WinNT/Viknok

Forum for analysis and discussion about malware.

WinNT/Viknok

Postby EP_X0FF » Mon Apr 22, 2013 3:15 am

Cross-platform trojan downloader.

Payload

hxxp://dgfvv.mydad.info/778/bod86.dat
hxxp://dgfvv.mydad.info/778/kres64.dat

Both unavailable; if you have them, please attach.

Dropper

SHA256: cd9d72325d1a7cf55835f2e12f3dcba8c7d141e8b308ceb39c9e5f601522d06f
SHA1: 50b48d17912a40758031182c6e0a47ea293047e8
MD5: 04936bc5e3024826616afdf00a18ee51

https://www.virustotal.com/en/file/cd9d72325d1a7cf55835f2e12f3dcba8c7d141e8b308ceb39c9e5f601522d06f/analysis/

Extracted x86-32 stub

SHA256: 633ad444ce553c443cdf1eab5628e4d097a03e754f83062e5349cb3af83d5e42
SHA1: aebec6ebb9fe95198527b173a4a40a7fe304a684
MD5: 67e8ce50883e0416c1e879471065ab2c

https://www.virustotal.com/en/file/633ad444ce553c443cdf1eab5628e4d097a03e754f83062e5349cb3af83d5e42/analysis/1366600343/

Extracted x64 stub

SHA256: 76a0842cf7547f0863863cbfafb6b9f3b338e22c5921708edaef09e9ac1d4269
SHA1: a8399951345d135e7d2ce102b40eec7d82e95e83
MD5: 686e90202180df9062897e609b74ff67

https://www.virustotal.com/en/file/76a0842cf7547f0863863cbfafb6b9f3b338e22c5921708edaef09e9ac1d4269/analysis/1366600343/

Re: WinNT/Viknok

Postby EP_X0FF » Mon Apr 22, 2013 3:35 am

Payload located. Seems they use dynamic DNS and partial randomization of module names (leaving the platform id untouched).

C&C IP 46.166.177.114

kres64.dat is a sort of shellcode.

SHA256: 3e631003106e7273d52d393bedaba6d100e9663b11a75ef7fcbd9a2c40f82dcd
SHA1: 9b3a47062c743d74e0ab63642d309e92c5c6eeb3
MD5: 0a78932485a9136ae9dbf4f98d6bfa3b

https://www.virustotal.com/en/file/3e631003106e7273d52d393bedaba6d100e9663b11a75ef7fcbd9a2c40f82dcd/analysis/1366601278/

Browser injects, banking, info stealing, av blacklist.

bik86.dat is the x86-32 version of it.

SHA256: 473beb88a5b812ff7e5099aa74e4e3fc2a02ea47627c9d13a662badcab77b663
SHA1: 4b9ef8ed13285ec7b334916106ce8c174c127138
MD5: c217232df3ad8fafba6adb27415c5e89

https://www.virustotal.com/en/file/473beb88a5b812ff7e5099aa74e4e3fc2a02ea47627c9d13a662badcab77b663/analysis/1366601854/

hxxp://noikiv.mydad.info/778/ is open directory, facepalm.
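The two posts above give enough to write a proxy-log sweep: the download hosts, the C&C IP, the free dynamic-DNS zone, and the observation that module names are partly randomized while the platform id stays put. The following is an added example and not code from the thread; the log layout and the five log lines are constructed, and the module-path regex is an assumption inferred from the five names on the page (bod86, kres64, bik86, nor86, bokv4), not a pattern the posters stated.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the thread: the two download hosts, the C&C IP and the dynamic-DNS zone.
IOC_HOSTS = {"dgfvv.mydad.info", "noikiv.mydad.info"}
IOC_IPS = {"46.166.177.114"}
DDNS_ZONES = ("mydad.info",)  # assumption: other labels under the same free DDNS zone are worth a look

# Module-name shape inferred from the five names on the page (bod86, kres64, bik86, nor86, bokv4):
# three-digit directory, short lowercase stem, ".dat". This is an assumption, not something the
# posters stated; the platform id (86/64) is pulled out separately because it is the stable part.
MODULE_PATH = re.compile(r"^/\d{3}/[a-z][a-z0-9]{2,5}\.dat$")
PLATFORM_ID = re.compile(r"(86|64)\.dat$")

# Constructed proxy-log layout for the demo: "<ts> <client> <method> <url> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines; the first two mirror the URLs from the thread, the rest are filler.
SAMPLE_LOG = """\
2013-04-22T03:20:11Z 10.0.0.5 GET http://dgfvv.mydad.info/778/bod86.dat 404
2013-04-22T03:21:40Z 10.0.0.5 GET http://noikiv.mydad.info/778/kres64.dat 200
2013-04-22T03:22:02Z 10.0.0.7 GET http://46.166.177.114/220/bokv4.dat 200
2013-04-22T03:23:15Z 10.0.0.9 GET http://example.org/files/readme.dat 200
2013-04-22T03:24:00Z 10.0.0.9 GET http://other.mydad.info/index.html 200
""".splitlines()


@dataclass
class Hit:
    src: str
    url: str
    reasons: List[str]
    platform: Optional[str]


def classify(url: str) -> Tuple[List[str], Optional[str]]:
    """Return (reasons, platform_id) for one URL; an empty reasons list means not of interest."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []
    if host in IOC_IPS:
        reasons.append("c2-ip")
    if host in IOC_HOSTS:
        reasons.append("known-host")
    elif any(host == z or host.endswith("." + z) for z in DDNS_ZONES):
        reasons.append("ddns-zone")
    platform = None
    if MODULE_PATH.match(parts.path):
        reasons.append("module-path")
        m = PLATFORM_ID.search(parts.path)
        platform = m.group(1) if m else None
    return reasons, platform


def scan(lines) -> List[Hit]:
    """Run classify() over log lines in the constructed layout and keep the flagged ones."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        reasons, platform = classify(m["url"])
        if reasons:
            hits.append(Hit(m["src"], m["url"], reasons, platform))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.src} -> {h.url}  [{', '.join(h.reasons)}]  platform={h.platform}")
```

A 404 on the first line still matters: the dropper on that client ran and asked for its payload, which is what the first post observed when the files were already gone. The `ddns-zone` reason is deliberately weak on its own; it is there so the sweep surfaces sibling labels under the same free zone once the known hosts are rotated.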

Re: WinNT/Viknok

Postby Xylitol » Mon Apr 22, 2013 9:40 am

• dns: 1 ›› ip: 46.166.177.114 - address: NOIKIV.MYDAD.INFO
Additional: hxxp://46.166.177.114/220/, last modified 21-Apr-2013, fresh.

bokv4.dat > https://www.virustotal.com/fr/file/b876 ... 366623570/
nor86.dat > https://www.virustotal.com/fr/file/9dc7 ... 366623572/

Re: WinNT/Viknok

Postby R136a1 » Sun Apr 28, 2013 6:40 pm

Another x64 stub

SHA256: d9539a4b2400f56311c3fcc80d161d41b68ffe8edc11948864c923e92a78d246
SHA1: d911d4da8c8ba3a72ba381f814984b00c034959c
MD5: 8e13aadce747afb6c53810cea8ecaee9

https://www.virustotal.com/en/file/d953 ... /analysis/

Re: WinNT/Viknok

Postby EP_X0FF » Wed May 15, 2013 4:06 am

SHA1, 25 samples

0045b26f91e65258a5b7ddab5e3180c29dc222d3
066ed88b9c36a28c7693ba23eaf05381cab650f4
09b12fffc75b96828ec15eea057df45f47d706f7
1b99888caefaca395362771b531cc9acd896435e
210065d351faa1f46ba59c405dc3a8700a851042
55d5d20a5a028ac8e93db6cd8b47732b99eae318
5a3e9ac40093ee03397dc7931acc73bcf5eac28d
69ce8d7c1c33d7caaf7097929b66e8e089c6bfa8
6c22da8bcbe63174fb15582c54520f42dbac911f
6c46c37173a16f8a763120ea4c02f6407127b2ee
976683192f013e1b06c780345b960ae70fec0c48
9bdbe454d10f59b0034df3eeed5dc4452559d9c9
9e2e25f64a21c00b8298bb6c0e77fccad8def518
a93231c9f4c6e2f64bc523c0a752fd7a51ea03b2
b715f514840fa0d11ccb8a92b3756c51cb4397e2
b9c7d906ca9abaa6fe5e174dfe18e6262011fd85
bb6b0f51aa8f641116c85fc8b60a7cf82c270efa
bec2e892048caf4ec027c781ccb92afbc5605afd
c500523edb83767a0f4f37756c09cdd6937bae6e
d8c246f199fc58960de3aed2f703e75354edcd39
e982e7c60de315fb0268f05722c4f072e85475ad
ec7dde6eb4449e6255794716fc9340fe880d250b
f516bb5cf230d14c128aa772be090099a6375e13
fabae7de8e608d66190e89559416adfa2f2cad3a
feb1dfb28ac1a1ef99908b29e2ac1e295aeae5f7
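The thread is, in practice, a hash list: the dropper and stubs in the first post and the 25-sample SHA1 set above. Below is an added example (not the poster's code) of the tool a responder would actually use with it: a parser that lifts MD5/SHA1/SHA256 values straight out of pasted post text, bucketing them by digest length so the "SHA1:" labels do not need to be trusted, and a one-pass directory sweep that computes all three digests per file and reports matches. The hashes embedded in the block are copied from the first post and the 25-sample list; the two demo files it writes are constructed and are not malware.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Hashes copied from the thread: the dropper (first post) and the 25-sample SHA1 list.
THREAD_HASHES = """
SHA256: cd9d72325d1a7cf55835f2e12f3dcba8c7d141e8b308ceb39c9e5f601522d06f
SHA1: 50b48d17912a40758031182c6e0a47ea293047e8
MD5: 04936bc5e3024826616afdf00a18ee51
0045b26f91e65258a5b7ddab5e3180c29dc222d3
066ed88b9c36a28c7693ba23eaf05381cab650f4
09b12fffc75b96828ec15eea057df45f47d706f7
1b99888caefaca395362771b531cc9acd896435e
210065d351faa1f46ba59c405dc3a8700a851042
55d5d20a5a028ac8e93db6cd8b47732b99eae318
5a3e9ac40093ee03397dc7931acc73bcf5eac28d
69ce8d7c1c33d7caaf7097929b66e8e089c6bfa8
6c22da8bcbe63174fb15582c54520f42dbac911f
6c46c37173a16f8a763120ea4c02f6407127b2ee
976683192f013e1b06c780345b960ae70fec0c48
9bdbe454d10f59b0034df3eeed5dc4452559d9c9
9e2e25f64a21c00b8298bb6c0e77fccad8def518
a93231c9f4c6e2f64bc523c0a752fd7a51ea03b2
b715f514840fa0d11ccb8a92b3756c51cb4397e2
b9c7d906ca9abaa6fe5e174dfe18e6262011fd85
bb6b0f51aa8f641116c85fc8b60a7cf82c270efa
bec2e892048caf4ec027c781ccb92afbc5605afd
c500523edb83767a0f4f37756c09cdd6937bae6e
d8c246f199fc58960de3aed2f703e75354edcd39
e982e7c60de315fb0268f05722c4f072e85475ad
ec7dde6eb4449e6255794716fc9340fe880d250b
f516bb5cf230d14c128aa772be090099a6375e13
fabae7de8e608d66190e89559416adfa2f2cad3a
feb1dfb28ac1a1ef99908b29e2ac1e295aeae5f7
"""

HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
ALGOS = ("md5", "sha1", "sha256")


def parse_ioc_text(text: str) -> Dict[str, Set[str]]:
    """Lift digests out of pasted post text; the hex token's length, not its label, picks the algorithm."""
    iocs: Dict[str, Set[str]] = {a: set() for a in ALGOS}
    for tok in HEX_TOKEN.findall(text):
        algo = ALGO_BY_LEN.get(len(tok))
        if algo:  # odd-length hex runs (truncated pastes) are dropped rather than mis-bucketed
            iocs[algo].add(tok.lower())
    return iocs


VIKNOK_IOCS = parse_ioc_text(THREAD_HASHES)


def digest_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """One read of the file feeds all three digests, so a sample directory is read once."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_digests(digests: Dict[str, str], iocs: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Names of the algorithms on which this file's digests hit the indicator set."""
    iocs = VIKNOK_IOCS if iocs is None else iocs
    return [a for a in ALGOS if digests.get(a) in iocs.get(a, set())]


def scan_dir(root: str, iocs: Optional[Dict[str, Set[str]]] = None) -> Iterator[Tuple[str, str, List[str]]]:
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                d = digest_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            algos = match_digests(d, iocs)
            if algos:
                yield path, d["sha1"], algos


def build_demo_dir() -> str:
    """Constructed fixture: two harmless files, so the sweep can be exercised offline."""
    root = tempfile.mkdtemp(prefix="viknok-demo-")
    with open(os.path.join(root, "abc.bin"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(root, "benign.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for path, sha1, algos in scan_dir(target):
        print(f"{sha1}  {path}  matched on {','.join(algos)}")
```

Run it against a quarantine or sample directory as `python viknok_sweep.py /path/to/dir`; with no argument it sweeps the constructed demo directory, which matches nothing against the thread's indicators. Hash matching only catches byte-identical samples, so this is a triage step for a known set, not a substitute for the behavioural markers the posts describe (browser injects, AV blacklist, the module naming scheme).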


Re: WinNT/Viknok

Postby bao » Sat Jun 29, 2013 11:57 am

pass: infected

Re: WinNT/Viknok

Postby rkhunter » Mon Jul 29, 2013 11:32 am


Re: WinNT/Viknok

Postby rkhunter » Mon May 12, 2014 11:49 am


Re: Malware collection

Postby ikolor » Wed Oct 19, 2016 6:37 pm

