SecureMail?

Finally back at this blog...
Today my spam filter caught another nice executable!
I got SecureMail ;-)
Ready for some Python-based reversing:

phil@vr:~$ python /opt/projects/rem/peframe/peframe.py --auto SecureMail.exe
File Name: SecureMail.exe
File Size: 137728 byte
Compile Time: 2013-01-23 19:05:56
DLL: False
Sections: 5
MD5 hash: 6870fd8fd2b2bedd83e218d9e7e4de8b
SHA-1 hash: 4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
Packer: None
Anti Debug: None
Anti VM: None

File and URL:
FILE: KERNEL32.dll
FILE: USER32.dll
FILE: MSAATEXT.dll
FILE: RASAPI32.dll
URL: None

Suspicious API Functions:
Func. Name: MapViewOfFile
Func. Name: VirtualProtect
Func. Name: GetFileAttributesA
Func. Name: GetTickCount
Func. Name: GetModuleHandleA
Func. Name: FindResourceA
Func. Name: GetFileAttributesA
Func. Name: CreateDirectoryA
Func. Name: GetDriveTypeW

Suspicious API Anti-Debug:

Suspicious Sections:
Sect. Name: .rsrc
MD5 hash: 6d7aab84d0a5b3497e562704a14defc6
SHA-1 hash: 2c427b3bc98e865b65a099887674b8927c1ca52a

Uaah, thanks, it's unpacked. And it uses some suspicious functions. What's more?

phil@vr:~$ python /opt/projects/rem/pyew/pyew.py SecureMail.exe
PE Information

Sections:
.text 0x1000 0x150c 5632
.rdata 0x3000 0xa86 3072
.data 0x4000 0x3000 512
.rsrc 0x7000 0x1ef00 126976
.import 0x26000 0x1dc 512

Entry Point at 0x576
Virtual Address is 0x401176
Code Analysis ...
Analyzing address 0x0000156c - 0 in queue / 81 totall
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 84 00 00 00 ................
0040 BB 11 00 0F 1F B5 0A CD 21 B8 01 4C CD 21 90 90 ........!..L.!..
0050 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 This program mus
0060 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 t be run under W
0070 69 6E 33 32 0A 0D 24 37 00 00 00 00 00 00 00 00 in32..$7........
0080 00 00 00 00 50 45 00 00 4C 01 05 00 84 26 00 51 ....PE..L....&.Q
0090 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 FF FF ................
00A0 00 16 00 00 00 FE 01 00 00 00 00 00 76 11 00 00 ............v...
00B0 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 .....0....@.....
00C0 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 ................
00D0 00 00 00 00 00 70 02 00 00 04 00 00 00 00 00 00 .....p..........
00E0 02 00 01 00 00 00 10 00 00 10 00 00 00 00 10 00 ................
00F0 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 ................
0100 00 00 00 00 AC 30 00 00 50 00 00 00 00 70 00 00 .....0..P....p..
0110 6C EF 01 00 00 00 00 00 00 00 00 00 00 00 00 00 l...............
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 38 24 00 00 08 00 00 00 00 00 00 00 ....8$..........
0170 00 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 .............tex
0180 74 00 00 00 0C 15 00 00 00 10 00 00 00 16 00 00 t...............
0190 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 20 00 00 60 2E 72 64 61 74 61 00 00 86 0A 00 00 ..`.rdata......
01B0 00 30 00 00 00 0C 00 00 00 1A 00 00 00 00 00 00 .0..............
01C0 00 00 00 00 00 00 00 00 40 00 00 40 2E 64 61 74 ........@..@.dat
01D0 61 00 00 00 00 30 00 00 00 40 00 00 00 02 00 00 a....0...@......
01E0 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .&..............
01F0 40 00 00 C0 2E 72 73 72 63 00 00 00 00 EF 01 00 @....rsrc.......
[0x00000000:0x00400000]> len(pyew.functions)
81
[0x00000000:0x00400000]> pyew.names
{1048: 'sub_00000418',
1100: 'sub_0000044c',
1188: 'sub_000004a4',
1220: 'sub_000004c4',
1316: 'sub_00000524',
1398: 'start',
1496: 'sub_000005d8',
1564: 'sub_0000061c',
1684: 'sub_00000694',
1720: 'sub_000006b8',
1752: 'sub_000006d8',
1784: 'sub_000006f8',
1816: 'sub_00000718',
1984: 'sub_000007c0',
2052: 'sub_00000804',
2168: 'sub_00000878',
2204: 'sub_0000089c',
2284: 'sub_000008ec',
2316: 'sub_0000090c',
2348: 'sub_0000092c',
2416: 'sub_00000970',
2480: 'sub_000009b0',
2512: 'sub_000009d0',
2704: 'sub_00000a90',
2740: 'sub_00000ab4',
2772: 'sub_00000ad4',
2804: 'sub_00000af4',
2836: 'sub_00000b14',
3036: 'sub_00000bdc',
3068: 'sub_00000bfc',
3100: 'sub_00000c1c',
3132: 'sub_00000c3c',
3172: 'sub_00000c64',
3252: 'sub_00000cb4',
3284: 'sub_00000cd4',
3352: 'sub_00000d18',
3384: 'sub_00000d38',
3452: 'sub_00000d7c',
3488: 'sub_00000da0',
3556: 'sub_00000de4',
3592: 'sub_00000e08',
3624: 'sub_00000e28',
3656: 'sub_00000e48',
3736: 'sub_00000e98',
3824: 'sub_00000ef0',
3856: 'sub_00000f10',
3976: 'sub_00000f88',
4044: 'sub_00000fcc',
4076: 'sub_00000fec',
4108: 'sub_0000100c',
4224: 'sub_00001080',
4296: 'sub_000010c8',
4332: 'sub_000010ec',
4364: 'sub_0000110c',
4496: 'sub_00001190',
4532: 'sub_000011b4',
4564: 'sub_000011d4',
4596: 'sub_000011f4',
4636: 'sub_0000121c',
4668: 'sub_0000123c',
4736: 'sub_00001280',
4832: 'sub_000012e0',
4864: 'sub_00001300',
5016: 'sub_00001398',
5048: 'sub_000013b8',
5128: 'sub_00001408',
5196: 'sub_0000144c',
5228: 'sub_0000146c',
5292: 'sub_000014ac',
5324: 'sub_000014cc',
5388: 'sub_0000150c',
5452: 'sub_0000154c',
5484: 'sub_0000156c',
5620: 'sub_000015f4',
5656: 'sub_00001618',
5760: 'sub_00001680',
5912: 'sub_00001718',
5988: 'sub_00001764',
6020: 'sub_00001784',
6132: 'sub_000017f4',
6164: 'sub_00001814',
4206592: 'KERNEL32.dll!MapViewOfFile',
4206596: 'KERNEL32.dll!VirtualProtect',
4206600: 'KERNEL32.dll!GetLocaleInfoA',
4206604: 'KERNEL32.dll!GetStringTypeA',
4206608: 'KERNEL32.dll!GetFileAttributesA',
4206612: 'KERNEL32.dll!TlsGetValue',
4206616: 'KERNEL32.dll!RemoveDirectoryA',
4206620: 'KERNEL32.dll!SetLastError',
4206624: 'KERNEL32.dll!GetTickCount',
4206628: 'KERNEL32.dll!IsValidCodePage',
4206632: 'KERNEL32.dll!ResetEvent',
4206636: 'KERNEL32.dll!GetModuleHandleA',
4206640: 'KERNEL32.dll!FindResourceA',
4206644: 'KERNEL32.dll!GetFileAttributesA',
4206648: 'KERNEL32.dll!HeapSize',
4206652: 'KERNEL32.dll!CreateDirectoryA',
4206656: 'KERNEL32.dll!GetProcessHeap',
4206660: 'KERNEL32.dll!GetDriveTypeW',
4206664: 'KERNEL32.dll!GetExitCodeThread',
4206668: 'KERNEL32.dll!FindClose',
4206672: 'KERNEL32.dll!IsBadWritePtr',
4206680: 'USER32.dll!IsWindow',
4206684: 'USER32.dll!PeekMessageA',
4206688: 'USER32.dll!IsDialogMessageA',
4206692: 'USER32.dll!GetWindowLongW',
4206696: 'USER32.dll!LoadCursorA',
4206700: 'USER32.dll!SetFocus',
4206704: 'USER32.dll!SetCursor',
4206708: 'USER32.dll!GetCapture',
4206712: 'USER32.dll!GetWindowTextW',
4206716: 'USER32.dll!LoadImageW',
4206720: 'USER32.dll!PostMessageW',
4206724: 'USER32.dll!wsprintfW',
4206728: 'USER32.dll!DispatchMessageA',
4206736: 'MSAATEXT.dll!DllUnregisterServer',
4206740: 'MSAATEXT.dll!DllUnregisterServer',
4206744: 'MSAATEXT.dll!DllCanUnloadNow',
4206748: 'MSAATEXT.dll!DllGetClassObject',
4206756: 'RASAPI32.dll!DwRasUninitialize'}
[0x00000000:0x00400000]> url
[0x00000000:0x00400000]> vt
File SecureMail.exe with MD5 6870fd8fd2b2bedd83e218d9e7e4de8b
-------------------------------------------------------------

Norman : Hlux.XI
McAfee-GW-Edition : Heuristic.BehavesLike.Win32.Suspicious-BAY.K
CAT-QuickHeal : (Suspicious) - DNAScan
BitDefender : Trojan.GenericKDZ.15594
McAfee : Fake-SecTool-FLH!6870FD8FD2B2
Malwarebytes : Trojan.FakeAlert
Fortinet : W32/Kryptik.AGAJ!tr
Comodo : Heur.Packed.Unknown

[0x00000000:0x00400000]> s ep
[0x00000576:0x00401176]> c
0x00000576 ; FUNCTION start
0x00000576 (01) f8 CLC
0x00000577 (02) 1bc9 SBB ECX, ECX
0x00000579 (05) be0c314000 MOV ESI, 0x40310c
0x0000057e (03) 83ee6d SUB ESI, 0x6d
0x00000581 (03) 8b46ff MOV EAX, [ESI-0x1]
0x00000584 (02) 8bf0 MOV ESI, EAX
0x00000586 (03) c1e610 SHL ESI, 0x10
0x00000589 (03) 6633f6 XOR SI, SI
0x0000058c (05) 68c9114000 PUSH DWORD 0x4011c9
0x00000591 (06) 81ee18ff0000 SUB ESI, 0xff18
0x00000597 (01) 50 PUSH EAX
0x00000598 (03) 648b19 MOV EBX, [FS:ECX]
0x0000059b (03) 648921 MOV [FS:ECX], ESP
0x0000059e (03) 803e50 CMP BYTE [ESI], 0x50
0x000005a1 (02) 7403 JZ 0x000005a6 ; 1
0x000005a1 ----------------------------------------------------------------------
0x000005a3 (03) 83c608 ADD ESI, 0x8
0x000005a6 (06) 8d86ac000000 LEA EAX, [ESI+0xac]
0x000005ac (01) 41 INC ECX
0x000005ad (03) 0fb616 MOVZX EDX, [ESI]
0x000005b0 (02) 1bca SBB ECX, EDX
0x000005b2 (02) 7721 JA 0x000005d5 ; 2
0x000005b2 ----------------------------------------------------------------------
0x000005b4 (02) b61a MOV DH, 0x1a
0x000005b6 (02) 3a30 CMP DH, [EAX]
0x000005b8 (02) 7312 JAE 0x000005cc ; 3
0x000005b8 ----------------------------------------------------------------------
0x000005ba (01) 90 NOP
0x000005bb (02) b638 MOV DH, 0x38
0x000005bd (02) 3830 CMP [EAX], DH
0x000005bf (02) 770b JA 0x000005cc ; 4
0x000005bf ----------------------------------------------------------------------
0x000005c1 (06) 8d3d00404000 LEA EDI, [0x404000]
0x000005c7 (02) 7ea7 JLE 0x00000570 ; 5
0x000005c7 ----------------------------------------------------------------------
0x000005c9 (01) 9d POPF
0x000005ca (02) 6a07 PUSH 0x7
0x000005cc (06) ff3574304000 PUSH DWORD [0x403074] ; USER32.dll!GetCapture
0x000005d2 (03) ff0c24 DEC DWORD [ESP]

[0x00000576:0x00401176]>

Kinda low AV detection rate so far. Come on guys, we need more generics!
Static analysis might take some hours.
Sandbox to the rescue!
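The 512 header bytes pyew dumped above already contain everything its summary and peframe's report state about the layout: the entry point, the section table, the compile timestamp and the data directories. As an added example (not code from this post, nor from peframe or pyew), the following standard-library Python script parses exactly those bytes as printed, maps entry RVA 0x1176 through the .text section header to file offset 0x576 the way pyew did, decodes the TimeDateStamp (18:05:56 UTC, presumably the same value peframe printed as 19:05:56 in the analyst's local time zone), and applies a few header-only triage heuristics whose thresholds and wording are my own. The dump ends at 0x200, so only three of the five section headers are available to it; the script reports that instead of failing. The resource directory (0x1EF6C bytes against 0x1600 bytes of code) is the same thing peframe flagged as the suspicious .rsrc section, and together with the FindResourceA import it is the first place a defender would look for an embedded payload.

```python
"""Parse the 0x200 PE header bytes from the pyew dump above with only the
standard library and reproduce what peframe/pyew reported from them."""
import datetime
import struct

# The 512 header bytes exactly as printed in the pyew hexdump above (0x000-0x1ff).
HEADER = bytes.fromhex("".join([
    "4D5A900003000000" "04000000FFFF0000" "B800000000000000" "4000000000000000",  # 0x000 DOS header
    "00" * 28 + "84000000",                                                      # 0x020 e_lfanew = 0x84
    "BB11000F1FB50ACD" "21B8014CCD219090" "546869732070726F" "6772616D206D7573",  # 0x040 DOS stub
    "742062652072756E" "20756E6465722057" "696E33320A0D2437" "0000000000000000",  # 0x060
    "0000000050450000" "4C01050084260051" "0000000000000000" "E0000F030B01FFFF",  # 0x080 PE\0\0 + COFF
    "0016000000FE0100" "0000000076110000" "0010000000300000" "0000400000100000",  # 0x0a0 optional hdr
    "0002000005000100" "0000000005000100" "0000000000700200" "0004000000000000",  # 0x0c0
    "0200010000001000" "0010000000001000" "0010000000000000" "1000000000000000",  # 0x0e0
    "00000000AC300000" "5000000000700000" "6CEF010000000000" "0000000000000000",  # 0x100 data dirs
    "00" * 64,                                                                   # 0x120-0x15f
    "0000000038240000" "0800000000000000" "0000000000000000" "000000002E746578",  # 0x160 .text hdr
    "740000000C150000" "0010000000160000" "0004000000000000" "0000000000000000",  # 0x180
    "200000602E726461" "74610000860A0000" "00300000000C0000" "001A000000000000",  # 0x1a0 .rdata hdr
    "0000000000000000" "400000402E646174" "6100000000300000" "0040000000020000",  # 0x1c0 .data hdr
    "0026000000000000" "0000000000000000" "400000C02E727372" "6300000000EF0100",  # 0x1e0 .rsrc (cut off)
]))

DIRECTORY_NAMES = ["export", "import", "resource", "exception", "certificate", "basereloc",
                   "debug", "architecture", "globalptr", "tls", "loadconfig", "boundimport",
                   "iat", "delayimport", "clr", "reserved"]
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """COFF/optional-header fields and section table of a PE32 image; section headers
    that fall beyond the end of `data` are skipped so a partial dump still parses."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = {}
    for i in range(min(ndirs, 16)):  # data directories follow the fixed optional header
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if rva or size:
            dirs[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER entries right after the optional header
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            break  # the rest of the section table is not in the dump
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rsize": rsize, "rptr": rptr, "chars": sc})
    return {"machine": machine, "nsections": nsections, "timestamp": stamp, "characteristics": chars,
            "size_of_code": size_of_code, "entry_rva": entry_rva, "image_base": image_base,
            "size_of_image": size_of_image, "directories": dirs, "sections": sections}


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def rva_to_file_offset(pe, rva):
    """RVA -> raw file offset through the section table (how 0x401176 becomes 0x576)."""
    s = section_for_rva(pe, rva)
    return None if s is None else rva - s["va"] + s["rptr"]


def compile_time_utc(pe):
    return datetime.datetime.fromtimestamp(pe["timestamp"], datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage_flags(pe):
    """Header-only heuristics; thresholds and wording are my own, not peframe's."""
    flags = []
    s = section_for_rva(pe, pe["entry_rva"])
    if s is None or not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        flags.append("entry point outside an executable section")
    res_size = pe["directories"].get("resource", (0, 0))[1]
    if res_size > 4 * pe["size_of_code"]:
        flags.append("resources (%#x bytes) dwarf code (%#x bytes): look for an embedded payload"
                     % (res_size, pe["size_of_code"]))
    missing = pe["nsections"] - len(pe["sections"])
    if missing:
        flags.append("%d of %d section headers lie beyond the dumped bytes" % (missing, pe["nsections"]))
    return flags


if __name__ == "__main__":
    pe = parse_pe(HEADER)
    print("compile time:", compile_time_utc(pe))
    print("entry RVA %#x -> VA %#x -> file offset %#x" % (
        pe["entry_rva"], pe["image_base"] + pe["entry_rva"], rva_to_file_offset(pe, pe["entry_rva"])))
    for s in pe["sections"]:
        print("%-7s va=%#07x vsize=%#07x raw=%#07x at %#07x" % (s["name"], s["va"], s["vsize"], s["rsize"], s["rptr"]))
    for f in triage_flags(pe):
        print("flag:", f)
```

Run as-is it prints the three section headers that fit in the dump, the entry point mapping and the flags; point `parse_pe` at the first 4 KiB of any PE32 file (`open(path, "rb").read(0x1000)`) to get the full section table for a real sample.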

http://www.threatexpert.com/report.aspx?md5=6870fd8fd2b2bedd83e218d9e7e4de8b