Banking Trojan Analysis

shamooo · Published in InfoSec Write-ups · Oct 27, 2022

I recently came across an interesting malicious document that I would like to analyze for you.

The initial scans show that the document is detected by some big names such as Google, Symantec, Fortinet and others.

But let's see what we can find if we dig a little deeper!

Running the file command confirms that it is an HTML document.

Examining the initial HTML document (stage 1), we can see that the page immediately executes JavaScript through an onload handler.

This function loads stage 2 of the exploit, which is stored as base64-encoded data. The code declares it as image/svg+xml, and we can verify that by extracting and decoding the base64 payload.

Cool. Now that we have our stage 2 file let's keep going with our analysis.

We can open the stage 2 file in a text editor with syntax highlighting for better visibility.

We can see there is JavaScript code in here. Let's create a stage 3 file and move the JavaScript code to a separate document for further analysis.

The variable names are heavily obfuscated. We can try to make logical sense of the code and its variables, and clean it up to better understand what is going on.

After some basic cleanup, we can see that on line 36 there is a function call whose arguments are our next payload and the integer 512. The function loops through the base64-encoded payload, decodes it, and writes it to a file.

So we should expect the next-stage file to be an archive!

Just as we suspected, we are left with Zip archive data. Let's see what's inside.
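A defender's version of this unwrapping, as an added example that is not the author's code: it carves long base64 runs out of a constructed stage 1 HTML, identifies each decoded blob by its leading bytes, recurses into the SVG, and reports whether the resulting Zip is password-protected. The HTML, SVG and Zip sample are constructed here, and the JavaScript's 512-byte chunking is not reproduced; the blob is decoded in one go.

```python
import base64, binascii, io, re, zipfile

# Constructed sample mirroring the chain above: HTML -> base64 SVG -> base64 Zip in the SVG's script.
def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.iso", b"constructed placeholder, not a real ISO")
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    svg = ('<svg xmlns="http://www.w3.org/2000/svg"><script>'
           f'var p="{zip_b64}";/* chunked atob + Blob download goes here */</script></svg>')
    svg_b64 = base64.b64encode(svg.encode()).decode()
    return (f'<html><body onload="x()"><script>function x(){{'
            f'var d="data:image/svg+xml;base64,{svg_b64}";}}</script></body></html>').encode()

B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # only long base64 runs are worth decoding

def sniff(data: bytes) -> str:
    """Classify a decoded blob by its leading bytes, as the file command would."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    head = data.lstrip()[:16].lower()
    if head.startswith((b"<svg", b"<?xml")):
        return "svg"
    if head.startswith((b"<html", b"<!doctype")):
        return "html"
    return "unknown"

def unwrap(blob: bytes, chain=None) -> list:
    """Recursively carve base64-embedded stages; returns the types found, in order."""
    chain = chain if chain is not None else [sniff(blob)]
    for m in B64_RE.finditer(blob.decode("latin-1")):
        try:
            inner = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long identifier), skip it
        kind = sniff(inner)
        if kind == "unknown":
            continue
        chain.append(kind)
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(inner)) as zf:
                # general-purpose flag bit 0 marks a password-protected entry
                encrypted = any(i.flag_bits & 0x1 for i in zf.infolist())
            chain.append("zip-encrypted" if encrypted else "zip-plain")
        else:
            unwrap(inner, chain)
    return chain
```

Running `unwrap(build_sample())` on the constructed sample yields the chain html, svg, zip, zip-plain; on the real document the last entry would be zip-encrypted, which is the password prompt discussed below.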

We rename the file as filestage4.zip and run unzip on it.

When we try to unzip it, the archive asks for a password. After some tinkering with good old John, we crack the password, which turns out to be “abc111”.

But it didn’t make any sense to me as to why I would have to crack a password to extract malware. Later, when I opened the malware on any.run, I realized that the password is given in the initial HTML file. LOL.

Anyway… Let’s move on…

Extracting the files from the archive gives us a .iso file.

I mounted the image file to see its contents.

I moved it to the /tmp directory and also unmounted the image so I don’t forget about it later.

In the image, we are greeted with the following files.

ComplianceReportCopy.lnk is a Windows shortcut file.

Imbued.cmd and broadsheets.dat look particularly interesting.

Imbued.cmd is a DOS batch file that does some string obfuscation.

It builds the string “copy %systemroot%\System32\1vr32.exe %temp\givenBind.com” and also appears to run broadsheets.dat.

Ooh! A juicy Windows PE32 executable. Love to see it. Let’s upload it to VirusTotal to see if it catches anything.

Woah. That escalated quickly :))

Most of the AVs identify the executable as Qbot.

QBot is a modular information stealer that has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.

QBot, also known as Qakbot, QuackBot and Pinkslipbot, is still a dangerous and persistent threat to organizations and has become one of the leading banking Trojans globally.

Toodaloo. Happy Hacking!

IOCs
