Password stealer Trojan – Malware Analysis

Malware Analysis
1

Hi, I got this sample of malware shared on VirusBay.

Sample below:

SHA256: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad

Signature: Microsoft Visual C# v7.0/ Basic .Net and its a Windows forms application.

blg_03222020_9

Upon execution, this file drops below two files at location C:\Users\<UserProfile>\AppData\Local\Temp\

Dropped files:

C:\Users\<UserProfile>\AppData\Local\Temp\FB_2C02.tmp.exe

C:\Users\<UserProfile>\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51568e3a.exe (Application Server)

blg_03222020_10
blg_03222020_10714×52

blg_03222020_11
blg_03222020_11860×31

blg_03222020_7
blg_03222020_7860×185

Upon execution of this file, it take a screenshot of current screen and save at C:\Users\<UserProfile>\AppData\Local\Temp location.

Also it adds below file to startup programs.

  • cc3a68ce1dad95ce662e1c51568e3a.exe (Application Server)
  • And main malware sample file.

blg_03222020_14
blg_03222020_14860×51

FB_2C02.tmp.exe:

SHA256: A02CF7E4D01C3E04C0C6F723A541289A12C5D87ECC47F6B675D84A6B1B0A23B3

File description: Gomorrah

Signature: Microsoft Visual C# v7.0/ Basic .Net and its a Windows forms application.

I used ILSpy decompiler to decompile FB_2C02.tmp.exe. I could see the functions written to achive below purpose.

Purpose:

  1. Steal browser saved user account information.

blg_03222020_5

I used google chrome on which VM i was doing analysis. I could see this file has created a Passwords.txt file at C:\Users\<UserProfile>\AppData\Local\Temp\Passwords.txt

blg_03222020_15

blg_03222020_13

Decomplied code of executable which grab google chrome url, username and password.

blg_03222020_8
blg_03222020_8860×546

2. System Information.

This file also located at C:\Users\<UserProfile>\AppData\Local\Temp

blg_03222020_4

3. Outlook Password.

This file also located at C:\Users\<UserProfile>\AppData\Local\Temp. As I wasnt using outlook, the file was empty.

blg_03222020_17
blg_03222020_17699×306

4. Credit Card information

This file CC.txt which stores information about CC also located at C:\Users\<UserProfile>\AppData\Local\Temp. It was empty too.

Below code grab CC information from the browser.

blg_03222020_18
blg_03222020_18860×535

Just not from Google chrome but from all below,

  • Amigo
  • Brave
  • Kometa
  • Orbitium
  • Totch
  • Yandex

blg_03222020_7
blg_03222020_7860×185

It uploads all collected to the remote location. Though I am not able to see it is connecting to remote server anymore because when I ran this, got run time exceptions.

But it gets connected to below URL as its mentioned on VirusTotal detection.

blg_03222020_19
blg_03222020_19706×166

Summery:

Malware upload below information to remote server.

  • Web account passwords from web browsers.
  • Credit card information from web browser.
  • Outlook passwords.
  • Client machine information.

 

Thank you.

Article Link: https://malwr-analysis.com/2020/03/28/password-stealer-trojan-malware-analysis/