MalwareDisasters is a division of MalwareIntelligence. In the same test information is captured about the behavior of malicious code, and also offering the necessary countermeasures to mitigate the malicious actions in question.


Generic trojan type backdoor via popular crimeware “Loader”

This is the icon used for this malware.

Technical information & PE file attribute
MD5 :  aab21e11953aee66ff16772576ceaec0
SHA1:  576910d3ae484144db32dd835594c605dac90a9d
[['Microsoft Visual C++ 8'], ['VC8 -> Microsoft Corporation']

This malware was created and is spread through crimeware "VertexNet Loader".

PE information & sections:
     57.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
     12.2% (.DLL) Win32 Dynamic Link Library (generic) (6581/28/2)
     12.0% (.EXE) Win32 Executable Generic (6514/8/2)
     10.3% (.EXE) Win64 Executable Generic (5563/38/1)
     3.7% (.EXE) Generic Win/DOS Executable (2002/3)

Mutex: VN_MUTEX16
Optional Header: 0x400000
Address Of Entry Point: 0xaf4a
Compile Time: 2011-06-20 11:05:05
Number of RVA and Sizes: 16
Number of Sections: 5

API Functions:


VT information about detection rate 35/42 

VN_MUTEX16 is the string that is set as default "mutex" through internal constructor VertexNet Loader:

This information corresponds to the default settings when creating the bot through the internal constructor:

Information report in the C&C statistics panel about infected machine:

This information is inserted into the database (default MySQL) of the crimeware. You can see this information/C&C communication in traffic capture:

GET /x1/adduser.php?uid={52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}
&lan=XXX.XXX.XXX.XXX&cmpname=XXXXXXXXXX-59903E%20[Administrator]&country= &idle=0&ver=v1.2 HTTP/1.1
User-Agent: V32

You can read more information about the functions, command and extract data in infected machine for this crimeware in MalwareIntelligence post: VertexNetLoader crimeware timeline, popular functions and marketing scheme

VertexNet Loader crimeware C&C
In this case, the malicious software have you control panel in hxxp://

** Information obtained through the automated process malware analysis of CrimewareAttack Service (by  MalwareIntelligence).


0 comentarios:

Post a Comment