                                                                                                                                                                               
.text:00406F7C 0000000F C NtCreateThread                                                                                                                                                                                             
.text:00406F8C 00000014 C NtCreateUserProcess                                                                                                                                                                                        
.text:00406FA0 0000001A C NtQueryInformationProcess                                                                                                                                                                                  
.text:00406FBC 00000013 C RtlUserThreadStart                                                                                                                                                                                         
.text:00406FD0 0000000B C LdrLoadDll                                                                                                                                                                                                 
.text:00406FDC 00000010 C LdrGetDllHandle                                                                                                                                                                                            
.text:00406FEC 00000007 C .reloc                                                                                                                                                                                                     
.text:00407000 0000000D C CreateThread                                                                                                                                                                                               
.text:00407010 00000011 C GetModuleHandleW                                                                                                                                                                                           
.text:00407068 00000011 C __startRecord@36                                                                                                                                                                                           
.text:0040707C 0000000D C __isRecord@0                                                                                                                                                                                               
.text:0040708C 0000000F C __stopRecord@0                                                                                                                                                                                             
.text:0040709C 0000000F C __waitRecord@8                                                                                                                                                                                             
.text:004070AC 00000008 C unknown                                                                                                                                                                                                    
.text:004070FC 0000000F C *.facebook.com                                                                                                                                                                                             
.text:0040710C 0000000E C *.twitter.com                                                                                                                                                                                              
.text:0040711C 00000010 C *.instagram.com                                                                                                                                                                                            
.text:0040712C 0000000E C *.booking.com                                                                                                                                                                                              
.text:0040713C 00000011 C *.sharepoint.com                                                                                                                                                                                           
.text:00407150 0000000C C *.yahoo.com                                                                                                                                                                                                
.text:0040715C 00000010 C login.yahoo.com                                                                                                                                                                                            
.text:0040716C 0000000D C *.google.com                                                                                                                                                                                               
.text:0040717C 00000014 C accounts.google.com                                                                                                                                                                                        
.text:00407190 0000000C C 192.168.*.*                                                                                                                                                                                                
.text:0040719C 0000000A C 127.0.0.1                                                                                                                                                                                                  
.text:004071A8 00000010 C */wp-login.php*                                                                                                                                                                                            
.text:004071B8 00000005 C *.ru                                                                                                                                                                                                       
.text:004071C0 00000005 C *.ua                                                                                                                                                                                                       
.text:004071C8 00000005 C *.kz                                                                                                                                                                                                       
.text:004071D0 00000005 C *.il                                                                                                                                                                                                       
.text:004071D8 00000005 C *.li                                                                                                                                                                                                       
.text:004071E0 00000005 C *.bg                                                                                                                                                                                                       
.text:004071E8 00000005 C *.by                                                                                                                                                                                                       
.text:004071F0 00000005 C *.az                                                                                                                                                                                                       
.text:004071F8 00000005 C *.am                                                                                                                                                                                                       
.text:00407200 00000005 C *.kg                                                                                                                                                                                                       
.text:00407208 00000005 C *.md                                                                                                                                                                                                       
.text:00407210 00000005 C *.tj                                                                                                                                                                                                       
.text:00407218 00000005 C *.tm                                                                                                                                                                                                       
.text:00407220 00000005 C *.uz                                                                                                                                                                                                       
.text:00407228 0000000B C *.xn--p1ai                                                                                                                                                                                                 
.text:00407244 00000008 C %BOTID%                                                                                                                                                                                                    
.text:0040724C 00000009 C %BOTNET%                                                                                                                                                                                                   
.text:00407258 0000000D C %BC-*-*-*-*%                                                                                                                                                                                               
.text:00407268 00000008 C %VIDEO%                                                                                                                                                                                                    
.text:00407270 00000005 C POST                                                                                                                                                                                                       
.text:0040727C 0000000D C Cookie: %s\r\n                                                                                                                                                                                             
.text:0040728C 0000000E C Referer: %s\r\n                                                                                                                                                                                            
.text:0040729C 0000000D C Accept: %s\r\n                                                                                                                                                                                             
.text:004072AC 00000016 C Accept-Language: %s\r\n                                                                                                                                                                                    
.text:004072C4 00000016 C Accept-Encoding: %s\r\n                                                                                                                                                                                    
.text:004072F4 00000009 C 0N0N0N0N                                                                                                                                                                                                   
.text:00407308 00000011 C PR_OpenTCPSocket                                                                                                                                                                                           
.text:0040731C 00000009 C PR_Close                                                                                                                                                                                                   
.text:00407328 00000008 C PR_Read                                                                                                                                                                                                    
.text:00407330 00000009 C PR_Write                                                                                                                                                                                                   
.text:0040739C 0000000C C gdiplus.dll                                                                                                                                                                                                
.text:004073A8 0000000F C GdiplusStartup                                                                                                                                                                                             
.text:004073B8 00000010 C GdiplusShutdown                                                                                                                                                                                            
.text:004073C8 0000001C C GdipCreateBitmapFromHBITMAP                                                                                                                                                                                
.text:004073E4 00000011 C GdipDisposeImage                                                                                                                                                                                           
.text:004073F8 00000019 C GdipGetImageEncodersSize                                                                                                                                                                                   
.text:00407414 00000015 C GdipGetImageEncoders                                                                                                                                                                                       
.text:0040742C 00000016 C GdipSaveImageToStream                                                                                                                                                                                      
.text:00407444 0000000A C ole32.dll                                                                                                                                                                                                  
.text:00407450 00000016 C CreateStreamOnHGlobal                                                                                                                                                                                      
.text:00407468 0000000A C gdi32.dll                                                                                                                                                                                                  
.text:00407474 0000000A C CreateDCW                                                                                                                                                                                                  
.text:00407480 00000013 C CreateCompatibleDC                                                                                                                                                                                         
.text:00407494 00000017 C CreateCompatibleBitmap                                                                                                                                                                                     
.text:004074AC 0000000E C GetDeviceCaps                                                                                                                                                                                              
.text:004074BC 0000000D C SelectObject                                                                                                                                                                                               
.text:004074CC 00000007 C BitBlt                                                                                                                                                                                                     
.text:004074D4 0000000D C DeleteObject                                                                                                                                                                                               
.text:004074E4 00000009 C DeleteDC                                                                                                                                                                                                   
.text:00407500 0000000C C hvnc_module                                                                                                                                                                                                
.text:0040750C 00000012 C atmos_hvnc.module                                                                                                                                                                                          
.text:00407520 0000000E C cookie_module                                                                                                                                                                                              
.text:00407530 00000016 C atmos_ffcookie.module                                                                                                                                                                                      
.text:00407548 0000000D C video_module                                                                                                                                                                                               
.text:00407558 00000013 C atmos_video.module                                                                                                                                                                                         
.text:004075A0 00000051 C |$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\]^_`abcdefghijklmnopq                                                                                                                          
.text:004076C4 0000001A C ZwQueryInformationProcess                                                                                                                                                                                  
.text:00407704 0000000F C IsWow64Process                                                                                                                                                                                             
.text:00407730 0000000C C userenv.dll                                                                                                                                                                                                
.text:0040773C 00000017 C CreateEnvironmentBlock                                                                                                                                                                                     
.text:00407754 00000018 C DestroyEnvironmentBlock                                                                                                                                                                                    
.text:0040776C 00000023 C :d\r\ndel \"%s\"\r\nif exist \"%s\" goto d                                                                                                                                                                 
.text:00407798 0000001D C @echo off\r\n%s\r\ndel /F \"%s\"\r\n                                                                                                                                                                       
.text:004077D8 00000038 C Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)                                                                                                                                                    
.text:00407810 00000014 C Connection: close\r\n                                                                                                                                                                                      
.text:00407824 0000000B C urlmon.dll                                                                                                                                                                                                 
.text:00407830 00000016 C ObtainUserAgentString                                                                                                                                                                                      
.text:004078F4 0000000C C cabinet.dll                                                                                                                                                                                                
.text:00407900 0000000A C FCICreate                                                                                                                                                                                                  
.text:0040790C 0000000B C FCIAddFile                                                                                                                                                                                                 
.text:00407918 00000010 C FCIFlushCabinet                                                                                                                                                                                            
.text:00407928 0000000B C FCIDestroy                                                                                                                                                                                                 
.text:00407934 00000014 C bcdfghklmnpqrstvwxz                                                                                                                                                                                        
.text:00407948 00000007 C aeiouy                                                                                                                                                                                                     
.text:00407970 00000052 C http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php                                                                                                                          
.text:004079C4 00000005 C file                                                                                                                                                                                                       
.text:004079DC 00000005 C www.                                                                                                                                                                                                       
.text:00407A38 00000007 C script                                                                                                                                                                                                     
.text:00407A40 00000006 C nbsp;                                                                                                                                                                                                      
.text:00407A48 00000007 C Basic                                                                                                                                                                                                      
.text:00407B60 00000005 C FAIL                                                                                                                                                                                                       
.text:00407B68 00000015 C GetSystemPowerStatus                                                                                                                                                                                       
.text:00407B80 00000005 C GET                                                                                                                                                                                                        
.text:00407B88 00000005 C PUT                                                                                                                                                                                                        
.text:00407B90 00000006 C POST                                                                                                                                                                                                       
.text:00407B9C 00000009 C &curren;                                                                                                                                                                                                   
.text:00407BA8 00000008 C &pound;                                                                                                                                                                                                    
.text:00407BB0 00000007 C &cent;                                                                                                                                                                                                     
.text:00407BB8 00000007 C &euro;                                                                                                                                                                                                     
.text:00407BC0 00000006 C &yen;                                                                                                                                                                                                      
.text:00407BC8 00000009 C &#65509;                                                                                                                                                                                                   
.text:00407BD4 00000008 C &#8369;                                                                                                                                                                                                    
.text:00407BDC 00000008 C &#8366;                                                                                                                                                                                                    
.text:00407BE4 00000008 C &#8365;                                                                                                                                                                                                    
.text:00407BEC 00000008 C &#8363;                                                                                                                                                                                                    
.text:00407BF4 00000008 C &#8362;                                                                                                                                                                                                    
.text:00407BFC 00000008 C &#8361;                                                                                                                                                                                                    
.text:00407C04 00000008 C &#8360;                                                                                                                                                                                                    
.text:00407C0C 00000008 C &#8359;                                                                                                                                                                                                    
.text:00407C14 00000008 C &#8358;                                                                                                                                                                                                    
.text:00407C1C 00000008 C &#8357;                                                                                                                                                                                                    
.text:00407C24 00000008 C &#8356;                                                                                                                                                                                                    
.text:00407C2C 00000008 C &#8354;                                                                                                                                                                                                    
.text:00407C34 00000008 C &#8353;                                                                                                                                                                                                    
.text:00407C3C 00000008 C &#8372;                                                                                                                                                                                                    
.text:00407C44 00000008 C &#8364;                                                                                                                                                                                                    
.text:00407C4C 00000008 C &#8355;                                                                                                                                                                                                    
.text:00407C54 00000008 C &#6107;                                                                                                                                                                                                    
.text:00407C5C 00000008 C &#3647;                                                                                                                                                                                                    
.text:00407C64 00000007 C &#165;                                                                                                                                                                                                     
.text:00407C6C 00000007 C &#164;                                                                                                                                                                                                     
.text:00407C74 00000007 C &#162;                                                                                                                                                                                                     
.text:00407C7C 00000007 C &#163;                                                                                                                                                                                                     
.text:00407C84 00000007 C &nbsp;                                                                                                                                                                                                     
.text:00407C8C 00000018 C value=[%s], code=[%s]\r\n                                                                                                                                                                                  
.text:00407CA4 00000010 C %COMMANDSERVER%                                                                                                                                                                                            
.text:00407CB4 00000015 C http://127.0.0.1:%u/                                                                                                                                                                                       
.text:00407CCC 00000005 C /%s/                                                                                                                                                                                                       
.text:00407CD4 00000005 C %s%s                                                                                                                                                                                                       
.text:00407CDC 0000000F C X-Type: %s\r\n\r\n                                                                                                                                                                                         
.text:00407DE0 00000006 C socks                                                                                                                                                                                                      
.text:00407DE8 00000006 C shell                                                                                                                                                                                                      
.text:00407DF0 0000000B C powershell                                                                                                                                                                                                 
.text:00407DFC 0000000B C screenshot

After 1 stage unpack VT 26/56
Fully unpacked VT 35/56

Attachments

unpacked.7z

pass: infected
(264.24 KiB) Downloaded 85 times

Username

r3shl4k1sh

Posts

119

Joined

Tue Feb 05, 2013 10:26 pm

Location

Israel

Contact

Re: Win32/Chthonic (Zeus + Andromeda combined)

#25850 by pyre08
Tue May 12, 2015 3:54 am

Do we have sample/dump from Stage 2 Loader or the Main Module of Chthonic?

Username

pyre08

Posts

4

Joined

Mon Mar 30, 2015 12:12 pm