[Notes] Possibly PowerRatankba Chm file

I was bored and found this file with an interesting filename, “22 European Nations Form New .chm”

sha256 : ebec8440590cdea8433079cf2b3f3259694035a9ab80a163f1f0ffcf606939dc
ITW Filename : 22 European Nations Form New .chm

A quick look at the file, it’s actually a zip file with another file within it, “mynakedpic.chm”
That filename, reminded me of this sticker i got from a conference years ago.

sha256 : c9b26ffb11ba2952afaa3e6a96a7089820366eaaa901240f60b8ca6ccd78beef
ITW Filename : mynakedpic.chm

Within this chm file, we can find this interesting html file within it.

We can see the contents here.
https://ghostbin.com/paste/6mh34

Alright, it’s slightly obfuscated, we can clean this up.
https://ghostbin.com/paste/wosbg

We can see that it’s downloading the 2nd stage from “hxxp://png[.]realtimenews[.]tk/fssct.jpg”
The hash of “fssct.png” is 61fa14c91f3014baa8ab09056633d1f9311184564ed49e30aba5203ea3071f25
The contents of that file is here: https://ghostbin.com/paste/t79kd

For those who are too lazy to decode it,i have decoded it for you and put it up on https://ghostbin.com/paste/cdkjf
As you can see that it’s downloading from “hxxp://png[.]realtimenews[.]tk/fs.png”
The hash of “fs.png” is “e95cb15d040e95fef37d8c2cec2ccca5914a116784c4d45ebfb94775fcb9a522”

I have extracted the payload and the hash of the payload is as follows.
SHA256 : fb18b8cc28da930ac06cd7494a4e5f69b91da6669586408293ac842dded8d557

Within the payload, we can find the following Javascript
https://ghostbin.com/paste/dakev

From the Javascript, we can find 1 associated BTC account address, https://blockchain.info/address/1NEGq56fJ1kVXLAo1HY5XBcU3p4y2yxPh4
We can also see that it’s downloading another Json from “hxxp://news[.]realnewstime[.]xyz/news/us”
The hash of the json file is “210dcb3a084179f7489a43000c04082b7d2c8606c077d44a9d912dbc530d542e”

As i’m used to seeing Base64 encoded strings, immediately i knew that is a Base64 encoded zip file.

The hash of the zip is “8cd64f36a12332d2c257713aeb463a44aec924addb19d98dd8b8d1d1be22927b”

Within this zip file, there is another malicious chm file.
sha256 : 413ec374a29f8595e2c90d1549968e3d71db0132b5bfa89b4bb301b132216435
ITW Filename : Wood Group in deal to take over Amec Foster Wheeler – News.chm

After analysing the Javascript within the new chm file, it’s the same as the first one which we found.
The payload will require another writeup on it.

We can find other similar samples that are using the same “Load_HTML_CHM0.html”

Have Phun
Jacob Soo