- Original Packed Sample: 89782B6CDAAAB7848D544255D5FE7002
- Source Url: http://a4.doshimotai[.]ru/pxpx.exe
- Info Url: VxVault URLhaus
- Automatic Generated Report: PepperMalware Report
- Virustotal First Submission: 2019-03-18 22:28:20
- Any.Run Analysis: Here
- Any.Run Tags: Evasion, Trojan, Rat, Quasar
- My Classification: I named it GrandSteal because of the internal .Net classes names (if you have any information about any well-known family that this malware belongs to, please, tell me and I will update this post)
- Decompiled Source Code: PepperMalware Github
Friday, March 22, 2019
Analysis of .Net Stealer GrandSteal (2019-03-18)
In this post I share my notes about the analysis of a sample (an stealer written in .Net) whose family is unknown to me (any feedback is welcome, if you know the family for the sample that I describe, please tell me and I will update this post). Somebody tagged the sample as quasar at Any.Run, however, after analyzing it and comparing with Quasar code, I concluded this sample doesn't seem to belong to Quasar family. Searching information about the collected IoCs was not successful to classify the sample. I am calling it GrandSteal because of the internal names of the .Net classes of the malware's decompiled code.
Monday, March 18, 2019
Analysis of BlackMoon (Banking Trojan)'s Evolution, And The Possibility of a Latest Version Under Development
BlackMoon, also known as KrBanker, is a banking trojan that mainly targets South Korea. I thought this family was dead since time ago (around 2016), however these previous days I got a couple of rencent samples that, after unpacking them and performing a quick analysis, I noticed they were BlackMoon. Virustotal's first submission date for one of these samples is 2018-06-18. First submission date for the other one is 2018-11-01. After digging a bit more into this malware family, my conclussion was that probably there is a latest version of BlackMoon that is under development. I explain it in this post, that I hope you enjoy.
Original Packed Sample: C38E54342CDAE1D9181EC48E94DC5C83
Automatic Generated Report: PepperMalware Report
Virustotal First Submission: 2018-11-01 07:03:51
Unpacked Banker Module: 4634F4EF94D9A3A0E2FCF5078151ADB2
Related links:
- https://unit42.paloaltonetworks.com/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/
- https://threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/
- https://community.rsa.com/community/products/netwitness/blog/2017/05/19/the-blackmoon-trojan-framework
- https://www.fortinet.com/blog/threat-research/over-100-000-south-korean-users-affected-by-blackmoon-campaign.html
- https://www.fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework
Tuesday, March 5, 2019
Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
This post is not a deep analysis of TrickBot. Here, I did a quick analysis of a TrickBot sample from early 2019 by using the Ghidra Software Reverse Engineering (SRE) Framework, developed by the NSA, that was released some hours ago. This is not a deep analysis of TrickBot, I only wanted to learn a bit about Ghidra and I used this framework to find some interesting parts of the code of TrickBot that were introduced in the newer versions of the malware. Hope you enjoy it!
Wednesday, January 2, 2019
Analysis of Neutrino Bot Sample (dated 2018-08-27)
In this post I analyze a Neutrino Bot sample. It was probably generated 2018-08-27. I will compare the analyzed Neutrino sample with the NukeBot's source code that was leaked on spring, 2017, and I will check that Neutrino Bot is probably an evolution (or, at least, it reuses parts) of the NukeBot leaked code.
- Original Packed Sample: 3F77B24C569600E73F9C112B9E7BE43F
- Automatic Generated Report: PepperMalware Report
- Virustotal First Submission: 2018-08-28 14:36:26
- Sample Creation Date: 2018-08-27
- Unpacked Banker Module: 896609A8EE8CC860C2214FCD1E3CF264
- Internal executable id: aug27
- Related links:
Subscribe to:
Posts (Atom)