Interesting .NET malware disassembly
<blockquote data-quote="Andy Ful" data-source="post: 896567" data-attributes="member: 32260"><p>The initial malware (<strong><span style="color: rgb(184, 49, 47)">malware.exe</span></strong>) drops two files: <span style="color: rgb(184, 49, 47)"><strong>&startupname&.exe</strong></span> (internal name BSCPQ.exe) and <span style="color: rgb(41, 105, 176)"><strong>tmp1F0.tmp</strong></span> (XML script). It also adds a scheduled task to execute the script <span style="color: rgb(41, 105, 176)"><strong>tmp1F0.tmp</strong></span>. This script executes <strong><span style="color: rgb(184, 49, 47)">&startupname&.exe</span></strong> (probably Agent Tesla malware).</p><p></p><p>The <strong><span style="color: rgb(184, 49, 47)">malware.exe</span></strong> also uses the legitimate system file <span style="color: rgb(0, 168, 133)"><strong>RegSvcs.exe</strong></span>, which spawns <strong><span style="color: rgb(0, 168, 133)">Reg.exe</span></strong> (also legitimate) to establish persistence via "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and run the executable <span style="color: rgb(0, 168, 133)"><strong>oPLNOE.exe</strong></span> from the user profile. The <span style="color: rgb(0, 168, 133)"><strong>oPLNOE.exe</strong></span> is a copy of <strong><span style="color: rgb(0, 168, 133)">RegSvcs.exe</span></strong>.</p><p>If I remember correctly, RegSvcs.exe is a target of shellcode injection in Agent Tesla malware.</p></blockquote><p></p>
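The two persistence paths Andy Ful describes (a scheduled task whose action runs a dropped executable, and Reg.exe launched from RegSvcs.exe to add an HKCU Run value pointing into the user profile) are easy to hunt for in telemetry. The script below is an added example written for this thread, not code from the post or from the analysed sample. The task XML and the process-creation events are constructed to mirror the behaviour described above; the file paths, the victim user name and the set of ".NET utilities that should not spawn reg.exe" are assumptions.

```python
"""Triage helpers for the persistence described above: a task action that runs a
dropped binary, and reg.exe writing an HKCU Run value. All inputs are constructed."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumed user-writable roots; a standard user can drop binaries here.
_USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|[A-Za-z]:\\Users\\[^\\]+\\)",
    re.IGNORECASE,
)
# Per-user Run key, in either short or long hive notation.
_HKCU_RUN = re.compile(
    r"^HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE,
)
# .NET framework utilities that have no business launching reg.exe (assumed list).
DOTNET_UTILITY_PARENTS = {"regsvcs.exe"}

# Constructed sample: a task definition of the kind the dropper registers (paths assumed).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\victim\AppData\Roaming\BSCPQ\BSCPQ.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: process-creation events (parent image, image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\victim\Desktop\malware.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v oPLNOE /t REG_SZ /d "C:\Users\victim\AppData\Roaming\oPLNOE.exe" /f'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]


def is_user_writable_path(path: str) -> bool:
    """True when the path sits under a profile directory a standard user controls."""
    return bool(_USER_WRITABLE.match(path.strip().strip('"')))


def suspicious_task_actions(xml_text: str) -> list[str]:
    """Return Exec commands in a task XML that point into a user-writable location."""
    root = ET.fromstring(xml_text)
    hits = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        cmd = (exec_node.findtext(TASK_NS + "Command") or "").strip().strip('"')
        if is_user_writable_path(cmd):
            hits.append(cmd)
    return hits


def _tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths (with spaces) as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline: str):
    """Return (key, value_name, data) for a 'reg add' command line, else None."""
    toks = _tokens(cmdline)
    if len(toks) < 3 or PureWindowsPath(toks[0]).name.lower() not in {"reg", "reg.exe"}:
        return None
    if toks[1].lower() != "add":
        return None
    opts, i = {}, 3
    while i < len(toks):
        if toks[i].lower() in {"/v", "/t", "/d"} and i + 1 < len(toks):
            opts[toks[i].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1
    return toks[2], opts.get("/v"), opts.get("/d")


def detect_run_key_persistence(events: list[dict]) -> list[dict]:
    """Flag reg.exe writes to the HKCU Run key, noting whether the target binary lives
    in the user profile and whether the parent is an unexpected .NET utility."""
    findings = []
    for ev in events:
        parsed = parse_reg_add(ev["cmdline"])
        if parsed is None:
            continue
        key, value_name, data = parsed
        if not _HKCU_RUN.match(key):
            continue
        parent = PureWindowsPath(ev["parent"]).name.lower()
        findings.append({
            "rule": "hkcu_run_add",
            "value_name": value_name,
            "target": data,
            "target_in_user_profile": is_user_writable_path(data or ""),
            "parent": parent,
            "parent_is_dotnet_utility": parent in DOTNET_UTILITY_PARENTS,
        })
    return findings


if __name__ == "__main__":
    print("task actions:", suspicious_task_actions(SAMPLE_TASK_XML))
    for finding in detect_run_key_persistence(SAMPLE_EVENTS):
        print("finding:", finding)
```

The two checks deliberately key on the chain rather than on the file names (&startupname&.exe, oPLNOE.exe are per-sample and will change): a task or Run value whose target lives under the user profile, and reg.exe whose parent is a .NET framework utility, are the parts of the behaviour that survive a rebuild of the dropper. Running the block on the constructed events yields one finding for the Run-key write from under RegSvcs.exe and none for the benign reg query from explorer.exe.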