Malware Analysis on Bionet.exe File

The provided sample, named “sample 31”, is used here for educational purposes only. The analysis performed on sample 31 aims to surface artifacts for learning and to understand the core functionality of backdoor malware such as this.

The original name of sample 31 is “Bionet.exe”, produced by sub7crew, who also act as a threat actor and are known for creating Trojan-type files, mostly to provide remote access for intentional intrusion into systems. Specifically, “Bionet 3.07.ME.exe” is a process classified as a backdoor which may be installed for malicious purposes by an attacker and used as a utility allowing access to your computer from remote locations and the theft of passwords, Internet banking and personal data. This process is a major risk to your environment and should be removed.

Non-native processes like bionet.exe originate from software installed on your system. Since most applications store data on your hard disk, it is likely that your computer has suffered fragmentation and accumulated invalid entries, which can affect your PC’s performance and escalate privileged access to your sensitive files.

Based on the suspicious intent of the Bionet.exe file under examination, a MITRE ATT&CK mapping was prepared to give a precise, high-level understanding of this sample’s attack vector.

Sample Specimen Identity:
The identity information of the assessed sample follows.

The unique identifier of this sample file, i.e. its SHA256 hash value, is “c0b3e7233fa93d47552ab4f7d2f64e445b60ed42dab7f9cf104b557e5857adc7”. First, we examined the hex dump: it shows “MZP” at offset 00000000 of the header, which fundamentally means that this file executes as an .exe file.

After reviewing this file in the EXEinfoPE tool, it is observed that the file is packed with Borland Delphi 4.

Characteristics:
Access for Rebooting/Shutting Down the OS:

This sample program has the ability to reboot or shut down the operating system with the help of the function “ExitWindowsEx”, found under User32.dll, and another function named “SetSystemPowerState”, found under system32.dll.

Shared Network Resources Lookup:
This sample file also has the capability of querying information about shared network resources, such as printing devices, in order to act accordingly.

Automated Environment Learning:
It also has the ability to read monitor information and the current time zone, which is intended to evade a sandbox environment or to learn about the environment. The functions this sample file uses for this activity are “GetMonitorInfoA” and “GetLocalTime”.
Another artifact seen during the static overview is that this file uses “GetVersionExA” and “GetDiskFreeSpaceA” to determine the environment’s version and to check the free disk space. As shown below,

Incoming Internet Connection:

It also has the capability of listening for and receiving internet packet requests from the targeted or defined C&C server. The function named “listen”, found under “winsock32.dll”, enables this file to listen for instructions over the internet and process them accordingly. The function named “recv”, which also pertains to “winsock32.dll”, enables this file to download files from the internet.

Socket Connection Findings:

The sample also has the characteristic of making connections to an external server, which helps the malware establish a backdoor connection. Hence, the first feature we analyze is how the malware establishes that backdoor connection.

Finding Input Devices:

Another strategy most malware uses to begin reconnaissance of the environment it is designed to run in is looking up the state of the input devices, and this sample has the same capability. It uses the “GetKeyboardState” function under “user32.dll” to obtain the keyboard state and thereby the input device status, and it passes the keyboard status through the “lpKeyState” parameter. As shown below,

Other suspicious API functions used by this sample are listed in Appendix B.
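As an added illustration of the static checks described above (the MZ/MZP magic and SHA256 identity from the Sample Specimen Identity section, and the review of imported API names behind the characteristic findings), the following Python script is not part of the original post and does not contain the real Bionet.exe bytes; it runs on a constructed stand-in image built inline. The watchlist collects the API names the post discusses, grouped by the capability the post attributes to them; the group labels are the editor's, not the post's.

```python
import hashlib
import re
import struct

# API names the post discusses, grouped by the capability it attributes to
# them. The group labels are the editor's, not the post's.
API_WATCHLIST = {
    "power": {"ExitWindowsEx", "SetSystemPowerState"},
    "environment": {"GetMonitorInfoA", "GetLocalTime", "GetVersionExA",
                    "GetDiskFreeSpaceA"},
    "network": {"listen", "recv"},
    "input": {"GetKeyboardState"},
    "identity": {"GetUserNameA"},
    "file/process": {"CreateFileMappingA", "GetFileAttributesA", "GetDriveTypeA",
                     "GetTempPathA", "WriteFile", "GetModuleFileNameA",
                     "LoadLibraryExA", "UnhandledExceptionFilter",
                     "GetModuleHandleA", "CreateThread", "TerminateProcess",
                     "GetTickCount"},
}

# Import names look like C identifiers; 4+ characters keeps "recv", drops noise.
IDENTIFIER = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{3,}")


def sha256_hex(data: bytes) -> str:
    """Identity of the specimen: the SHA256 hex digest of the file bytes."""
    return hashlib.sha256(data).hexdigest()


def check_pe_header(data: bytes) -> dict:
    """Confirm the DOS 'MZ' magic at offset 0, read e_lfanew at offset 0x3C
    and check that a 'PE\\0\\0' signature sits there. Delphi-built binaries
    read 'MZP' because their DOS stub places a 'P' byte right after 'MZ'."""
    result = {"mz": False, "mzp": False, "pe": False, "e_lfanew": None}
    if len(data) < 0x40:
        return result
    result["mz"] = data[:2] == b"MZ"
    result["mzp"] = data[:3] == b"MZP"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    if e_lfanew + 4 <= len(data):
        result["pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return result


def find_watchlisted_apis(data: bytes) -> dict:
    """Map each capability to the watchlisted API names present as ASCII
    strings in the file, the way a strings/import-table pass exposes them."""
    names = {m.group(0).decode("ascii") for m in IDENTIFIER.finditer(data)}
    hits = {}
    for capability, apis in API_WATCHLIST.items():
        found = sorted(apis & names)
        if found:
            hits[capability] = found
    return hits


def triage(data: bytes) -> dict:
    """Combine identity, header check and API watchlist into one report."""
    return {
        "sha256": sha256_hex(data),
        "header": check_pe_header(data),
        "apis": find_watchlisted_apis(data),
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in, not the real Bionet.exe: an 'MZP' DOS stub whose
    e_lfanew points at a 'PE\\0\\0' signature, followed by a few NUL-separated
    import names of the kind the post reports."""
    image = bytearray(b"MZP")
    image += b"\x00" * (0x3C - len(image))
    image += struct.pack("<I", 0x40)                      # e_lfanew -> 0x40
    image += b"PE\x00\x00" + struct.pack("<H", 0x014C)    # IMAGE_FILE_MACHINE_I386
    names = [b"ExitWindowsEx", b"GetKeyboardState", b"listen", b"recv",
             b"GetVersionExA", b"MessageBoxA"]
    image += b"\x00" + b"\x00".join(names) + b"\x00"
    return bytes(image)


if __name__ == "__main__":
    report = triage(build_constructed_sample())
    print("sha256:", report["sha256"])
    print("header:", report["header"])
    for capability, apis in report["apis"].items():
        print(f"{capability}: {', '.join(apis)}")
```

Run against a real specimen, the header check is what turns “MZP at offset 0” into a verified PE signature, and the watchlist output is a first cut at the capability list before the import table is read properly in a PE parser.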

Behavioral Findings Overview:

During behavioral analysis it is observed that, after opening this file, a GUI is displayed with the name BioNet 3.07 ME by Cyberium Technology.

Drilling further into the GUI shows that this file is designed to initiate a remote connection: as the above screenshot shows, you only need to enter the relevant information to gain remote access to the desired asset.

After debugging this file, many artifacts came under observation showing that it looks up existing user account information, along with their naming convention, using “GetUserNameA”, which belongs to advapi32.dll and exists at base address 761C1000.

Moving on to memory forensics, it was observed that several addresses are specified inside the sample file which this sample is intended to visit.

Inside the chunk we also found base64-encoded streams; after decoding the streams we found a list of search engine URLs and shopping websites, along with other categories of websites. The list of URLs resides in Appendix A.
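Added example, not the post's own tooling: a small Python routine that does what the paragraph above describes, finding base64-looking runs in a memory chunk, decoding those that yield printable text, and pulling hostnames out of the decoded text. The chunk it runs on is constructed inline from four Appendix A entries plus binary junk and a decoy run; it is not memory from the real sample.

```python
import base64
import re

# A base64-alphabet run long enough to be worth decoding, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Hostname-like tokens in the decoded text (matched on the lower-cased text).
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def decode_candidate(run: bytes):
    """Base64-decode one run; return the text only if it is printable ASCII,
    which discards random alphabet-looking byte runs from code or data."""
    core = run.rstrip(b"=")
    padded = core + b"=" * (-len(core) % 4)   # restore padding if it was stripped
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except ValueError:   # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def extract_decoded_domains(chunk: bytes) -> list:
    """Walk every base64-looking run in a memory chunk, decode it, and collect
    the hostnames in the decoded text in order of first appearance."""
    domains = []
    for match in B64_RUN.finditer(chunk):
        text = decode_candidate(match.group(0))
        if text is None:
            continue
        for host in DOMAIN.findall(text.lower()):
            if host not in domains:
                domains.append(host)
    return domains


# Four entries from Appendix A, used to build the constructed chunk below.
SAMPLE_HOSTS = ["int.search.myway.com", "nortonsafe.search.ask.com",
                "search.visymo.com", "uk.ask.com"]

# Decoy: 26 base64-alphabet characters that decode to non-printable bytes.
DECOY = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def build_constructed_chunk() -> bytes:
    """Constructed memory chunk, not bytes from the real sample: the host list,
    comma-joined and base64-encoded, surrounded by binary junk and the decoy."""
    encoded = base64.b64encode(",".join(SAMPLE_HOSTS).encode("ascii"))
    junk = b"\x00\x90\xff\x8b\x45\xfc\x00"
    return junk + DECOY + b"\x00" + encoded + b"\x00" + b"short/b64" + junk


if __name__ == "__main__":
    for host in extract_decoded_domains(build_constructed_chunk()):
        print(host)
```

The printable-ASCII filter is the important part: any 16+ character stretch of letters and digits in a binary is valid base64 syntactically, so without it a strings-style sweep of a memory dump fills up with decoded garbage.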

Hence, it does not show any explicitly malicious intent, but this will be considered an information-retrieval characteristic of sample 31. Based on the analysis, the analyzed sample is a significant file among remote backdoor malware, as its characteristics include remote administration using various techniques. This file is not intended to perform a malicious task by itself, but it can surely be used for malicious purposes.

Appendix A

List of URLs seen inside the HTTP stream:
americanlisted.com
bestreviews.guide
careerjet.jp
cl.bebee.com
cybermondaldeals.center
de.jobrapido.com
elclasificado.com
fr.consumersearch.com
hasgeneral.info
int.search.myway.com
int.search.tb.ask.com
izito
jooble.org
jora.com
m.apkpure.com
m.indiamart.com
m.in.locan.to
m.quoka.de
m.sears.com
mybrowser-search.com
nortonsafe.search.ask.com
ru.gigapromo.com
sd.cac.attorney
search.myway.com
search.smt.docomo.ne.jp
search.visymo.com
sp-web.search.auone.jp
startgoogle.startpagina.nl
suchen.mobile.de
suche.web.de
uk.ask.com
zapmeta

Appendix B
List of common malicious APIs:
CreateFileMappingA
GetFileAttributesA
GetDriveTypeA
GetTempPathA
WriteFile
GetModuleFileNameA
LoadLibraryExA
UnhandledExceptionFilter
GetModuleHandleA
CreateThread
TerminateProcess
GetTickCount
GetVersionExA
