Hybrid Analysis: https://www.hybrid-analysis.com/sample/fad4dc6268d03bcae8dbe2ff079798eff4ecb380233677b243bcd50d96273180?environmentId=4
Here is some more analysis of the malware. It appears to drop the unencrypted executable file to
- Contacts 188.8.131.52, which is associated with several dynamic DNS hostnames, including one from FishDNS, which is often used by malware. The hostnames include ratting456.ddns.net (note the "RATting" part, since RAT often stands for Remote Access Trojan or Remote Administration Tool), morechedder1.ddns.net, nuziurim.chickenkiller.com, notrip.fishdns.com, and vkhzone.no-ip.org
- The IP belongs to a VPS hosting provider, probably used for anonymization
- Drops self to AppData
- Detects debugger
- Imports suspicious APIs
So that is it for this piece of nasty malware. Stay tuned for more malware analysis and cyber news!
VirusTotal scan: https://www.virustotal.com/en/file/fad4dc6268d03bcae8dbe2ff079798eff4ecb380233677b243bcd50d96273180/analysis/1456238541/
Download of file (INFECTED): nevergreen.net/6no
Decompiled with Exe2Aut.
So when I first obtained the sample, I tried to analyze it on malwr, but I was unable to because malwr was down (probably due to a cyber attack). It was able to evade Anubis (https://anubis.iseclab.org/?action=result&task_id=1409319bac3c15d44bda1818b345394de&format=html), so my next thought was Hybrid Analysis, but due to the long wait I am doing static analysis first. In the VirusTotal scan, I noticed that a file called Au1.tmp is created, which means this file is probably an AutoIt script! According to my source, this file was crypted using a crypter, which explains it. I quickly threw it in my VM and decompiled it. The source is available to researchers; if you want it, send me a request at [firstname.lastname@example.org removing all of the numbers from it].
The source is obfuscated manually, and while it uses some of the methods I mentioned in my previous post, it was not very well done. Only basic StringReverse and variables were used, and the variables were not divided up at all.
Activity analysis based on the decompiled code:
- Installs itself to AppData\ZGIJJTiKhPcKTTZX.exe
- Removes the ZoneId (Zone.Identifier stream)
- Sets its file attributes to hidden and system
- Uses both the Startup folder and Run/RunOnce registry keys for persistence (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Cooperation and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Cooperation)
- Detects VBox, Sandboxie and VMware
- Drops to the Microsoft .NET folder (RegAsm.exe)
More analysis will follow once Hybrid Analysis finishes processing the file.
If you are reading this blog, you are probably concerned about security and that kind of stuff. However, scanning a file with your antivirus is sometimes not enough, since there might be false positives or an AV might not detect the file. So how can you detect these threats before they can do damage?
1. VirusTotal
VirusTotal is an online virus scanner which scans your file with over 50 antivirus engines. However, VirusTotal distributes your file to AV companies, so if you are a privacy freak then you can try
2. AnonScan
AnonScan is an online virus scanner which does not distribute your file. The site is created and operated by HF member Raymond Reddington. While it scans with fewer AVs, its UI looks more professional and the site does not distribute.
3. Malwr
Malwr is an online malware analysis service which executes the file in a VM and analyzes the file's activity. It records all activity, including network connections, registry changes and file changes. However, as Malwr uses normal VM techniques which can sometimes be detected by malware, you can use
4. Hybrid Analysis
Hybrid Analysis, provided by Payload Security, offers a feature called Kernel Mode Monitor, which is extremely hard for malware to detect and therefore has a much better success rate. The service can also extract strings from memory and has many other unique features.
So that is it for today's post. Check back often for more posts regarding computer, security, SEO and technology related content!