İstanbul escort bayan sivas escort samsun escort bayan sakarya escort Muğla escort Mersin escort Escort malatya Escort konya Kocaeli Escort Kayseri Escort izmir escort bayan hatay bayan escort antep Escort bayan eskişehir escort bayan erzurum escort bayan elazığ escort diyarbakır escort escort bayan Çanakkale Bursa Escort bayan Balıkesir escort aydın Escort Antalya Escort ankara bayan escort Adana Escort bayan

HomeNetwork SecurityA Hacker Caught During Malware Analysis

A Hacker Caught During Malware Analysis

Today, while I am analyzing one of the sample that I found it very suspicious, I found SMTP username and password of the malware writer. And I decided to share the details with you.

The sample was sent by e-mail with a Word attachment as below.


Attachment contains a macro, which is trying to download a PE file from the internet.

Dropped Sample:


Firstly, I had a look at dropped sample from PEStudio as follows. And I realized that, It was written in C# and complied an hour before It was sent.

I tried to decompile it with .NET Reflector Decompilation tool but it wasn’t successful.

And then, I analyzed the sample with Exeinfo PE application and It can be easily seen that it was obfuscated or packed.


In order to deobfuscate the sample, I used de4dot .NET deobfuscator and unpacker  with respect to Gökmen Güreşçi‘s suggestion.

After all, I tried to open the deobfuscated version of the portable executable again with .NET Reflector.

Then I realized in the resources part ,that there was a Bitmap file and the other parts didn’t contain so many codes in it.

To extract the bitmap file, I used Exeinfo PE as below.

As seen below, 203 Kbytes out of 251 Kbytes is used to store this PNG.


But, I couldn’t find anything worthy in this PNG file. (If someone has an idea about how to  analyze PNG file, he can ping me)

That’s why, I decided to analysis the malware dynamically. Briefly, It modifies the registry to add itself to autostart, tries to identify public IP of the host and tries to connect an SMTP server ( with TCP port 587 as seen below.


To sum up, it takes screenshots in every minutes, looking for some credentials in the config files and tries to send these information by using SMTP with the user [email protected].

Before giving up, while I was walking around the strings in the memory, I saw interesting strings in the memory as follows.


After all, I tried to login with the password ‘@1B2c3D4e5F6g7H8’ and ‘kingdom12345@’.

Then bingo 🙂


There are too many victims seen in the inbox and some victims were from Turkey.  And there is not only screenshots, but also it is logging keystrokes and send them to the attacker. For example, authentication information of the firewall of a victim gathered as below.


There is an intresting screenshot show us that there is a well known endpoint security installed on one of the victim as below.


But it is not over. The guy behind this attack, stores his malwares in dropbox as below. And he recreates them with different templates regularly.


I checked the login activity of the mail box. And, It was obvious that the attacker connects the mailbox from four different countries (Nigeria,United States, Austria, and interestingly Turkey).


Thats all for now 🙂

PS: I shared the sample and details with USOM (TR CERT)

Ali Bay
Ali Bay
Sr. Network & Security Engineer


Please enter your comment!
Please enter your name here

Most Popular

Recent Comments