Malware Analysis Backdoor.MSIL.Bladabindi-Static Analysis

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Thank you @Wave and @tim one! I enjoyed your explanation because (I hope the others don't misunderstand me; it's my fault since I study other things, but I like reading about security, malware and so on) when people write analyses like fisjicldflxjehkcjspshbdodbsisbdkxmsjdidb XD I understand almost nothing.
But you explained it in a way that even I understand.

Same for me, thank you guys!
The easier they are, the more people can understand and learn from them:)
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
@tim one well done analysis. This sample is interesting not only for its malicious features and the connection attempts it makes to the server to send the stolen files, but also because it is not encrypted. Usually with this type of malware we can analyze only a part of the code, because the majority of the original source code can be encrypted/obfuscated. So well done with the hunting of this BackDoor. I really like PEiD (even if it is not updated frequently), but it is really simple to use and very powerful. It lets us deeply scan our malicious .exe and analyze the most interesting parts of the identification of the sample, such as File Sections, malicious strings, etc. So, thanks for this thread. It is also easy to read, so anyone can read it and understand it!
 

tim one

Level 21
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
@tim one well done analysis. This sample is interesting not only for its malicious features and the connection attempts it makes to the server to send the stolen files, but also because it is not encrypted. Usually with this type of malware we can analyze only a part of the code, because the majority of the original source code can be encrypted/obfuscated. So well done with the hunting of this BackDoor. I really like PEiD (even if it is not updated frequently), but it is really simple to use and very powerful. It lets us deeply scan our malicious .exe and analyze the most interesting parts of the identification of the sample, such as File Sections, malicious strings, etc. So, thanks for this thread. It is also easy to read, so anyone can read it and understand it!
Thanks my friend. The fact that the sample is not obfuscated has a simple explanation: the malcoder is not bothered by the fact that his malware is analyzed; its objective is the maximum spread before it is detected by AVs, and the maximum gain that this backdoor can get. Furthermore, the code is probably a variant, slightly modified around the part relating to the connection and the server, but it is recycled code.
 

tim one

Level 21
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
One day, I will make an analysis of an obfuscated sample, only for you :) (even if I will post it for all members)
Thanks @DardiM for spending your free time doing these analyses.
As I always say: the worst part of this job is deobfuscating the code.
You're giving us great input in this direction :)
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Thanks my friend. The fact that the sample is not obfuscated has a simple explanation: the malcoder is not bothered by the fact that his malware is analyzed; its objective is the maximum spread before it is detected by AVs, and the maximum gain that this backdoor can get. Furthermore, the code is probably a variant, slightly modified around the part relating to the connection and the server, but it is recycled code.
Yes, from the screenshots I saw some connection methods which are reused in other parts of the source code.
 
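The posts above lean on PEiD-style triage (section table, strings) and on the fact that this sample is an unobfuscated .NET (MSIL) assembly. The script below is an added example, not part of the original thread and not derived from the Bladabindi sample discussed in it: it does the same first pass with only the Python standard library, reading the section table, checking for the CLR data directory that marks a .NET binary, and pulling ASCII and UTF-16LE strings. With no arguments it runs on a tiny PE image it constructs in memory; every header value and string in that image (the registry path, the netsh command, the host:port) is made up for the demo and is not taken from any real sample.

```python
"""PEiD-style static triage of a PE file using only the Python standard library.

Added example, not code from the original thread or from the sample analysed
there.  Run with a file path to triage a real binary; with no arguments it
triages a small constructed PE image (see build_sample_pe).
"""
import re
import struct
import sys

CLR_DIRECTORY_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
SECTION_FLAGS = {                 # subset of IMAGE_SCN_* characteristics
    0x00000020: "CODE", 0x20000000: "EXEC", 0x40000000: "READ", 0x80000000: "WRITE",
}


def build_sample_pe() -> bytes:
    """Constructed test input: a minimal PE32 with one section and a CLR directory
    entry.  All values and strings are invented for the demo, not from malware."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    optional = struct.pack(
        "<HBB9I6H4IHH6I",
        0x10B, 8, 0,                                              # PE32 magic, linker version
        0x200, 0, 0, 0x2000, 0x2000, 0x4000, 0x400000, 0x2000, 0x200,
        4, 0, 0, 0, 4, 0,                                         # OS/image/subsystem versions
        0, 0x4000, 0x200, 0,                                      # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x8540,                                                # GUI subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,                # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    )
    directories = [(0, 0)] * 16
    directories[CLR_DIRECTORY_INDEX] = (0x2008, 72)               # CLR header RVA inside .text
    optional += b"".join(struct.pack("<II", *d) for d in directories)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1A0, 0x2000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)                # CODE|EXEC|READ
    headers = (dos + coff + optional + section).ljust(0x200, b"\0")
    body = (
        b"mscoree.dll\0_CorExeMain\0"                             # what a .NET EXE stub imports
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0\0"  # constructed persistence path
        + "netsh firewall add allowedprogram".encode("utf-16-le") + b"\0\0"
        + b"c2.example.invalid:1337\0"                            # constructed, not a real C2
    ).ljust(0x200, b"\0")
    return headers + body


def parse_sections(data: bytes, table_offset: int, count: int) -> list:
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table_offset + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_offset": rawptr, "raw_size": rawsize,
            "flags": "|".join(n for bit, n in SECTION_FLAGS.items() if flags & bit),
            # a writable+executable section is a classic packer / unpacking-stub tell
            "suspicious_wx": bool(flags & 0x80000000 and flags & 0x20000000),
        })
    return sections


def extract_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_strings = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_strings = [m.decode("utf-16-le")
                    for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_strings, wide_strings


def triage(data: bytes) -> dict:
    """Return the header facts a first static pass cares about."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, n_sections = struct.unpack_from("<HH", data, coff)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_offset = {0x10B: 96, 0x20B: 112}[magic]                  # PE32 vs PE32+ layout
    n_dirs = struct.unpack_from("<I", data, opt + dir_offset - 4)[0]
    clr_rva = clr_size = 0
    if n_dirs > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + dir_offset + 8 * CLR_DIRECTORY_INDEX)
    ascii_strings, wide_strings = extract_strings(data)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "is_dotnet": clr_rva != 0,               # CLR header present => MSIL assembly
        "clr_header": (clr_rva, clr_size),
        "sections": parse_sections(data, opt + opt_size, n_sections),
        "ascii_strings": ascii_strings,
        "wide_strings": wide_strings,
    }


def report(result: dict) -> str:
    lines = [f"machine=0x{result['machine']:x} dotnet={result['is_dotnet']} "
             f"clr_header={result['clr_header']}"]
    for s in result["sections"]:
        mark = "  <-- W+X" if s["suspicious_wx"] else ""
        lines.append(f"  {s['name']:<8} va=0x{s['virtual_address']:x} "
                     f"raw=0x{s['raw_offset']:x}/0x{s['raw_size']:x} {s['flags']}{mark}")
    for kind in ("ascii_strings", "wide_strings"):
        lines.extend(f"  [{kind[:5]}] {text}" for text in result[kind])
    return "\n".join(lines)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(report(triage(blob)))
```

Point it at a real file (`python pe_triage.py sample.exe`) to get the same report on an actual binary. A non-zero CLR directory RVA is the reliable MSIL tell; PEiD's entry-point signature matching is a useful complement that this script does not reproduce. On an unobfuscated .NET sample the string pass exposes host names, registry paths and commands directly, which is why the thread found this one easy to read; on an obfuscated build those runs are typically absent and the interesting data sits in short encrypted blobs instead.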
