COVID-19, Info Stealer & the Map of Threats; Threat Analysis Report

March 9, 2020

Featured On

Summary

As global awareness of a Coronavirus pandemic gradually gives way to full out panic, and as governments begin ramping up their efforts to combat the virus and protect its citizens, global news agencies find themselves racing to answer the public’s demand for accurate information about new Corona related infections, deaths, transmissions, etc.

This demand creates a vulnerability that malicious actors have quickly taken advantage of by spreading malware disguised as a “Coronavirus map”. ReasonLabs cybersecurity researcher, Shai Alfasi, found and analyzed this malware that had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser. Attackers can use this information for many other operations as well, such as selling it on the deep web or for gaining access to bank accounts or social media.

The new malware activates a strain of malicious software known as AZORult. AZORult is an information stealer and was first discovered in 2016. It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more. It can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. There is also a variant of the AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections.

As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future.

Sample Analyzed

VirusTotal

File Name Corona-virus-Map.com.exe
MD5 73da2c02c6f8bfd4662dc84820dcd983
SHA-1 949b69bf87515ad8945ce9a79f68f8b788c0ae39
SHA-256 2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307
File Size 3.26 MB (3421696 bytes)
File Type Win32 EXE
First Submission 2020-03-02 16:50:25

The malware has a GUI that looks very good and convincing. When running the malware, the GUI window loads information, which pools from the web.

ק.png

The malware uses a few layers of packing as well as a multi-sub-process technique to make research more difficult. The malware also uses an information-stealing technique, which was first seen in 2016 and related to the “AZORult” malware family. To make sure the malware can persist and keep operating, it uses the “Task Scheduler”.

Indicators of Compromise:

Created files:

Corona-virus-Map.com.exe

C:\Users\%username%\AppData\Local\Temp\aut9BDA.tmp
C:\Users\%username%\AppData\Roaming\Z11062600\Corona[.]exe
C:\Users\%username%\AppData\Local\Temp\aut9DFE.tmp
C:\Users\%username%\AppData\Roaming\Z11062600\Corona-virus-Map.com[.]exe

Corona.exe

C:\Users\%username%\AppData\Local\Temp\RarSFX0\Corona[.]bat
C:\Users\%username%\AppData\Local\Temp\RarSFX0\Corona.sfx[.]exe
C:\Users\%username%\AppData\Local\Temp\autA83E.tmp
C:\Users\%username%\AppData\Roaming\Z58538177\bin[.]exe
C:\Users\%username%\AppData\Local\Temp\autAAB0.tmp
C:\Users\%username%\AppData\Roaming\Z58538177\Build[.]exe

Bin.exe

C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dl
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dl
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-c
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
C:\Users\%username%\AppData\Local\Temp\2fda\freebl3.dll
C:\Users\%username%\AppData\Local\Temp\2fda\mozglue.dll
C:\Users\%username%\AppData\Local\Temp\2fda\msvcp140.dll
C:\Users\%username%\AppData\Local\Temp\2fda\nss3.dll
C:\Users\%username%\AppData\Local\Temp\2fda\nssdbm3.dll
C:\Users\%username%\AppData\Local\Temp\2fda\softokn3.dll
C:\Users\%username%\AppData\Local\Temp\2fda\ucrtbase.dll
C:\Users\%username%\AppData\Local\Temp\2fda\vcruntime140.dll
C:\Users\%username%\AppData\Local\Temp\2fda\nss3.dll
C:\Users\%username%\AppData\Local\Temp\2fda\nss3.dll
C:\Users\%username%\AppData\Local\Temp\2fda\mozglue.dll
C:\Users\%username%\AppData\Local\Temp\2fda\vcruntime140.dll
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983

Windows.Globalization.Fontgroups.exe

C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\%username%\AppData\Local\Temp\autB628.tmp
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.sqlite3.module.dll.2
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.sqlite3.module.dll
C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\2KY2PE8H\getMe[1].json
C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\1OZ94YX5\json[1].json
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\Information.txt
C:\Users\%username%\AppData\Local\Temp\autCC51.tmp
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe.2
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z
C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z

Modified registers

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntrane
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-3887374624-1885671809-3229943349-1001\\Device\HarddiskVoume4\Windows\SysWOW64\cmd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475
HKCU\Software\Classes\Local Settings\MuiCache\56\52C64B7E\LanguageList
HKCU\Software\Classes\Local Settings\MuiCache\56\52C64B7E\LanguageList
HKCU\Software\Classes\Local Settings\MuiCache\56\52C64B7E\LanguageList
HKCU\Software\Classes\Local Settings\MuiCache\56\52C64B7E\LanguageList

Mutexes Created:

\Sessions\1\BaseNamedObjects\A4B6CE24-E72D679B-BE9A182F-D7CE305A-FB62BB342
\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208
\Sessions\1\BaseNamedObjects\417087542ENU_FE97A6DDE921C7562535
\Sessions\1\BaseNamedObjects\MSIMGSIZECacheMutex
\Sessions\1\BaseNamedObjects\GdiplusFontCacheFileV1
\Sessions\1\BaseNamedObjects\Global\CPFATE_2304_v4.0.30319
\Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!roaming!microsoft!windows!ietldcache!
\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_LOW!_
\Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
\Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!roaming!microsoft!windows!cookies!low!
\Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!local!microsoft!windows!history!low!history.ie5!
\Sessions\1\BaseNamedObjects\A4B6CE24-E72D679B-BE9A182F-DACC8B0F-7324685F3
\Sessions\1\BaseNamedObjects\417087542ENU_687FE9797AC054582535
\Sessions\1\BaseNamedObjects\Global\CPFATE_1308_v4.0.30319

Network communication Process Ip Address Url

Bin.exe

104.24.103.192:80

Coronavirusstatus[.]space/index.php

Windows.Globalization.Fontgroups.exe

149.154.167.220:443

api.telegram.org

Windows.Globalization.Fontgroups.exe

104.26.9.44:443

ipapi.co/json

Windows.Globalization.Fontgroups.exe

93.184.220.29:80

ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D

Corona-virus-Map.com.exe

18.205.183.153:443

gisanddata.maps.arcgis[.]com

Corona-virus-Map.com.exe

54.192.87.49:443

https://js.arcgis.com/3.31/dijit/form/_ListBase[.]js

Corona-virus-Map.com.exe

54.192.87.49:443

https://js.arcgis.com/3.31/dijit/form/MappedTextBox[.]js

Execution Flow Summary

NOTE: js.arcgis.com is safe to visit.

Full analysis

After receiving the sample, I started first with dynamic analysis, executed the file “CoronaMap.exe”[PID 4280] and opened up a window that showed the following “CoronaVirus” statistics:

ק.png

Running procmon at the same time revealed a multi-sub process that was created by “CoronaMap.exe”[PID 4280] which is the root process.

“CoronaMap.exe”[PID 4280] starts by creating another binary called “Corona.exe”[PID 7032]. When analyzing this file, it was easy to see that it was an archive, which means that it probably contains execution commands that can execute it.

Simply by using Winrar to view the archive content, I found two files inside it and they were in self-extracted mode (SFX). The two files were “Corona.bat” and “Corona.sfx.exe”, which we can also see in the process tree in procmon. Upon opening the “Corona.bat” file, we could see that “Corona.sfx.exe” was extracted with a hardcoded password (3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r) to the “C:\windows\system32” directory:

The “Corona.sfx.exe”[PID 3552] is an extracting process called “Corona.exe”[PID 9452]. This process creates more processes, but we will be focusing on only three of them: “bin.exe”[PID 8604], “timeout.exe”[PID 5680] And “Build.exe”[PID 6348]

As I started to analyze the“bin.exe”[PID 8604] with Ollydbg, I was able to see that it was writing some Dll’s, one of which was known to me from different actors: the “nss3.dll” :

Going deeper inside with Ollydbg, I saw static loading of APIs related to “nss3.dll”. The code utilized the API functions within the “nss3.dll” to decrypt saved passwords and create output data.

This technique is pretty common. I came across it once before, and after doing some digging around, discovered that this information-stealing tactic came from a malware family called “AZORult”, which was first seen in the wild in 2016. Its behavior is as follows: When the victim gets infected, the malware extracts data and creates a unique ID of the victim’s workstation. It then applies XOR encryption using the generated ID. This ID is used to tag the workstation in order to start C2 communication. The C2 server responds with configuration data, which contains target web browser names, web browser path information, API names, sqlite3 queries, and legitimate DLLs.

Using Ollydbg and keeping a trace on the API calls from the loaded “nss3.dll”, I was able to see the following calls:

Sqlite3_open
Sqlite3_close
Sqlite3_prepare_v2
Sqlite3_step
Sqlite3_column_text
Sqlite3_column_bytes
Sqlite3_finalize
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSS_Shutdown
PK11_FreeSlot

The password-stealing operation process is simple because the malware steals the “login data” from the installed browser and moves it to “C:\Windows\Temp”. The “login data” is based on Sqlite3 DB structure. To read the date the malware queries the SQLite data in order to extract the information. Once the extraction is over, the malware creates a file called “PasswordList.txt”, which holds all the information.

13.1.png

As I kept on digging in the code of “bin.exe”[PID 8604], I could see that the malware is also looking for different cryptocurrency wallets such as “Electrum” and “Ethereum”:

13.2.png

Also looking for “Telegram Desktop”:

13.3.png

Searches for “Steam” account:

13.4.png

Takes a screenshot and saves it as “scr.jpg”:

Resolve the public IP address of the victim machine and save it as “ip.txt”:

Collecting information about the system such as the OS system, the architecture, the hostname, the username, etc:

14.3.png

As I continued with “bin.exe”[PID 8604], I found that the malware communicates with its C2 server using the address of 104.24.103.192:80, which we can resolve to http://coronavirusstatus[.]space/. By analyzing the traffic, I found that the “bin.exe”[PID 8604] uses “chunked” transfer encoding, which is also something we see in the wild. When the Content-Length value is smaller than the chunked payload size, the origin server will check the Content-Length header to determine the length of the request, but there will be some leftover payload that will be concatenated to the next incoming request. This is how the malware sends out the information it steals:

14.4.png

14.5.png

Moving on to the “timeout.exe”[PID 5680], it was easy to understand that the malware author used it in order to create a delay execution. This is also a pretty common technique that is used to trick AVs. As I started analyzing the “Build.exe”[PID 6348], I could see a “Loadlibrary” of “taskschd.dll”, which I was already familiar with this in case of persistence:

The “Build.exe”[PID 6348] creates a subprocess “Windows.Globalization.Fontgroups.exe”[PID 3848] which the persistence runs.

When analyzing the “Windows.Globalization.Fontgroups.exe”[PID 3848], I could see that it was packed with UPX, which is pretty easy to unpack.

After unpacking, I noticed that there was another layer of packing. This time, it was with AutoIT. Moving forward with the analysis, I found that this binary is responsible for enumerating the OS in order to find new browsers and resources that it can steal information from:

The “Windows.Globalization.Fontgroups.exe”[PID 3848] creates a process called “Windows.Globalization.Fontgroups.module.exe”[PID 3848] which is responsible for creating the zip file with all the information “bin.exe”[PID 8604] sends out:

C:\Users\shy32\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z

The “Windows.Globalization.Fontgroups.exe”[PID 3848] uses “Attrib.exe”[PID 8832] in order to hide this directory:

Remediation

Download RAV Endepoint Protection.
Doubleclick on the installed executable and follow the prompts to complete the installation.
Once the installation is complete, click ‘Finish’.
Definitions and security patches will automatically be updated.
Once the process is complete, select the ‘Scan Now’ button to start your scan.
When the scan is finished, select all the threats that were detected and then click on ‘Remove selected threats’.
When prompted, restart your computer.