In this short Blogpost I am going to dissect a Downloader which is part of the ongoing "1Mission" campaign against targets in South Korea (thanks Chae Jong Bin for pointing me at). The Downloader comes in the form of a DLL and has the small size of 4 KB. What remains unknown is the way the DLL gets executed (through exploit/loader/...). Except its small size there isn't anything special about this malware. Unfortunately the file it wanted to download isn't available anymore, so there is no chance to dig deeper...
DLL sample
Size: 4.096 Bytes
Timestamp: 2013-05-30 03:54:37
MD5: 17e3e09c27d26c81c9f33882279d6319
SHA1: c467f59cddba2d029044f6f2b22b6b2123b341b6
Report: https://www.virustotal.com/en/file/5b011ebdf1a5a0fd93a933cb40b59fcb8c35667529e28cf0c9d63f92985c4d5d/analysis/
Download: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2690&p=19700#p19700
DLL sample
Size: 4.096 Bytes
Timestamp: 2013-05-30 03:54:37
MD5: 17e3e09c27d26c81c9f33882279d6319
SHA1: c467f59cddba2d029044f6f2b22b6b2123b341b6
Report: https://www.virustotal.com/en/file/5b011ebdf1a5a0fd93a933cb40b59fcb8c35667529e28cf0c9d63f92985c4d5d/analysis/
Download: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2690&p=19700#p19700