Analyzing a .Net Sample: ziraat_limpi.exe

MD5 hash: DC4200AC514006F084EAD7F83B84C928
Virus Total Link: https://www.virustotal.com/gui/file/a850de0705c0f6095910aa1d5ed0e73a49581aa7427fcfaf2ff5144e93b047c1/community

Intro:

Analysis Pt 1:

Figure: Filtering on the malware process in ProcMon
1. Looking at it in Process Hacker 2, the sample does not appear to create any new processes.
2. It tries to open and query registry keys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, HKCU\Software\Google\Google Desktop\Mailboxes, HKCU\Software\Microsoft\Office\Outlook\OMI and HKCU\Software\DownloadManager\Passwords, to name a few. From this we can infer that the malware looks for passwords and other credentials stored on the system by multiple applications and browsers, including Chrome, Paltalk, MSN Messenger, Yahoo, Mozilla Thunderbird and others. Note that the lookups are indicators whether or not the keys exist: a NAME NOT FOUND result still shows what the sample is hunting for.
3. It loads and queries multiple DLLs, such as kernel32.dll, advapi32.dll (registry access), wininet.dll (HTTP functionality) and more.
4. It may store the collected passwords and other credentials in two files created in C:\ProgramData: 'Browsers.txt' and 'Mails.txt'.
Figure: Querying Chrome and Opera user data and saving it to Browsers.txt
Figure: Files newly created when the malware is run
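The observations above translate directly into a triage filter over a Process Monitor CSV export (File → Save… → CSV). The following is an added example, not code from the original post or from the sample: it flags registry lookups of the credential-store keys the post lists and any create/write of the two drop files, for the process name given. The log lines in Main are constructed for illustration, not a capture from the sample, and the column names are ProcMon's default export headers.

```csharp
// Added example: triage a ProcMon CSV export for the behaviour described above.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

static class ProcMonTriage
{
    // Credential-store registry paths named in the post (prefix match, case-insensitive).
    static readonly string[] CredentialKeys =
    {
        @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe",
        @"HKCU\Software\Google\Google Desktop\Mailboxes",
        @"HKCU\Software\Microsoft\Office\Outlook\OMI",
        @"HKCU\Software\DownloadManager\Passwords",
    };

    // Files the post reports being created under C:\ProgramData.
    static readonly string[] DropFiles =
    {
        @"C:\ProgramData\Browsers.txt",
        @"C:\ProgramData\Mails.txt",
    };

    // Minimal RFC 4180 splitter: ProcMon quotes every field and the Detail column
    // contains commas, so a plain string.Split(',') would misalign the columns.
    static List<string> SplitCsv(string line)
    {
        var fields = new List<string>();
        var cur = new StringBuilder();
        bool quoted = false;
        for (int i = 0; i < line.Length; i++)
        {
            char c = line[i];
            if (quoted)
            {
                if (c == '"' && i + 1 < line.Length && line[i + 1] == '"') { cur.Append('"'); i++; }
                else if (c == '"') quoted = false;
                else cur.Append(c);
            }
            else if (c == '"') quoted = true;
            else if (c == ',') { fields.Add(cur.ToString()); cur.Clear(); }
            else cur.Append(c);
        }
        fields.Add(cur.ToString());
        return fields;
    }

    // Returns one finding per matching event. Failed lookups (NAME NOT FOUND) are
    // kept on purpose: the attempt itself is the indicator.
    public static List<string> Triage(IEnumerable<string> csvLines, string processName)
    {
        var findings = new List<string>();
        bool haveHeader = false;
        int pIdx = -1, oIdx = -1, pathIdx = -1;
        foreach (var line in csvLines)
        {
            if (string.IsNullOrWhiteSpace(line)) continue;
            var f = SplitCsv(line);
            if (!haveHeader)
            {
                pIdx = f.IndexOf("Process Name");
                oIdx = f.IndexOf("Operation");
                pathIdx = f.IndexOf("Path");
                if (pIdx < 0 || oIdx < 0 || pathIdx < 0)
                    throw new ArgumentException("not a ProcMon CSV export: expected default column headers");
                haveHeader = true;
                continue;
            }
            if (f.Count <= Math.Max(pIdx, Math.Max(oIdx, pathIdx))) continue;
            if (!f[pIdx].Equals(processName, StringComparison.OrdinalIgnoreCase)) continue;

            string op = f[oIdx], path = f[pathIdx];
            bool regHit = op.StartsWith("Reg", StringComparison.Ordinal)
                && CredentialKeys.Any(k => path.StartsWith(k, StringComparison.OrdinalIgnoreCase));
            bool fileHit = (op == "CreateFile" || op == "WriteFile")
                && DropFiles.Any(d => path.Equals(d, StringComparison.OrdinalIgnoreCase));

            if (regHit) findings.Add($"credential-store lookup: {op} {path}");
            if (fileHit) findings.Add($"drop file: {op} {path}");
        }
        return findings;
    }

    static void Main()
    {
        // Constructed ProcMon CSV rows for illustration; not a capture from the sample.
        string[] log =
        {
            "\"Time of Day\",\"Process Name\",\"PID\",\"Operation\",\"Path\",\"Result\",\"Detail\"",
            "\"10:01:02.1 AM\",\"ziraat_limpi.exe\",\"4120\",\"RegOpenKey\",\"HKCU\\Software\\DownloadManager\\Passwords\",\"NAME NOT FOUND\",\"Desired Access: Read\"",
            "\"10:01:02.2 AM\",\"ziraat_limpi.exe\",\"4120\",\"CreateFile\",\"C:\\ProgramData\\Browsers.txt\",\"SUCCESS\",\"Desired Access: Generic Write, Disposition: OverwriteIf\"",
            "\"10:01:02.3 AM\",\"explorer.exe\",\"1532\",\"RegQueryValue\",\"HKCU\\Software\\DownloadManager\\Passwords\",\"SUCCESS\",\"Type: REG_SZ, Length: 2\"",
        };
        foreach (var hit in Triage(log, "ziraat_limpi.exe")) Console.WriteLine(hit);
    }
}
```

On the constructed rows above, the explorer.exe line is ignored because of the process filter, and the two ziraat_limpi.exe rows produce one credential-store finding and one drop-file finding. Extending CredentialKeys with the other vendor paths seen in the full ProcMon capture is the obvious next step.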

Analysis Pt 2:

Figure: Threads created when the malware is run
Notable classes and functions in the decompiled sample:
1. Dynamic
2. Encryption
3. FileZilla
4. GetActiveWindow
5. GonnyCam
6. IMVU
7. InternetDownloadManager
8. JDownloader
9. KeyHook (keylogging functions)
10. Paltalk
11. RecoverBrowsers
12. RecoverMail
13. Send (sends the logs to the C2)
14. Óµ (obfuscated class used to decrypt strings/text)
Figure: Record Keys function
Figure: Snippet of the SendLog function
Figure: C2 server/domain
Figure: Software and browsers whose passwords the malware collects and searches for
Figure: Snippet of the Encryption function
Relevant decompiled lines (class and line numbers as shown in the decompiler):

RecoverMail, line 65:
    Óµ.ØØØØ(executablePath, cmd, Encryption.RSMDecrypt(ƈƖƻƨÔ, bytes), false);

RSMDecrypt, line 5:
    Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(ƄƏƵÉ, new byte[8], 1);

Note the arguments: the salt is new byte[8], i.e. eight zero bytes, and the iteration count is 1, so the derived key material is a deterministic function of the hard-coded password ƄƏƵÉ alone. Nothing secret is added at runtime, which means the string decryption can be reproduced offline once that constant is read out of the binary.

To save the contents of Array02 from the debugger: go to Array02 → Show Memory Window → Save selection.

RecoverMail, line 53:
    string text = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\Mails.txt";

CommonApplicationData resolves to C:\ProgramData, so this is the Mails.txt file seen being created during the ProcMon run.
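Because the key derivation above uses a zero salt and a single iteration, an analyst can rebuild RSMDecrypt outside the sample. The block below is an added example and is not the sample's own Encryption class. What it takes from the page is only Rfc2898DeriveBytes(password, new byte[8], 1) (PBKDF2-HMAC-SHA1, the .NET default) followed by AES, as the conclusion states. Everything else is assumed and must be checked against dnSpy: a 32-byte key and 16-byte IV read consecutively from the KDF output, CBC mode and PKCS7 padding. The password string is a placeholder, not the ƄƏƵÉ constant, and the Encrypt helper exists only to build a round-trip test vector, since the malware itself only decrypts.

```csharp
// Added example: offline re-implementation of the sample's string decryption.
using System;
using System.Security.Cryptography;
using System.Text;

static class RsmDecryptor
{
    static Aes BuildAes(string password)
    {
        // Exactly as decompiled: salt = new byte[8] (all zeros), iterations = 1.
        // No runtime secret is mixed in, so key and IV depend on the password only.
        using var kdf = new Rfc2898DeriveBytes(password, new byte[8], 1);
        var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;        // ASSUMED: not visible on the page
        aes.Padding = PaddingMode.PKCS7;  // ASSUMED: not visible on the page
        aes.Key = kdf.GetBytes(32);       // ASSUMED key length; GetBytes is sequential,
        aes.IV = kdf.GetBytes(16);        // so the IV is the next 16 bytes of the stream
        return aes;
    }

    // Equivalent of Encryption.RSMDecrypt(string, byte[]) under the assumptions above.
    public static byte[] Decrypt(string password, byte[] cipherText)
    {
        using var aes = BuildAes(password);
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(cipherText, 0, cipherText.Length);
    }

    // Only used here to produce a test vector for the round trip.
    public static byte[] Encrypt(string password, byte[] plainText)
    {
        using var aes = BuildAes(password);
        using var enc = aes.CreateEncryptor();
        return enc.TransformFinalBlock(plainText, 0, plainText.Length);
    }

    static void Main()
    {
        // Placeholder; replace with the ƄƏƵÉ string constant read from the binary.
        const string password = "placeholder-password";

        // Round trip on a string that appears in the sample, to show the pipeline works.
        byte[] blob = Encrypt(password, Encoding.UTF8.GetBytes("Mails.txt"));
        Console.WriteLine("ciphertext (base64): " + Convert.ToBase64String(blob));
        Console.WriteLine("decrypted: " + Encoding.UTF8.GetString(Decrypt(password, blob)));

        // Real use: load the bytes saved via Show Memory Window → Save selection
        // (or the byte[] literal from dnSpy) into `blob` and call Decrypt on it.
        // A CryptographicException on padding is the usual sign that the assumed
        // key length, IV or mode is wrong; re-check RSMDecrypt in the decompiler.
    }
}
```

If the decrypted output is garbage rather than an exception, the most likely cause is the IV: some variants derive it from a separate Rfc2898DeriveBytes call or use a fixed IV, in which case only the Key line above applies.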
Figure: Strings in the first executable (IDA)
Figure: Strings in the second executable (PESTUDIO)

Conclusion:

IOCs extracted (MD5):
1. DC4200AC514006F084EAD7F83B84C928
2. 05468F42AEA663F756E4CDDC42491913
3. DC4CA15BD566DEF0259EDF6D0F692EB0
Capabilities: keylogging, password stealing for email clients and browsers
Encryption: AES
C2: http://ziraat-helpdesk.com/components/com_content/limpopapa/

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.