Malware Analysis & Reverse Engineering (Case Study)

August 20, 2017December 17, 2017 / Miguel Bigueur / Leave a comment

Summary of Findings

Testbook3.xlsm.mlw: 64f129da1ab476723f147ec9ad92ad0d
Malware creation Date: 2017-04-24 01:53:22Z
Malware Type: Downloader Trojan

VirusTotal resulted in 27/ 57 detections as malicious. This dropper steals username and password information from the SAM database of the victim. This is evidenced by API calls made using SAMSRV.DLL. The stolen data is then sent across an encrypted communications link using SSLv2 encryption.

The malware begins to enumerate SAM hashes from the SAM database and encrypts them before transmitting the stolen data. The malware makes use of several APIs in this process including: crypt32.dll, bcrypt.dll, ncrypt.dll, cryptdll.dll, secure32.dll. Continue reading →

figure 1

Incident coordinator pressing INCIDENT RESPONSE on an interactive touch screen. Computer security concept. Man in blue suit is highlighting an open lock among forensic tool icons signifying a breach.