Spam Email Contains a Very Large ISO file

Published: 2022-06-04
Last Updated: 2022-06-04 16:55:59 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This zipped email attachment was received a few days ago and block by antispam policy. It contained a very large ISO/EXE file similar to the diary published by Zavier [1] last week. Instead of using Remnux, I submitted this file to a sandbox. 

This is a summary of the result of the analysis. This malware communicate with the C2 site bitrat9300.duckdns[.]org over TCP/9300. This port is also used by Elasticsearch to connect to remote clusters.

Linux Command

sudo mount -o loop AMD8J46DH_ETRANFER_RECEIPT.iso /mnt
strings -t x AMD8J46DH_ETRANFER_RECEIPT.exe

File Size at Various Stages

-r-xr-xr-x. 1 guy guy 314572800 Jun  4 11:34 AMD8J46DH_ETRANFER_RECEIPT.exe
-rw-rw-r--. 1 guy guy 315176960 May 26 22:37 AMD8J46DH_ETRANFER_RECEIPT.iso
-rw-rw-r--. 1 guy guy   1888843 Jun  4 11:11 AMD8J46DH_ETRANFER_RECEIPT.zip

I noticed the EXE contained the following SmartAssembly URL. "SmartAssembly is an obfuscator that helps protect your application against reverse-engineering or modification, by making it difficult for a third-party to access your source code."[4]

http://www.smartassembly[.]com/webservices/UploadReportLogin/
http://www.smartassembly[.]com/webservices/Reporting/
http://www.smartassembly[.]com/webservices/UploadReportLogin/GetServerURL
http://www.smartassembly[.]com/webservices/Reporting/UploadReport2

VirusTotal currently doesn't have any detection for this malware, currently, Microsoft Defender detect this file as: Trojan: MSIL/AgentTelsa.AFFA!MTB [5]

Indicator of Compromise

bitrat9300.duckdns[.]org (C2)
9842e66708fabef15322d37f432929b28d60b0f240a1613454664917bcbdbf90  AMD8J46DH_ETRANFER_RECEIPT.zip
2b6edc8dd9b00ac316b6aa625f651c513ff614c01d2ca9dc55f0e4cfe5602312  AMD8J46DH_ETRANFER_RECEIPT.iso
02b1606269fdda72f84825701cba28a5a7c5f950a2b58d254b09ac35393fe81e  AMD8J46DH_ETRANFER_RECEIPT.exe

Bitrat Config File

BitRat {"Host": "bitrat9300.duckdns[.]org", "Port": "9300", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "e10adc3949ba59abbe56e057f20f883e", "Tor Process Name": "tor"}

Setup Schedule Task

C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\user\AppData\Roaming\namjs.exe'" /f

[1] https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670
[2] https://otx.alienvault.com/indicator/domain/bitrat9300.duckdns.org
[3] https://cybergordon.com/result.html?id=fa580bb0-3536-40ea-a8f3-172a2a571182
[4] https://www.red-gate.com/products/dotnet-development/smartassembly/
[5] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/AgentTesla.BFA!MTB&ThreatID=2147782052
[6] https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat
[7] https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)
Diary Archives