Malware Journey Day 24
Zeichnungen Muster.bin
SHA256 hash: CFD13DA57BB620EC32A6AD174D4D4CAC2C715AF8E7AAA57931574152F5FFFDD9
The goal again is to get to the unpacking stub. This is where Zeichnungen will allocate memory, decrypt the shellcode and execute it.
Normally I would set breakpoints on the first VirtualAlloc and VirtualProtect, but this isn't as easy as last time. In PE-bear I see that these functions are being called:
What looked most interesting to me were LoadLibraryA and IsDebuggerPresent. I decided to set lots of breakpoints on interesting functions just to learn how they interact with each other.
After the entry point, the first breakpoint I hit is GetProcAddress.
I am guessing this is the beginning of a DLL injection, but it is really dynamic linking because it is happening at runtime. I am most interested in the second argument of this API, which is the proc name.
This is the second parameter, and it is EnumSystemLocalesEx. What's so special about this that the malware author would want to obfuscate the call by using dynamic linking? Well, first it seems to try to find the region the computer is located in?
After the GetProcAddress I see this:
One thing to note is that breakpoints on VirtualAlloc, VirtualProtect and CreateRemoteThread all failed to hit. It seems this sample is trying to avoid detection by not referencing them through the IAT.
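One way to confirm what the missing breakpoints suggest, as an added example that is not part of the original post: a small Python import-table walker that lists what a PE actually imports and then flags watched API names that occur as clear-text strings in the file but not in the IAT. Such names are the tell-tale of GetProcAddress-style resolution at runtime, which is exactly why an IAT-based breakpoint never fires. The file it analyses is a constructed PE32+ built by `build_sample_pe` in the same block (test data, not Zeichnungen itself); the `WATCHED_APIS` list is my own choice. One caveat: many packers hash the names instead of keeping them in clear text, in which case the string check finds nothing and you fall back to breaking on GetProcAddress and reading its second argument, as done above.

```python
import struct

SECTION_RVA = 0x1000   # RVA of the single section in the constructed sample
SECTION_RAW = 0x200    # its file offset (headers are padded out to here)

# Names a packer typically resolves at runtime instead of importing (my choice).
WATCHED_APIS = ["VirtualAlloc", "VirtualProtect", "CreateRemoteThread",
                "GetProcAddress", "LoadLibraryA", "IsDebuggerPresent"]


def _cstr(pe, off):
    """NUL-terminated ASCII string at file offset `off`."""
    return pe[off:pe.index(b"\0", off)].decode("ascii")


def _sections(pe):
    """(VirtualAddress, size, PointerToRawData) for every section header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    base = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, base + i * 40 + 8)
        out.append((va, max(vsize, rawsize), raw))
    return out


def _rva_to_off(secs, rva):
    for va, size, raw in secs:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def parse_imports(pe):
    """Walk the import directory and return {dll: [name or 'ord#N', ...]}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B          # PE32+ or PE32
    thunk_fmt, thunk_size = ("<Q", 8) if plus else ("<I", 4)
    ordinal_flag = 1 << (63 if plus else 31)
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if plus else 96) + 8)[0]  # DataDirectory[1]
    imports = {}
    if imp_rva == 0:
        return imports
    secs = _sections(pe)
    desc = _rva_to_off(secs, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:                                         # all-zero terminator
            break
        names, thunk = [], _rva_to_off(secs, oft or ft)           # INT if present, else IAT
        while (entry := struct.unpack_from(thunk_fmt, pe, thunk)[0]) != 0:
            if entry & ordinal_flag:
                names.append(f"ord#{entry & 0xFFFF}")
            else:                                                 # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                names.append(_cstr(pe, _rva_to_off(secs, entry) + 2))
            thunk += thunk_size
        imports[_cstr(pe, _rva_to_off(secs, name_rva))] = names
        desc += 20
    return imports


def suspect_dynamic_apis(pe, watch=WATCHED_APIS):
    """Watched names present as clear-text strings but absent from the import table."""
    imported = {f for funcs in parse_imports(pe).values() for f in funcs}
    return [a for a in watch if a.encode() + b"\0" in pe and a not in imported]


def build_sample_pe(imports, stray_strings):
    """Constructed PE32+ (test data, not the post's sample): one section holding an
    import table for `imports` ({dll: [names]}) plus loose `stray_strings`, the way
    a packer keeps the names it later hands to GetProcAddress."""
    sec = bytearray(20 * (len(imports) + 1))       # descriptor array, patched in below
    descs = []
    for dll, funcs in imports.items():
        hints = []
        for f in funcs:                            # IMAGE_IMPORT_BY_NAME entries, WORD aligned
            hints.append(SECTION_RVA + len(sec))
            sec += struct.pack("<H", 0) + f.encode() + b"\0"
            sec += b"\0" * (len(sec) % 2)
        sec += b"\0" * (-len(sec) % 8)
        thunks = b"".join(struct.pack("<Q", h) for h in hints) + b"\0" * 8
        int_rva = SECTION_RVA + len(sec); sec += thunks            # OriginalFirstThunk
        iat_rva = SECTION_RVA + len(sec); sec += thunks            # FirstThunk (the IAT)
        name_rva = SECTION_RVA + len(sec); sec += dll.encode() + b"\0"
        descs.append(struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva))
    sec[:20 * len(descs)] = b"".join(descs)
    for s in stray_strings:
        sec += s.encode() + b"\0"
    sec += b"\0" * (-len(sec) % 0x200)

    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # Section/FileAlignment
    struct.pack_into("<II", opt, 56, SECTION_RVA + len(sec), SECTION_RAW)  # SizeOfImage/Headers
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8, SECTION_RVA, 20 * (len(descs) + 1))  # import dir
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), SECTION_RVA,
                          len(sec), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return hdr + b"\0" * (SECTION_RAW - len(hdr)) + bytes(sec)
```

Running `suspect_dynamic_apis(open("sample.bin", "rb").read())` on a real file gives the list of watched APIs you should not expect IAT breakpoints to catch; `parse_imports` on the same bytes is the list PE-bear shows in its imports tab, minus the UI. The walker follows OriginalFirstThunk when present and the IAT otherwise, so it also works on dumps where a packer has zeroed the INT.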
Well, it didn't call anything I was guessing.
From the return of GetProcAddress I see RtlDisownModuleHeapAllocation. Nothing interesting in the docs; basically freeing the heap.
Hitting this breakpoint I get excited, but find the file name is either obfuscated or just gibberish.
What this malware could be doing is modifying a function in the process?
OK, this is just the path to the packed file. Skip…
After a while I am just looping through GetProcAddress. Nothing good so far.
GetProcAddress seems to just be retrieving the system name, region and date so far.
After a while it has just been looping through GetProcAddress and GetModuleFileNameW. Time to skip these altogether.
It seems all of the above was a waste of time. I thought I had passed the entry point; it appears I hadn't. Haha. Makes more sense now.
Finally I hit LoadLibraryA, which is just loading something from kernel32.dll.
Next I hit CreateFileW, which appears to just create the exe for this binary. Next it creates MountPointManager. Interesting???
WriteFile just writes to the exe.
I hit IsDebuggerPresent. Time to change the result so it appears there is no debugger.
CreateFileW is creating "C:\Windows\Globalization\Sorting\sortdefault.nls". It seems to be trying to find the language of our system. After this my program crashes. Time to set breakpoints on CreateProcessInternalW and NtResumeThread.
The first CreateProcessInternalW seems to just be referencing itself.
I break on NtResumeThread since DLL injection suspends a process, so this should resume it. This is for injecting the unpacked code. When hitting NtResumeThread, I will need to attach to the other application.
The next breakpoint in the attached process is RtlUserThreadStart.
Ah. Finally hit VirtualAlloc.
Dumping it and running it gives me an error: first chance exception.
Due to this dead end it's time to try several automated unpacking services and see what I'm not finding.
VirusTotal and Malwoverview didn't give me much. I next tried unpac.me and was able to see the unpacked file and more details.
MalwareBazaar tells me the signature is AgentTesla.
Triage tells me this is a UPX packer.
So it appears this is an infostealer.
The use of these Windows API functions tells me it is trying to look for possible web browsers and email clients.
Joe Sandbox gives me nothing…
Although I have the unpacked file through unpac.me, it would be nice to see this manually. Currently where I am stuck is attaching to the next process when my main process hits NtResumeThread… In the second, attached process, hitting VirtualAlloc and dumping it fails.