ARTICLE / 安全
样本分析-trojan/buzus“霸族”木马通过邮件传播
Trojan/Buzus“霸族”木马通过邮件传播
背景
关于buzus
翻阅网上的关于霸族的资料介绍如下: W32/Buzus是一种蠕虫,它通过将自身复制到可移动驱动器来传播,并试图从受损的计算机中窃取机密信息。https://www.symantec.com/security-center/writeup/2009-121019-2757-99 霸族本身存在蠕虫行为,且存在传染性可能。本次样本发现为木马类buzus,或同源Trojan.AgentWDCR.HWI行为,基于各厂商对病毒命名不同略有差别。https://www.virustotal.com/gui/file/e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504/detection
基本信息
文件名称: document.exe 文件大小: 394KB (403968bytes) 文件类型: PE32 executable (GUI) Intel 80386, for MS Windows 开始时间: 2019-09-09 12:54:18 MD5: c1a5ba03f0ba9832cc87180a4c4622a5[virustotal] SHA1: b6c0f0588c8efffc48f308dfddecbf6170204dd9 壳或编译器信息: 无匹配信息
动态分析
前台无任何异常,进程看到子程序调用,rundll32.exe调用并处在运行,可看到触发报错告警。
可以观察到rundll32.exe调用plareb.dll运行命令:
通过行为分析复盘可以看到:
document.exe再执行时开始创建调起进程:"%Temp%\NvMcTray.exe"
查找删除防护软件注册表操作:

样本行为审计可以总结下完整的样本document.exe行为:document.exe运行创建%Temp%\NvMcTray.exe和%Temp%\NvTaskbarInit.exe(这个是受保护隐藏的备份),之后通过NvMcTray.exe进行正常流程调用rundll32.exe运行,删除英伟达注册表并新增额外启动项指向隐藏备份的释放文件NvTaskbarInit.exe,开启代理,删除防护软件启动项等操作。之后NvTaskbarInit.exe还会调用下载dll进行后续下载操作。

NvTaskbarInit.exe样本行为审计:释放plareb.dll到%LocalAppData%\plareb.dll,调用rundll32.exe运行dll。
rundll32.exe调用行为审计: rundll32.exe 运行%LocalAppData%\efazufer.dll,运行_5b78e6e8a21a43cd8ced445ed9ca5ed30ca6835_0b3cf67e\Report.wer,运行%LocalAppData%\plareb.dll,修改注册表,修改cookie等。
网络行为发现连接大量域名IP,主要两处:
静态分析
IOCs:
文件hash 4e04c09cb0c3b3b2375d9e2e92a9e0e82f115c9011ca16a34cc83b4b94a730dc f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0 4e04c09cb0c3b3b2375d9e2e92a9e0e82f115c9011ca16a34cc83b4b94a730dc e53e796d032239c68fa1d485372c69d2232a4a269547f9da959d03f7ed448870 f5853afb6b66570e29fcf6cae815ffb001970e179d24f7739d2efedc317e0ead e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504 e117b82bd7c22e656f0e508dcd9ee7e4cf918cf9feacd170236eea67fd6a1984 f6846e5625a17d76a1a6e954ba67ee14896e0f7350030f5f61c3218b6463af4c 28619bf9a073ce5ade879ef7123c5a60f28bdfead6997c63540e1a5fede309e6 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541 2454bcaae690d629420b45e7db2297269cd97ccb1bb2640401d23f0a1d9b5bcc e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504 5877a70e36f1d51945837daae394da0275ca57e8acbb725fad992b454b7d16c6 c38239c98d9ba20e7af37cd7e516dc69d3accfaf699d9d517976f6cfeccb052c 196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a 3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c 196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a 3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0 33e3065cc7fe4f4a6c7b707fbef7a138a81cdc7906fcf2b565be5e91ec17ec08 196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a 3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0
HOST: 081007e30903.lantzel.com/get2.php?c=CNEUQIGW&d=26606B67393435363E2F676268307D3F222022222425243177757E4469747A224213131B1212151E0E5C434F116F1C6A76057701040172050A0D0309797F7F0C7304707A01707E767F7E0C7F7F6B2C263E2737216964606F7E31333F616E6A3A535155505243070305545A4D031E180A024C442C455329031B12474B4C4D4E47B6B0B6BABDA3F6F5E7EAB7F9F9E3EAE3FCA2A0BDF1EDF3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919C88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F6FDF0F6FEFCF8FFFDEB8B8082 081007e30903.lantzel.com
样本地址
https://github.com/XTpeeps/MalwareSamples/tree/master/Trojan_Buzus





