Hexacorn

Added Amiti IFC files. It’s not a well-known AV program, but I came across it today and couldn’t resist so … here we are.

The latest version of DeXRAY can be downloaded here.

DeXRAY supports:

AhnLab (V3B)
Amiti (IFC)
ASquared (EQF)
Avast (Magic@0=’-chest- ‘)
Avira (QUA)
Baidu (QV)
BitDefender (BDQ)
BullGuard (Q)
Cisco AMP
CMC Antivirus (CMC)
Comodo (not really; Quarantined files are not encrypted 🙂
ESafe (VIR)
ESET (NQF)
F-Prot (TMP) (Magic@0=’KSS’)
Kaspersky (KLQ, System Watcher’s .bin)
Lavasoft AdAware (BDQ) /BitDefender files really/
Lumension LEMSS (lqf)
MalwareBytes Data files (DATA) – 2 versions
MalwareBytes Quarantine files (QUAR) – 2 versions
McAfee Quarantine files (BUP) /full support for OLE format/
Microsoft Antimalware / Microsoft Security Essentials
Microsoft Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 metadata + 0B AD malicious content
Panda Zip files
Sentinel One (MAL)
Spybot – Search & Destroy 2 ‘recovery’
SUPERAntiSpyware (SDB)
Symantec ccSubSdk files: {GUID} files and submissions.idx
Symantec Quarantine Data files (QBD)
Symantec Quarantine files (VBN), including from SEP on Linux
Symantec Quarantine Index files (QBI)
Symantec Quarantine files on MAC (quarantine.qtn)
TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
QuickHeal files
Vipre (_ENC2)
Zemana files+quarantine.db
Any binary file (using X-RAY scanning)

Samir pinged me about his research into c:\Windows\System32\browserexport.exe, and after few back and forth we cracked some of the command line arguments this program accepts. I then promised Samir that I won’t publish a blog post about it. So this his me keeping my promise. Not.

Luckily to us, browserexport.exe is an easy read in Ida Pro. We also found good references to this .exe inside the btrowserbroker.dll file that helped us to guess what is required for the program invocation. After some quick code eyeballing we have extracted a number of interesting command line wannabe arguments:

ALL
COOKIES
FAVICONS
FORMDATA
HEURISTIC
HISTORY
LOGINS
LOWCOOKIES
SETTINGS

Analysis of code confirmed that the program requires at least 4 arguments so after some more digging we came up with command line arguments that actually worked:

browserexport.exe "" ie11 all foo4

where:

“” is a GUID which we don’t exactly know what it is, but it’s only used for exports from IE11; could be related to the GUID of the IE user profile (?),
IE11 is just one of the browsers supported by the tool; all the supported browsers are
- CHROME
- IE11
- QIHOO360SE
- QQBROWSER
all – one of the options listed above and below (we have not tried other options assuming that ALL means, well… all)
- ALL
- COOKIES
- FAVICONS
- FORMDATA
- HEURISTIC
- HISTORY
- LOGINS
- LOWCOOKIES
- SETTINGS
foo4 — output file name

Have a go and run this command. You will be surprised how much data is saved to foo4. it’s a nice JSON file that includes something along these lines (and I don’t use IE11 too much):

{
"MigrationData": {
"browser": "IE11",
"history": [
{
"title": "…",
"url": "…",
"LastAccessed": …
},
{
"title": "….",
"url": "…",
"LastAccessed": …
},
],
"logins": [
…
],
"cookies": [
{
"name": "…",
"value": "…",
"domain": "…",
"path": "…",
"dwFlags": …,
"ftExpires": …,
"fExpiresSet": …
},
]
}
}

We feel that BrowserExport.exe is a close cousin of ExtExport.exe. In fact, both are referenced by btrowserbroker.dll. Neither of them can be considered a Lolbin, but then again.. that’s a lot of exportable value they both present w/o any effort from malware authors.

Hexacorn

DeXRAY 2.22 update

Samir is my hero aka colab on browserexport