A Russian campaign running over leaked email addresses is spreading a different kind of malware. Today a fresh Ursnif sample with 0 detections arrived on Yahoo mail.

The domain used in my email was inactive and there was no file to download, but I found the file somewhere else. The research steps are shown in the pictures below. It was easy to find a sample of the malware on Google using the SHA256 (d6c0ca87f712c0633eab5ac020ceaad2e256cd3251808ce7c7b45faf4042123e). The .zip file is detected, and this may be an advantage for users IF they are running an antivirus that has this sample in its database... but that is another discussion. At this moment VirusTotal says 18/57, so it is going to get better in a few hours.

Now, extracting them one by one, we have a well-encrypted malware named Ursnif (GOZI/ISFB). This malware tries to steal banking credentials from its victims, and the attacker may gain access to the system. I will not explain the whole process at this time; the way to do it is described in the recent post I made: https://www.prodefence.org/malware-analysis-gozi-ifsb-bank-trojan-aka-ursnif/
Useful links: Urlscan with samples, VirusTotal (.zip), VirusTotal (.js), VirusTotal (.bin)
This is the Gozi ISFB malware, created to steal data and information from its victims. In the folder you will see all the files needed to build your own malware server.
For this malware analysis I will use a .bin file found after a Google search. With this .bin file I will be 2 steps closer to the analysis. I don't have the .doc/.pdf file with the payload, but the .bin is the file downloaded as a result of the payload.

I will rename the .bin file to infected.exe (10000.exe)!
008c4bd6ee834d113cfc693af0ea90396eaa47e860bcdd567ffd964b57434e1d.bin
MD5: e6d118192fc848797e15dc0600834783
SHA1: 16d5ded68677f4a870423d3fd30da8377a5b2408
Let's go to the security manipulation and the creation of the malware on the system. $LN33 is exported by the executable; after that, execution jumps to the C Runtime Library, calling security_init_cookie for buffer overrun protection, to compromise the system security. Let's run the infected file to see its actions!
I see that explorer.exe has some activity. There I have some movements... let's go to \Roaming\Microsoft\ to see the newly created folder 'BthM300C'. An executable (the same .exe with a different name) is created in the new folder after running infected.exe: D3DCsapi.exe aka 1000.exe.

The Registry. Now... explorer.exe.
24 .dll files are suspicious. That means some of them come from the injection process.

explorer.exe (2304) – 52074 – 166.124.148.146.bc.googleusercontent.com

This is a Google Cloud Platform host, and explorer.exe has some connections to it.

genesisgrandergh.at
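A defender-side check for the two behaviours noted above, the renamed executable dropped in a new folder under \Roaming\Microsoft\ and explorer.exe reaching a Google Cloud host, written here as an added Python example that is not part of the original post; the Sysmon-style events and the allowlist of Microsoft subfolders are constructed assumptions, not real telemetry.

```python
import re

# Constructed events modelled on the behaviour described in the post
# (drop path, dropped file name, explorer.exe connection); not real logs.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": "C:\\Users\\bob\\Desktop\\infected.exe",
     "target": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\BthM300C\\D3DCsapi.exe"},
    {"type": "FileCreate", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.lnk"},
    {"type": "NetworkConnect", "image": "C:\\Windows\\explorer.exe",
     "target": "166.124.148.146.bc.googleusercontent.com"},
    {"type": "NetworkConnect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "target": "www.example.com"},
]

# Subfolders of %APPDATA%\Microsoft that Windows itself populates (assumed
# allowlist); a fresh .exe in any other subfolder is treated as a drop.
KNOWN_MS_SUBDIRS = {"windows", "office", "crypto", "credentials", "vault",
                    "protect", "systemcertificates"}
APPDATA_MS = re.compile(r"\\AppData\\Roaming\\Microsoft\\([^\\]+)\\", re.IGNORECASE)
# Reverse-DNS suffix of Google Cloud VM addresses, as seen in the post.
CLOUD_VM_SUFFIXES = (".bc.googleusercontent.com",)


def check_drop(ev):
    """Flag an .exe created in an unexpected Roaming\\Microsoft subfolder."""
    m = APPDATA_MS.search(ev["target"])
    if (ev["type"] == "FileCreate" and m and ev["target"].lower().endswith(".exe")
            and m.group(1).lower() not in KNOWN_MS_SUBDIRS):
        return f"exe dropped in unexpected Roaming\\Microsoft folder '{m.group(1)}'"
    return None


def check_explorer_net(ev):
    """Flag explorer.exe connecting out to a cloud VM host (injection hint)."""
    if ev["type"] == "NetworkConnect" and ev["image"].lower().endswith("\\explorer.exe"):
        if ev["target"].lower().endswith(CLOUD_VM_SUFFIXES):
            return f"explorer.exe connected to cloud VM host {ev['target']}"
    return None


def scan(events):
    """Run both checks over a list of events; return (event type, reason) pairs."""
    findings = []
    for ev in events:
        for check in (check_drop, check_explorer_net):
            reason = check(ev)
            if reason:
                findings.append((ev["type"], reason))
    return findings
```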