Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on August 16, 2016, 02:20:54 PM
-
New malware released, I analysed
File: https://www.sendspace.com/file/5nsyrx
This application uses NSIS's System Plugin to load the contents from file "leuopcoh" (Seen from 7Zip). There are other random files there with junk contents. File "leuopcoh" is shellcode that is used with Windows function "CallWindowProc" with parameter to encrypted data file "eycwmoss.tjhe", used to load the malware.
Calls to NSIS's System Plugin can be clearly seen from the NSIS script (3 calls: VirtualAlloc, FileReadW, CallWindowProcW)
From the NSIS Script:
System::Call 'kernel32::VirtualAlloc(i 0, i 9226, i 0x3000, i 0x40) p .r0'
System::Call 'kernel32::ReadFile(i r1, p r0, i 9226, t.,)'
System::Call 'user32::CallWindowProcW(p r0, t "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eycwmoss.tjhe", i 0, i 0, i 0) i .r1'
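As an added example (not part of this post and not Avast's or NSIS's own code), a small Python heuristic that parses decompiled NSIS System::Call lines and flags the chain described above: an executable allocation (VirtualAlloc with a PAGE_EXECUTE* protection), a ReadFile into that buffer, and CallWindowProc invoked with the buffer as the "window procedure". The script lines and the file path in the sample are constructed for the example; the register tracking is a simplification of the plugin's syntax.

```python
import re

# Constructed sample: the three calls quoted in the analysis plus one unrelated
# call for contrast. The path is a placeholder, not the one observed in the sample.
SUSPICIOUS_SCRIPT = r"""
System::Call 'kernel32::GetTickCount() i .r3'
System::Call 'kernel32::VirtualAlloc(i 0, i 9226, i 0x3000, i 0x40) p .r0'
System::Call 'kernel32::ReadFile(i r1, p r0, i 9226, t.,)'
System::Call 'user32::CallWindowProcW(p r0, t "C:\Temp\PLACEHOLDER.bin", i 0, i 0, i 0) i .r1'
"""

# Constructed benign snippet: a non-executable buffer that is read into and freed,
# never handed to CallWindowProc.
BENIGN_SCRIPT = r"""
System::Call 'kernel32::VirtualAlloc(i 0, i 4096, i 0x3000, i 0x04) p .r0'
System::Call 'kernel32::ReadFile(i r1, p r0, i 4096, t.,)'
System::Call 'kernel32::VirtualFree(p r0, i 0, i 0x8000)'
"""

# Win32 PAGE_* protections that carry execute permission: PAGE_EXECUTE,
# PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY.
EXECUTE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# Matches the plugin's call syntax: System::Call 'dll::Func(args) ret'
CALL_RE = re.compile(
    r"System::Call\s+'(?P<dll>\w+)::(?P<func>\w+)\((?P<args>[^)]*)\)\s*(?P<ret>[^']*)'"
)


def parse_system_calls(script):
    """Return one {func, args, out} dict per System::Call line in the script."""
    calls = []
    for m in CALL_RE.finditer(script):
        raw = m.group("args").strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        out = re.search(r"\.(r\d+)", m.group("ret"))  # ".r0" = result stored in $0
        calls.append({"func": m.group("func"), "args": args,
                      "out": out.group(1) if out else None})
    return calls


def _literal(arg):
    """Integer value of an 'i 0x40'-style literal argument, else None."""
    parts = arg.split()
    if len(parts) == 2 and parts[0] == "i":
        try:
            return int(parts[1], 0)
        except ValueError:
            return None
    return None


def _register(arg):
    """Register name from a 'p r0'-style argument, else None."""
    parts = arg.split()
    if len(parts) == 2 and re.fullmatch(r"r\d+", parts[1]):
        return parts[1]
    return None


def analyze(script):
    """Flag VirtualAlloc(executable) -> ReadFile into it -> CallWindowProc on it."""
    exec_bufs = set()  # registers holding executable allocations
    filled = set()     # executable buffers that file contents were read into
    findings = []
    for c in parse_system_calls(script):
        if c["func"] == "VirtualAlloc" and len(c["args"]) >= 4:
            # 4th argument is flProtect
            if _literal(c["args"][3]) in EXECUTE_PROTECTIONS and c["out"]:
                exec_bufs.add(c["out"])
                findings.append(f"executable buffer allocated into {c['out']}")
        elif c["func"] == "ReadFile" and len(c["args"]) >= 2:
            # 2nd argument is lpBuffer
            buf = _register(c["args"][1])
            if buf in exec_bufs:
                filled.add(buf)
                findings.append(f"file contents read into executable buffer {buf}")
        elif c["func"] in ("CallWindowProc", "CallWindowProcA", "CallWindowProcW") and c["args"]:
            # 1st argument is lpPrevWndFunc: the address that gets called
            proc = _register(c["args"][0])
            if proc in filled:
                findings.append(f"CallWindowProc invoked with {proc} as the window procedure")
                return {"verdict": "shellcode-loader", "findings": findings}
    return {"verdict": "clean", "findings": findings}


if __name__ == "__main__":
    for name, script in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, analyze(script))
```

The check deliberately keys on the protection constant rather than on the API names alone: legitimate installers do call VirtualAlloc and ReadFile, but a PAGE_EXECUTE* allocation that is filled from a file and then passed to CallWindowProc as a callback address is the loader pattern this thread describes.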
-
New malware released
Upload and scan the file at www.virustotal.com and post the link to the scan result here.
-
Please modify/break the link to possible malware (so it isn't active) to avoid accidental exposure.
hXXps://www.sendspace.com/file/5nsyrx
-
https://www.virustotal.com/en/file/c852ed76bb87482a7a2638c2a689c2ba671a80271384a2b99170d1a746eacc0b/analysis/
-
Hello.
If the file was downloaded directly from the link, the detection is Win32:Evo-gen [Susp]. When the same file is already on the PC and run, the detection changes to FileRepMalware. This can be seen in the attachment.
-
I resubmit the file and detection has been added accordingly.
The detection was teetering: once it was detected, another time not, because of the behavior. When scanning, the file is detected as Win32:Trojan-gen, and signatures were created for the files contained within the crypt. Attached.