Tuesday, February 24, 2015

Quick analysis of a VisualBasic based Password-Stealer

After the analysis of Golroted I was able to get the key to the attacker's server (actually they gave it to me by embedding it in the code, didn't they); using that key I was able to spot an email message that was used in a spear-phishing campaign.

[Image: Spam message]

The email message had an attachment, which I am going to analyze in this post.

Sunday, February 22, 2015

Quick analysis MSIL/Golroted (Stealer)

Golroted's purpose is to steal various information from the victim's machine (you can read the full description of it in the Microsoft Malware Protection Center).

This particular sample is obfuscated using SmartAssembly and packed inside a .NET-based RunPE; after unpacking we can read the malware's code.

This malware uploads the information it steals from the victim via email and/or FTP. The username and password of the email account and of the FTP accounts are stored in the file itself in encrypted form.

[Image: Encrypted data]