Malware Analysis & Reverse Engineering (Case Study)


Summary of Findings

  • Testbook3.xlsm.mlw: 64f129da1ab476723f147ec9ad92ad0d
  • Malware creation date: 2017-04-24 01:53:22Z
  • Malware type: Downloader Trojan

VirusTotal flagged the sample as malicious in 27/57 detections. This dropper steals username and password information from the SAM database of the victim, as evidenced by API calls made through SAMSRV.DLL. The stolen data is then sent across a communications link encrypted with SSLv2.

The malware enumerates the hashes held in the SAM database and encrypts them before transmitting the stolen data. In this process it loads several cryptographic libraries, including crypt32.dll, bcrypt.dll, ncrypt.dll, cryptdll.dll and secure32.dll.

Malware Analysis (Yara Rules)


To help identify and classify malware samples, Yara rules were written to determine whether a computer or system is infected and, if so, to uncover the location of the potentially infected files.

The first Yara rule, as seen below, was written to identify any files on disk, and their location, that could potentially be infected with the Prosium Bot. The strings it matches on were chosen to minimize false positives while still identifying the infected files as reliably as possible.