SHA-256 — 7c3e2a38dcacc3246409151ecdf283814611a8f9d98ed0e5996fb2615adc2cc2
I pulled the request for malware sample from Malshare for analysis and renamed the file with .exe extension.
Tools I used: Ollydbg, WireShark, PEExplorer,
I downloaded malware sample, opened in PE explorer, and found resource information
Before I start debugginh, I extracted the malware executable file using 7-zip. There were 2 vpn applications KVPN kerio application and openvpn.
On opening settings.ini file from above list, There was license owner information given as www. WebTune . ir
I started debugging of malware executable in ollydbg. It shows the behavior of application, check below image.
Malware program got installed and location was
C:\Program Files (x86)\P3Filter v2.3714840114\SmartConnection.exe
It also added short cut file in start program menu.
it also installed kerio vpn switch adapter on my virtual machine.
Wireshark packets showed, application is trying to connect to below URL and DNS is resolving to domain mycn .ir
domain — mycn. ir
Please post your suggestions to improve my analysis.