poplatext.blogg.se

XTREME RAT 3.5 PASSWORD FULL
XTREME RAT 3.5 PASSWORD WINDOWS

We can use a memory dump to analyse the binary. The malware is stored in the directory: C:\Windows\Browser\Web.exeĪ configuration file is available here: C:\Documents and Settings\rootbsd\Application Data\Microsoft\Windows\S5tVn.cfg Semi talented To be persitent, the malware adds a value (antivirus) in the registry: Software\Microsoft\Windows\CurrentVersion\Run We execute it, and launch netstat.exe on Windows.

XTREME RAT 3.5 PASSWORD FULL

We can use 3 methods to analyse the binary: the simple, the semi talented method and the full talented method. The second interesting think is that fact that the RAT is used in Syria : We easily identify a well-known RAT: strings -el | grep RATĪfter a quick search on Google, we discovered that the RAT could be buy here.

XTREME RAT 3.5 PASSWORD WINDOWS

UPX 3.07 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 08th 2010Ĥ6821 <- 23269 49.70% win32/pe ī: PE32 executable for MS Windows (GUI) Intel 80386 32-bit UPX20030XMarkusOberhumerLaszloMolnarJohnReiser UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser We used yara to identify the binary: yara -r packer.yara Now we have a binary with the md5: 18e5ff1d0610341257f33e6fefe4f9a7 Third binary

Now we can use lordPE to make a partial dump: - launch LordPE If we scroll we can see the complete MZ : We can see a PE value in the bottom left.

Right click on the EAX value, and click on “Follow in dump”. Now we can see the allocated address of the memory in the EAX register: 0x40B61B. Now the application is break at kernel32.VirtualAllocEx :Įxecute the binary until the next RET with Ctrl+F9. Right click on kernel32.dll -> View namesĪ lot of exception must be pass. So as usual, we add breakpoint on VirtualAlloc & VirtualAllocEx calls: In fact this malware volontary uses and traps exceptions to be unpacked. We are suprised by a lot of exception when we tried to debug the sample. We use yara to identify the binary: yara -r packer.yara binary doesn’t use a well-known packer. cat base64.dmp | base64 -d > file base64.outīase64.out: PE32 executable for MS Windows (GUI) Intel 80386 32-bit W1EPulAAAAIAAQAgAEAAAQABADQBAAAFAAAAAQAEACAgEAABAAQA6AIAAAEAEBAQAAEABAAoAQAAĪgAgIAAAAQAgAKgQAAADABAQAAABACAAaAQAAAMAUEEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAĪAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA TAEEAKYPc0oAAAAAAAAAAOAADwELAQYAAEIAAACUAAAAAAAAdE8AAAAQAAAAYAAAAABAAAAQAAAAĪgAABAAAAAAAAAAEAAAAAAAAAAAQAQAABAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAA LNnXBpQe2FuU1NcGlN3XB5Tg1waUNcgNlNzXBpRl0QCU3NcGlFJpY2jd1waUAAAAAAAAAABQRQAA ZGUuDQ0KJAAAAAAAAACZtmjHqtcGlN3XBpTd1waUpssKlNzXBpReywiU3NcGlDXIDJTW1waUNcgC TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAĪAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v With the strings command, we find somethink that looks like a base64. NETexecutableMicrosoft Facture147778.pdf. First binary yara -r packer.yara Facture147778.pdf\ \ \ \ \ \ \ \ \ \ \ \. scr, some users may thought that the file is really a. To trick the user, the attacker adds several space before the extension.

Volatility in order to analyse memory dump.

A debugger for dynamic analysis (in our case OllyDbg).

We sent an email to the administrator and we do not have a feedback for the moment. We think that the Website “” was compromised and the attacker puts the malware on it. Of course we never bought something from Apple!!!!īut when we put our mouse on the link we can see the real link: We received an email with an invoice from Apple (in french).