Some months ago it was reported in reddit a post about malicious servers on the Electrum network performing phishing attacks against the users of the Electrum wallet (a bitcoin client). It was confirmed by Electrum in this github issue. These fantastic posts in blog.coinbase.com and malwarebytes explained really well how the phishing attack was performed.
Recently I have found some malicious ElectrumX nodes in the Electrum network that are still being connected by the Electrum software. In this post I share some information about these nodes and the ElectrumX patched code that they execute.
PepperMalware Blog
Monday, December 2, 2019
Tuesday, November 5, 2019
Brief analysis of Redaman Banking Malware (v0.6.0.2) Sample
Redaman is a well-known banking malware, discovered around 2015. Recently I have been analyzing a recent version of the malware (0.6.0.2, not sure if latest version, probably one of the newest). This malware uses some interesting tricks probably introduced in these recent versions. In this post I share some notes about the analysis.
- Original Packed Sample: 2b251483ed7705c60ee12b561280a1fc
- Unpacked Sample (dll): 2a298a650b50eb89041548e57d72f726
- Virustotal First Submission: 2019-10-11 10:35:13
- Related links:
Monday, July 29, 2019
Analysis of the Frenchy Shellcode
In this post I analyze a shellcode that I have named "Frenchy shellcode" because of the mutex that it creates (depending on the version: frenchy_shellcode_01, frenchy_shellcode_002, frenchy_shellcode_003,...). This shellcode has been seen together with different packers and loading different malware families (agenttesla, avemaria stealer, formbook, netwire, etc...). Because of this, I decided to take a look at this shellcode and share my notes. Additionally I share a PoC, a python script that loads Frenchy shellcode and uses it to perform hollow processes and execute calc.exe in the context of notepad.exe.
- Original packed samples
- Frenchy shellcode v1 + autoit packer: 0a1340bb124cd0d79fa19a09c821a049 (Avemaria)
- Frenchy shellcode v2 + autoit packer: d009bfed001586db95623e2896fb93aa
- Frenchy shellcode v2 + autoit packer: 20de5694d7afa40cf8f0c88c86d22b1d (Formbook)
- Frenchy shellcode v3 + .Net packer: 21c1d45977877018568e8073c3Acf7c5 (Netwire)
- Extracted frenchy shellcodes:
- Frenchy shellcode v1 at hybrid analysis
- Frenchy shellcode v2 at hybrid analysis
- Frenchy shellcode v3 at hybrid analysis
- Related links:
- https://tccontre.blogspot.com/2019/07/autoit-compiled-formbook-malware.html (I recommend to read this post about the AutoIt script that loads frenchy shellcode).
- https://twitter.com/P3pperP0tts/status/1135976656751996928?s=20
- https://twitter.com/JayTHL/status/1146482606185308160?s=20
- https://twitter.com/James_inthe_box/status/1148966237684133888?s=20
- https://cape.contextis.com/analysis/85189/
- https://twitter.com/James_inthe_box/status/1146527056567472128?s=20
Monday, May 13, 2019
Quick Analysis of AgentTesla SMTP Variant Sample (dated 08-05-2019)
In this post I perform a quick analysis of a recent AgentTesla SMTP variant sample, paying special attention to the strings decryptor (most of the interesting information is kept as encrypted strings, smtp server and mail address included), in an attempt for documenting a bit more the decompiled source code with references to the decrypted strings where they are used, to understand how the malware works.
- Original Packed Sample: ae4d420c05281acf9696e558b02a42f8
- Unpacked Sample: f81064db46e305025ac6e2610e272eb3
- Source Url: hxxp://soksanhotels[.]com/calendar/daes/thai8.exe
- Info Url: URLhaus
- Automatic Generated Report: PepperMalware Report
- Virustotal First Submission: 2019-05-08 20:31:00
- Related links:
Monday, April 15, 2019
Analysis of .Net Deucalion IrcBot Sample Obfuscated with ConfuserEx+KoiVM
In this post I perform a quick analysis of a sample that seems to be an ircbot, named alphaircbot (based on the any.run tags) or deucalion (based on the internal .net classes names and deobfuscated strings). The malware family itself doesn't seem specially interesting, however, it is obfuscated with ConfuserEx obfuscator + KoiVM virtualization.
It was quite hard for me to deal with the obfuscated code, and debug it with dnSpy or similar tools to get the original assembly. I decided to use Windbg's sos extension to walk the loaded assemblies and to find the dynamic assemblies belonging to the original malware code. With this extension it is possible to enum the method tables foreach assembly and the stacks foreach thread that is executing managed code, making easy to find jit generated code that belongs to the malware code (and interesting malware's data referenced by the jit generated code).
Original Packed Sample: 40e751c032c75d33c807219b2de6c584
Source Url: hxxp://54.38.22[.]53/spike/svchost.exe
Info Url: URLhaus
Automatic Generated Report: PepperMalware Report
Virustotal First Submission: 2018-06-10 16:37:46
Other AlphaIrcbot samples at Any.Run:
Any.Run Tags: alphaircbot
Related links:
It was quite hard for me to deal with the obfuscated code, and debug it with dnSpy or similar tools to get the original assembly. I decided to use Windbg's sos extension to walk the loaded assemblies and to find the dynamic assemblies belonging to the original malware code. With this extension it is possible to enum the method tables foreach assembly and the stacks foreach thread that is executing managed code, making easy to find jit generated code that belongs to the malware code (and interesting malware's data referenced by the jit generated code).
asdjdsffdgnms.exe (2018-08-19 10:25:54) KFDJfd.exe (2018-11-16 00:26:10) jjunpkvyalquru.exe (2018-09-01 21:40:15)
https://hackforums.net/showthread.php?tid=5875152 http://offensivecommunity.net/showthread.php?tid=76358 https://urlhaus.abuse.ch/browse/tag/AlphaIRCBot/ https://yck1509.github.io/ConfuserEx/ https://github.com/Loksie/KoiVM-Virtualization https://docs.microsoft.com/en-us/dotnet/framework/tools/sos-dll-sos-debugging-extension https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-managed-code https://mindlocksite.wordpress.com/2017/02/11/easy-way-to-unpack-confuserex-1-0-max-settings/ https://github.com/CodeCracker-Tools/MegaDumper
Friday, March 22, 2019
Analysis of .Net Stealer GrandSteal (2019-03-18)
In this post I share my notes about the analysis of a sample (an stealer written in .Net) whose family is unknown to me (any feedback is welcome, if you know the family for the sample that I describe, please tell me and I will update this post). Somebody tagged the sample as quasar at Any.Run, however, after analyzing it and comparing with Quasar code, I concluded this sample doesn't seem to belong to Quasar family. Searching information about the collected IoCs was not successful to classify the sample. I am calling it GrandSteal because of the internal names of the .Net classes of the malware's decompiled code.
- Original Packed Sample: 89782B6CDAAAB7848D544255D5FE7002
- Source Url: http://a4.doshimotai[.]ru/pxpx.exe
- Info Url: VxVault URLhaus
- Automatic Generated Report: PepperMalware Report
- Virustotal First Submission: 2019-03-18 22:28:20
- Any.Run Analysis: Here
- Any.Run Tags: Evasion, Trojan, Rat, Quasar
- My Classification: I named it GrandSteal because of the internal .Net classes names (if you have any information about any well-known family that this malware belongs to, please, tell me and I will update this post)
- Decompiled Source Code: PepperMalware Github
Monday, March 18, 2019
Analysis of BlackMoon (Banking Trojan)'s Evolution, And The Possibility of a Latest Version Under Development
BlackMoon, also known as KrBanker, is a banking trojan that mainly targets South Korea. I thought this family was dead since time ago (around 2016), however these previous days I got a couple of rencent samples that, after unpacking them and performing a quick analysis, I noticed they were BlackMoon. Virustotal's first submission date for one of these samples is 2018-06-18. First submission date for the other one is 2018-11-01. After digging a bit more into this malware family, my conclussion was that probably there is a latest version of BlackMoon that is under development. I explain it in this post, that I hope you enjoy.
Original Packed Sample: C38E54342CDAE1D9181EC48E94DC5C83
Automatic Generated Report: PepperMalware Report
Virustotal First Submission: 2018-11-01 07:03:51
Unpacked Banker Module: 4634F4EF94D9A3A0E2FCF5078151ADB2
Related links:
- https://unit42.paloaltonetworks.com/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/
- https://threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/
- https://community.rsa.com/community/products/netwitness/blog/2017/05/19/the-blackmoon-trojan-framework
- https://www.fortinet.com/blog/threat-research/over-100-000-south-korean-users-affected-by-blackmoon-campaign.html
- https://www.fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework
Subscribe to:
Posts (Atom)