RegAsm-Cleaned.bin Malware Analysis

Sheri_s.k
3 min read · Jun 27, 2021

Let’s start the analysis by checking whether the file is packed.

[Figure: PEiD output]
  • From the figure we can see that the file is not packed and that it was written in “Microsoft Visual C#/Basic .NET”.

Now let’s check the strings.

Strings -n {Min_length_of_String} "fileName" > "outputFileName"
[Figure: strings referencing zip and encrypted files]
  • The file contains a huge number of strings; most of them seem to deal with checking for encrypted files and zip files, extracting encrypted passwords and usernames, and decrypting with cryptographic algorithms such as RC4.
  • From some strings we can see that the file is able to create files, check directories, compute hash values, delete things and much more.
  • Diving deeper, we see strings like “windows secure note” and “windows web password credentials”, linked with commands like getpasswords and usernames, which suggests it is trying to fetch as many details as possible.
  • There are text file names like DomainDetect.txt and Passwords_Edge.txt, which appear to be the files used to store the results of the password and credential extraction.
[Figure: VPN and bitcoin strings]
[Figure: browser strings]
  • In addition, there are history, cookies and download_history strings, together with many browser names including major browsers such as Google Chrome. These clearly show that it is trying to steal credentials. Besides that, it even tries to get VPN, proxy, bitcoin wallet and social network credentials, such as Telegram.
[Figure: IOC strings]
  • There are many malicious websites in the file, which helps us use them as IOCs for this malicious program.
[Figure: server strings]
  • It even tries to fetch server usernames and passwords for POP3, SMTP and so on, and the servers the system recently tried to connect to, via log files.

So far, we can say the program is capable of stealing many kinds of credentials and details, and can also decrypt some encrypted and encoded files.

Let’s check the PE header details.

  • From the DOS stub and the PE signature we can confirm that it is an EXE.
[Figure: import table]
  • The import table contains only one DLL with one function, _CorExeMain, which is found in every .NET executable and “initializes the common language runtime (CLR), locates the managed entry point in the executable assembly’s CLR header, and begins execution.”
[Figure: resources]
  • It seems to contain resources, but nothing of note can be found there.
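The two checks above (DOS stub plus PE signature to confirm an executable, and the single `_CorExeMain` import to identify a .NET assembly) can be automated. As an added example that is not part of the original post, the parser below walks the DOS header, the `PE\0\0` signature, the COFF file header and the optional header, and then reads data directory entry 14, the CLR runtime header. A non-zero CLR directory is the header-level counterpart of the `mscoree.dll!_CorExeMain` import: the loader uses it to find the managed entry point, so it is the standard way to confirm a managed assembly without trusting a PEiD signature. Because the write-up's sample is not available here, `build_sample_pe` constructs a minimal PE32 header with or without a CLR directory purely to exercise the parser; it is not the analysed file, and it carries no sections or code.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def inspect_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    info = {"has_mz": False, "has_pe_signature": False, "is_executable": False,
            "is_dll": False, "machine": None, "pe_format": None, "has_clr_header": False}
    try:
        if data[:2] != b"MZ":
            return info
        info["has_mz"] = True
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of PE signature
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return info
        info["has_pe_signature"] = True
        coff = e_lfanew + 4
        # COFF file header: Machine, NumberOfSections, TimeDateStamp,
        # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
        machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
        info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
        info["is_executable"] = bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE)
        info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:
            info["pe_format"], count_off = "PE32", 92    # NumberOfRvaAndSizes offset
        elif magic == 0x20B:
            info["pe_format"], count_off = "PE32+", 108
        else:
            return info
        n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
        dir_off = opt + count_off + 4 + CLR_DIRECTORY_INDEX * 8
        # Only read entry 14 if the header actually declares that many directories.
        if n_dirs > CLR_DIRECTORY_INDEX and dir_off + 8 <= opt + opt_size:
            va, size = struct.unpack_from("<II", data, dir_off)
            info["has_clr_header"] = va != 0 and size != 0
    except struct.error:
        pass  # truncated header: report what was parsed so far
    return info


def build_sample_pe(dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 header (no sections) for exercising inspect_pe."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # i386, 0 sections, optional header 224 bytes, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, 0x50)          # import directory (placeholder RVA/size)
    if dotnet:
        dirs[CLR_DIRECTORY_INDEX] = (0x2008, 0x48)  # CLR header (placeholder RVA/size)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for label, flag in (("managed", True), ("native", False)):
        print(label, inspect_pe(build_sample_pe(dotnet=flag)))
```

On a real file, `inspect_pe(open(path, "rb").read())` reports the same fields; `has_clr_header` being true together with an import table that names only `mscoree.dll` is the expected shape of a .NET executable like the one described.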

From this analysis, we can conclude that it is most likely a credential stealer.

IOCs

Websites:

http://ip-api.com/xml
https://moist.company/gate.php
https://api.ipify.org/

Executable:

moist.exe

Behavioral Analysis Coming Soon


Sheri_s.k

Currently Pursuing My Cyber Security Masters Degree.