Friday, March 22, 2019

Analysis of .Net Stealer GrandSteal (2019-03-18)

In this post I share my notes about the analysis of a sample (a stealer written in .Net) whose family is unknown to me (any feedback is welcome; if you know the family of the sample that I describe, please tell me and I will update this post). Somebody tagged the sample as Quasar at Any.Run; however, after analyzing it and comparing it with the Quasar code, I concluded that this sample doesn't seem to belong to the Quasar family. Searching for information about the collected IoCs did not help to classify the sample. I am calling it GrandSteal because of the internal names of the .Net classes in the malware's decompiled code.

  • Original Packed Sample: 89782B6CDAAAB7848D544255D5FE7002
  • Source Url: http://a4.doshimotai[.]ru/pxpx.exe
  • Info Url: VxVault URLhaus
  • Automatic Generated Report: PepperMalware Report
  • Virustotal First Submission: 2019-03-18 22:28:20
  • Any.Run Analysis: Here
  • Any.Run Tags: Evasion, Trojan, Rat, Quasar
  • My Classification: I named it GrandSteal because of the internal .Net class names (if you have any information about any well-known family that this malware belongs to, please tell me and I will update this post)
  • Decompiled Source Code: PepperMalware Github

Monday, March 18, 2019

Analysis of BlackMoon (Banking Trojan)'s Evolution, And The Possibility of a Latest Version Under Development

BlackMoon, also known as KrBanker, is a banking trojan that mainly targets South Korea. I thought this family had been dead for some time (since around 2016); however, in the last few days I got a couple of recent samples and, after unpacking them and performing a quick analysis, I noticed they were BlackMoon. Virustotal's first submission date for one of these samples is 2018-06-18. The first submission date for the other one is 2018-11-01. After digging a bit more into this malware family, my conclusion was that there is probably a latest version of BlackMoon that is under development. I explain it in this post, which I hope you enjoy.

Tuesday, March 5, 2019

Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework

This post is not a deep analysis of TrickBot. Here, I did a quick analysis of a TrickBot sample from early 2019 using the Ghidra Software Reverse Engineering (SRE) Framework, developed by the NSA, that was released some hours ago. This is not a deep analysis of TrickBot; I only wanted to learn a bit about Ghidra, and I used this framework to find some interesting parts of the TrickBot code that were introduced in the newer versions of the malware. Hope you enjoy it!