Phishing Campaign Malicious Files Analysis (New Phishing Campaign Targeting Cyprus “Request for Quotation (University of Cyprus)”)

Posted by & filed under Security Alerts.

File Details

Type PE32 executable (GUI) Intel 80386, for MS Windows
Size 1062992 bytes
MD5 80eb2f4facc593847ce5666635689fa3
SHA1 9e662e0af45a7fc82b2dd836820d3aa715dfdd77
SHA256 231c4ad3e3b57abc4e80a9e7aff9ab492dc20295da9daec656095c5b8af5635c
SHA512 beccc2a99dc69d8339a73300db1d9e33c47b881d7c1a422589bc3edc444d07ee3f9ba18eeed8f32213b527f754241c3afe0428565e6067353992337d1c92857c
Functions of the Malicious File

  • Checks if Microsoft Office is installed
  • Submission file is bigger than most known malware samples
  • Classification label
  • Creates files inside the user directory
  • Creates temporary files
  • Disables application error messages (SetErrorMode)
  • May try to detect the Windows Explorer process (often used for injection)
  • PE file has an executable .text section and no other executable section
  • Parts of this application use the VB 6.0 runtime library (probably coded in Visual Basic)
  • Performs DNS lookups
  • Posts data to webserver
  • Queries the cryptographic machine GUID
  • Reads software policies
  • Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
  • Some HTTP requests failed (404). It is likely the sample will exhibit less behavior
  • Spawns processes
  • Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • Urls found in memory or binary data
  • PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
  • Binary may include packed or encrypted code
  • Creates a process in suspended mode (likely to inject code)
  • Creates mutexes
  • Enables debug privileges
  • May sleep (evasive loops) to hinder dynamic analysis
  • PE file contains strange resources
  • Reads the hosts file
  • Sample file name differs from the original file name given in the version info
  • Tries to load missing DLLs
  • Uses a known web browser user agent for HTTP communication
  • Antivirus detection for unpacked file
  • Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
  • Tries to harvest and steal browser information (history, passwords, etc.)
  • Tries to harvest and steal FTP login credentials
  • Tries to steal mail credentials (via file access)
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Mitigation Steps

Please proceed with the detection and deletion of the files below, which were created by the malware.
File 1: C:\Users\user\AppData\Roaming\87EAD9\9CD990.hdb

Type Non-ISO extended-ASCII text, with no line terminators
MD5 AE501536B67ACC457C770FA05D5F46F8
SHA1 1C033FF6A52650B8979FC694A8945E533E74231C
SHA256 0217208B5F64BAF64C3F9B0EA7831257EA9A0F29A5AF8D67E246645A5865C2BA
SHA512 76E1190E641F0F38D907F26731CC1E36469D28BEB827F657FDAF7BB47BB775E2189E8DED43D333A47BE5085E7AF57772B66781A1C424C8592985AADE264A45AA
File 2: C:\Users\user\AppData\Roaming\87EAD9\9CD990.lck

Type very short file (no magic)
MD5 C4CA4238A0B923820DCC509A6F75849B
SHA1 356A192B7913B04C54574D18C28D46E6395428AB
SHA256 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA512 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
File 3: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227477682-2585267231-2215363254-1001\3135eda23b225cc6165555b12a32949e_600410b4-7d41-4743-bb5e-17120cb8243b

Type data
MD5 045E14DBA50BE72C42A6734D537723C8
SHA1 1E97345AC6A614EAC19A6B7583B5301C316A934C
SHA256 31E7F079E6918FC6E2759262CFDBC0144BFF329EEE983C6002AB9E2104CDB2C7
SHA512 72D0751C3410BCA5432277E7724EE682D69C3116ED6BD7C849A539925561F179EFEE03A4A25DAAC85259745D78B3AA00A05F6BD303D02E1DD4C03A106022890E
File 4: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2019-3-12.163.5652.1.aodl

Type data
MD5 B0123EEADA56BBB73AA0D70639E6073A
SHA1 7D3359543B865489E2816459AFFD95D2F88A61D6
SHA256 E280F72D9A5E8569DB398584D569DF1E78F01AA9666004CB679945D467DF97A9
SHA512 E545A3D3926C6EF21136FB73B90F1931BA143F51A043E75B518642E5CEB051909E14C55238FD913F85004D69E3E3CFCB2BE1C95B3D63172D16BB40E2F9C11512
File 5: C:\Users\user\AppData\Roaming\87EAD9\9CD990.lck

Type very short file (no magic)
MD5 C4CA4238A0B923820DCC509A6F75849B
SHA1 356A192B7913B04C54574D18C28D46E6395428AB
SHA256 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA512 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
File 6: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227477682-2585267231-2215363254-1002\90367eee3146d09e4f4b426cc7bd2065_600410b4-7d41-4743-bb5e-17120cb8243b

Type data
MD5 F0DE693DB21B95A470A6F4F20E9036A0
SHA1 8E3A13815F99BE424AE0F9237C1CFDD7CFABBE05
SHA256 B3AB0E751D0CE255988690B066D7375B257D1F80CCE4757C17443A87F5421E32
SHA512 90FA36DB1BA46F9F44B9C9B3461FD698B69B27210EAF748D21B5E2A49F90276EB9B2E5AF06DE7DBF67C8740A6814AFD08112E55C8BEF56EF882CE94798A43951
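The paths above come from a sandbox run: "user" is the sandbox account name and the S-1-5-21-... SID belongs to the sandbox profile, so on a real host they must be checked under every profile and every key-container SID directory. The following PowerShell script is an added example written for this alert (it is not the alert author's code or part of the sandbox report): it looks for the listed files under each profile in C:\Users, confirms each one by SHA256 before touching it, hunts for the dropper itself in the usual download locations using the size and SHA256 from "File Details", and only deletes when the hypothetical -Remove switch is given. File 5 repeats File 2 (same path and hashes), so it appears once in the indicator list. Run it from an elevated PowerShell prompt.

```powershell
# Added example for this alert (not the alert author's code): locate the files
# listed under "Mitigation Steps" on every user profile, confirm each one by
# SHA256 before touching it, and look for the dropper in common download paths.
# Assumptions: profiles live under C:\Users, the sandbox SID in the Crypto\RSA
# paths is replaced by a wildcard, and deletion is opt-in via -Remove.
[CmdletBinding()]
param(
    [switch]$Remove   # without it the script only reports what it would delete
)

# Dropper details copied from the "File Details" section of the alert.
$dropperSize   = 1062992
$dropperSha256 = '231c4ad3e3b57abc4e80a9e7aff9ab492dc20295da9daec656095c5b8af5635c'

# Dropped files from "Mitigation Steps": path relative to the profile, SHA256.
# File 5 repeats File 2 (same path and hashes), so it is listed once.
$indicators = @(
    @{ Rel = 'AppData\Roaming\87EAD9\9CD990.hdb'
       Sha256 = '0217208B5F64BAF64C3F9B0EA7831257EA9A0F29A5AF8D67E246645A5865C2BA' },
    @{ Rel = 'AppData\Roaming\87EAD9\9CD990.lck'
       Sha256 = '6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B' },
    @{ Rel = 'AppData\Roaming\Microsoft\Crypto\RSA\*\3135eda23b225cc6165555b12a32949e_600410b4-7d41-4743-bb5e-17120cb8243b'
       Sha256 = '31E7F079E6918FC6E2759262CFDBC0144BFF329EEE983C6002AB9E2104CDB2C7' },
    @{ Rel = 'AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2019-3-12.163.5652.1.aodl'
       Sha256 = 'E280F72D9A5E8569DB398584D569DF1E78F01AA9666004CB679945D467DF97A9' },
    @{ Rel = 'AppData\Roaming\Microsoft\Crypto\RSA\*\90367eee3146d09e4f4b426cc7bd2065_600410b4-7d41-4743-bb5e-17120cb8243b'
       Sha256 = 'B3AB0E751D0CE255988690B066D7375B257D1F80CCE4757C17443A87F5421E32' }
)

$findings = @()
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory) {
    foreach ($ioc in $indicators) {
        $pattern = Join-Path -Path $profile.FullName -ChildPath $ioc.Rel
        # Resolve-Path expands the SID wildcard; profiles without the file yield nothing.
        foreach ($hit in (Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)) {
            $hash = (Get-FileHash -Path $hit.Path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Path   = $hit.Path
                Sha256 = $hash
                Match  = ($hash -eq $ioc.Sha256)   # string -eq is case-insensitive
            }
        }
    }

    # Dropper hunt: pre-filter on the exact size from the alert so only candidates get hashed.
    $dirs = @('Downloads', 'Desktop', 'AppData\Local\Temp') |
        ForEach-Object { Join-Path -Path $profile.FullName -ChildPath $_ }
    $candidates = Get-ChildItem -Path $dirs -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $dropperSize }
    foreach ($c in $candidates) {
        $hash = (Get-FileHash -Path $c.FullName -Algorithm SHA256).Hash
        if ($hash -eq $dropperSha256) {
            $findings += [pscustomobject]@{ Path = $c.FullName; Sha256 = $hash; Match = $true }
        }
    }
}

if (-not $findings) {
    Write-Output 'None of the listed files were found.'
    return
}
$findings | Format-Table -AutoSize | Out-String | Write-Output

$confirmed = @($findings | Where-Object { $_.Match })
$suspect   = @($findings | Where-Object { -not $_.Match })
foreach ($f in $confirmed) {
    if ($Remove) {
        Remove-Item -Path $f.Path -Force
        Write-Output "Removed $($f.Path)"
    } else {
        Write-Output "Would remove $($f.Path) (re-run with -Remove)"
    }
}
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} path(s) exist but do not match the alert hashes; review them before deleting." -f $suspect.Count)
}
```

Two points worth keeping in mind when reading the results. The hashes given for 9CD990.lck are those of the single character "1" (its SHA256 is 6B86B273...), so the hash alone matches any one-byte file with that content; it is the 87EAD9 directory and file name that make it an indicator. The two entries under Microsoft\Crypto\RSA\<SID>\ sit in the user's CryptoAPI key-container store, which also holds legitimate keys, so remove only the file whose name and hash match and never the directory.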