This post describes the process of unpacking a malware delivered in a spam campaign. The described sample has been delivered on 1 October 2015 at 17:33 CEST.

Received: from ( ) by with ESMTP id ixqVA32rotPPduej2c (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))

The malicious sample is shipped as a ZIP-compressed executable, pretending to be a PDF document. After several stages of unpacking, we receive the payload belonging to the Dyreza malware family, a credential stealer.

There are 4 different executables involved in a chain of execution, leading to deployment of core malicious functions:

cc5d0acba5c7e0d62dd547641d9da1a1 - zatribmet.exe - an intermediate executable, which is dropped into the %TEMP% folder.

2 payloads, which are loaded by the RunPE technique, substituting in memory the 2 above samples. Note that the payloads' hashes (below) may vary, depending on the chosen method of dumping:

9a4a171db069af2b15d6f88759b08db0 - Payload #1 (Upatre - obfuscated & self-modifying downloader, prepares code and injects it into svchost.exe).

391476564923647.exe -> RunPE: Payload #1 -> injects code into svchost.exe -> downloads: zatribmet.exe -> RunPE: Payload #2

Unpacking

The 2 samples, 391476564923647.exe and zatribmet.exe, are carriers of payloads. The following focuses on retrieving these payload files.
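Retrieving a RunPE payload usually ends with a raw dump of the carrier process, in which the substituted image has to be located and cut out. The script below is an added example, not code from the original post: it scans a buffer for MZ headers, validates each candidate against the PE signature and optional-header magic, reads SizeOfImage from the optional header, carves that many bytes and hashes the result. The "dump" it runs on is constructed inline (two minimal PE-shaped blobs, one PE32 and one PE32+, plus a stray "MZ" that must be rejected); no real sample bytes are used. The hashes it prints are of in-memory-layout images, which is exactly why hashes of dumped payloads differ between dumping methods, as the post notes.

```python
import hashlib
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B


def parse_pe_header(buf, off):
    """Return (size_of_image, is_pe32plus) if a plausible PE header starts at buf[off], else None."""
    if buf[off:off + 2] != MZ_MAGIC or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe_off = off + e_lfanew
    # e_lfanew must land past the DOS header and inside the buffer; a huge value is junk
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe_off + 24 + 0x40 > len(buf):
        return None
    if buf[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    opt_off = pe_off + 4 + 20                      # signature (4) + IMAGE_FILE_HEADER (20)
    magic = struct.unpack_from("<H", buf, opt_off)[0]
    if magic not in (OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS):
        return None
    # SizeOfImage sits at offset 0x38 of the optional header in both PE32 and PE32+
    size_of_image = struct.unpack_from("<I", buf, opt_off + 0x38)[0]
    if size_of_image == 0:
        return None
    return size_of_image, magic == OPT_MAGIC_PE32PLUS


def carve_pe_images(buf):
    """Find every valid-looking PE image in buf and return offset, size, flavour and MD5 of the carved bytes."""
    found = []
    pos = 0
    while True:
        idx = buf.find(MZ_MAGIC, pos)
        if idx < 0:
            break
        hdr = parse_pe_header(buf, idx)
        if hdr is not None:
            size, plus = hdr
            image = buf[idx:idx + size]
            found.append({
                "offset": idx,
                "size_of_image": size,
                "pe32plus": plus,
                "md5": hashlib.md5(image).hexdigest(),
                "bytes": image,
            })
        pos = idx + 1   # advance by one byte so images embedded inside other images are found too
    return found


def build_fake_pe(size_of_image, pe32plus=False, filler=b"\x90"):
    """Construct a minimal, non-executable PE-shaped blob for the demo (hypothetical data, not a sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xF0 if pe32plus else 0xE0)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32PLUS if pe32plus else OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, 0x38, size_of_image)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0)
    header = bytes(dos) + PE_MAGIC + file_header + bytes(opt)
    return header + filler * (size_of_image - len(header))


# Constructed stand-in for a process memory dump: padding, a stray "MZ" with no valid
# header behind it, a PE32 image, more padding, a PE32+ image, trailing padding.
SAMPLE_DUMP = (
    b"\x00" * 0x200
    + b"MZ" + b"junk" * 8
    + build_fake_pe(0x1000)
    + b"\xCC" * 0x300
    + build_fake_pe(0x2000, pe32plus=True)
    + b"\x00" * 0x100
)


if __name__ == "__main__":
    for img in carve_pe_images(SAMPLE_DUMP):
        kind = "PE32+" if img["pe32plus"] else "PE32"
        print(f"offset=0x{img['offset']:X} size=0x{img['size_of_image']:X} {kind} md5={img['md5']}")
```

On a real dump, read the file into `buf` and write each `img["bytes"]` to disk; the carved file is still in memory layout (sections at their virtual addresses), so the MD5 will not match the same payload dumped with a tool that realigns sections to raw offsets.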