BACKLOG: NanoCore and AgentTesla double tap (maybe triple?)

Files:
File name: LFPEHS.exe
MD5: 450c0d7521b121a919e62401d50a2182
SHA256: 1d9526fe126321b49469341dbac0c9bbb247f896f4f836d93b4f361183e93a5e
Filesize: 207872 bytes

File name: MMCRLC.vbs
MD5: 266f15a950f233e279095158cb2cfe8f
SHA256: d391a3570354b37aafe3340aa92da365d533b4edd1adb80fffab14d0cee29a67
Filesize: 858 bytes

File name: S007591119000628_XLSX.exe
MD5: 792f42f7a4ba4d37015d658e1573cff2
SHA256: c4acc931c61a4b4da44510e645913f78588e2b655bf45790219407cb0b1c3132
Filesize: 1852424 bytes

File name: S007591119000628_XLSX.ISO
MD5: 2482a65df50ca7ef9d7445dcd5985ada
SHA256: bc603a3b6ebf6e1312ad79e8e409c93ac53bfdedb65d961db6bf57cf947a19dd
Filesize: 2424832 bytes

File name: XAAHKP.exe
MD5: 39ee891b8bdbd9ba987b5c4faafb84bd
SHA256: 286803e00ea5f401dc94c9b25130716598210f33e4bf4465fb9fa0490231b176
Filesize: 207360 bytes

Download (password: malware)

Quick note: These files all originated from the exe inside S007591119000628_XLSX.ISO. No internet connection needed.

URLs:
hxxp://plumberspro[.]us/img/WebPanel/api.php
hxxp://nanocore2019.bounceme[.]net
hxxp://rat8882018.bounceme[.]net

IPs:
199.188.200.49
23.82.19.189
197.210.62.23

Details:
This one is a bit old (~2/21/2019) but I find it interesting nonetheless. The sample source is an .iso file attached to malspam. Using .iso is an interesting delivery method: on Windows 7 additional software is required to open an .iso (7-Zip, WinRAR, PowerISO, etc.), which I wouldn't expect to be readily available on a corporate workstation. However, Windows 8 and later (including Win10) mount .iso files natively with a double-click, so perhaps that is a clue as to what is being targeted here.

A single .exe resides inside the iso:


As soon as I detonate the .exe things start to get wild (we're talking 200 MB Procmon log wild). From Process Hacker:

The malicious .exe copies itself to another location and spins up two new executables, as well as a VBScript (via wscript.exe).

As you can see below, the Procmon output and ProcDOT graph are insanity:
  • Multiple copies of the malicious exes, temp files, and log files (.dat) are created across the system
  • Multiple AutoStart registry keys are created
  • Internet security settings are reduced
  • File tracing is enabled
  • Followup VBS script created
(this graph png is huge)
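To cut a log of that size down to the behaviours listed above, here is an added example (my own Python, not code from the original post) that triages a Procmon CSV export: it flags autostart Run-key writes, Internet Settings zone changes, the EnableFileTracing value, executables or scripts written under user-writable directories, and script-host process creation, then reconstructs which process dropped which file. The CSV rows are constructed for the example and follow Procmon's default export columns; the Tracing\...\EnableFileTracing key is my assumption for what "file tracing is enabled" refers to.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout of a Procmon CSV export (File > Save...,
# CSV format, default columns). The rows are made up for this example and are
# not taken from the 200 MB log the post describes.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","S007591119000628_XLSX.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\LFPEHS.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.0100000","S007591119000628_XLSX.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\XAAHKP.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.0200000","S007591119000628_XLSX.exe","1234","CreateFile","C:\Users\lab\AppData\Local\Temp\MMCRLC.vbs","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:03.0000000","S007591119000628_XLSX.exe","1234","Process Create","C:\Windows\System32\wscript.exe","SUCCESS","PID: 2345, Command line: wscript.exe C:\Users\lab\AppData\Local\Temp\MMCRLC.vbs"
"10:01:03.5000000","LFPEHS.exe","3456","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LFPEHS","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\lab\AppData\Roaming\LFPEHS.exe"
"10:01:03.6000000","XAAHKP.exe","4567","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:01:03.7000000","XAAHKP.exe","4567","RegSetValue","HKCU\Software\Microsoft\Tracing\XAAHKP_RASAPI32\EnableFileTracing","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:04.0000000","explorer.exe","999","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 120, Data: C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
"10:01:04.1000000","svchost.exe","800","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read"
'''

# Behaviours the post calls out, as (label, operations, path regex). The
# Tracing\<exe>\EnableFileTracing value is my assumption for "file tracing";
# swap in whatever key your own log shows.
RULES = [
    ("autostart_key_written", {"RegSetValue"},
     r"\\CurrentVersion\\(Run|RunOnce)\\"),
    ("internet_zone_setting_written", {"RegSetValue"},
     r"\\Internet Settings\\Zones\\"),
    ("file_tracing_enabled", {"RegSetValue"},
     r"\\Tracing\\[^\\]+\\EnableFileTracing$"),
    ("payload_dropped", {"CreateFile", "WriteFile"},
     r"\\(AppData|Temp|ProgramData)\\.*\.(exe|dll|vbs|js|ps1|bat)$"),
    ("script_host_spawned", {"Process Create"},
     r"\\(wscript|cscript|mshta|powershell)\.exe$"),
]


def matching_events(csv_text):
    """Yield (label, row) for every rule that fires on a successful event."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if row["Result"] != "SUCCESS":
            continue
        # CreateFile is also how reads and attribute queries start; only a
        # handle opened for writing counts as a drop.
        if op == "CreateFile" and "Write" not in detail:
            continue
        for label, ops, path_re in RULES:
            if op in ops and re.search(path_re, path, re.IGNORECASE):
                yield label, row


def triage_procmon(csv_text):
    """Return {label: [event description, ...]} for the rules that fired."""
    hits = defaultdict(list)
    for label, row in matching_events(csv_text):
        hits[label].append(
            f"{row['Process Name']}[{row['PID']}] {row['Operation']} {row['Path']}")
    return dict(hits)


def drop_chain(csv_text):
    """Map each dropping process to the basenames of the files it wrote."""
    chain = defaultdict(list)
    for label, row in matching_events(csv_text):
        if label == "payload_dropped":
            chain[row["Process Name"]].append(row["Path"].rsplit("\\", 1)[-1])
    return dict(chain)


if __name__ == "__main__":
    for label, events in sorted(triage_procmon(SAMPLE_PROCMON_CSV).items()):
        print(f"[{label}]")
        for event in events:
            print("   ", event)
    print("drop chain:", drop_chain(SAMPLE_PROCMON_CSV))
```

Against a real export, call `triage_procmon` on the file's text; for a log the size of this one, set a Procmon filter on Operation (RegSetValue, CreateFile, Process Create) before saving, or stream the file line by line instead of reading it whole.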



Let's talk about each of the new processes separately:

LFPEHS.exe (NanoCore)
Poking around in memory strings reveals "NanoCore" all over the place, including a creatively named C2, nanocore2019.bounceme[.]net:

XAAHKP.exe (AgentTesla)
This one was less obvious than NanoCore, but I believe it to be AgentTesla, or at least a variant, based on the C2, the C2 parameter format, and an IP check being performed.

IP check from Fiddler:

Common AgentTesla C2 data format:

What appears to be the C2 can also be found in strings and observed in ProcessHacker:

Brad from malware-traffic-analysis mentions the same C2 in his analysis here: https://www.malware-traffic-analysis.net/2018/04/23/index2.html (by the way, there is still an open directory living at hxxp://plumberspro[.]us/img/).
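As an added example (mine, not code from the post), the family-and-C2 triage done on the strings dumps above can be scripted: extract URLs, hostnames and IPs from the dump, tag the family markers the post relies on ("NanoCore" in memory strings and the AutoIt v3 references), and render the results in the hxxp / [.] notation used in the IOC section. The strings excerpt below is constructed; only the hostnames, URL and IP in it come from the IOC list at the top of the post. The TLD allow-list is deliberately short so that dotted .NET type names such as NanoCore.ClientPluginHost are not mistaken for hostnames.

```python
import re

# Constructed excerpt of a strings dump from process memory. The lines are
# made up for this example (the post's screenshots are not reproduced); the
# hostnames, URL and IP are the ones from the IOC list above.
SAMPLE_STRINGS = """\
NanoCore.ClientPluginHost
nanocore2019.bounceme.net
rat8882018.bounceme.net
http://plumberspro.us/img/WebPanel/api.php
199.188.200.49
v4.0.30319
This is a third-party compiled AutoIt script.
AutoIt v3
kernel32.dll
"""

# Markers the post itself ties to a family. The "third-party compiled"
# banner is the standard string embedded in AutoIt-compiled executables.
FAMILY_MARKERS = {
    "NanoCore": [r"\bNanoCore\b"],
    "AutoIt": [r"\bAutoIt v3\b", r"This is a third-party compiled AutoIt script"],
}

# Octet-validated IPv4 so version strings like 4.0.30319 do not match.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r'\bhttps?://[^\s"<>]+', re.IGNORECASE)
# Short TLD allow-list: extend it for your own dumps, but keep it a list so
# that dotted identifiers in .NET metadata are not reported as hosts.
HOST_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|us|info|biz|ru|top|xyz)\b", re.IGNORECASE)


def extract_iocs(text):
    """Pull network IOCs and family tags out of a strings dump."""
    urls = sorted(set(URL_RE.findall(text)))
    hosts = sorted({h.lower() for h in HOST_RE.findall(text)})
    ips = sorted(set(IPV4_RE.findall(text)))
    families = sorted(name for name, patterns in FAMILY_MARKERS.items()
                      if any(re.search(p, text) for p in patterns))
    return {"urls": urls, "hosts": hosts, "ips": ips, "families": families}


def defang(ioc):
    """Render an IOC as hxxp / [.] the way the IOC list above does: only the
    scheme and host are altered, the path (e.g. api.php) stays readable."""
    if "://" in ioc:
        scheme, rest = ioc.split("://", 1)
        host, sep, path = rest.partition("/")
        return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"
    return ioc.replace(".", "[.]")


def refang(ioc):
    """Inverse of defang, for feeding a pasted IOC back into a tool."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_STRINGS)
    print("families:", ", ".join(report["families"]))
    for kind in ("urls", "hosts", "ips"):
        for ioc in report[kind]:
            print(f"{kind[:-1]:>4}: {defang(ioc)}")
```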

MMCRLC.vbs (Persistence)
This is unobfuscated VBScript that serves as a persistence mechanism for the primary process, S007591119000628_XLSX.exe. It enumerates running processes and checks that the malicious process is still running; if the process is not found, it restarts it:
This is easily confirmed: terminate the process and watch as the wscript.exe process magically resurrects it.
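The watchdog logic above (enumerate processes, relaunch the target if it is absent, sleep, loop) has a recognisable shape in an unobfuscated script, so here is an added example, in Python and not from the original post, that scans a VBScript for that shape and pulls out the .exe name it guards. The three scripts it runs against are constructed for the example; the watchdog one is my own minimal sample guarding a made-up GUARDED.exe, not the contents of MMCRLC.vbs.

```python
import re

# Constructed VBScript with the shape of a process watchdog: query processes
# via WMI, relaunch the guarded binary if it is missing, sleep, repeat. My own
# minimal sample for the scanner, not MMCRLC.vbs; GUARDED.exe is made up.
WATCHDOG_SAMPLE = r'''
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set objShell = CreateObject("WScript.Shell")
Do
    found = False
    For Each proc In objWMI.ExecQuery("Select Name From Win32_Process")
        If LCase(proc.Name) = "guarded.exe" Then found = True
    Next
    If Not found Then objShell.Run "C:\Users\lab\AppData\Roaming\GUARDED.exe"
    WScript.Sleep 5000
Loop
'''

# Benign comparison: a logon script that maps a drive once and exits.
LOGON_SAMPLE = r'''
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "H:", "\\fileserver\home"
'''

# Benign comparison: inventories processes once and never launches anything.
INVENTORY_SAMPLE = r'''
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
For Each proc In objWMI.ExecQuery("Select Name From Win32_Process")
    WScript.Echo proc.Name
Next
'''

# Each indicator is one ingredient of the watchdog pattern. The verdict
# requires enumeration, a launch and an unbounded loop together; a sleep on
# its own is only supporting evidence.
INDICATORS = {
    "enumerates_processes": r"Win32_Process|winmgmts:|\btasklist\b",
    "launches_process":     r'\.Run\s*[("]|\.Exec\s*\(|\.Create\s*\(',
    "loops_forever":        r"\bDo\b[\s\S]*?\bLoop\b|\bWhile\b[\s\S]*?\bWend\b",
    "sleeps":               r"WScript\.Sleep",
}
REQUIRED = {"enumerates_processes", "launches_process", "loops_forever"}
EXE_RE = re.compile(r"\b[\w-]+\.exe\b", re.IGNORECASE)


def analyze_vbs(script):
    """Classify a VBScript as a process watchdog and name the .exe it guards."""
    matched = [name for name, pattern in INDICATORS.items()
               if re.search(pattern, script, re.IGNORECASE)]
    targets = sorted({m.lower() for m in EXE_RE.findall(script)})
    return {
        "verdict": REQUIRED <= set(matched),
        "indicators": matched,
        "targets": targets,
    }


if __name__ == "__main__":
    for name, sample in [("watchdog", WATCHDOG_SAMPLE),
                         ("logon", LOGON_SAMPLE),
                         ("inventory", INVENTORY_SAMPLE)]:
        print(name, analyze_vbs(sample))
```

On a live host the script path to feed in is on the command line of the wscript.exe process (visible in Process Hacker or via `Get-CimInstance Win32_Process`), and killing the guarded process and watching it return, as described above, confirms the verdict. Because the heuristic needs enumeration, launch and loop together, a one-shot inventory script or a logon script that merely starts a program does not trip it.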

Speaking of S007591119000628_XLSX.exe, there are some shenanigans going on here as well, but I have been unable to identify the malware family thus far. I know the following:

The process performs an IP check of its own via ipapi.com:

There are references to a site that looks like a C2 but instead turns out to be a ShoutCast stream of Quran readings:


Evidence of keylogging and many string references to AutoIt v3. I tried several AutoIt decompilers but had no success:

So maybe this is just a generic AutoIt RAT/keylogger.

Also, who is SAMURA?:
