[en] Malware with « big size »


Two days ago, I came across an exploit kit that drops a 16 MB file.
I did not keep the URL; the detection rate was good.
Yesterday, on a removal forum, I came across two other malware samples with a "big size".

HKShip.exe (16 MB): it also sits in the startup directory and creates random numeric files: http://pjjoint.malekal.com/files.php?read=20130123_z14z15r15h6x6
Malwarebytes Anti-Malware is able to detect those random files, but not the HKShip.exe file itself: http://cjoint.com/13jv/CAwvKEFdeLE.htm


The second file is v8uivv8.exe.
A service launches it through a bat file:

@echo off
set path=C:\Users/Floriane/AppData/Roaming\
set exe="%path%"v8uivv8.exe

Very simple, but probably efficient at bypassing detection.

There is also a Run key (screenshot: dropper_bigfile_205mo_file2),
and no, you are not dreaming: the file is 205 MB in size:

This one is very interesting.
Zipped, its size drops to 205 KB.
It is VB-packed, probably with anti-VM checks (it does not run on VMware or VirtualBox).
malwr.com and Anubis also failed on it.
It creates a mutex and exits: http://malwr.com/analysis/c75a563eeb67bc3f03bfd12dd33d327b/

Here is the detection of a cleaned version (thanks to Horgh): https://www.virustotal.com/file/ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257/analysis/

SHA256: ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257
File name: v8uivv8.exe
Detection ratio: 8 / 45
Analysis date: 2013-01-23 17:39:28 UTC (13 hours, 7 minutes ago)

AntiVir TR/Dropper.Gen 20130123
Avast Win32:Downloader-QUA [Trj] 20130123
AVG Downloader.VB.ACPG 20130123
CAT-QuickHeal (Suspicious) - DNAScan 20130123
ESET-NOD32 a variant of Win32/TrojanDownloader.VB.QBA 20130123
Fortinet W32/VBKrypt.C!tr 20130123
GData Win32:Downloader-QUA 20130123
Panda Suspicious file 20130123

I was able to run it:
First it contacts Yahoo to test connectivity (screenshot: dropper_bigfile_Yahoo),

then it connects to port 82:

descr: China Unicom CncNet
country: CN
origin: AS9929
changed: [email protected] 20060330
source: APNIC
(screenshot: dropper_bigfile2)

After that it launches the web browser (screenshot: dropper_bigfile4),
and again the 205 MB file size (screenshot: dropper_bigfile3).
Web connections, so Trojan Clicker stuff (screenshot: dropper_bigfile5).

The traffic with
returns some other malicious files to be downloaded:


Looks like Chinese stuff.
Detection rates are really good:


Why this size trick?
Probably to prevent the malicious files from being grabbed automatically by antivirus clients (most antivirus clients send files or hashes to the lab so detection can be added).
It is also a pain to send it to vendors, because most of them work with an email submission procedure.
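As an added example (not code from the original post), here is a small Python triage helper for the "big size" trick described above. It hashes a large sample in chunks, so the hash rather than a 200 MB file can be sent to a vendor, and it measures how well the file compresses: the 205 MB sample above shrinking to 205 KB when zipped means almost all of it is filler. The 8 MB size floor and the 50x compression-ratio threshold are assumed values for this example, and the sample files it triages are constructed in a temporary directory, not real malware.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # read files 1 MiB at a time so a 200 MB sample never sits in memory


def sha256_file(path):
    """Chunked SHA-256 of a file; the hex digest is what you submit when the file is too big."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def compressed_size(path):
    """Stream the file through zlib and return the compressed byte count (no temp file written)."""
    comp = zlib.compressobj(level=6)
    total = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            total += len(comp.compress(chunk))
    total += len(comp.flush())
    return total


def triage(path, min_size=8 * 1024 * 1024, min_ratio=50.0):
    """Flag a file as padded when it is large AND compresses far better than real code would.

    min_size and min_ratio are assumed thresholds for this example; a genuine PE of
    a few MB rarely compresses more than 2-4x, while zero/constant padding compresses
    by hundreds or thousands of times.
    """
    raw = os.path.getsize(path)
    comp = compressed_size(path)
    ratio = raw / comp if comp else float("inf")
    return {
        "path": path,
        "size": raw,
        "compressed": comp,
        "ratio": ratio,
        "sha256": sha256_file(path),
        "padded": raw >= min_size and ratio >= min_ratio,
    }


def make_sample(size, padded=True):
    """Constructed sample: a 64 KiB pseudo-random 'body' followed either by zero padding
    (mimicking the bloated dropper) or by more random bytes (a dense, non-padded file)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    body = 64 * 1024
    with os.fdopen(fd, "wb") as f:
        f.write(b"MZ" + os.urandom(body))
        filler = size - body - 2
        f.write(b"\x00" * filler if padded else os.urandom(filler))
    return path


def demo():
    """Build one padded and one dense 16 MiB sample, triage both, remove them, return results."""
    size = 16 * 1024 * 1024
    padded = make_sample(size, padded=True)
    dense = make_sample(size, padded=False)
    try:
        return triage(padded), triage(dense)
    finally:
        os.remove(padded)
        os.remove(dense)


if __name__ == "__main__":
    for result in demo():
        print("%(sha256)s  %(size)d bytes  ratio %(ratio).1f  padded=%(padded)s" % result)
```

The compression ratio is a cheap first-pass signal, not proof: a packed or encrypted payload inside a padded file still shows up as highly compressible overall because the padding dominates, which is exactly why the author's sample went from 205 MB to 205 KB. Run the same `triage()` over the startup directory and the targets of Run keys to pick out oversized entries for manual review.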
