RegAsm-Cleaned.bin Malware Analysis

PEiD
  • From the figure, we can see that the file is not packed and that it was written in “Microsoft Visual C#/Basic .NET”.
Strings -n {Min_length_of_String} "fileName" > "outputFileName" 
Zip
  • The file has a huge number of strings, most of which appear to check for encrypted files and zip files, extract encrypted passwords and usernames, and decrypt with cryptographic algorithms such as RC4.
  • From other strings, we can see that the file is able to create files, check directories, compute hash values, delete things and much more.
  • Diving deeper, we see strings such as “windows secure note” and “windows web password credentials” linked with commands like getpasswords and usernames, which suggests it is trying to fetch as many details as possible.
  • There are also text file names such as DomainDetect.txt and Passwords_Edge.txt, which appear to be the files where the extracted passwords and other important credentials are stored.
VPN and bitcoin
Browser
  • In addition, there are history, cookies and download_history strings together with many browser names, including major browsers such as Google. These clearly confirm that it is trying to steal credentials. Besides browsers, it also tries to get VPN, proxy, bitcoin wallet and social website credentials, such as Telegram.
IOCs
  • The file contains many malicious websites, which we can use as IOCs for this malicious program.
Servers
  • It also tries to fetch server usernames and passwords (POP3, SMTP, etc.) and, from log files, the recent servers the system has tried to connect to.
  • We can confirm from the DOS stub and the signature that it is an EXE.
Import
  • The import table contains only one DLL with one function, _CorExeMain, which is found in all .NET executables and “initializes the common language runtime (CLR), locates the managed entry point in the executable assembly’s CLR header, and begins execution.”
Resources
  • It seems to contain resources, but nothing major can be found there.
http://ip-api.com/xml
https://moist.company/gate.php
https://api.ipify.org/
moist.exe
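The checks above (the MZ stub and PE signature, a `strings -n` style extraction, and sorting the resulting strings into the credential, wallet, mail-server, .NET and URL groups the write-up describes) can be automated for triage. The script below is an added example, not part of the original post or the analysed sample; it runs on a small constructed blob that imitates the sample's headers and string families. The DLL name mscoree.dll is assumed from general .NET knowledge, not taken from the page.

```python
import re
import struct

def build_sample():
    """Constructed stand-in for the analysed file: an MZ stub whose e_lfanew
    points at a PE signature, followed by NUL-separated strings of the kinds
    reported in the write-up. Not the real RegAsm-Cleaned.bin."""
    header = bytearray(b"MZ" + b"\x00" * 0x3a)      # DOS stub up to e_lfanew
    header += struct.pack("<I", 0x80)               # e_lfanew -> PE header
    header += b"\x00" * (0x80 - len(header))
    header += b"PE\x00\x00"
    body = b"\x00".join([
        b"_CorExeMain", b"mscoree.dll",             # .NET CLR entry (dll name assumed)
        b"Passwords_Edge.txt", b"DomainDetect.txt",  # result files named in the post
        b"windows web password credentials", b"cookies", b"download_history",
        b"http://ip-api.com/xml", b"https://moist.company/gate.php",
        b"bitcoin wallet", b"smtp", b"pop3",
        b"ab",                                      # shorter than min_len, must be dropped
    ])
    return bytes(header) + b"\x00" * 4 + body + b"\x00"

SAMPLE = build_sample()

def is_pe(data):
    """The 'DOS stub and signature' check: 'MZ' at 0, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_strings(data, min_len=4):
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# String families the write-up uses to judge capability and to collect IOCs.
CATEGORIES = {
    "dotnet":      re.compile(r"_CorExeMain|mscoree\.dll", re.I),
    "credentials": re.compile(r"password|credential|cookies|download_history", re.I),
    "wallet":      re.compile(r"bitcoin|wallet", re.I),
    "mail":        re.compile(r"\b(smtp|pop3|imap)\b", re.I),
    "url":         re.compile(r"https?://[^\s\"']+", re.I),
}

def triage(strings):
    """Bucket extracted strings by category; 'url' doubles as a network IOC list."""
    hits = {name: [] for name in CATEGORIES}
    for s in strings:
        for name, rx in CATEGORIES.items():
            if rx.search(s):
                hits[name].append(s)
    return hits

if __name__ == "__main__":
    print("PE:", is_pe(SAMPLE))
    for name, items in triage(extract_strings(SAMPLE)).items():
        print(f"{name}: {items}")
```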

Sheri_s.k
Cybersecurity professional with experience in all sorts of security. Working as an IR and SOC automation engineer.