XKeyScore

Forum for analysis and discussion about malware.
MalwareInfo
Posts: 6
Joined: Sat Oct 01, 2016 3:37 am

XKeyScore

Post by MalwareInfo » Sun Oct 01, 2017 3:49 am

This malware may be using OutputDebugString as an anti-debugging technique. I am not familiar with this technique, so how do I fix it? Any help would be greatly appreciated!
Last edited by Xylitol on Thu Jan 24, 2019 4:32 pm, edited 1 time in total.
Reason: edited topic title

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: malware

Post by Xylitol » Sun Oct 01, 2017 9:24 am

In attachment: unpacked keylogger, 8/64 on VT https://www.virustotal.com/en/file/5fb7 ... 506849125/
The payload is taken from a resource and then decoded, ending up with a file you can upx -d; it appears to be coded in Delphi.


ASCII "C:\\Downloads\\FUD\\XKey\\autorunreg.pas"
ASCII "----------------------------------------------------------------------------------------------------"
ASCII "\r\n"
ASCII "[<<]"
ASCII "[Tab]"
ASCII "[Esc]"
ASCII "[PrtScr]"
ASCII "[Del]"
ASCII "[Num Lock]"
ASCII "\r\n\r\n================================== 0USER0 - "
ASCII "[ Áóôåð îáìåíà - Clipboard - "
ASCII "nynewsguardianinternet.com"
ASCII "text="
ASCII "/upwin/index.php"
ASCII "Content-Type: application/x-www-form-urlencoded"
ASCII "GetAsyncKeyState"
KeyloggerTimer
AtivarTimer
DesativarTimer
The host where it sends data is down and the file is 2 years old.
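Added example, not part of the post above or of the sample: a small Python triage check that looks for the strings from the listing in a byte buffer, in both ANSI and UTF-16LE form, and only reports a match when a sample-specific group (build path, host/URI, timer names) is backed by a second group. The function names, the thresholds and the two test buffers are assumptions constructed for illustration.

```python
"""Triage a byte buffer for the strings listed in the post above (added example)."""

# Strings copied from the listing in the post, grouped by role. The path is
# assumed to use single backslashes in the file; the listing shows them escaped.
INDICATORS = {
    "build_path": [r"C:\Downloads\FUD\XKey\autorunreg.pas"],
    "key_labels": ["[<<]", "[Tab]", "[Esc]", "[PrtScr]", "[Del]", "[Num Lock]"],
    "exfil": ["nynewsguardianinternet.com", "/upwin/index.php"],
    "capture_api": ["GetAsyncKeyState"],
    "timer_names": ["KeyloggerTimer", "AtivarTimer", "DesativarTimer"],
}
# Generic groups need several members before they count (threshold is an assumption).
MIN_HITS = {"key_labels": 3}


def present(data: bytes, text: str) -> bool:
    """True if text occurs as ANSI or UTF-16LE (Delphi builds may use either)."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def triage(data: bytes) -> dict:
    """Return matched strings per group and a verdict based on which groups hit."""
    hits = {}
    for group, strings in INDICATORS.items():
        found = [s for s in strings if present(data, s)]
        if len(found) >= MIN_HITS.get(group, 1):
            hits[group] = found
    # A lone GetAsyncKeyState import or a few key labels is not enough:
    # require a sample-specific group plus at least one other group.
    specific = {"build_path", "exfil", "timer_names"} & hits.keys()
    return {"hits": hits, "match": bool(specific) and len(hits) >= 2}


# Constructed test buffers (not bytes from the real sample).
SAMPLE_LIKE = (
    b"\x00\x10[Tab]\x00[Esc]\x00[Del]\x00GetAsyncKeyState\x00"
    + "KeyloggerTimer".encode("utf-16-le")
    + b"\x00POST /upwin/index.php\x00"
)
BENIGN_LIKE = b"MZ\x90\x00GetAsyncKeyState\x00[Tab]\x00[Esc]\x00user32.dll"

if __name__ == "__main__":
    for name, buf in (("sample-like", SAMPLE_LIKE), ("benign-like", BENIGN_LIKE)):
        print(name, triage(buf))
```

Run it against the file obtained after decoding and `upx -d`, since the listing in the post comes from the unpacked keylogger.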

sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Re: malware

Post by sysopfb » Thu Jan 17, 2019 4:25 pm

Sorry for necroing, but this is XKeyScore; found this topic while looking at another sample.

Panel attached from a different C2 server
