Malware/AutoIt

Forum for analysis and discussion about malware.
markusg
Posts: 732
Joined: Mon Mar 15, 2010 2:53 pm

Malware/AutoIt

Post by markusg » Sun Mar 27, 2011 4:45 pm

Step1.exe
http://www.virustotal.com/file-scan/rep ... 1301243159

edit:

This thread contains samples which are AutoIt based
Last edited by EP_X0FF on Mon Aug 08, 2011 7:08 am, edited 1 time in total.
Reason: thread comment added

fatdcuk
Posts: 46
Joined: Mon Mar 15, 2010 7:45 pm
Contact:

Misc critter Gen/Heur detections VT 8/43

Post by fatdcuk » Thu Jul 28, 2011 9:29 pm

Nothing special, just weird: these types of pages have been about for a while now and not many vendors are tracking them, it would seem.

Java loader start


http://leechpro.tk/
Payload


http://dl.dropbox.com/u/27300888/update.exe
http://www.virustotal.com/file-scan/rep ... 1311881026
Ade Gill
Malwarebytes Researcher

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Misc critter Gen/Heur detections VT 8/43

Post by EP_X0FF » Sat Jul 30, 2011 3:58 pm

I think it's because it's AutoIt.
Ring0 - the source of inspiration

markusg
Posts: 732
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware/AutoIt

Post by markusg » Sun Aug 14, 2011 6:12 pm


EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Malware/AutoIt

Post by EP_X0FF » Sun Aug 14, 2011 6:21 pm

markusg wrote:SerialsPart1-Htxt.puorG.EXE
http://www.virustotal.com/file-scan/rep ... 1313344480
Crashes on start here, msgbox - something undefined at line 8 :)
Ring0 - the source of inspiration

markusg
Posts: 732
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware/AutoIt

Post by markusg » Mon Aug 15, 2011 9:47 am

This time no error messages, but it's done nothing here.
SerialsPart1-Htxt.puorG.EXE
http://www.virustotal.com/file-scan/rep ... 1313400261

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Malware/AutoIt

Post by EP_X0FF » Mon Aug 15, 2011 10:47 am

markusg wrote:This time no error messages, but it's done nothing here.
SerialsPart1-Htxt.puorG.EXE
http://www.virustotal.com/file-scan/rep ... 1313400261
This is a funny sample; as you see, it's using Unicode name-text reversing to look like a text file.
It starts a copy of firefox.exe or iexplore.exe (the browser names are hardcoded), then tries to write something into their memory; all of that fails here.
Ring0 - the source of inspiration
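A worked illustration of the filename trick EP_X0FF describes above, added here as an example; it is not code from the thread or from the sample. It assumes the reversal is done with the Unicode RIGHT-TO-LEFT OVERRIDE character (U+202E), the usual way to make a tail like txt.puorG.EXE display as EXE.Group.txt. The forum software stripped that control character from the posted name, so the sample filename below is constructed with it re-inserted.

```python
"""Added example (not from the thread): how a right-to-left override in a
filename makes an .EXE display as a .txt, and how to flag such names.

Assumption: the "name text reversing" in the post is the Unicode
RIGHT-TO-LEFT OVERRIDE (U+202E) trick. SAMPLE below is a constructed
filename modelled on the posted "SerialsPart1-Htxt.puorG.EXE".
"""

# Unicode bidirectional control characters that can change how a name renders.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a file manager shows: the text after an RLO, up to a
    PDF or the end of the string, is drawn right-to-left, i.e. visually reversed.
    Simplification: only RLO/PDF are modelled, which is enough for this trick."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            j = name.find("\u202c", i + 1)
            if j == -1:
                j = len(name)
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif c in BIDI_CONTROLS:
            i += 1  # other controls are dropped; they do not reverse plain text here
        else:
            out.append(c)
            i += 1
    return "".join(out)


def real_extension(name):
    """The extension the OS acts on: whatever follows the last dot in the raw name."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def displayed_extension(name):
    """The extension a victim sees in the rendered name."""
    shown = rendered_name(name)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def is_rlo_disguised(name):
    """Flag names carrying a bidi control whose shown extension differs from the real one."""
    return bool(find_bidi_controls(name)) and displayed_extension(name) != real_extension(name)


# Constructed sample: the posted name with U+202E re-inserted after the "H".
SAMPLE = "SerialsPart1-H\u202etxt.puorG.EXE"

if __name__ == "__main__":
    print(repr(SAMPLE), "->", rendered_name(SAMPLE))
    print("real:", real_extension(SAMPLE), "shown:", displayed_extension(SAMPLE),
          "disguised:", is_rlo_disguised(SAMPLE))
```

On the constructed sample the raw name ends in .EXE while the rendered name ends in .txt, which is exactly the mismatch worth alerting on; a scan of a dropped-file directory with is_rlo_disguised() is the practical use.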

Wack0
Posts: 3
Joined: Mon Jun 20, 2011 3:40 pm

Re: Misc critter Gen/Heur detections VT 8/43

Post by Wack0 » Fri Aug 19, 2011 4:17 pm

fatdcuk wrote:Nothing special, just weird: these types of pages have been about for a while now and not many vendors are tracking them, it would seem.

Java loader start

http://leechpro.tk/
Payload

http://dl.dropbox.com/u/27300888/update.exe
http://www.virustotal.com/file-scan/rep ... 1311881026
This is version 2 of some kind of IRC bot coded in AutoIt. It gets the config from either

http://www.vtp1hero.xlphp.net/Info.php
or

http://dl.dropbox.com/u/27300888/Info.php
which it saves to %windir%\server.txt, but both links are down right now.
It then puts the config into an array, separated by spaces.
The 5th parameter shows the latest bot version. If it's later than the current version, it gets the latest binary from the above two links (s/Info.php/update.exe).
It then connects to the server that's in the 2nd param of the config, with the port in the 3rd param, and joins the channel that's in the 5th param.

The botmaster can show the list of processes, kill a process, shutdown/logoff/restart bots, screen capture (which will be uploaded to an ftpd), run a program, modify the registry, ...

And oh yeah, the login password is hardcoded to be 18091989vutanphat :)

Also, the nick is VTR-<6 random characters, uppercase A to Z>

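As an added example (not the bot's own AutoIt code, and not from the thread), here is a Python re-implementation of the config handling Wack0 describes, followed by a check that picks the bot's nick pattern out of IRC traffic. Assumptions: the config fields are 1-based positions as given in the post (2nd server, 3rd port, 5th latest version); the post gives the 5th field as the channel too, so the channel is left out; the update URL comes from the s/Info.php/update.exe substitution; version strings are compared numerically by dot-separated component. The config line and IRC lines below are constructed samples, not captured data.

```python
"""Added example, not the bot's own code: the config fetch/parse logic from
Wack0's description, the update-URL derivation, the nick format, and a
detection pass over IRC lines.

Assumptions: fields are the 1-based positions named in the post (2nd server,
3rd port, 5th latest version); field 1 is not described, so a placeholder is
used; the channel (also given as the 5th field) is not modelled; versions are
compared numerically by dot-separated component.
"""
import random
import re
import string

# Config URLs from the post; the bot tries either one.
CONFIG_URLS = [
    "http://www.vtp1hero.xlphp.net/Info.php",
    "http://dl.dropbox.com/u/27300888/Info.php",
]

# Constructed sample config in the space-separated layout the post describes.
SAMPLE_CONFIG = "cfg irc.example.invalid 6667 x 2.1"


def parse_config(text):
    """Split the config on spaces, as the bot does, and map the named positions."""
    fields = text.split()
    if len(fields) < 5:
        raise ValueError("config has fewer than 5 space-separated fields")
    return {
        "server": fields[1],
        "port": int(fields[2]),
        "latest_version": fields[4],
    }


def update_url(config_url):
    """s/Info.php/update.exe on a config URL gives the binary download URL."""
    return config_url.replace("Info.php", "update.exe")


def _version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def needs_update(current_version, latest_version):
    """True when the config advertises a newer version than the running bot."""
    return _version_tuple(latest_version) > _version_tuple(current_version)


# Nick format from the post: VTR- followed by 6 random uppercase letters.
NICK_RE = re.compile(r"^VTR-[A-Z]{6}$")


def make_nick(rng=random):
    """Generate a nick in the bot's format (rng is injectable for reproducibility)."""
    return "VTR-" + "".join(rng.choice(string.ascii_uppercase) for _ in range(6))


# Detection: an IRC NICK command, with or without a ":prefix", and its argument.
IRC_NICK_LINE = re.compile(r"^(?::\S+\s+)?NICK\s+:?(\S+)")


def suspicious_nicks(irc_lines):
    """Return the nicks from NICK commands that fit the VTR-XXXXXX pattern."""
    hits = []
    for line in irc_lines:
        m = IRC_NICK_LINE.match(line.strip())
        if m and NICK_RE.match(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample IRC log lines (not captured traffic).
SAMPLE_IRC = [
    "NICK VTR-QWERTY",
    "USER a 0 * :a",
    "NICK alice",
    ":VTR-ABCDEF!u@h NICK :VTR-ZZZZZZ",
    "NICK vtr-abcdef",
]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(cfg)
    print("update from:", [update_url(u) for u in CONFIG_URLS])
    print("needs update from 2.0:", needs_update("2.0", cfg["latest_version"]))
    print("example nick:", make_nick())
    print("suspicious nicks:", suspicious_nicks(SAMPLE_IRC))
```

Note that update_url() applied to the Dropbox config URL yields the same update.exe URL fatdcuk posted as the payload, which ties the two posts together; the nick regex is the cheap network-side indicator, and a lowercase or shorter variant deliberately does not match.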
ikolor
Posts: 303
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Jan 31, 2018 7:55 pm


EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Malware collection

Post by EP_X0FF » Tue Jan 08, 2019 12:58 pm

ikolor wrote:
Wed Jan 31, 2018 7:55 pm
Thank you.

https://www.virustotal.com/#/file/b4104 ... /detection

############
https://www.youtube.com/watch?v=ICJeTV2zgrM
###########
AutoIt 2 Exe. Posts moved.
Ring0 - the source of inspiration
