Previously, we have written about MalSpam attack in Japan.
Recently, we have found several emails that are being sent out targeting DBS users.
[ Sample used in the analysis ]
MD5: 0a7150f13a5ad4e496992374082232f8
SHA256: d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
Sample:
[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the .eml file d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A”
Opening up the .eml file with VisualStudio Code, we can see that the email contain a malicious DOC file(271-20170627-55147_109.doc).
We can also see the contents of that email.
============================================
Dear Customer,
This attached Advice is sent to you for information only.
This is an automatically generated notification.
Please do not reply to this email. Contact us at our corporate hotline at 1800-222-2200 between
8:30am to 6:15pm, for any service requests.
Yours Sincerely,
DBS Bank Ltd
============================================
However, we are more interested in the malicious DOC file. Let’s Base64code decode that back into a DOC file. After decoding that back to a file, we can see that this malicious DOC file contains VBA as shown in the image below.
As the VBA is quite short, we can extract out the decryption method and make use of dotnetfiddle to have a quick decryption of the strings. I’ve made a simple fiddle to show the deobfuscated strings here:
https://dotnetfiddle.net/uniQB6
As you can see here, the VBA will attempt to download the payload from
– http://wallpaperbekasi[.]co[.]id/bankadvise/271-20170627-55164_45PDF.exe
The downloaded payload is developed in VB.net.
A quick analysis on the downloaded payload indicates that it’s most likely a dropper.
So let’s load it up in OllyDbg and set a “BreakPoint” on “WriteProcessMemory”
Now let’s do right-click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.
Now you can step through it and eventually you will reach to this point as shown in the image below.
Now right-click on “Buffer” and click on “Follow in Dump” and you can find the dropped payload at 0x037C0150
Now dump out the dropped payload.
We can see that it’s yet another Obfuscated .NET malware.
We can use de4dot to deobfuscate it and we should get back a cleaner version of it as shown below.
As i don’t want to bore everyone. A quick look at the deobfuscated strings, the malware is most likely AgentTesla.
The stolen credentials are sent back via email to:
username: [email protected]
password: etou01315
I’ll update this post as i find time to take it apart.
Thanks & Regards
Jacob Soo
SHA-256:
========
Emails containing malicious Doc
d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
d38359359c5e7abc0b5118f2a7d2afa387b43ccdc52cf18d0e5fefc2f34bec0d
17224da53b266c1a7e487d95b57ad47c21dec82ca42056a785dd816555d46967
a988dd743fc359fc42d2c511f820c758dfc2c5c8301ced4bcfe5ac72672b1cdc
SHA-256:
========
Malicious Doc
db4703a6cea9b700cc17b527e7d0a4e228bdd41659bece18c65f0877724c87a4
SHA-256:
========
Downloaded Payload – 702a17b7accceaa6ffb817a3adf37323a34944d643cbb4524c4e6b7c0900c5e5
Dropped Obfuscated TeslaAgent – 4B6164F16309F6E8426FB89F4AF810929FE574B2EBB724F5CB2237863736E316
Deobfuscated TeslaAgent – 6EAD076346EC568160821BB47F49D463689656F102EDAA06DBA907FDAE3FD5AE
Article Link: http://www.vxsecurity.sg/2017/07/04/technical-teardown-dbs-malspam-attack-bank-fund-transfer/