2020-09-16 01:42:10 Author: www.vmray.com(查看原文) 阅读量:145 收藏
After more than a decade in operation, the Qbot Trojan is . A that ran from March to the end of June. Then this same modified version was used, in some cases, as the payload for the Emotet Trojan campaign in July that .
First discovered in 2008, Qbot has evolved from a banking Trojan which steals online banking credentials to becoming a , capable of not only stealing credentials but also distributing ransomware and performing other malicious activity.
This Malware Analysis Spotlight focuses on one of the methods used to deliver Qbot and highlights some interesting features of the delivery process leading to the . In contrast to commonly used delivery techniques through documents with embedded VBA macros, the payload used in this sample is disguised as properties of different objects. This can bypass static analysis because the referenced properties have to be taken into account to see the full behavior of the macro.
View the VMRay Analyzer Report for Qbot
Analysis of a Qbot Delivery Method
The initial delivery method is using a Word document with an embedded VBA macro. The macro is referencing data hidden inside a forms object also embedded inside the document. From the label embedded in the form, it extracts a Visual Basic script, drops it into a file and executes it by starting explorer.exe with the script as an argument (Figure 1). The tool oledump by Didier Stevens is also capable of extracting information from user forms as has been demonstrated in Maldoc: Payloads in User Forms.
Figure 1: Malicious document with “hidden” data.
The VBS contains a lot of noise including a variable declaration for errors and messages, and a header claiming the original name of the file is winrm.vbs.
The actual purpose it serves is to write a set of commands into a .cmd file which it then executes. This functionality is located near the middle of the file, surrounded by the previously mentioned noise.
The written invokes Powershell with commands as arguments, which then downloads the payload from one of the hard-coded domains to “C:\BlotRoots\Loterious.exe and executes it with the standard alias saps (Figure 2).
Figure 2: VMRay Analyzer Behavior – Powershell downloads next stage.
The final payload is Qbot. It contains multiple evasion techniques and at this stage, it enumerates over existing processes and compares them against a hard-coded list (Figure 3). Next, it sets a mutex, drops a copy of itself with a random name together with a configuration file into the %AppData% directory and starts 3 new processes. The first one is using current process’s base image but this time uses the parameter “/C”, the second one has the image located in %AppData% as base and takes no parameters, the third one is executing a command which overwrites the Loterios.exe image with calc.exe (Figure 4).
Figure 3: VMRay function log – Enumerate processes and compare against an internal list
Figure 4: VMRay Analyzer Behavior – Creation of new processes.
The new process that was started with the “/C” parameter is responsible for the anti-analysis techniques. Just as before it enumerates running processes and internal list, it also uses the SetupAPI to enumerate devices and compare them against a hard-coded list. The next check it performs is to verify that none of the currently loaded DLLs is one on his list (Figure 5).
Figure 5: VMRay function log – Device enumeration (left) and DLL enumeration (right)
Finally, it verifies that the name of the sample doesn’t contain one of the following strings (Figure 6):
- sample
- mlwr_smpl
- artifact.exe
Figure 6: VMRay function log – Verify the sample’s name
After the attempts to identify an artificial environment, the final stage is injected into explorer.exe at address 0x28e0000 (Figure 7).
Figure 7: VMray Analyzer Behavior – Injection into process.exe at address 0x028e0000
This payload then decrypts one of its resources with the name “307” and loads it at address 0x02AC0000 (Figure 8). This resource is one of the core modules of Qbot. A more detailed analysis of Qbot can be found in Deep Analysis of Qbot Banking Trojan.
Figure 8: VMRay function log and Behavior – Find resource and allocate memory for it (left) and a dump of that memory region (right).
Conclusion
In this analysis, we can see that the delivery can be split up into multiple stages, whereby each stage has its own purpose.
However, we can easily follow the path of delivery and observe Qbot’s detection mechanism and its further behavior. The memory dumping ability of VMRay’s Analyzer eases the access to Qbots core modules loaded in memory.
One day after we collected the sample, the payload was either deleted or replaced by putty. This means that opening the document now can result in downloading and executing putty instead of Qbot.
IOCs
Sample
b2946daf21b5a0d9c70f32230f6e511ff4aeb939fc8f9a5d372a67f932483c4d
Payload
37790b6946072ccacb7cf9be694b962deee2c53818449eba20f450389d0cfa4a
Network
hxxp://rijschoolfastandserious[.]nl hxxp://nanfeiqiaowang[.]com hxxp://forum[.]insteon[.]com hxxp://webtest[.]pp[.]ua hxxp://quoraforum[.]com/ hxxp://quickinsolutions[.]com hxxp://bronco[.]is hxxp://studiomascellaro[.]it hxxp://craniotylla[.]ch hxxp://marineworks[.]eu
IP Addresses
173.172.205.216 66.25.168.167 201.216.216.245 75.182.220.196 188.25.26.41 213.67.45.195 68.134.181.98 68.190.152.98 75.183.171.155 67.165.206.193 75.170.94.218 73.137.184.213 190.24.177.147 188.173.70.18 216.146.110.68 98.190.24.81 209.137.209.163 189.210.114.157 93.151.180.170 188.26.11.29 186.82.157.66 108.46.145.30 71.197.126.250 175.111.128.234 24.71.28.247 66.26.160.37 71.163.224.206 207.255.161.8 47.153.115.154 72.209.191.27 76.170.77.99 47.153.115.154 100.4.173.223 200.75.136.78 100.37.36.240 93.113.177.152 77.27.173.8 67.170.137.8 108.185.113.12 72.28.255.159 24.37.178.158 207.255.161.8 2.90.92.255 166.62.180.194 103.238.231.40 71.182.142.63 71.56.53.127 35.134.202.234 172.87.134.226 73.227.232.166 190.77.170.197 79.115.145.90 72.240.200.181 72.142.106.198 98.11.125.62 69.123.179.70 187.214.9.138 69.11.247.242 72.214.55.195 189.140.61.205 68.174.15.223 172.78.30.215 68.225.56.31 24.234.86.201 71.80.66.107 96.20.108.17 95.76.185.240 173.173.72.199 188.51.3.210 115.21.224.117 209.182.122.217 70.164.39.91 70.95.118.217 24.116.227.63 98.4.227.199 144.202.48.107 2.7.65.32 178.222.12.162 75.137.239.211 94.59.241.189 73.60.148.209 73.30.244.90 206.51.202.106 70.123.92.175 189.163.82.104 182.185.40.22 36.230.79.179 95.77.144.238 187.163.101.137 95.77.223.148 73.214.248.17 189.130.26.216 66.57.216.53 70.164.37.205 24.44.142.213 159.0.126.131 72.82.15.220 24.122.157.93 207.255.161.8 186.6.197.11 99.231.221.117 188.241.159.208 2.89.74.34 24.46.40.189 68.4.137.211 189.183.72.138 74.73.120.226 86.153.98.126 24.229.150.54 134.228.24.29 151.205.102.42 96.234.20.230 96.232.163.27 208.93.202.49 47.44.217.98 45.32.154.10 98.240.24.57 5.15.65.198 5.193.155.181 80.240.26.178 45.77.215.141 207.246.71.122 67.8.103.21 199.247.16.80 207.246.75.201 49.191.3.234 73.228.1.246 24.139.132.70 76.187.12.181 92.59.35.196 50.244.112.10 108.27.217.44 199.116.241.147 24.201.79.208 217.162.149.212 59.98.248.254 96.41.93.96 50.244.112.106 78.100.229.44 86.182.234.245 71.126.139.251 165.120.230.108 80.195.103.146 89.247.217.163 216.201.162.158 197.210.96.222 117.218.208.239 174.80.7.235 98.26.50.62 199.247.22.145
如有侵权请联系:admin#unsafe.sh