Following a suspicious padded executable over the past week, appears to be Astaroth Brazilian Banking Trojan.

It's been a while since I've posted anything, but this is genuinely interesting to me and I want to put this out there. I have been using a "hunting query" in VirusTotal to look for "imphash:9cbefe68f395e67356e2a5d8d1b285c0 size:140MB+".

I use this primarily to look for some known patterns in the recent solarmark campaign; however, it's recently been picking up a number of other large padded files.

Examples:
IDfac-t.165.j0.exe: 2045ce1f72fab0c0de425d10308afcd4 390MB+
IDfac-t.165.j0.exe: 9c10c074275f038aeaff06455d7425f1 389MB+
PDF-Notafiscal-avqlz-07382-TGJKC.exe: dff097514b96ab3f3ef1899091ac31eb 282MB+

I've pulled a few of these and ran them through app.any.run. Here are some of the results:
https://app.any.run/tasks/6783b7ca-20ce-434b-a429-e8db194118c4/
https://app.any.run/tasks/69dc7467-369e-42d6-a097-2156c2a43366/
https://app.any.run/tasks/5bce4e2c-288a-4ce6-9c57-304925819d0e/

The last one is after I removed most of the padding (not all of it). The padding was just a bunch of added null bytes and easy to remove in a hex editor.
https://www.virustotal.com/gui/file/2501396bf6bbfdc07530efe8f3f9f2e1c807e8bc98280f4ac9e225c4ca8aafc2/detection
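To triage this kind of null-byte padding without a hex editor, the following added example (not code from the original post) parses the PE section table, measures the overlay past the last section, and strips only the trailing nulls from it. The function names and the `build_sample` test file are constructed for illustration, and the file is assumed to be unsigned, since Authenticode data also lives in the overlay.

```python
import struct

def overlay_info(data: bytes) -> dict:
    """Find the PE overlay (bytes past the last section's raw data) and
    measure how much of it is null padding."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                           # section table start
    end = table + 40 * n_sections                            # headers at minimum
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))
    overlay = data[end:]
    return {
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "null_ratio": overlay.count(0) / len(overlay) if overlay else 0.0,
        "trailing_nulls": len(overlay) - len(overlay.rstrip(b"\0")),
    }

def strip_null_padding(data: bytes) -> bytes:
    """Remove trailing nulls from the overlay only. Section data that happens
    to end in zeros is untouched, unlike a naive rstrip on the whole file."""
    return data[:len(data) - overlay_info(data)["trailing_nulls"]]

def build_sample(pad_len: int) -> bytes:
    """Constructed minimal PE-like file: headers, one 512-byte section whose
    raw data ends in zeros, then pad_len null bytes of overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 512, 0x1000, 512, 512) + b"\0" * 16
    headers = (dos + coff + b"\0" * 224 + sect).ljust(512, b"\0")
    return headers + b"\xCC" * 256 + b"\0" * 256 + b"\0" * pad_len

if __name__ == "__main__":
    sample = build_sample(pad_len=5_000_000)
    print(overlay_info(sample))
    print(len(sample), "->", len(strip_null_padding(sample)))
```

An overlay that is hundreds of megabytes with a null ratio near 1.0 is a cheap triage signal for the padded EXE and DLL described here.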

What's interesting about these is that once the executable is run, it drops a number of files.

Many of these files appear to be part of the StuffIt software suite; however, one interesting point here is that StuffItEngine.dll is heavily padded, placing it well over 200MB in size.
This file is likely sideloaded by convert.exe.
If these factors were not enough to raise suspicion, there are a few other interesting things to note.

For example:

  • A task file is created: \Windows\System32\Tasks\Run DeskRemot
  • The domain "mastdcoodbdfdsgfhfcx[.]com" appears to be fairly new.
  • Then there is the one interesting sample run that made a request to "hxxp://20.70.3[.]186/contgmx/ybnzkvj[.]php"
  • When browsing to that folder there are a number of php files as well as one txt file which appears to be data representing IP connections with OS, browser and city/country.
  • A large file (~9MB) named g2m that appears to be encoded or encrypted.
  • Another interesting file in some samples named gas.dbd that may be a decryption key.
  • All these files are dropped in the root of "c:\users\user\".

These may not really be anything, but it's still an interesting datapoint.
As of this writing, I am still in the process of documenting findings. However, I did run across this Twitter post that identifies the same txt file I had seen, as well as some of the domains I've been seeing.

https://twitter.com/noexceptcpp/status/1578403486181560322

This appears to be Astaroth, a Brazilian Banking trojan. Just for fun I will give this particular version a name of OverStuffed Trojan. Just to play on the "StuffIt" and massive overlay in the initial EXE and DLL.
