Spam Email Contains a Very Large ISO file

Published: 2022-06-04
Last Updated: 2022-06-04 16:55:59 UTC
by Guy Bruneau (Version: 1)

This zipped email attachment was received a few days ago and was blocked by the antispam policy. It contained a very large ISO/EXE file similar to the one in the diary published by Xavier [1] last week. Instead of using Remnux, I submitted this file to a sandbox.

This is a summary of the results of the analysis. The malware communicates with the C2 site bitrat9300.duckdns[.]org over TCP/9300. Note that TCP/9300 is also the Elasticsearch transport port (node-to-node and remote-cluster traffic), so a detection keyed on the port alone will produce false positives in environments that run Elasticsearch; pair it with the dynamic DNS hostname or the hashes below.

Linux Commands

# Loop-mount the ISO so its contents can be read without running anything (add ,ro to keep it read-only)
sudo mount -o loop AMD8J46DH_ETRANFER_RECEIPT.iso /mnt
# Dump printable strings with their hex offsets (-t x); this is how the SmartAssembly URL below was spotted
strings -t x AMD8J46DH_ETRANFER_RECEIPT.exe

File Size at Various Stages

-r-xr-xr-x. 1 guy guy 314572800 Jun  4 11:34 AMD8J46DH_ETRANFER_RECEIPT.exe
-rw-rw-r--. 1 guy guy 315176960 May 26 22:37 AMD8J46DH_ETRANFER_RECEIPT.iso
-rw-rw-r--. 1 guy guy   1888843 Jun  4 11:11

The EXE is exactly 300 MiB (314572800 bytes), well above the size limit of many sandboxes and AV engines, while the compressed attachment is under 2 MB, so the inflation is cheap for the sender and costly for the analyst.

I noticed the EXE contained the following SmartAssembly URL. "SmartAssembly is an obfuscator that helps protect your application against reverse-engineering or modification, by making it difficult for a third-party to access your source code."[4]


VirusTotal currently has no detections for this file; Microsoft Defender, however, detects it as Trojan:MSIL/AgentTesla.AFFA!MTB [5].

Indicator of Compromise

bitrat9300.duckdns[.]org (C2)
2b6edc8dd9b00ac316b6aa625f651c513ff614c01d2ca9dc55f0e4cfe5602312  AMD8J46DH_ETRANFER_RECEIPT.iso
02b1606269fdda72f84825701cba28a5a7c5f950a2b58d254b09ac35393fe81e  AMD8J46DH_ETRANFER_RECEIPT.exe

Bitrat Config File

BitRat {"Host": "bitrat9300.duckdns[.]org", "Port": "9300", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "e10adc3949ba59abbe56e057f20f883e", "Tor Process Name": "tor"}

The Communication Password field is an unsalted MD5 digest; e10adc3949ba59abbe56e057f20f883e is MD5("123456"), so the operator left the RAT's default-strength password in place.

Scheduled Task Persistence

C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\user\AppData\Roaming\namjs.exe'" /f

The task re-launches the dropped copy (namjs.exe under the user's AppData\Roaming) every minute and /f silently overwrites any task of the same name, so killing the process alone does not remove the infection; the task must be deleted as well.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


