1. Executive Summary A. Fingerprinting MD5: 459aad8cc95d9fe2bd1d3199966289f7 SHA256: eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba VirusTotal Report: https://www.virustotal.com/gui/file/eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba B. Classification Infostealer, used to harvest stored credentials and session objects from browsers installed on the machine.
C. Behavioral Summary The malware is a PyInstaller packed executable, with slight obfuscation. When the sample is executed, it extracts the packed Python bytecode, and required libraries into a temporary folder. It then proceeds to spawn a child process by executing itself again, sets/adds the temporary folder into its DLL directories, unpacks and unmarshall the Python bytecode on the fly in the memory.
1. Executive Summary A. Fingerprinting MD5: 425cf022932c7ace6542f18af4fbac2a SHA256: b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d VirusTotal Report: https://www.virustotal.com/gui/file/b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d/detection/f-b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d-1668189288 B. Classification The AveMariaRat is a Remote Access Trojan that allow the attacker to connect and control the victim’s machine throught the using of a fake process and a reverse connection the its C&C server.
C. Behavioral Summary The AveMariaRat comes with a common technique that hide the exe malware using a fake Word icon, once launched the exe start some cmd that creates two distinct dll files.
1. Executive Summary A. Fingerprinting MD5: c5782ebad92661d4acfacaf4daa1fc52 SHA256: 1b82ac159d87162964a4eb61122bb411a35e748e135cc3b97ab39466e5827c7e VirusTotal Report: https://www.virustotal.com/gui/file/1b82ac159d87162964a4eb61122bb411a35e748e135cc3b97ab39466e5827c7e B. Classification PirateStealer is a new Info Stealer in the scene. Not much info is provided about this family and the sample is relatively new. No traces has been found on either Malware Bazaar or Malpedia. The sample will be submitted to aforementioned databases after this post.
C. Behavioral Summary The sample executes itself and checks for presence of Virtualized Environment by using registry information and disk drive identifiers.
Contents Disclamer Introduction ContiLeaks Zipped Locker Unzipped Locker backdoor.js Source Code Analysis: Locker Initialization Command Line Arguments Modifying the Code Searching for Files Cryptanalysis Source Code Analysis: Decryptor Cryptanalysis Performance Conclusion 1. Disclaimer I won’t be releasing/sharing exact complete source-code out of respect to the person because of whom this all was possible.