Date: 01/08/2025
Severity: Medium
Summary
Recent changes to HeartCrypt-packed malware include a shift in how the malware payload is hidden. Previously, the position-independent code (PIC) payload was stored in the PE file's resource data; now it is split across two separate files disguised as BMP images. Each file contains a fake BMP header, followed by junk data, an XOR key, and XOR-encrypted data. The encrypted data from both files is decrypted and combined to form the final payload, enhancing evasion techniques.
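The files described above carry a BMP header but are not BMP images, so a simple triage check is to verify that the header is internally consistent and that the file ends where its pixel array ends. The following script is an added example for that check; it is not code from Gurucul or from the Unit 42 report, and it assumes only the standard 14-byte BITMAPFILEHEADER and 40-byte BITMAPINFOHEADER layouts. The two sample files it inspects are constructed inline (the "fake" one has a stand-in trailing blob in place of the junk, key and encrypted data, not real malware bytes), and the file-size and pixel-array arithmetic is the same for any uncompressed BMP, so the check generalises beyond this campaign.

```python
import struct

# Standard BMP header layouts (little-endian). Assumed from the BMP file
# format specification, not from the advisory.
FILE_HDR = "<2sIHHI"        # magic, file size, reserved, reserved, pixel data offset
INFO_HDR = "<IiiHHIIiiII"   # header size, width, height, planes, bpp, compression,
                            # image size, x/y pixels per metre, colours used/important
HEADERS_LEN = struct.calcsize(FILE_HDR) + struct.calcsize(INFO_HDR)  # 54 bytes


def bmp_anomalies(data: bytes) -> list:
    """Return a list of inconsistencies between the BMP header and the file body.

    An empty list means the file looks like an ordinary uncompressed BMP.
    Anything else is worth a closer look: a fake header with junk and an
    encrypted blob appended will normally fail the pixel-array length check
    even when the declared file size has been patched to match.
    """
    findings = []
    if len(data) < HEADERS_LEN:
        return ["shorter than the 54-byte BMP file+info headers"]

    magic, declared_size, _r1, _r2, pixel_off = struct.unpack_from(FILE_HDR, data, 0)
    hdr_size, width, height, planes, bpp, compression, _img_size, _, _, _, _ = \
        struct.unpack_from(INFO_HDR, data, 14)

    if magic != b"BM":
        findings.append("magic is not 'BM'")
    if declared_size != len(data):
        findings.append(f"declared file size {declared_size} != actual {len(data)}")
    if hdr_size != 40:
        findings.append(f"unexpected info header size {hdr_size}")
    if planes != 1:
        findings.append(f"planes field is {planes}, expected 1")
    if bpp not in (1, 4, 8, 16, 24, 32):
        findings.append(f"implausible bits per pixel {bpp}")
    if pixel_off < HEADERS_LEN:
        findings.append(f"pixel data offset {pixel_off} overlaps the headers")

    if compression == 0 and bpp in (1, 4, 8, 16, 24, 32):  # BI_RGB: size is computable
        row_bytes = ((width * bpp + 31) // 32) * 4        # rows are padded to 4 bytes
        expected_pixels = row_bytes * abs(height)
        trailing = len(data) - (pixel_off + expected_pixels)
        if trailing > 0:
            findings.append(f"{trailing} bytes beyond the pixel array")
        elif trailing < 0:
            findings.append(f"pixel array truncated by {-trailing} bytes")
    return findings


def make_bmp(width: int, height: int, pixels: bytes, trailing: bytes = b"") -> bytes:
    """Build a 24-bit uncompressed BMP (constructed sample data for this example)."""
    pixel_off = HEADERS_LEN
    size = pixel_off + len(pixels) + len(trailing)
    file_hdr = struct.pack(FILE_HDR, b"BM", size, 0, 0, pixel_off)
    info_hdr = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + trailing


# Constructed samples: a genuine 2x2 image (8-byte padded rows, 16 bytes of pixels)
# and a look-alike whose header is consistent but which carries 48 extra bytes
# standing in for junk + key + encrypted data.
GENUINE = make_bmp(2, 2, bytes(16))
FAKE = make_bmp(2, 2, bytes(16), trailing=bytes(range(48)))

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE), ("fake", FAKE)):
        print(name, bmp_anomalies(blob) or "no anomalies")
```

Run it over the suspect files in a sandbox directory by reading each file into `bytes` and passing it to `bmp_anomalies`; a non-empty result on a file that the OS or an image viewer treats as a BMP is a good pivot for further analysis.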
Indicators of Compromise (IOC) List
Hash (SHA256)
1b7411d5d2854c40f66cc933f80f147167e39778f54115b842fc32b4a5d3d483
374147d9a1183af2f4bb249ef4cd55fe3cb584d932bc80102d933809826a6a0f
87c1cb9d609659ce466d16354973ce4dbb8bea8652dbe104a196e42b3a739786
fa5ca2d7c232c7abef7c18d67a2303ac22e1d5f3320c7b6d4a95b56342b38c3b
2baf9b0ff18b826f394498385d0ac66b241cd55c9e35822f50c97ec33ed8df8e
46911b593034e23c7d56b2ebf9a4bb94ef2e2ded7c7b66e20c1d9fd9b1687ad4
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1
sha256hash IN ("2baf9b0ff18b826f394498385d0ac66b241cd55c9e35822f50c97ec33ed8df8e","fa5ca2d7c232c7abef7c18d67a2303ac22e1d5f3320c7b6d4a95b56342b38c3b","1b7411d5d2854c40f66cc933f80f147167e39778f54115b842fc32b4a5d3d483","87c1cb9d609659ce466d16354973ce4dbb8bea8652dbe104a196e42b3a739786","46911b593034e23c7d56b2ebf9a4bb94ef2e2ded7c7b66e20c1d9fd9b1687ad4","374147d9a1183af2f4bb249ef4cd55fe3cb584d932bc80102d933809826a6a0f")
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-06-changes-to-HeartCrypt-packed-malware.txt