Win32/Fareit

Forum for analysis and discussion about malware.

Re: Win32/Fareit

Postby sysopfb » Fri Jan 09, 2015 5:32 pm

Someone spamming out samples to a trojanforge pony panel


Downloads in the word doc macros:
url1 = "http://www.megreen.com.sg/image/belg/microsoft.exe"
url2 = "http://www.megreen.com.sg/image/belg/microsoftKey.exe"
url3 = "http://www.megreen.com.sg/image/belg/microsoftNet.exe"

TF pony panel: dunlam007.ru/belg/gate.php - 31.220.20.150

ftp.dunlam007.ru
user: u118891974.bgpony
pass: doggod123

Re: Win32/Fareit

Postby patriq » Fri Jan 09, 2015 8:29 pm

the config.php for that panel.

<?php

// mysql settings
$mysql_host = "mysql.hostinger.ru";
$mysql_user = "u118891974_bgpon";
$mysql_pass = "doggod123";
$mysql_database = "u118891974_bgpon";

$global_directory_slash = DIRECTORY_SEPARATOR;
$global_temporary_directory = "temp";

// debug settings
$global_verbose_log = false; // improved verbose log, use for debugging only!
$global_allow_all_ftp = false; // disable filtering, set 'true' for testing purposes only!

$global_filter_list = array(
    "127.0.0.1",
    "192.168.",
    "localhost",
    "nonymous",
    "bitshare.com",
    "depositfiles.com",
    "filesonic.com",
    "gigapeta.com",
    "hotfile.com",
    "ifolder.ru",
    "letitbit.net",
    "sms4file.com",
    "turbobit.ru",
    "uploadbox.com",
    "vip-file.com",
    "wupload.com",
);

// accept connections from white-list IPs only
$white_list = array(
   // add at least one IP to enable white-list mode
   //"127.0.0.1",
);

date_default_timezone_set('Europe/Moscow');
$enable_http_mode = true;
$show_help_to_users = true;
$show_http_to_users = true;
$show_logons_to_users = true;
$disable_ip_logger = false;
$enable_email_mode = true;
$show_email_to_users = true;
$show_other_to_users = true;


Although I can't resolve an IP for mysql.hostinger.ru, so I couldn't connect.

Re: Win32/Fareit, etc.

Postby patriq » Fri Jun 05, 2015 1:37 am

Active Pony campaign, pretty much FUD:
https://malwr.com/analysis/NWFiM2JjNDE2 ... VjN2VmNWI/

panel:
hxtp://trashformatdocer.com/admin.php

pony downloading from here:
hxtp://tefaltanwebs.com/wp-content/plug ... dweb_data/
(note WP)

... downloaded some sort of banker (Zeus?) (there was a Zeus panel anyway):
https://www.virustotal.com/en/file/1e3b ... /analysis/

Vito Corleone config:
hxtp://pasnirthland.com/confk.jpg

zeus panel:
htxp://pasnirthland.com/cp.php?m=login
(pic in attach)

There was also an older Dyre on that WP host:
https://www.virustotal.com/en/file/7556 ... /analysis/

More URLs from that Pony:
banking phishing
hxtp://rzpkoszalin.pl/images/

these little fucks are busy ;)

Re: Win32/Fareit

Postby patriq » Fri Jun 05, 2015 2:09 am

(Throwback Thursday -> 2013 post) :D

viewtopic.php?f=16&t=1558&start=30#p19682
r3shl4k1sh wrote: Sample of Fareit downloaded by ransomware
....
In its strings we find a long list of general password phrases. Does Fareit try to brute force:
....


Yes.

"The wordlist is used to enumerate local passwords with the LogonUserA Windows API call."
https://www.damballa.com/pony-loader-2- ... code-sale/

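The LogonUserA wordlist behaviour quoted above leaves a trail on the victim: every guess that fails is a Security-log event 4625 whose Caller Process Name is the stealer, not winlogon. The following is an added example (not from the thread or any poster) that runs that check over constructed records; the flattened key=value line format, the loader.exe path, the account names and the timestamps are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security-log 4625 (logon failure) records flattened to
# "key=value; ..." lines. Field names mirror the event's Target Account and
# Caller Process Name fields; the paths, accounts and times are made up.
GUESSER = "C:\\Users\\bob\\AppData\\Local\\Temp\\loader.exe"   # hypothetical stealer
WINLOGON = "C:\\Windows\\System32\\winlogon.exe"

def _event(ts, target, caller):
    return f"time={ts}; id=4625; type=2; target={target}; status=0xC000006D; caller={caller}"

SAMPLE_LOG = "\n".join(
    # 14 failures in 14 seconds: eight guesses against Administrator, six against bob
    [_event(f"2016-03-31T11:01:{s:02d}", t, GUESSER)
     for s, t in enumerate(["Administrator"] * 8 + ["bob"] * 6)]
    # two typos at the real logon screen, seconds apart: benign noise
    + [_event("2016-03-31T11:05:00", "bob", WINLOGON),
       _event("2016-03-31T11:05:07", "bob", WINLOGON)]
)

FIELD = re.compile(r"(\w+)=([^;]*)")

def parse_events(text):
    """Turn the flattened records into dicts with a datetime 'time' field."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(FIELD.findall(line))
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events

def find_password_guessing(events, window=timedelta(seconds=60), min_failures=10):
    """Map each caller process to (failures, target accounts) when it produced
    at least `min_failures` 4625 events inside any `window`-long span.

    A wordlist loop over LogonUserA fails once per guess, so the signal is
    many failures from one non-system process in seconds, whatever the account."""
    by_caller = defaultdict(list)
    for ev in events:
        if ev.get("id") == "4625":
            by_caller[ev["caller"]].append(ev)
    hits = {}
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: e["time"])
        best, best_targets, start = 0, [], 0
        for end, ev in enumerate(evs):              # sliding time window
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_targets = sorted({e["target"] for e in evs[start:end + 1]})
        if best >= min_failures:
            hits[caller] = (best, best_targets)
    return hits

if __name__ == "__main__":
    for caller, (count, targets) in find_password_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"{caller}: {count} failed logons against {', '.join(targets)}")
```

On a real host the same logic applies to 4625 events exported from the Security log; the threshold and window are tuning knobs, not part of the technique.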
Re: Win32/Fareit

Postby sysopfb » Thu Oct 22, 2015 4:25 pm

0/55 Pony delivered with Necurs by Bedep:
https://www.virustotal.com/en/file/d02f ... 445529894/


Gate:
mist.fortunetwork.com/news.php

Unpack via RtlDecompressBuffer.

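The "unpack via RtlDecompressBuffer" note above means the loader inflates its payload with the NT LZ decompression API. The following is an added example, not from the thread or any poster: a pure-Python decoder for LZNT1, the COMPRESSION_FORMAT_LZNT1 mode of RtlDecompressBuffer, so the same unpack step can be reproduced offline on any OS. It assumes the sample used LZNT1 (the API also supports Xpress), and the compressed bytes are a constructed sample, not data from the post.

```python
import struct

# Constructed sample (not from the post): a compressed chunk holding "ABCD"
# plus a 12-byte back-reference, then a stored chunk "HELLO", then the
# zero terminator.
SAMPLE_COMPRESSED = bytes.fromhex(
    "06b0"               # chunk header: compressed | signature 3 | 7 bytes follow
    "10" "41424344"      # flag byte 0x10: four literals, then one back-reference
    "0930"               # token 0x3009: displacement 3+1=4, length 9+3=12
    "0430" "48454c4c4f"  # stored (uncompressed) chunk header + "HELLO"
    "0000"               # end of stream
)

def _decode_chunk(chunk: bytes) -> bytearray:
    """Inflate one compressed LZNT1 chunk (at most 4096 bytes of output)."""
    out = bytearray()
    j = 0
    while j < len(chunk):
        flags = chunk[j]
        j += 1
        for bit in range(8):            # one flag bit per token, LSB first
            if j >= len(chunk):
                break
            if not flags & (1 << bit):  # clear bit: literal byte
                out.append(chunk[j])
                j += 1
                continue
            if j + 2 > len(chunk):
                raise ValueError("truncated back-reference token")
            token = struct.unpack_from("<H", chunk, j)[0]
            j += 2
            # The displacement/length split widens as the chunk fills (MS-XCA
            # 2.4.1): 4 displacement bits for the first 16 output bytes, one
            # more bit each time the output position doubles.
            pos, len_mask, disp_shift = len(out) - 1, 0x0FFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                disp_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("back-reference points before chunk start")
            for _ in range(length):     # byte-wise copy so overlaps repeat
                out.append(out[-disp])
    return out

def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the chunk headers of an LZNT1 stream and inflate each chunk."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:                 # zero header ends the stream
            break
        if (header & 0x7000) != 0x3000:
            raise ValueError(f"bad chunk signature at offset {i - 2:#x}")
        size = (header & 0x0FFF) + 1
        if i + size > len(buf):
            raise ValueError("chunk runs past end of buffer")
        chunk = buf[i:i + size]
        i += size
        out += _decode_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_COMPRESSED))   # b'ABCDABCDABCDABCDHELLO'
```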
Win32/Napolar aka Dapato

Postby unixfreaxjp » Thu Mar 31, 2016 11:11 am

Someone shared this sample with me.
It's back again (Dapato).
https://www.virustotal.com/en/file/c36d ... 459419650/
Info:
#Trojan PWS Win32/Napolar aka Dapato
#CredentialStealer Faking "PcHealth"

// Self copy
C:\Users\%USER%\AppData\Roaming\PcHealth\PcHealth.exe

// Autostart
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run PcHealth

// Check for MS Office & Documents
 HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
 C:\Users\%USER%\Documents

// FTP credential stealer:

 C:\Users\%USER%\AppData\Local\GlobalSCAPE\CuteFTP Pro\
 C:\Windows\32BitFtp.ini
 C:\Users\%USER%\AppData\Roaming\GlobalSCAPE\CuteFTP\
 C:\Users\%USER%\AppData\Roaming\GPSoftware\Directory Opus\
 C:\Users\%USER%\AppData\Roaming\GHISLER\wcx_ftp.ini
 C:\Users\%USER%\AppData\Roaming\NetSarang\
 C:\Users\%USER%\AppData\Roaming\FlashFXP\4\Sites.dat
 C:\Users\%USER%\AppData\Roaming\FlashFXP\4\History.dat
 C:\Program Files\CuteFTP\sm.dat
 C:\ProgramData\FileZilla\recentservers.xml
 C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
 C:\Users\%USER%\AppData\Roaming\NetDrive\
 C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
 C:\Users\%USER%\AppData\Local\NetDrive\
 C:\ProgramData\3D-FTP\
 C:\ProgramData\FTPRush\
 C:\Users\%USER%\AppData\Roaming\SharedSettings_1_0_5.sqlite
 C:\ProgramData\Estsoft\ALFTP\
 C:\Users\%USER%\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
 C:\Users\%USER%\AppData\Local\SharedSettings_1_0_5.ccs
 C:\ProgramData\FlashFXP\4\Sites.dat
 C:\Users\%USER%\AppData\Local\GPSoftware\Directory Opus\
 C:\ProgramData\AceBIT\
 C:\Users\%USER%\AppData\Roaming\SharedSettings.sqlite
 C:\Users\%USER%\AppData\Roaming\FileZilla\sitemanager.xml
 C:\Users\%USER%\AppData\Local\AceBIT\
 C:\ProgramData\FTP Explorer\
 C:\Users\%USER%\AppData\Local\FTPRush\
 C:\Users\%USER%\AppData\Local\CoffeeCup Software\SharedSettings.ccs
 C:\ProgramData\TurboFTP\
 C:\Users\%USER%\AppData\Local\FlashFXP\4\Quick.dat
 C:\Users\%USER%\AppData\Local\INSoftware\NovaFTP\
 C:\ProgramData\CuteFTP\sm.dat
 C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
 C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat
 C:\ProgramData\SharedSettings_1_0_5.sqlite
 C:\Users\%USER%\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
 C:\Users\%USER%\AppData\Roaming\FlashFXP\4\Quick.dat
 C:\ProgramData\FTPGetter\
 C:\ProgramData\SharedSettings.ccs
 C:\ProgramData\FileZilla\filezilla.xml
 C:\ProgramData\LeapWare\LeapFTP\
 C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
 C:\Users\%USER%\AppData\Local\FileZilla\recentservers.xml
 C:\ProgramData\FileZilla\sitemanager.xml
 C:\Users\%USER%\AppData\Roaming\FlashFXP\3\Quick.dat
 C:\Users\%USER%\AppData\Roaming\CuteFTP\
 C:\Users\%USER%\AppData\Roaming\SharedSettings_1_0_5.ccs
 C:\Users\%USER%\AppData\Roaming\SharedSettings.ccs
 C:\Users\%USER%\AppData\Roaming\TurboFTP\
 C:\ProgramData\BitKinex\
 C:\Users\%USER%\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
 C:\Users\%USER%\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
 C:\Users\%USER%\AppData\Roaming\FlashFXP\3\History.dat
 C:\Users\%USER%\AppData\Local\CuteFTP\sm.dat
 C:\Program Files\GlobalSCAPE\CuteFTP\
 C:\ProgramData\FlashFXP\4\Quick.dat
 C:\ProgramData\GlobalSCAPE\CuteFTP\
 C:\Users\%USER%\AppData\Local\BlazeFtp\
 C:\Users\%USER%\AppData\Local\FlashFXP\3\Sites.dat
 C:\Program Files\CuteFTP\
 C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
 C:\Users\%USER%\AppData\Local\BitKinex\
 C:\Users\%USER%\AppData\Local\FileZilla\filezilla.xml
 C:\Users\%USER%\AppData\Local\FlashFXP\4\Sites.dat
 C:\Users\%USER%\AppData\Local\GHISLER\wcx_ftp.ini
 C:\Users\%USER%\AppData\Roaming\INSoftware\NovaFTP\
 C:\Users\%USER%\AppData\Local\RhinoSoft.com\
 C:\Users\%USER%\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
 C:\ProgramData\Frigate3\
 C:\ProgramData\SharedSettings.sqlite
 C:\Users\%USER%\AppData\Roaming\ExpanDrive\drives.js
 C:\ProgramData\FTPInfo\
 C:\Program Files\GlobalSCAPE\CuteFTP Pro\
 C:\Users\%USER%\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
 C:\ProgramData\GHISLER\wcx_ftp.ini
 C:\Users\%USER%\AppData\Roaming\FTP Explorer\
 C:\Users\%USER%\AppData\Local\FileZilla\sitemanager.xml
 C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
 C:\Users\%USER%\AppData\Roaming\FileZilla\recentservers.xml
 C:\Users\%USER%\AppData\Roaming\RhinoSoft.com\
 C:\Users\%USER%\AppData\Roaming\FlashFXP\3\Sites.dat
 C:\Users\%USER%\AppData\Local\NetSarang\
 C:\ProgramData\FlashFXP\3\Quick.dat
 C:\Users\%USER%\AppData\Local\FTPGetter\
 C:\Program Files\GlobalSCAPE\CuteFTP Lite\
 C:\ProgramData\FlashFXP\3\History.dat
 C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat
 C:\ProgramData\NetSarang\
 C:\Users\%USER%\AppData\Roaming\BitKinex\
 C:\Users\%USER%\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
 C:\Users\%USER%\AppData\Local\Frigate3\
 C:\Users\%USER%\AppData\Local\TurboFTP\
 C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat
 C:\Users\%USER%\AppData\Roaming\FTPGetter\
 C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
 C:\Users\%USER%\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
 C:\ProgramData\SmartFTP\
 C:\ProgramData\CuteFTP\
 C:\Users\%USER%\AppData\Local\ExpanDrive\drives.js
 C:\Users\%USER%\AppData\Local\SmartFTP\
 C:\Users\%USER%\AppData\Local\GlobalSCAPE\CuteFTP Lite\
 C:\Users\%USER%\AppData\Local\FTPInfo\
 C:\Users\%USER%\AppData\Local\FlashFXP\3\History.dat
 C:\ProgramData\SharedSettings_1_0_5.ccs
 C:\ProgramData\GPSoftware\Directory Opus\
 C:\Users\%USER%\AppData\Local\SharedSettings_1_0_5.sqlite
 C:\Users\%USER%\AppData\Roaming\CuteFTP\sm.dat
 C:\Users\%USER%\AppData\Roaming\AceBIT\
 C:\Users\%USER%\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
 C:\Users\%USER%\AppData\Local\CuteFTP\
 C:\Users\%USER%\AppData\Local\SharedSettings.ccs
 C:\Users\%USER%\AppData\Roaming\Frigate3\
 C:\ProgramData\INSoftware\NovaFTP\
 C:\Users\%USER%\AppData\Roaming\FTPRush\
 C:\Windows\wcx_ftp.ini
 C:\Users\%USER%\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
 C:\Users\%USER%\AppData\Local\FlashFXP\4\History.dat
 C:\Users\%USER%\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
 C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
 C:\ProgramData\NetDrive\
 C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
 C:\Users\%USER%\AppData\Roaming\FTPInfo\
 C:\Users\%USER%\AppData\Local\GlobalSCAPE\CuteFTP\
 C:\Users\%USER%\AppData\Roaming\BlazeFtp\
 C:\Users\%USER%\AppData\Local\LeapWare\LeapFTP\
 C:\Users\%USER%\AppData\Local\Estsoft\ALFTP\
 C:\Users\%USER%\AppData\Roaming\SmartFTP\
 C:\Users\%USER%\AppData\Local\FTP Explorer\
 C:\ProgramData\FlashFXP\3\Sites.dat
 C:\ProgramData\FlashFXP\4\History.dat
 C:\Users\%USER%\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
 C:\Users\%USER%\AppData\Roaming\Estsoft\ALFTP\
 C:\Users\%USER%\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
 C:\ProgramData\RhinoSoft.com\
 C:\Users\%USER%\AppData\Roaming\LeapWare\LeapFTP\
 C:\Users\%USER%\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
 C:\Users\%USER%\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
 C:\ProgramData\ExpanDrive\drives.js
 C:\Users\%USER%\AppData\Roaming\FileZilla\filezilla.xml
 C:\Users\%USER%\wcx_ftp.ini
 C:\ProgramData\SiteDesigner\
 C:\ProgramData\BlazeFtp\
 C:\Users\%USER%\AppData\Local\SharedSettings.sqlite
 C:\Users\%USER%\AppData\Local\FlashFXP\3\Quick.dat

// Mail credential stealer

HKEY_USERS\Software\Microsoft\Windows Live Mail
HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

// callback via SNS

h00ps://www.facebook.com/connect/ping?client_id=132970837947&domain=www.msn.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2FX9pYjJn4xhW.js%3Fversion%3D41%23cb%3Df2532cc6538d7e8%26domain%3Dwww.msn.com%26origin%3Dhttp%253A%252F%252Fwww.msn.com%252Ff2811413b1d7db%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey1oP


// debug symbols:
c:\users\rr\documents\visual studio 2005\projects\stub1003_3_18_2016b\release\Stub1003_3_18_2016b.pdb
source: PURCHASE ENQUIRY.exe, PcHealth.exe

c:\Users\John\Documents\Visual Studio 2005\Projects\Stub_Startup\release\Stub_Startup.pdb
source: PURCHASE ENQUIRY.exe
--
#MalwareMustDie!!!

Please add more samples if you find others, thanks.

Re: Malware collection

Postby ikolor » Tue May 10, 2016 4:35 pm


Re: Malware collection

Postby EP_X0FF » Tue Oct 18, 2016 9:48 am
rayy.exe - Win32/Fareit (PWS)
Software\Far\Plugins\FTP\Hosts Software\Far2\Plugins\FTP\Hosts Software\Far Manager\Plugins\FTP\Hosts Software\Far\SavedDialogHistory\FTPHost Software\Far2\SavedDialogHistory\FTPHost Software\Far Manager\SavedDialogHistory\FTPHost Password HostName User Line _cx_ftp.ini \GHISLER InstallDir FtpIniName Software\_hisler\Windows Commander Software\_hisler\Total Commander \Ipswitch Sites\ \Ipswitch\WS_FTP \win.ini .ini WS_FTP DIR DEFDIR CUTEFTP QCHistory Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar Software\GlobalSCAPE\CuteFTP 9\QCToolbar \GlobalSCAPE\CuteFTP \GlobalSCAPE\CuteFTP Pro \GlobalSCAPE\CuteFTP Lite \CuteFTP \sm.dat _oftware\FlashFXP\3 _oftware\FlashFXP _oftware\FlashFXP\4 InstallerDathPath path Install Path DataFolder \Sites.dat \Quick.dat \_istory.dat \FlashFXP\3 \FlashFXP\4 \FileZilla \sitemanager.xml \recentservers.xml \filezilla.xml Software\FileZilla Software\FileZilla Client Install_Dir Host User Pass Port Remote Dir Server Type Server.Host Server.User Server.Pass Server.Port Path ServerType Last Server Host Last Server User Last Server Pass Last Server Port Last Server Path Last Server Type FTP Navigator FTP Commander ftplist.txt \BulletProof Software .dat .bps Software\BPFTP\Bullet Proof FTP\Main Software\BulletProof Software\BulletProof FTP Client\Main Software\BPFTP\Bullet Proof FTP\Options Software\BulletProof Software\BulletProof FTP Client\Options Software\BPFTP LastSessionFile SitesDir InstallDir1 .xml \SmartFTP Favorites.dat _istory.dat _ddrbk.dat quick.dat \TurboFTP Software\TurboFTP installpath Software\Sota\FFFTP CredentialSalt CredentialCheck Software\Sota\FFFTP\Options Password UserName HostAdrs RemoteDir Port HostName Port Username Password HostDirName Software\CoffeeCup 
Software\Internet\Profiles Software\FTPWare\COREFTP\Sites Host User Port PW PthR SSH profiles.xml \FTP Explorer Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224 Buttons Software\FTP Explorer\Profiles Password PasswordType Host Login Port InitialPath FtpSite.xml \Frigate3 .ini _VanDyke\Config\Sessions \Sessions Software\VanDyke\SecureFX Config Path UltraFXP \sites.xml \FTPRush RushSite.xml Server Username Password FtpPort Software\Cryer\WebSitePublisher \BitKinex bitkinex.ds Hostname Username Password Port Software\ExpanDrive\Sessions \ExpanDrive \drives.js "password" : " ", Software\ExpanDrive ExpanDrive_Home Server UserName Password _Password Directory Software\NCH Software\ClassicFTP\FTPAccounts FtpServer FtpUserName FtpPassword _FtpPassword FtpDirectory SOFTWARE\NCH Software\Fling\Accounts Software\FTPClient\Sites Software\SoftX.org\FTPClient\Sites .oxc .oll ftplast.osd \GPSoftware\Directory Opus \SharedSettings.ccs \SharedSettings_1_0_5.ccs \SharedSettings.sqlite \SharedSettings_1_0_5.sqlite \CoffeeCup Software leapftp unleap.exe sites.dat sites.ini \LeapWare\LeapFTP SOFTWARE\LeapWare InstallPath DataDir Password HostName UserName RemoteDirectory PortNumber FSProtocol Software\Martin Prikryl \32BitFtp.ini NDSites.ini \NetDrive PassWord Url UserName RootDirectory Port Software\South River Technologies\WebDrive\Connections ServerType FTP CONTROL FTPCON .prf \Profiles ѓ}ьЋіиisЇяhttp:// https:// ftp:// opera wand.dat _Software\Opera Software Last Directory3 Last Install Path Opera.HTML\shell\open\command \Opera Software wiseftpsrvs.bin \AceBIT Software\AceBIT MRU SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777} SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C} wiseftpsrvs.ini wiseftp.ini FTPVoyager.ftp FTPVoyager.ftp.backup FTPVoyager.ftp.old.backup FTPVoyager.qc \RhinoSoft.com nss3.dll NSS_Init NSS_Shutdown NSSBase64_DecodeBuffer SECITEM_FreeItem PK11_GetInternalKeySlot PK11_Authenticate PK11SDR_Decrypt PK11_FreeSlot         
                                 profiles.ini Profile IsRelative Path PathToExe prefs.js signons.sqlite signons.txt signons2.txt signons3.txt #2c #2d #2e Firefox \Mozilla\Firefox\ Software\Mozilla --- ftp:// http:// https:// ftp. fireFTPsites.dat SeaMonkey \Mozilla\SeaMonkey\ Flock \Flock\Browser\ Mozilla \Mozilla\Profiles\ Software\LeechFTP AppDir LocalDir bookmark.dat SiteInfo.QFP Odin Favorites.dat WinFTP sites.db CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32 servers.xml \FTPGetter ESTdb2.dat QData.dat \Estsoft\ALFTP Internet Explorer WininetCacheCredentials MS IE FTP Passwords DPAPI:  @J7<дєПї} Є iFоAJ7<дєПї} Є iFоBJ7<дєПї} Є iFо?   %02X Software\Microsoft\Internet Explorer\IntelliForms\Storage2 h t t p : / / w w w . f a c e b o o k . c o m /       a b e 2 8 6 9 f - 9 b 4 7 - 4 c d 9 - a 3 5 8 - c 2 2 9 0 4 d b a 7 f 7   Microsoft_WinInet_* ftp:// Software\Adobe\Common SiteServers SiteServer %d\Host SiteServer %d\WebUrl SiteServer %d\Remote Directory SiteServer %d-User SiteServer %d-User PW %s\Keychain SiteServer %d\SFTP DeluxeFTP sites.xml SQLite format 3 table ( )   CONSTRAINT PRIMARY UNIQUE CHECK FOREIGN  Web Data Login Data logins origin_url password_value username_value ftp:// http:// https:// moz_logins hostname encryptedPassword encryptedUsername \Google\Chrome \Chromium \ChromePlus Software\ChromePlus Install_Dir \Bromium \Nichrome \Comodo \RockMelt K-Meleon \K-Meleon \Profiles Epic \Epic\Epic Staff-FTP sites.ini \Sites \Visicom Media .ftp S e t t i n g s   \Global Downloader SM.arch FreshFTP .SMF BlazeFtp site.dat LastPassword LastAddress LastUser LastPort Software\FlashPeak\BlazeFtp\Settings \BlazeFtp .fpl FTP++.Link\shell\open\command GoFTP Connections.txt 3D-FTP sites.ini \3D-FTP \SiteDesigner SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32 EasyFTP \NetSarang .xfp .rdp TERMSRV/* password 51:b: username:s: full address:s: . 
TERMSRV/ FTP Now FTPNow sites.xml SOFTWARE\Robo-FTP 3.7\Scripts SOFTWARE\Robo-FTP 3.7\FTPServers FTP Count FTP File%d Password ServerName UserID InitialDirectory PortNumber ServerType    /pA je‘}ЃGL/¶Щ шеУfMY 2.5.29.37 0
+ Software\LinasFTP\Site Manager Host User Pass Port Remote Dir \Cyberduck .duck user.config <setting name=" " value=" Software\SimonTatham\PuTTY\Sessions HostName UserName Password PortNumber TerminalType NppFTP.xml \Notepad++ Software\CoffeeCup Software FTP destination server FTP destination user FTP destination password FTP destination port FTP destination catalog FTP profiles FTPShell ftpshell.fsi Software\MAS-Soft\FTPInfo\Setup DataDir \FTPInfo ServerList.xml NexusFile ftpsite.ini FastStone Browser FTPList.db \MapleStudio\ChromePlus Software\Nico Mak Computing\WinZip\FTP Software\Nico Mak Computing\WinZip\mru\jobs Site UserID xflags Port Folder .wjf winex=" "/> \Yandex My FTP project.ini .xml {74FF1730-B1F2-4D88-926B-1568FAE61DB7} NovaFTP.db \INSoftware\NovaFTP .oeaccount Salt         > </ <_OP3_Password2 <_MTP_Password2 <IMAP_Password2 <HTTPMail_Password2  \Microsoft\Windows Live Mail Software\Microsoft\Windows Live Mail \Microsoft\Windows Mail Software\Microsoft\Windows Mail Software\RimArts\B2\Settings DataDir DataDirBak Mailbox.ini Software\Poco Systems Inc Path \PocoSystem.ini Program DataPath accounts.ini \Pocomail Software\IncrediMail EmailAddress Technology PopServer PopPort PopAccount PopPassword _mtpServer _mtpPort _mtpAccount _mtpPassword account.cfg account.cfn \BatMail \The Bat! Software\RIT\The Bat! 
Software\RIT\The Bat!\Users depot Working Directory ProgramDir Count Default Dir #%d RLUQ!Dl`hm!@eesdrr RLUQ!Rdswds QNQ2!Rdswds QNQ2!Trds!O`ld RLUQ!Trds!O`ld OOUQ!Dl`hm!@eesdrr OOUQ!Trds!O`ld OOUQ!Rdswds HL@Q!Rdswds HL@Q!Trds!O`ld Dl`hm IUUQ!Trds IUUQ!Rdswds!TSM QNQ2!Trds HL@Q!Trds IUUQL`hm!Trds!O`ld IUUQL`hm!Rdswds RLUQ!Trds  QNQ2!Qnsu RLUQ!Qnsu HL@Q!Qnsu  QNQ2!Q`rrvnse3 HL@Q!Q`rrvnse3 OOUQ!Q`rrvnse3 IUUQL`hm!Q`rrvnse3 RLUQ!Q`rrvnse3  QNQ2!Q`rrvnse HL@Q!Q`rrvnse OOUQ!Q`rrvnse IUUQ!Q`rrvnse RLUQ!Q`rrvnse  Software\Microsoft\Internet Account Manager\Accounts Identities Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Internet Account Manager Outlook \Accounts identification identitymgr inetcomm server passwords outlook account manager passwords identities {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} Thunderbird \Thunderbird FastTrack ftplist.txt wallet.dat \Bitcoin electrum.dat \Electrum .wallet \MultiBit Accounts.ini \Maxprog\FTP Disk wallet.dat \Litecoin wallet.dat \Namecoin wallet.dat \Terracoin .wallet \Armory wallet.dat \PPCoin wallet.dat \Primecoin wallet.dat \Feathercoin wallet.dat \NovaCoin wallet.dat \Freicoin wallet.dat \Devcoin wallet.dat \Franko wallet.dat \ProtoShares wallet.dat \Megacoin wallet.dat \Quarkcoin wallet.dat \Worldcoin wallet.dat \Infinitecoin wallet.dat \Ixcoin wallet.dat \Anoncoin wallet.dat \BBQcoin wallet.dat \Digitalcoin wallet.dat \Mincoin wallet.dat \GoldCoin (GLD) wallet.dat \Yacoin wallet.dat \Zetacoin wallet.dat \Fastcoin wallet.dat \I0coin wallet.dat \Tagcoin wallet.dat \Bytecoin wallet.dat \Florincoin wallet.dat \Phoenixcoin wallet.dat \Luckycoin wallet.dat \Craftcoin wallet.dat \Junkcoin


ScanDoc-0x.exes - trojan muldrop with MailPassView & BrowserPassView inside.

Posts moved to Fareit thread.

Re: Malware collection

Postby ikolor » Sat Mar 04, 2017 6:28 pm


Re: Malware collection

Postby Antelox » Sat Mar 04, 2017 7:04 pm
Pony

Gate
http://richwellgroupsinc.com/hat/lazz/gate.php

Panel
http://richwellgroupsinc.com/hat/lazz/admin.php


BR,
Antelox