Jump to content
Tuts 4 You
UniqueLegend

Strange VB injector sample, no injection behavior on physical/virtual machine

Recommended Posts

UniqueLegend

Hi all:

Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86)  and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.

By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet.

Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...

The password of the sample zip package is "infected". Do not run or debug on the real machine!

ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/

Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120

 

VB_Injector_password_infected.zip

Edited by UniqueLegend (see edit history)
  • Like 1

Share this post


Link to post
kao

Injector uses VB P-Code, you'll need to use VB decompiler or some P-Code disassembler for analysis. It's pretty funky code using shellcode, resolving APIs by hash and what not. :)

Or you can simply put breakpoint on RtlDecompressBuffer and then dump decompressed payload from memory. It's an old shitty backdoor called XpertRAT.

 

BTW, injector works just fine in my VMWare (32bit Win7).

  • Like 2

Share this post


Link to post
UniqueLegend
On 11/29/2019 at 2:05 AM, kao said:

Injector uses VB P-Code, you'll need to use VB decompiler or some P-Code disassembler for analysis. It's pretty funky code using shellcode, resolving APIs by hash and what not. :)

Or you can simply put breakpoint on RtlDecompressBuffer and then dump decompressed payload from memory. It's an old shitty backdoor called XpertRAT.

 

BTW, injector works just fine in my VMWare (32bit Win7).

Yeah thank you for noticing me that it is exactly the backdoor XpertRAT! But I'm still confused about the fact that it doesn't work in my Vmware at all...

Really shitty RAT though

Edited by UniqueLegend (see edit history)

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...