Monday, February 20, 2017

Bolik variants: Analysis

Introduction
We came across an interesting malware family today, named Bolik. We carried out our analysis on one of the Bolik variants that is currently circulating in the wild.
Short description of the Bolik variants
A multicomponent polymorphic file virus that can infect file objects on 32-bit and 64-bit versions of Microsoft Windows. It is designed to perform web injections, intercept traffic, take screenshots, perform keylogging, and steal login credentials for online banking applications. It can also establish reverse RDP connections (back connect) and launch a local SOCKS5 proxy server and an HTTP server in order to execute CMD commands. The virus is known to inherit several characteristic features from Trojan.Carberp and Trojan.PWS.Panda (Zeus).
Sample Details
MD5:     8fba6db8fb1a6caedc0d0b5364f3d30e
SHA-1:   ba03bb635d7202ab20485bae7938843a114acbe0
SHA-256: 6c9be80fcc455459876335ec87b3ea0c0032f4d6abb98a88e1f34e82b22ebbb2
Size:    1.4 MB (1509072 bytes)
Type:    Win32 EXE
Magic:   PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable MS Visual C++ (generic) (42.2%)
  Win64 Executable (generic) (37.3%)
  Win32 Dynamic Link Library (generic) (8.8%)
  Win32 Executable (generic) (6.0%)
  Generic Win/DOS Executable (2.7%)

FileVersionInfo properties
Copyright:              VULCAN 2015
Product:                Rejestrowanie licencji (Polish: "License registration")
Original name:          stub32i.exe
Internal name:          stub32
File version:           Edycja na rok szkolny 2015/2016 wraz z aktualizacjami (Polish: "Edition for the 2015/2016 school year, with updates")
Description:            Aktualizowano:15.12.2014 (Polish: "Updated: 15.12.2014")
Comments:               Rejestracja programów Optivum (Polish: "Registration of Optivum programs")
Signature verification: The digital signature of the object did not verify.
Signing date:           6:57 AM 1/8/2017

MD5: 8fba6db8fb1a6caedc0d0b5364f3d30e
Interesting strings found:
This file appears to be an installer. Typical program installers are seen in legitimate applications as well as in potentially unwanted applications; they look for free disk space, the system folder and the Windows folder, load language resources, and so on. The wizard buttons, dialog boxes and .pkg references below are characteristic of installer files.
strings   [RICHED32.DLL]
strings   [\SYSTEM32]
strings   [CommonFilesDir]
strings   [ProgramFilesDir]
strings   [SOFTWARE\Microsoft\Windows\CurrentVersion]
strings   [%spftw%d.pkg]
strings   [welcome]
strings   [LoadLanguage Failed]
strings   [ext.dll]
strings   [PackageShutdown]
strings   [UnpackFile]
strings   [PackageStartup]
strings   [%s - %s]
strings   [WizardButtons]
strings   [Dialog%d]
strings   [Dialog1005]
strings   [FinishButton]
strings   [Dialog1006]
strings   [Strings]
strings   [Unable to Execute!]
strings   [{\rtf1]
strings   [Dialog1000]
strings   [pftw%d.pkg]
strings   [rename]
strings   [wininit.ini]
strings   [SYSTEM]
strings   [System]
strings   [kernel32.dll]
strings   [GetDiskFreeSpaceExA]
strings   [MPR.DLL]
strings   [WNetUseConnectionA]
strings   [WNetCancelConnectionA]
strings   [IDD_WIZ97SHEET]
strings   [MS SHELL DLG]

strings   [wwwwwwwx]
strings   [IDD_WIZ97SHEET]
strings   [MS Shell Dlg]
strings   [msctls_progress32]
strings   [Progress1]
strings   [Overwrite Protection]
strings   [MS Shell Dlg]
strings   [Cancel]
strings   [Y&es to All]
strings   [N&o to All]
strings   [The following file is already installed on your system:]
strings   [Static]
strings   [Do you wish to overwrite this file?]
strings   [MS Shell Dlg]
strings   [RICHEDIT]
strings   [MS Shell Dlg]
strings   [RICHEDIT]
strings   [MS Shell Dlg]
strings   [MS Shell Dlg]
strings   [should not see me]
strings   [MS Shell Dlg]
strings   [MS Shell Dlg]
strings   [MS Shell Dlg]

strings   [ the specified path.=Unable to create the specified output folder.  Bad path name.*Unable to start the decompression process!5The EXE file has been corrupted.  Unable to continue.]
strings   [-Unable to execute the specified command line!ZThis program is used internally by PackageFromTheWeb.  It should not be executed directly."Bad or missing header information!]
strings   ['Do you wish to cancel the installation?]
strings   [,Insufficient disk space to open the package!!Security error! Invalid password.]
strings   [Memory allocation failure!]
strings   [%General failure reading this package.]
strings   [Bad cabinet version.]
strings   [CRC failure.!System error during decompression]
strings   [version]
strings   [Unpacking %s...]
strings   ["The specified drive does not exist]
strings   [&Please free up %.2f %s and click Retry]
strings   [&Finish]
strings   [8,MS Shell Dlg]

Manual extraction:
I manually extracted the file, and it contains two files.
vLicencje.exe
MD5: A5F552B52AEF920C304F459EFAF81050
I searched for the sample on VT and it showed a clean result (uploaded 2 years back). So I just went for the reanalyze option to see the current status of that file. Still zero hits.
Last submission:
2014-12-01 20:35:33 vLicencje.exe 42b28184 (api) FR
Current status: https://virustotal.com/en/file/4b16b23621d116504d5c7052bae11f1ba5db6abda1410aef50fb788758603482/analysis/1483860324/

cd.ini
MD5: 35C2F9BCA930B93707E568755E0E5D2D


Dynamic analysis:
It creates a folder in system32.
Location: \system32\Ozokquyclu
Inside that location, three files are created:
Ytraohy.exe
MD5: 9C45D38B74634C9DED60BEC640C5C3CA
WINMM.dll
MD5: 0C2B5A436F6CF7298C6B463FBCCE79F8
A non-PE file named Iqunak.tue
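As an added example (not part of the original write-up), a small Python sweep that hunts for the artifacts listed above: it compares file MD5s against the hashes quoted on this page and flags the drop pattern seen in the dynamic analysis, an EXE beside a file named WINMM.dll inside a subfolder of system32. The directory tree built by demo() is constructed for the test, and the Windows path layout is an assumption.

```python
import hashlib, os, tempfile
from pathlib import Path

# MD5 values quoted in the analysis above: the dropper, the two files extracted
# from it, and the two PE files dropped into the system32 subfolder.
KNOWN_MD5 = {
    "8fba6db8fb1a6caedc0d0b5364f3d30e": "Bolik dropper (stub32i.exe)",
    "a5f552b52aef920c304f459efaf81050": "vLicencje.exe (extracted)",
    "35c2f9bca930b93707e568755e0e5d2d": "cd.ini (extracted)",
    "9c45d38b74634c9ded60bec640c5c3ca": "Ytraohy.exe (dropped)",
    "0c2b5a436f6cf7298c6b463fbcce79f8": "WINMM.dll (dropped)",
}

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def scan(root, known=KNOWN_MD5):
    """Walk root; return (path, reason) pairs for hash hits and the drop pattern."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        for name in filenames:
            try:
                digest = md5_of(d / name)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in known:
                findings.append((str(d / name), "known hash: " + known[digest]))
        # Pattern from the dynamic analysis: an EXE beside a file named WINMM.dll in a
        # subfolder of system32 (the genuine WINMM.dll lives in system32 itself).
        lower = {n.lower() for n in filenames}
        if d.parent.name.lower() == "system32" and "winmm.dll" in lower \
                and any(n.endswith(".exe") for n in lower):
            findings.append((str(d), "exe + WINMM.dll in a system32 subfolder"))
    return findings

def demo():
    """Constructed tree (not a real infection) exercising both checks; returns reasons."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp, "Windows", "system32", "Ozokquyclu")
        drop.mkdir(parents=True)
        for name in ("Ytraohy.exe", "WINMM.dll", "Iqunak.tue"):
            (drop / name).write_bytes(b"constructed " + name.encode())
        (drop.parent / "notepad.exe").write_bytes(b"benign placeholder")
        sample = Path(tmp, "stub32i.exe")
        sample.write_bytes(b"constructed dropper stand-in")
        # Constructed bytes cannot match the real hashes, so register the stand-in's MD5.
        known = {**KNOWN_MD5, md5_of(sample): "constructed dropper stand-in"}
        return sorted(reason for _, reason in scan(tmp, known))
```

The benign notepad.exe placed directly in system32 is not reported, since the pattern check only fires for a subfolder of system32.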
