Win32/Kelihos (+Waledac downloader)

Win32/Kelihos (+Waledac downloader)

Postby fatdcuk » Thu Dec 16, 2010 6:44 pm

Just bagged the dropper and have not played with it yet.

Downloaded alongside Security Shield fake AV.

VT detections (9/43): all packer-generic except M$
http://www.virustotal.com/file-scan/rep ... 1292524798
Ade Gill
Malwarebytes Researcher

Re: Backdoor:Win32/Kelihos.A

Postby EP_X0FF » Thu Dec 16, 2010 8:11 pm

Thanks for sharing. Typical backdoor with a TCP server inside. Bot packed with UPX 3.07 and crypted.

Autoruns through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as SmartIndex

Just a couple of strings from this bot (there are a lot of them inside), some typos detected :)

Client
started.
Error!!! .\client.cpp
Failed to init client!
_tWinMain
GoogleImpl
GooglePath
Software\Google
client:
Autorun update write failed
Config loaded Ok. own_id=
, port =
Loaded bootstrap list:
[forwardingrequest]Failed to connect to job_server:
X-Real-My-IP
[forwardingrequest]Failed to invoke get to job_server:
[forwardingrequest]http_response_info* presnose not filled after success get.
HTTP Proxy routed success. [remote_client:
-->> remote_server:
], URI=
Internal Server Error
AppID
SmartIndex
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Failed to write autorun entry
Autorun entry writed success.
[requesting_parachute]Failed to resolve URL:
[requesting_parachute]Connecting to
[requesting_parachute]Failed to connect to server:
[requesting_parachute]Invoking to
[requesting_parachute]Failed to invoke to server:
[requesting_parachute] presnose not filled, server:
[requesting_parachute]boot_helper surprise, response code =
[requesting_parachute]Failed! wrong response code =
[requesting_parachute] Empty body in http response :(
Ring0 - the source of inspiration
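A triage helper added here as an example; it is not code from the thread or from any poster. It parses the PE section table to spot the UPX0/UPX1 sections a stock UPX build leaves behind (the post notes the bot is UPX-packed and crypted) and scores the distinctive strings quoted above, so a still-packed dropper is reported as "unpack first" instead of producing a false negative. The MIN_HITS threshold, the fake_pe builder and both sample images are constructed assumptions, not real samples.

```python
import struct

# Distinctive strings quoted in the post above (they surface only in the unpacked bot).
KELIHOS_STRINGS = [b"[requesting_parachute]", b"[forwardingrequest]", b"SmartIndex",
                   b"Autorun entry writed success.", b"Failed to write autorun entry",
                   b"boot_helper surprise, response code =", b"X-Real-My-IP"]
MIN_HITS = 3  # constructed threshold: require several strings, not one, to limit noise

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    # COFF header after the PE signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for off in range(table, table + 40 * num_sections, 40):
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names

def triage(data: bytes) -> dict:
    """Flag UPX section names and score the Kelihos strings from the post."""
    sections = pe_section_names(data)
    packed = any(n.startswith("UPX") for n in sections)
    hits = [s.decode() for s in KELIHOS_STRINGS if s in data]
    if len(hits) >= MIN_HITS:
        verdict = "kelihos-strings"
    elif packed:
        verdict = "unpack-first"  # strings sit inside the compressed/crypted payload
    else:
        verdict = "no-match"
    return {"sections": sections, "packed": packed, "hits": hits, "verdict": verdict}

def fake_pe(section_names, payload: bytes) -> bytes:
    """Build a constructed, header-only PE-like image for testing; not a real sample."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + coff + table + payload

PACKED_SAMPLE = fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\x90" * 32)
UNPACKED_SAMPLE = fake_pe([b".text", b".rdata", b".data"],
                          b"[requesting_parachute]Connecting to \x00[forwardingrequest]Failed to "
                          b"connect to job_server: \x00SmartIndex\x00Autorun entry writed success.\x00")
```

Run it on the unpacked dump that nullptr attaches later in the thread rather than on the packed dropper; on the dropper the helper only tells you to unpack.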

Re: Malware Requests

Postby teleboti » Thu Oct 20, 2011 7:33 pm

Hlux/Kelihos any sample? Thanks!!

Re: Malware Requests

Postby Xylitol » Thu Oct 20, 2011 7:45 pm

teleboti wrote:Hlux/Kelihos any sample? Thanks!!

viewtopic.php?f=16&t=538&p=4031#p4031

Re: Malware Requests

Postby sugar » Fri May 18, 2012 10:09 am

Hello,
I'm looking for Kelihos/Khelios/Hlux
https://www.virustotal.com/file/e297c8b ... /analysis/
010ac0bff69eb945108b57b40a4784be

Re: Malware Requests

Postby rkhunter » Fri May 18, 2012 10:26 am

sugar wrote:Hello,
I'm looking for Kelihos/Khelios/Hlux
https://www.virustotal.com/file/e297c8b ... /analysis/
010ac0bff69eb945108b57b40a4784be

Backdoor:Win32/Kelihos.B

Re: Backdoor:Win32/Kelihos

Postby nullptr » Thu Sep 20, 2012 10:23 am

SHA1: 4571518150a8181b403df4ae7ad54ce8b16ded0c
MD5: 1c837a8f652c36ea8d85f5ffee70068e

VT 7/43 - https://www.virustotal.com/file/4265111 ... /analysis/

original + unpacked in attachment

Re: Backdoor:Win32/Kelihos

Postby nullptr » Sun Nov 04, 2012 9:08 am

MD5: F22AF0C2BC0356FFBEA84D6034BFD4A9
SHA-1: C1D3CE13E0473CC333D8A484E3BD58E1AD953CA6
From Oct 31, 2012

dropper + unpacked attached

Trojan-PSW.Win32.Tepfer.cepv

Postby Buster_BSA » Wed Nov 28, 2012 6:00 pm

I am looking for this one:

MD5: b59b1300ac72a530b7170e50bc8

https://www.virustotal.com/file/1502cfb ... /analysis/

Thanks in advance!

Re: Trojan-PSW.Win32.Tepfer.cepv

Postby Win32:Virut » Wed Nov 28, 2012 6:07 pm

I don't have this file, but I don't think this is Tepfer, probably System Progressive Protection but I'm not sure. I have file B59C79DCEA3404E86161C01593A1F358. This is also detected by Kaspersky as Tepfer but also probably SPP.

EDIT:

One more attached.
