Win32/Fareit

Forum for analysis and discussion about malware.
EX!
Posts: 35
Joined: Wed Jun 29, 2011 8:24 pm

Win32/Fareit

Post by EX! » Fri Jan 13, 2012 4:05 pm

https://www.virustotal.com/file/f856b07 ... 326469918/

Detection ratio: 17 / 43

Maybe Spyeye.

Downloaded from c&c
hxxp://fdgsafkgdsfaskfshfgjahsgdf634570.in/sallemoz.dyndns.org/gate.php
You do not have the required permissions to view the files attached to this post.
Last edited by EP_X0FF on Mon Mar 11, 2013 8:14 am, edited 2 times in total.
Reason: c&c link disabled

EP_X0FF
Global Moderator
Posts: 4788
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Fri Jan 13, 2012 4:19 pm

EX! wrote:https://www.virustotal.com/file/f856b07308b5113ee2c89ca4ac9a5808d597bb5381d917b2826b3e26b54fa372/analysis/1326469918/

Detection ratio: 17 / 43

Maybe Spyeye.

Downloaded from c&c
hxxp://fdgsafkgdsfaskfshfgjahsgdf634570.in/sallemoz.dyndns.org/gate.php
This is a different password stealer, written in Delphi and packed with UPX.
Stealing is implemented in separate Delphi modules, for example (the names should be self-explanatory enough):

TModule_CuteFTP
TModule_FlashFXP
TModule_FileZilla
TModule_FTPCommander
TModule_BProofFTP
TModule_SmartFTP
TModule_TurboFTP
TModule_FFFTP
TModule_CoreFTP
TModule_Frigate3
TModule_SecureFX
TModule_UltraFXP_Base
TModule_UltraFXP
TModule_FTPRushX
TModule_WebSitePublisher
TModule_BitKinex
TModule_ExpanDrive
TModule_ClassicFTP
TModule_Fling
TModule_SoftX
TModule_DOpus
TModule_FTPUploader
TModule_FreeFTPd

and a lot of others.

A slightly longer description of this trojan can be found here.

Config.zip and config.bin are indeed SpyEye configs, but without the SpyEye dropper it's hard to unpack them due to the long password.
Ring0 - the source of inspiration
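As an added triage helper (not code from the post, the sample, or any project mentioned here), the following Python scans an unpacked image for the Delphi `TModule_*` class names EP_X0FF lists above, so an analyst can see which FTP clients a given sample targets and spot module names not yet in the list. It assumes the UPX layer has already been removed (e.g. with `upx -d`); the sample bytes at the bottom are constructed, not taken from a real file.

```python
import re
from typing import Dict, List

# Delphi class names EP_X0FF listed above for this Fareit sample; the post says
# there are many more, so this set is only a starting point.
KNOWN_MODULES = {
    "TModule_CuteFTP", "TModule_FlashFXP", "TModule_FileZilla", "TModule_FTPCommander",
    "TModule_BProofFTP", "TModule_SmartFTP", "TModule_TurboFTP", "TModule_FFFTP",
    "TModule_CoreFTP", "TModule_Frigate3", "TModule_SecureFX", "TModule_UltraFXP_Base",
    "TModule_UltraFXP", "TModule_FTPRushX", "TModule_WebSitePublisher", "TModule_BitKinex",
    "TModule_ExpanDrive", "TModule_ClassicFTP", "TModule_Fling", "TModule_SoftX",
    "TModule_DOpus", "TModule_FTPUploader", "TModule_FreeFTPd",
}

# Delphi stores class names as plain ASCII (length-prefixed) in its RTTI, so a
# byte regex is enough once the UPX layer is gone; on the still-packed file the
# strings are compressed and this scan finds nothing.
MODULE_RE = re.compile(rb"TModule_[A-Za-z0-9_]+")
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

def is_upx_packed(data: bytes) -> bool:
    """Cheap check for the section names / signature UPX leaves in a packed PE."""
    return any(marker in data for marker in UPX_MARKERS)

def find_stealer_modules(data: bytes) -> List[str]:
    """Unique TModule_* class names present in the image, sorted."""
    return sorted({m.decode("ascii") for m in MODULE_RE.findall(data)})

def triage(data: bytes) -> Dict[str, object]:
    """Summarise which FTP-client stealer modules an (unpacked) sample carries."""
    modules = find_stealer_modules(data)
    known = [m for m in modules if m in KNOWN_MODULES]
    return {
        "upx_packed": is_upx_packed(data),
        "modules": modules,
        "known_modules": known,
        # Names absent from the post's list: new targets worth a closer look.
        "unlisted_modules": [m for m in modules if m not in KNOWN_MODULES],
        # The threshold of 3 is an arbitrary heuristic chosen for this example.
        "likely_fareit": len(known) >= 3,
    }

# Constructed bytes standing in for an unpacked image (not a real sample);
# each name carries the Pascal length byte Delphi RTTI puts in front of it.
SAMPLE = (b"\x00" * 16 + b"\x11TModule_FileZilla\x00junk\x00\x10TModule_FlashFXP"
          b"\x00\x0fTModule_CoreFTP\x00\x0bTModule_Foo\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```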

EX!
Posts: 35
Joined: Wed Jun 29, 2011 8:24 pm

Re: PWS:Win32/Fareit.A

Post by EX! » Fri Jan 13, 2012 5:30 pm

Thanks EP_X0FF!

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: PWS:Win32/Fareit.A

Post by rkhunter » Sat Feb 18, 2012 6:20 pm

Fareit was active in the last few days; 10 droppers in the archive.

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: PWS:Win32/Fareit.A

Post by rkhunter » Tue Feb 21, 2012 3:05 pm

8 more samples.

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: PWS:Win32/Fareit.A

Post by rkhunter » Sun Mar 04, 2012 7:05 pm

11 fresh samples

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Trojan Zeus (alias ZBot)

Post by thisisu » Wed Mar 28, 2012 7:48 am

MD5: 71388404bb160b5a85d76185af96a4b0
9/42

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan Zeus (alias ZBot)

Post by rkhunter » Wed Mar 28, 2012 7:53 am

thisisu wrote:MD5: 71388404bb160b5a85d76185af96a4b0
Not ZBot, Fareit PWS.

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Trojan Zeus (alias ZBot)

Post by thisisu » Fri Mar 30, 2012 8:03 am

rkhunter wrote:
thisisu wrote:MD5: 71388404bb160b5a85d76185af96a4b0
Not ZBot, Fareit PWS.
Hi rkhunter,

I'm sorry about that :oops:

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Fareit - BlackHole loader of ZBot

Post by rkhunter » Fri Mar 30, 2012 8:18 am

Since the middle of February '12 Fareit has been very active from BH. http://www.microsoft.com/security/porta ... 2%2fFareit
If it spreads via BH, it is usually a downloader of ZBot.
Samples of the loader that were observed since 15 Feb.
