Bezilom Worm - MAR
Bezilom Malware Analysis Report (MAR)
Author: Noam Afergan
Date: December 14, 2024
TLP: CLEAR
Summary
This Malware Analysis Report (MAR) presents the findings of my research on a common malware variant known as “Bezilom” or “Maria” (its known aliases). The malware is classified as a “Worm” and targets the email accounts on the victim’s machine: it propagates by sending itself to other machines using the Outlook email data found on the compromised system. It also uses a Command and Control (C&C) server to communicate with infected machines.
The malware additionally prevents the user from opening any new window or interacting with an already open one: it closes every window it finds, so Task Manager, taskkill or Process Explorer cannot be used to terminate it.
For persistence the malware keeps backup copies of itself: one inside the Windows directory, registered as an autorun entry and marked as a hidden system file, and a second one with a random name under C:\, launched by a batch script (autoexec.bat).
Technical Details
Files
- Bezilom.exe
  - MD5: 8E9D7FEB3B955E6DEF8365FD83007080
  - Path: Can be located anywhere
  - Size: 28.00 KB
  - Type: Win32 PE
  - Compiler: Microsoft Visual Basic V5.0/V6.0
- Maria.doc.exe (Backup Copy)
  - MD5: 8E9D7FEB3B955E6DEF8365FD83007080
  - Path: C:\Windows\Maria.doc.exe
  - Size: 28.00 KB
  - Type: Win32 PE
- autoexec.bat
  - Path: C:\autoexec.bat
  - Size: 1.00 KB
  - Type: Windows Batch File
- [Random Name].exe (Backup Copy)
  - MD5: 8E9D7FEB3B955E6DEF8365FD83007080
  - Path: C:\[Random Name].exe
  - Size: 28.00 KB
  - Type: Win32 PE
Registry Modifications
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled
"StartUp"="C:\\Windows\\Maria.doc.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Start
"RegRes1"=dword:00000003
"REGWord"=dword:00000003
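To turn the file and registry indicators above into a repeatable host check, the following Python script is added here as an example (it is not code from the report). It hashes file bytes against the MD5 given in this report, parses a .reg export of the Run key and flags any value whose data points at one of the listed paths, and takes an injectable `exists` callback so the path check can be exercised offline; the sample export is constructed to mirror the Registry Modifications section, and on a live Windows host you would pass it a real `reg export` and `os.path.exists`.

```python
"""Offline triage for the Bezilom host indicators listed in this report.
Added example, not part of the original MAR: it checks a .reg export of the
Run key and raw file bytes against the report's IoCs, so it runs anywhere;
on a live host you would pass it the real export and the real files."""
import hashlib

# Indicators copied from the report (MD5 compared case-insensitively).
BEZILOM_MD5 = "8e9d7feb3b955e6def8365fd83007080"
BEZILOM_PATHS = (r"C:\Windows\Maria.doc.exe", r"C:\autoexec.bat")
PERSISTENCE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                   r"\CurrentVersion\Run\AutorunsDisabled")


def md5_hex(data: bytes) -> str:
    """Lower-case hex MD5 of a file's bytes."""
    return hashlib.md5(data).hexdigest()


def md5_matches(data: bytes) -> bool:
    """True if the bytes hash to the MD5 the report attributes to Bezilom."""
    return md5_hex(data) == BEZILOM_MD5


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: raw_data}}.
    Only the subset of the format needed here is handled: [key] lines and
    "name"=data lines; the raw data string is kept unchanged."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            result[current][name.strip('"')] = data
    return result


def find_persistence(reg: dict) -> list:
    """Return (key, value_name, path) for every REG_SZ value that points at a
    Bezilom path. .reg exports double each backslash, so they are unescaped."""
    hits = []
    for key, values in reg.items():
        for name, data in values.items():
            if not data.startswith('"'):
                continue  # dword:/hex: data cannot hold a path
            path = data.strip('"').replace("\\\\", "\\")
            if path.lower() in (p.lower() for p in BEZILOM_PATHS):
                hits.append((key, name, path))
    return hits


def hunt_files(exists) -> list:
    """Return the report's paths that are present. `exists` is injectable
    (os.path.exists on a Windows host) so the check is testable offline."""
    return [p for p in BEZILOM_PATHS if exists(p)]


# Constructed sample export reproducing the Registry Modifications above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"StartUp"="C:\\Windows\\Maria.doc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Start]
"RegRes1"=dword:00000003
"REGWord"=dword:00000003
'''

if __name__ == "__main__":
    for key, name, path in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"persistence: {key}\\{name} -> {path}")
    # Constructed stand-in for os.path.exists: pretend only the batch file is on disk.
    print("files present:", hunt_files(lambda p: p == r"C:\autoexec.bat"))
```

The parser deliberately keeps `dword:` and `hex:` data verbatim and only unescapes quoted string data, because only REG_SZ values can carry the launch path; the two `dword` values under the `Start` key are reported as present but are not interpreted.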
YARA Rule
rule Bezilom {
    meta:
        AUTHOR = "Noam Afergan"
        DESCRIPTION = "Detects Bezilom malware files"
        VERSION = "1.0"
        DATE = "2024-12-14"
    strings:
        $original_file_name = "1.exe" wide nocase
        $batch_file_name = "autoexec.bat" wide nocase
        $backup_file = "Maria.doc" wide nocase
        $original_file_path = "AA:\\bez outlooka\\Zimmer.vbp" wide nocase
        $product_name = "Zimmer" wide nocase
        $string_offsets = {04 35 40 00 1C 35 40 00}
        $func_1 = "DisableAll" wide nocase
        $func_2 = "pMemory" wide nocase
        $func_3 = "HardDisk" wide nocase
        $func_4 = "Form" wide nocase
        $func_5 = "Timer" wide nocase
    condition:
        (all of ($original_file_name, $batch_file_name, $backup_file, $original_file_path, $product_name)) or
        (any of ($string_offsets) and any of ($func*))
}
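The rule's two branches depend on `wide nocase` semantics (UTF-16LE encoding with ASCII case folded), which are easy to misread when reviewing a hit. The following is an added Python re-implementation of just this rule's matching logic, written for this page and not part of the report; it is a way to reason about the rule offline, not a substitute for running YARA. It assumes the rule text exactly as printed above, and every byte buffer it tests is constructed.

```python
"""Pure-Python emulation of the Bezilom YARA rule's condition (added example).
It reproduces `wide nocase` text matching and the raw hex pattern so the
rule's two branches can be exercised on constructed buffers without yara-python."""

# Strings from the rule. All are "wide nocase": YARA searches for the UTF-16LE
# encoding and ignores ASCII letter case.
WIDE_STRINGS = {
    "$original_file_name": "1.exe",
    "$batch_file_name": "autoexec.bat",
    "$backup_file": "Maria.doc",
    "$original_file_path": r"AA:\bez outlooka\Zimmer.vbp",
    "$product_name": "Zimmer",
}
FUNC_STRINGS = {
    "$func_1": "DisableAll",
    "$func_2": "pMemory",
    "$func_3": "HardDisk",
    "$func_4": "Form",
    "$func_5": "Timer",
}
# The hex string from the rule: two little-endian pointers (0x00403504, 0x0040351C).
STRING_OFFSETS = bytes.fromhex("04354000 1C354000")


def wide_nocase_in(data: bytes, text: str) -> bool:
    """Emulate `wide nocase`: UTF-16LE needle, ASCII case folded on both sides.
    bytes.lower() only touches ASCII letters, so the interleaved NUL bytes survive."""
    return text.encode("utf-16-le").lower() in data.lower()


def matched_strings(data: bytes) -> set:
    """Names of every rule string that occurs in `data`."""
    hits = {name for name, s in {**WIDE_STRINGS, **FUNC_STRINGS}.items()
            if wide_nocase_in(data, s)}
    if STRING_OFFSETS in data:
        hits.add("$string_offsets")
    return hits


def rule_bezilom(data: bytes) -> bool:
    """The rule's condition: all five name strings, or the hex pattern plus any $func*."""
    hits = matched_strings(data)
    branch_a = set(WIDE_STRINGS) <= hits
    branch_b = "$string_offsets" in hits and any(f in hits for f in FUNC_STRINGS)
    return branch_a or branch_b


def build_sample(*parts) -> bytes:
    """Constructed test buffer: str parts are stored as UTF-16LE, bytes parts raw,
    each followed by NUL padding so they do not run into one another."""
    out = bytearray()
    for p in parts:
        out += p if isinstance(p, bytes) else p.encode("utf-16-le")
        out += b"\x00" * 4
    return bytes(out)


# Constructed buffers, not real samples.
SAMPLE_HIT = build_sample("zimmer", STRING_OFFSETS, "TIMER")          # second branch
SAMPLE_VB6_ONLY = build_sample("Form", "Timer")                        # generic VB6 names only
SAMPLE_ALL_NAMES = build_sample("1.EXE", "AUTOEXEC.BAT", "maria.doc",
                                r"aa:\bez outlooka\zimmer.vbp")        # first branch

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("vb6-only", SAMPLE_VB6_ONLY),
                       ("all-names", SAMPLE_ALL_NAMES)):
        print(label, rule_bezilom(buf), sorted(matched_strings(buf)))
```

Two things the emulation makes visible: `$func_4` ("Form") and `$func_5` ("Timer") are ordinary Visual Basic runtime names and will be found in many VB6 executables, so the second branch only holds up because the `$string_offsets` hex pattern gates it, as the `SAMPLE_VB6_ONLY` buffer shows; and in the first branch `$product_name` is satisfied by the `Zimmer.vbp` substring of `$original_file_path`, so that branch effectively requires four distinct artifacts rather than five.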