Spam Email Contains a Very Large ISO file
This zipped email attachment was received a few days ago and blocked by the antispam policy. It contained a very large ISO/EXE file, similar to the one in the diary published by Xavier [1] last week. Instead of using Remnux, I submitted this file to a sandbox.
This is a summary of the analysis results. The malware communicates with the C2 site bitrat9300.duckdns[.]org over TCP/9300, a port also used by Elasticsearch to connect to remote clusters.
Linux Command
sudo mount -o loop AMD8J46DH_ETRANFER_RECEIPT.iso /mnt
strings -t x AMD8J46DH_ETRANFER_RECEIPT.exe
File Size at Various Stages
-r-xr-xr-x. 1 guy guy 314572800 Jun 4 11:34 AMD8J46DH_ETRANFER_RECEIPT.exe
-rw-rw-r--. 1 guy guy 315176960 May 26 22:37 AMD8J46DH_ETRANFER_RECEIPT.iso
-rw-rw-r--. 1 guy guy 1888843 Jun 4 11:11 AMD8J46DH_ETRANFER_RECEIPT.zip
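The size listing above shows the pattern worth checking automatically at the mail gateway or in triage: a 1.8 MB zip expands to a 300 MB ISO carrying a 300 MB EXE, which only compresses that well if most of it is filler. The following added example, which is not part of the diary or any tool it mentions, extracts a zip in memory, hashes each member, computes the inflation ratio, and counts trailing 0x00 bytes so the padded payload stands out. The sample zip it builds is constructed inline (a small "MZ"-headed blob followed by 8 MiB of zeros), and the thresholds and size cap are assumptions to tune locally.

```python
import hashlib
import io
import random
import zipfile

# Added triage helper (hypothetical, not from the diary): report size inflation
# on extraction and the amount of trailing zero padding in each member, the
# pattern behind a ~1.8 MB zip expanding to a ~300 MB ISO/EXE.

def sha256_of(data: bytes) -> str:
    """Hex SHA-256, the same format used in the IoC list."""
    return hashlib.sha256(data).hexdigest()

def trailing_zero_bytes(data: bytes, chunk: int = 1 << 20) -> int:
    """Count contiguous 0x00 bytes at the end of data, scanning backwards chunk by chunk."""
    n = len(data)
    end = n
    while end > 0:
        start = max(0, end - chunk)
        stripped = data[start:end].rstrip(b"\x00")
        if stripped:
            return n - (start + len(stripped))
        end = start
    return n

def inflation_ratio(compressed_size: int, extracted_size: int) -> float:
    """How many times larger the extracted member is than its compressed form."""
    return extracted_size / compressed_size if compressed_size else float("inf")

def triage_zip(zip_bytes: bytes, min_ratio: float = 50.0, min_padding_fraction: float = 0.5,
               max_member_size: int = 512 * 1024 * 1024) -> dict:
    """Extract a zip in memory and flag members that inflate heavily and are mostly padding.

    Members larger than max_member_size are not read at all (zip-bomb guard) and are
    flagged on size alone.
    """
    report = {"zip_sha256": sha256_of(zip_bytes), "zip_size": len(zip_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member_size:
                report["members"].append({"name": info.filename, "size": info.file_size,
                                          "compressed": info.compress_size, "oversize": True})
                continue
            data = zf.read(info)
            padding = trailing_zero_bytes(data)
            report["members"].append({
                "name": info.filename,
                "sha256": sha256_of(data),
                "size": info.file_size,
                "compressed": info.compress_size,
                "ratio": round(inflation_ratio(info.compress_size, info.file_size), 1),
                "trailing_zero_bytes": padding,
                "padding_fraction": round(padding / info.file_size, 3) if info.file_size else 0.0,
                "oversize": False,
            })
    report["suspicious"] = any(
        m["oversize"] or (m["ratio"] >= min_ratio and m["padding_fraction"] >= min_padding_fraction)
        for m in report["members"]
    )
    return report

def build_constructed_sample(payload_size: int = 4096, padding: int = 8 * 1024 * 1024) -> bytes:
    """Constructed input: an 'MZ'-headed blob of non-zero bytes followed by zero padding, zipped."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    body = bytes(rng.randrange(1, 256) for _ in range(payload_size - 2))
    payload = b"MZ" + body + b"\x00" * padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CONSTRUCTED_RECEIPT.exe", payload)
    return buf.getvalue()

if __name__ == "__main__":
    for member in triage_zip(build_constructed_sample())["members"]:
        print(member)
```

Run against a real attachment, the member size and ratio alone are enough to route the file for analysis, and the trailing-zero count tells you whether the sandbox can safely work on a truncated copy.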
I noticed the EXE contained the following SmartAssembly URLs. "SmartAssembly is an obfuscator that helps protect your application against reverse-engineering or modification, by making it difficult for a third-party to access your source code."[4]
http://www.smartassembly[.]com/webservices/UploadReportLogin/
http://www.smartassembly[.]com/webservices/Reporting/
http://www.smartassembly[.]com/webservices/UploadReportLogin/GetServerURL
http://www.smartassembly[.]com/webservices/Reporting/UploadReport2
VirusTotal currently has no detection for this malware; Microsoft Defender detects the file as Trojan:MSIL/AgentTesla.AFFA!MTB [5].
Indicators of Compromise
bitrat9300.duckdns[.]org (C2)
9842e66708fabef15322d37f432929b28d60b0f240a1613454664917bcbdbf90 AMD8J46DH_ETRANFER_RECEIPT.zip
2b6edc8dd9b00ac316b6aa625f651c513ff614c01d2ca9dc55f0e4cfe5602312 AMD8J46DH_ETRANFER_RECEIPT.iso
02b1606269fdda72f84825701cba28a5a7c5f950a2b58d254b09ac35393fe81e AMD8J46DH_ETRANFER_RECEIPT.exe
Bitrat Config File
BitRat {"Host": "bitrat9300.duckdns[.]org", "Port": "9300", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "e10adc3949ba59abbe56e057f20f883e", "Tor Process Name": "tor"}
Scheduled Task Setup
C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\user\AppData\Roaming\namjs.exe'" /f
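That schtasks command line is a compact persistence signature: a task re-run every minute, pointing at a binary under the user's AppData\Roaming, created with /f so any existing task of that name is overwritten. The following added example, which is not from the diary, scores a schtasks.exe command line (for instance the CommandLine field of a process-creation event) against those three traits. The flag parser, the scoring weights and the list of user-writable directories are assumptions; the first sample command line is the one shown above, the second is a constructed benign comparison.

```python
import re

# Added detection helper (hypothetical, not from the diary): score a schtasks.exe
# command line for the persistence pattern above: a task re-run every minute
# from a user-writable path, created with /f.

# /flag followed by an optional value; a value never starts with "/", so a bare
# /f does not swallow the next flag.
SCHTASKS_FLAG = re.compile(r'/(sc|mo|tn|tr|ru|f)\b\s*("[^"]*"|(?!/)\S+)?', re.IGNORECASE)
USER_WRITABLE = re.compile(r'\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\', re.IGNORECASE)
CREATE = re.compile(r'schtasks(\.exe)?\b.*?\s/create\b', re.IGNORECASE)

def parse_schtasks(cmdline: str) -> dict:
    """Pull the flags of interest out of a schtasks command line."""
    args = {}
    for m in SCHTASKS_FLAG.finditer(cmdline):
        flag, value = m.group(1).lower(), m.group(2)
        if flag == "f":
            args["f"] = True
        elif value is not None:
            # /tr values are often double-quoted and then single-quoted, as above
            args[flag] = value.strip('"').strip("'")
    return args

def score_schtasks(cmdline: str, max_minutes: int = 5) -> dict:
    """Return a score with human-readable reasons; a score of 3 or more is worth a look."""
    result = {"score": 0, "reasons": [], "args": {}, "suspicious": False}
    if not CREATE.search(cmdline):
        return result
    args = parse_schtasks(cmdline)
    result["args"] = args
    if args.get("sc", "").lower() == "minute":
        try:
            every = int(args.get("mo", "1"))
        except ValueError:
            every = 1
        if every <= max_minutes:
            result["score"] += 2
            result["reasons"].append(f"re-runs every {every} minute(s)")
    if USER_WRITABLE.search(args.get("tr", "")):
        result["score"] += 2
        result["reasons"].append("task runs a binary from a user-writable directory")
    if args.get("f"):
        result["score"] += 1
        result["reasons"].append("/f silently overwrites an existing task of the same name")
    result["suspicious"] = result["score"] >= 3
    return result

SAMPLE_CMDLINES = [
    # command line observed in this diary
    r'''C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\user\AppData\Roaming\namjs.exe'" /f''',
    # constructed benign comparison: a nightly job run from Program Files
    r'''schtasks /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /ru SYSTEM''',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        verdict = score_schtasks(cmd)
        print(verdict["score"], verdict["suspicious"], "; ".join(verdict["reasons"]))
```

The same three traits map directly onto a Sysmon or EDR rule: parent of schtasks.exe, a minute-level trigger, and a /tr target outside Program Files or Windows.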
[1] https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670
[2] https://otx.alienvault.com/indicator/domain/bitrat9300.duckdns.org
[3] https://cybergordon.com/result.html?id=fa580bb0-3536-40ea-a8f3-172a2a571182
[4] https://www.red-gate.com/products/dotnet-development/smartassembly/
[5] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/AgentTesla.BFA!MTB&ThreatID=2147782052
[6] https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat
[7] https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu