New Malware Crypt Method

[REDACTED]

New malware released, I analysed

File: https://www.sendspace.com/file/5nsyrx

This application uses NSIS's System Plugin to load the contents from file "leuopcoh" (Seen from 7Zip). There are other random files there with junk contents. File "leuopcoh" is shellcode that is used with Windows function "CallWindowProc" with parameter to encrypted data file "eycwmoss.tjhe", used to load the malware.

Calls to NSIS's System Plugin can be clearly seen from the NSIS script (3 calls: VirtualAlloc, FileReadW, CallWindowProcW)

From the NSIS Script:

Code: [Select]

System::Call 'kernel32::VirtualAlloc(i 0, i 9226, i 0x3000, i 0x40) p .r0'
System::Call 'kernel32::ReadFile(i r1, p r0, i 9226, t.,)'
System::Call 'user32::CallWindowProcW(p r0, t 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eycwmoss.tjhe', i 0, i 0, i 0) i .r1)'

[Pondus]

New malware released

Upload and scan file at www.virustotal.com  post link to scan result here

[DavidR]

Please modify/break the link to possible malware (so it isn't active) to avoid accidental exposure.

hXXps://www.sendspace.com/file/5nsyrx

[Pondus]

https://www.virustotal.com/en/file/c852ed76bb87482a7a2638c2a689c2ba671a80271384a2b99170d1a746eacc0b/analysis/

[jefferson sant]

Hello.

If the file was downloaded directly from the link detection is Win32:Evo-gen [Susp] .The same is already on the PC and run when detecting changes to FilerepMalware.Can be seen attached.

[jefferson sant]

I resubmit the file and detection has been added accordingly.
The detection was teetering once was detected another time not because of the behavior.In scanning the file is detected as Win32:Trojan-gen and the files contained within crypt were created
signatures.Attached