2019-07-17 AveMaria InfoStealer/RAT with interesting UAC bypass

I came across this sample yesterday via my usual method – the email filters. The email is your pretty standard stuff, acting as a proposal for an order. Once you open the zip file, there is an executable. From here, the fun began. For the artifacts/logs/PCAP from this analysis, please see my Github repo for this here.

IOCs:
=====
respainc.duckdns.org / 79.134.225.51:28 (TCP)
8.8.8.8:53 (TCP)

Artifacts:
==========
Microsoft.exe/Quotation.exe
a07a5a3100544aceeade42e743218e6a
http://www.virustotal.com/gui/file/a52f455f897f54af3e3d1505e686d391171d2f981ba7971b63cc491708b12fee/detection
First Submission 2019-07-16 10:12:09
28/67 engines detected this file
Path: C:\Users%USERNAME%\AppData\Roaming | %TEMP%

dismcore.dll
6b906764a35508a7fd266cdd512e46b1
http://www.virustotal.com/gui/file/fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c/detection
First Submission 2018-10-24 20:23:05
51/70 engines detected this file
Path: %TEMP%

ellocnak.xml
427eb7374887305b72f5c552837c9036
http://www.virustotal.com/gui/file/b3f421780a49cbe680a317259d4df9ce1d0cdaca3020b4df0dc18cc01d68ccbb/detection…

2019-04-12 Crypto/Clipboard Stealer Malspam

Yesterday I came across some malspam that I have not seen before and thought that I would do a quick entry for it. This particular malware sits quietly in the background and looks for cryptocurrency addresses being copied and pasted between applications/pages. The interesting part of this is that once the user “pastes” the crypto address into the other application/tab, the address is changed to one that the bad actor controls. Playing around with this in my VM, I did not notice it sending anything outbound within Wireshark, and nothing came up in Process Explorer, which kind of makes…

2019-04-02 Interesting obfuscation from Emotet

So yesterday while going through the mail filters, I came across this email: Looks to be pretty standard stuff to be honest. So the first thing that I did was run this through decalage2’s Vipermonkey to see if I could get at the macro script. Unfortunately Vipermonkey died and was not able to parse this file. So using Didier Stevens’ strings.py script (with the -L option to sort it from shortest to longest string) I was able to find the base64 script code. Here is the cleaned up version of the script: So everything up to this point seems to…

2019-02-12 Deobfuscating an Emotet maldoc

This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc.

Indicators of Compromise:
==========================
MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53
VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection
Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f

Analysis:
=========
So to be honest, I was using this maldoc as a case to try to get better at using oledump from Didier Stevens. This all stems from his latest posts on the SANS ISC blog (http://isc.sans.edu/forums/diary/Maldoc+Analysis+of+the+Weekend/24626/ and http://isc.sans.edu/forums/diary/Video+Maldoc+Analysis+of+the+Weekend/24628/). Unfortunately I was not able to get this maldoc de-obfuscated as easily…

2019-01-18 Emotet Malspam

Just a quick post about some Emotet malspam from this morning. Pretty standard from what I can tell. For the artifacts, ProcMon log, and PCAP, please see the repo here.

IOC:
=====
http://kcespolska.pl//Details/2019-01
69.16.238.96:80 / hxxp://greenplastic.com/hUYu36qNEQ
134.0.11.142:80 / hxxp://stats.emalaya.org/gWItwAFU
hxxp://innio.biz/rg1n590
hxxp://kiot.coop/yzc2cJzANO
hxxp://atkcgnew.evgeni7e.beget.tech/HkHe3fKTc
200.43.114.10:8080 TCP

Artifacts:
===========
File name: 190118-Untitled-1653.doc
File size: 127KB
File path: NA
MD5 hash: 1ce19abf935240c42b5f2959861c3ccc
Virustotal: http://www.virustotal.com/#/file/3553ff9236d640518f6293464d195c54e09923c8ff3778b6d396b269db26d221/detection
Detection ratio: 12 / 57
First detected: 2019-01-18 14:51:05
Any.Run: http://app.any.run/tasks/c066703c-130e-4f78-bd1c-18c9f300cb98

File name: ipropwfp.exe
File size: 148KB
File path: C:\Users\%username%\AppData\Local\ipropwfp
MD5 hash: 4ca746d87cf1b5f6135c9f99e7044b2d
Virustotal: http://www.virustotal.com/#/file/8a60dc9876ad042a6c957db6414918f33b932aa1fa0bc56799100968d2a992ab/detection
Detection ratio: 25 / 69
First detected: 2019-01-18 15:05:53
Any.Run: http://app.any.run/tasks/2b777d77-06bc-430d-85f9-4d4a7abea5c1 / http://app.any.run/tasks/2842a89d-1db7-4993-a2aa-c098311fcd26 / http://app.any.run/tasks/e21438cb-3261-4611-b071-abe0f20d0ca1

2019-01-03 Adwind RAT/Houdini Malspam

**2019-01-07** After talking with some researchers about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked, the VB script that is executed and sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The VB script, and the data POSTed to ‘goz.unknowncrypter.com’, is related to Houdini.

This post stems from looking at some malspam that had a JAR file as an attachment from yesterday. I also posted some of the information over on Twitter yesterday too. To see that thread click here. Based on…

2018-11-05 DarkComet Malspam

Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection method is leveraging the standard RTF buffer overflow technique (CVE-2017-11882). For more information about what DarkComet is, please see the following link: http://www.contextis.com/en/blog/malware-analysis-dark-comet-rat

All artifacts can be found over at my Github repo located here. I also have the memory dump post-infection saved here since it is too large for GitHub. Plus it gives me (and others) the ability to play with some memory forensics via Volatility. 😎

IOCs:
======
209.90.88.141 / thinker101.5gbfree.com
23.227.201.154:1604

Artifacts:
===========
File name: TYN NEW…

2018-10-31 Nanocore Malspam

While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails, along with the document that was attached. This is a write-up of what I was able to get from the malware on my VM. After doing some research it looks as if this malware is related to the Nanocore RAT. For more information about what this RAT is, please see the following link: http://www.stratosphereips.org/blog/2018/9/7/what-do-we-know-about-nanocore-rat-a-review For all the artifacts from this investigation, please see the Github repo located here. IOCs:…

2018-10-24 Agent Tesla Malspam

This is a quick write-up of some Agent Tesla malspam that I was able to find within our email filters. For a good overview of what this malware is and how it works, please see the following links: http://krebsonsecurity.com/2018/10/who-is-agent-tesla/ http://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html For the artifacts found from this investigation, please see my Github repo located here.

IOCs:
=====
208.91.199.225:587 (TCP)

Artifacts
=======
File name: RFQ-HMA-2120864-18.arj
File size: 216K
File path: NA
MD5 hash: 321a93e4393042bcae84ee695def3e63
Virustotal: http://www.virustotal.com/#/file/a84aafdffc64e7755dd1025781095c3244c9f1389e2e836ac2691ac0fa1a0925/detection
Detection ratio: 25 / 56
First Detected: 2018-10-21 10:43:42

File name: RFQ-HMA-2120864-18.exe / tmpG998.tmp / MyOtApp.exe
File size: 260K
File path: NA / C:\Users\%username%\AppData\Local\Temp / C:\Users\Bill\AppData\Roaming\MyOtApp…

2018-10-12 Using Visual Studio to debug VBScript

There was a phishing email that came in the other day that looked interesting. When I went to the URL found in the PDF, it linked to an ARJ archive file. Once I downloaded this file and extracted it, I saw that there was a VBScript file. Opening this file gave me the following code (also available at my Github located here). As you can see, this looks pretty complex (and just confusing to be honest). Manually trying to walk through this code was somewhat confusing since 1) the variable names were all over the place language-wise (some are Italian,…