SANS ISC InfoSec Forums (DShield) diary


Spamvertized URL with multistage downloads and lots of spyware

A new piece of malware was submitted to us today by a friend of ours known
as SPAM_Buster. The spamvertized URL redirects to
hxxp://www.tera.cartoes1.com/saudlov.scr

This thing has several download stages, and a complete analysis would
take a long time. Ultimately it is some type of spyware/Trojan; the
detection names below (Banload, Bancos, Banspy) are the labels vendors
normally use for Brazilian banking trojans and their downloaders. I will
use VirusTotal and CWSandbox to analyze some of the binaries involved.

saudlov.scr: 12/32 engines detected it.
VirusTotal results:
http://www.virustotal.com/analisis/021d7c1131b1130f35051d41dfb05370
AntiVir -> TR/Spy.Gen
BitDefender -> Trojan.Downloader.Banload.QL
ClamAV -> Trojan.Downloader.Banload-4552
F-Secure -> Q32/Downloader
Ikarus -> Trojan-Downloader.Win32.Banload.auf
Kaspersky -> Heur.Downloader
Norman -> W32/Downloader
Panda -> Suspicious file
Rising -> Trojan.DL.Delf.yhc
Sophos -> Mal/Emogen-N
VBA32 -> Trojan-Downloader.Win32.Banload.tz
WebWasher-Gateway -> Trojan.Spy.Gen
MD5...: 19172589717bd700088e49af196a8a39
SHA1..: 0ad0cfc9d17126ccce07ffce7ae94efb72564c85
SHA256: ebbc15c2236d8615b899267954eb6482cc392be49b56f6a305d050e1e491780e
SHA512: a1a65d6f0e3c4f005ba898aec58dda1b462f0743faea28fd0f9ba609cc205287e507de2bf2809a4f3ccc18774ee9c203a917b7e8377cf078fdcc993516cb37e7

CWSandbox analysis for saudlov.scr
https://cwsandbox.org/?page=details&id=220785&password=vyagd

Interesting strings in saudlov.scr:
c:\windows\mdword.exe
http://caixa.nexenservices.com/game/game01.exe
c:\windows\mdword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
hxxp://www.terra.com.br/avisolegal/

It looks like it downloads game01.exe (presumably dropped as
c:\windows\mdword.exe, given the adjacent strings) and fetches something
from www[dot]terra[dot]com[dot]br/avisolegal/. That Terra URL sits right
next to the IEXPLORE.EXE path, so it may simply be opened in the browser
as a decoy while the real download runs; the CWSandbox report is the
place to confirm which it is.

So I downloaded game01.exe and ran it through VirusTotal.
1/32 engines detected it; F-Secure called it
"Suspicious:W32/Malware!Gemini".
http://www.virustotal.com/analisis/00e6839634881c4b247c0fa98332ea95

MD5...: 7cf3a4ea1422e2f890728a964ec7d877
SHA1..: 5bf10216b4163be15b27102ada8f034bb8c0280e
SHA256: 2f2df59bb0997e362cc6b24b3bf8fd0288de07f588ea8670a4e67efcafd78fb6
SHA512: 8308de1f3f7e66fe19325c937da1d97bc9dcfaee8a70932e575ec7a79d4a533f17b211fd475a6ceb7475b3969960ea2a7ed91061e263210a6e81dd7180ebed27


CWSandbox analysis for game01.exe
https://cwsandbox.org/?page=details&id=220822&password=irkom

game01.exe has several interesting strings:
,hxxp://www.skzinfos.com.br/module/ModCx2.jpg
,hxxp://www.skzinfos.com.br/module/ccciti.jpg
+hxxp://www.skzinfos.com.br/module/citit.jpg
-hxxp://www.skzinfos.com.br/module/ModBrd2.jpg
,hxxp://www.skzinfos.com.br/module/modctl.jpg
,hxxp://www.skzinfos.com.br/module/ModCx1.jpg
+hxxp://www.skzinfos.com.br/module/ieico.jpg
-hxxp://www.skzinfos.com.br/module/ModBrd1.jpg
+hxxp://www.skzinfos.com.br/module/modbb.jpg
-hxxp://www.skzinfos.com.br/module/modsant.jpg
-hxxp://www.skzinfos.com.br/module/ModItit.jpg

The leading "," "+" and "-" characters are not part of the URLs. Each one
is the single length byte that precedes a Delphi ShortString: 0x2C (",")
is 44, 0x2B ("+") is 43 and 0x2D ("-") is 45, which are exactly the
lengths of the 44-, 43- and 45-character URLs that follow them (strings
just prints the byte as its ASCII character). That fits the Delphi-family
names (Banload, Delf) the first stage got, and the length byte is a
precise way to cut these strings out of the binary.

So I downloaded them using wget. They are NOT JPEGs; they are Windows PE
binaries, with the .jpg extension used to make the downloads look like
images. I submitted the binaries to VirusTotal.
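As an added worked example (this is not code from the diary, and not anything recovered from the malware), the script below does the two checks this stage calls for: it classifies a downloaded blob by magic bytes rather than by its ".jpg" name, and it pulls URLs out of a binary using the Delphi ShortString length byte to cut each string exactly. The PE-shaped blob and the `downloads.example.invalid` URLs are constructed inline for the demo and stand in for the real game01.exe and the skzinfos.com.br list.

```python
"""Triage helpers for "image" downloads that are really PE files.

Added example, not part of the ISC diary. The sample blobs at the bottom
are constructed here (fake MZ/PE header, example.invalid URLs); they are
not the diary's real samples.
"""
import re
import struct

JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG SOI marker: a real JPEG starts with this


def sniff(data: bytes) -> str:
    """Classify a blob by its magic bytes, ignoring the extension in the URL.
    Returns 'jpeg', 'pe', 'mz-only' (DOS header but no PE signature) or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-only"
    return "unknown"


def extract_shortstring_urls(data: bytes) -> list:
    """Find URLs stored as Delphi ShortStrings (one length byte, then text).
    `strings` prints that length byte as a visible character (',' for 44,
    '+' for 43, '-' for 45), which is why URL lists from Delphi droppers
    look 'prefixed'. Using the byte to bound the string avoids guessing
    where a URL ends. Returns (prefix_char, url) pairs in file order."""
    found = []
    for m in re.finditer(rb"https?://", data):
        start = m.start()
        if start == 0:
            continue
        n = data[start - 1]                      # candidate length prefix
        s = data[start:start + n]
        if len(s) == n and all(0x21 <= b <= 0x7E for b in s):
            found.append((chr(n), s.decode("ascii")))
    return found


def shortstring(s: str) -> bytes:
    """Lay out s the way a Delphi ShortString literal is stored: length byte + bytes."""
    b = s.encode("ascii")
    assert len(b) < 256
    return bytes([len(b)]) + b


# --- constructed samples (hypothetical domain, not the diary's files) --------
SAMPLE_URLS = [
    "http://downloads.example.invalid/module/ModCx2.jpg",   # 50 chars -> prefix '2'
    "http://downloads.example.invalid/module/citit.jpg",    # 49 chars -> prefix '1'
    "http://downloads.example.invalid/module/ModBrd2.jpg",  # 51 chars -> prefix '3'
]


def build_fake_pe() -> bytes:
    """Minimal MZ/PE-shaped blob carrying NUL-separated ShortString URLs."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after it
    body = b"PE\x00\x00" + b"\x00" * 20
    for u in SAMPLE_URLS:
        body += shortstring(u) + b"\x00" * 3     # the NULs are what splits `strings` output
    return bytes(hdr) + body


SAMPLE_FAKE_JPG = build_fake_pe()                                  # served as "ModCx2.jpg"
SAMPLE_REAL_JPG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32   # a genuine JPEG prefix


def triage(name: str, data: bytes) -> dict:
    """One record per download: what it really is, whether the name lies, and any embedded URLs."""
    kind = sniff(data)
    return {
        "name": name,
        "kind": kind,
        "masquerading": name.lower().endswith(".jpg") and kind != "jpeg",
        "urls": extract_shortstring_urls(data) if kind == "pe" else [],
    }


if __name__ == "__main__":
    for name, blob in (("ModCx2.jpg", SAMPLE_FAKE_JPG), ("photo.jpg", SAMPLE_REAL_JPG)):
        r = triage(name, blob)
        print(r["name"], r["kind"], "MASQUERADE" if r["masquerading"] else "ok")
        for prefix_char, url in r["urls"]:
            print("  [%s] %s" % (prefix_char, url))
```

On a real sample you would feed `triage()` the bytes wget saved; a ".jpg" that comes back as `pe` is the same "NOT jpegs" finding above, and the prefix characters in the URL list will be the same "," "+" "-" that `strings` shows.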

ccciti.jpg: 1/32 engines detected it.
F-Secure -> Suspicious:W32/Malware!Gemini
http://www.virustotal.com/analisis/7d9fe4b43ba6006ec2236b581300cef4
MD5...: 2be7e8ef38456531a1167131e8c5f813
SHA1..: 14f22e66fc93a69e19682fda4d5a406ad6a435bc
SHA256: 748c377e3c3bb98a453118499d4ee3006bae980e85523944c4d1adfffe146e18
SHA512: f24f891e313a22050d09332262e433ae62d48f74b86f2f94a5fe1575fd5a9e3c48835658e4d7400e9b635ba089c772bac85084a47642c7d3f9a01fb9868e4013

CWSandbox report for ccciti.jpg
https://cwsandbox.org/?page=details&id=220912&password=nuxln

ieico.jpg: 0/32 engines detected it.
MD5...: c2716e7250578d925597e2d0e4cfb61e
SHA1..: ffe8bf78b8af059561df1889b3bfa6bce7e49d16
SHA256: 65249d5b9881693c940212451dcd3ed663fa04d5faf7023c3865947e952ad10d
SHA512: c73029eeb21b068ebddaf48a9339035e39cee94f50ee22e1cf2f0a64eccf3eec9be6f6dbb4796ef4f5d2af2f8137308f34b611d49c92f38a0d58817fb771ef96

modbb.jpg: 0/32 engines detected it.
MD5...: 83552437675b3b3e2c7896d5132e1c55
SHA1..: 21c2cdef153fdfdd234bafbc6492998e7d1dc505
SHA256: 5c372fe2a5b894abf124984a99a01360cb007a66ddbfc67eb9fb6bc2a16bc841
SHA512: 45e5ab93748a606e9ca93df1db14f487a687d0e3b2f8a1d993a551dbf334ba231f1da0cba8f05dad37adec90cd141f5af54ea724add0c428bdb251c506081004

ModBrd1.jpg: 2/32 engines detected it.
http://www.virustotal.com/analisis/1ba6837131cb006f0be95a56a1ae7b03
F-Secure -> Suspicious:W32/Malware!Gemini
Ikarus -> Trojan-Downloader.Win32.Banload.BO
MD5...: 46bc7deda088fdfc83f7cd680dd50306
SHA1..: 1b22c0be1fe35e72c826f8931f5e9b02902fc775
SHA256: faf4ac8dd1f2b32776a68333c03779210ea2aa17dff7dac8a1e7594c3ad67fdc
SHA512: 79c43dff6fb609508e457f2d295229be5f5161a2922a24d34ae754759ade19694ad2158437c9baa41e9fc286fb3578bb22d1f8c806ccffaef6ba72fe2298e60b

ModBrd2.jpg: 3/32 engines detected it.
http://www.virustotal.com/analisis/627cadb1182b5448c903604accccc4ef
ClamAV -> Trojan.Downloader.banload-4567
F-Secure -> Suspicious:W32/Malware!Gemini
Panda -> Suspicious file
MD5...: e9942d01deb1880b216b822e00529e16
SHA1..: 8d98427a0a569c7d77f31199ecaa56d84f9b1808
SHA256: 1709e26ad069926ea1304cde6b5fd3fbe124e66d142ab6e0e4430b77e2be3990
SHA512: ee4a386811a8afcc5be58a7d92f5d623e90edad19e25e7d784096071a283217cad21e702654b257a226abc534ffd5df5a8e6274de4de5ac5ecb6ab812553f1a2

modctl.jpg: 1/32 engines detected it.
http://www.virustotal.com/analisis/df445086c71a9dc87f421907d12f2951
F-Secure -> Suspicious:W32/Malware!Gemini
MD5...: 255385e309203be5d0297a06e846c8bb
SHA1..: 8c9be7e4ec140183edaee743e0f52ff573360889
SHA256: d17b42e47d35ed29827bbc0200146738bdb44d698c190942c3055e86f1e440fb
SHA512: 466984b4fe2810de2485867fe4d1e1864eead8a60992ea39312a4be7376e962cc558835374298ca259656867fe372535e63769ff43afad31657e3edb705c9c6d

ModCx1.jpg: 2/32 engines detected it.
http://www.virustotal.com/analisis/461015498f21a611f4ec56fe12943433
ClamAV -> Trojan.Downloader.banload-4567
F-Secure -> Suspicious:W32/Malware!Gemini
MD5...: 146c37ba985b9f231cc676f3b2f4ca49
SHA1..: 0ec68669eb9b7c05f0707c8dca11f349c280e285
SHA256: b5107d998301ee086bac925c759ea5b80f4459e4d458ec8219420b6a8849c29a
SHA512: 5db644d2885211b1ab8d3f6ccc40c2517519350153764a25106a3afcb7f9fe7044e78f4f77cbc505665e97c8c4b269e9624ef30a787d724e67ade33b57e3b7e9

ModCx2.jpg: 0/32 engines detected it.
MD5...: 02ab04a384b2c655c4c22d2aae6a9a0f
SHA1..: ff0689073c220ad0679030247dba748dc23589b4
SHA256: 889087021dfb81b97a1a0e58d201f7e5c066d9ff44c74c133092e707df651b5d
SHA512: 0f7ae9efe50a5000d2705b55f3adcb8f315a0d1736249d49b1abcc56307c5aa80b288938b9830149a85309c1dd8958978f71651c4a364a843089135351fa1b96

modsant.jpg: 5/32 engines detected it.
http://www.virustotal.com/analisis/89c768b4a87676b9a7c450ce62973e92
ClamAV -> Trojan.Downloader.banload-4567
F-Secure -> Suspicious:W32/Malware!Gemini
Microsoft -> TrojanSpy:Win32/Bancos.gen!C
Panda -> Suspicious file
Sophos -> Mal/Banspy-I
MD5...: 417fed34ffe6d22e47ef06b49d41a571
SHA1..: 2bb064d18caf0a7ae6925dd09f13a0a9877c55b4
SHA256: 41e0ccdd1b3d143d35af3b9132dc05297f32a3ef26ae6bae36078f6577fe9bf3
SHA512: aedeb2f5eed793314a3a43ff1ae432c3de04cca7476f2402a02bd21f7353c3ce7878e133e340a4802e3ef012cf5441099829c52fcbfa29c6dfcc34d9d45af5b5

modsant.jpg is the only module that draws banking-spyware names (Bancos,
Banspy), so it is the likeliest candidate for the actual credential-stealing
component; the other "jpg" modules have little or no coverage at all, which
is the usual picture for a freshly repacked multistage loader.

donald, ISC Handler