Win32/Fareit



Postby EX! » Fri Jan 13, 2012 4:05 pm

Last edited by EP_X0FF on Mon Mar 11, 2013 8:14 am, edited 2 times in total.
Reason: c&c link disabled
EX!

Re: Trojan SpyEye (alias Pincav)

Postby EP_X0FF » Fri Jan 13, 2012 4:19 pm

EX! wrote:https://www.virustotal.com/file/f856b07308b5113ee2c89ca4ac9a5808d597bb5381d917b2826b3e26b54fa372/analysis/1326469918/

Detection ratio: 17 / 43

Maybe Spyeye.

Downloaded from c&c
hxxp://fdgsafkgdsfaskfshfgjahsgdf634570.in/sallemoz.dyndns.org/gate.php


This is a different password stealer, written in Delphi and packed with UPX.
Stealing is implemented in separate Delphi modules, for example (the names should be self-explanatory enough):

TModule_CuteFTP
TModule_FlashFXP
TModule_FileZilla
TModule_FTPCommander
TModule_BProofFTP
TModule_SmartFTP
TModule_TurboFTP
TModule_FFFTP
TModule_CoreFTP
TModule_Frigate3
TModule_SecureFX
TModule_UltraFXP_Base
TModule_UltraFXP
TModule_FTPRushX
TModule_WebSitePublisher
TModule_BitKinex
TModule_ExpanDrive
TModule_ClassicFTP
TModule_Fling
TModule_SoftX
TModule_DOpus
TModule_FTPUploader
TModule_FreeFTPd

and a lot of others.

A slightly longer description of this trojan can be found here

Config.zip and config.bin are indeed SpyEye configs, but without the SpyEye dropper it's hard to unpack them due to the long password.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
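An added triage example, written for this page and not code from the post or from the forum: the post identifies the family by its Delphi stealer classes (TModule_CuteFTP, TModule_FileZilla, ...), and Delphi keeps class names as plain strings in the image's RTTI, so once the UPX layer is removed those names are a cheap marker. The script parses the PE section table by hand to spot the UPX0/UPX1 sections that UPX leaves behind (so a "no markers" result on a still-packed file is not taken as clean), then scans for TModule_* names. The PE buffers and the class-name strings below are constructed sample input, not bytes from a real sample; the three-module threshold is an assumption chosen for the demo.

```python
import re
import struct
import sys

# Delphi RTTI keeps class names as plain strings in the unpacked image, so the
# TModule_* stealer classes named in the post are a usable triage marker.
TMODULE_RE = re.compile(rb"TModule_[A-Za-z0-9_]{2,40}")


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """UPX leaves UPX0/UPX1 section names unless the packer was told to rename them."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def fareit_modules(data: bytes) -> list:
    """Distinct TModule_* class names found in the buffer, sorted."""
    return sorted({m.decode("ascii") for m in TMODULE_RE.findall(data)})


def triage(data: bytes) -> dict:
    """Classify a buffer: enough TModule_* markers => Fareit-like PWS;
    UPX sections with no markers => unpack first (strings are compressed)."""
    mods = fareit_modules(data)
    packed = is_upx_packed(data)
    if len(mods) >= 3:                # assumed threshold for this demo
        verdict = "Fareit-like PWS"
    elif packed:
        verdict = "packed, unpack first"
    else:
        verdict = "no Fareit markers"
    return {"upx_packed": packed, "modules": mods, "verdict": verdict}


def _fake_pe(section_names) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF + empty optional header +
    section table) used only as sample input here; not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    opt = bytes(0xE0)                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


# Constructed samples: one "packed" (UPX sections, no visible strings), one
# "unpacked" carrying a few of the class names listed in the post, each with
# the Pascal length-prefix byte Delphi RTTI uses.
PACKED_SAMPLE = _fake_pe([b"UPX0", b"UPX1", b".rsrc"])
UNPACKED_SAMPLE = _fake_pe([b"CODE", b"DATA", b".rsrc"]) + (
    b"\x0fTModule_CuteFTP\0\x11TModule_FileZilla\0"
    b"\x10TModule_FlashFXP\0\x14TModule_FTPCommander\0"
)

if __name__ == "__main__":
    # Usage: python fareit_triage.py <sample.exe>   (run `upx -d` first if packed)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else UNPACKED_SAMPLE
    print(triage(blob))
```

On a real sample, unpack with `upx -d` (or dump the process after the stub has run, if the packer header was tampered with so `upx` refuses) and then run the scan; a packed file reports "packed, unpack first" rather than a false negative, because the class-name strings only exist in the decompressed image.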

Re: PWS:Win32/Fareit.A

Postby EX! » Fri Jan 13, 2012 5:30 pm

Thanks EP_X0FF!
EX!

Re: PWS:Win32/Fareit.A

Postby rkhunter » Sat Feb 18, 2012 6:20 pm

Fareit was active in the last few days, 10 droppers in the archive.
rkhunter

Re: PWS:Win32/Fareit.A

Postby rkhunter » Tue Feb 21, 2012 3:05 pm

8 more samples.
rkhunter

Re: PWS:Win32/Fareit.A

Postby rkhunter » Sun Mar 04, 2012 7:05 pm

11 fresh samples
rkhunter

Re: Trojan Zeus (alias ZBot)

Postby thisisu » Wed Mar 28, 2012 7:48 am

MD5: 71388404bb160b5a85d76185af96a4b0
9/42
thisisu

Re: Trojan Zeus (alias ZBot)

Postby rkhunter » Wed Mar 28, 2012 7:53 am

thisisu wrote:MD5: 71388404bb160b5a85d76185af96a4b0

Not ZBot, Fareit PWS.
rkhunter

Re: Trojan Zeus (alias ZBot)

Postby thisisu » Fri Mar 30, 2012 8:03 am

rkhunter wrote:
thisisu wrote:MD5: 71388404bb160b5a85d76185af96a4b0

Not ZBot, Fareit PWS.

Hi rkhunter,

I'm sorry about that :oops:
thisisu

Fareit - BlackHole loader of ZBot

Postby rkhunter » Fri Mar 30, 2012 8:18 am

Since the middle of February '12 Fareit has been very active from BH. http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fFareit
If it spreads via BH, it is usually a downloader of ZBot.
Samples of the loader that were observed since 15 Feb.
rkhunter
