Win32/Sinowal (alias Mebroot)

Forum for analysis and discussion about malware.
PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Win32/Sinowal (alias Mebroot)

Post by PX5 » Fri Dec 17, 2010 1:06 pm

Arrogance led me to my Ignorance

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Sinowal--Mebroot

Post by rough_spear » Sun Dec 19, 2010 4:17 pm

Post the password along with samples from next time. Do not keep us guessing.
Well, for other users, the password is "infected".

GamingMasteR
Global Moderator
Posts: 228
Joined: Sun Mar 07, 2010 10:52 am

Re: Sinowal--Mebroot

Post by GamingMasteR » Sun Dec 19, 2010 5:11 pm

It's common on malware research forums/sites that zipped malware has a password that is either "malware" or "infected" :)

ramesh
Posts: 4
Joined: Fri May 27, 2011 8:17 am

PWS:Win32/Sinowal (MBR rootkit)

Post by ramesh » Wed Jun 01, 2011 2:14 am

Hello, I'm looking for a particular sample of:

a) Mebroot sample = Trojan family
b) MD5 0a211ac6b398f49f8ce982bb0b07bd4a (if you have other samples, please attach them also)
c) It modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.
d) VT=14/40; http://www.virustotal.com/file-scan/rep ... 1275018744

Thank you.

Meriadoc
Posts: 195
Joined: Sat Mar 13, 2010 7:36 pm
Location: Cymru

Re: Malware Requests

Post by Meriadoc » Wed Jun 01, 2011 2:55 am

Hi ramesh,

MD5:0A211AC6B398F49F8CE982BB0B07BD4A
Who controls the past controls the future
Who controls the present controls the past

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Sinowal--Mebroot

Post by PX5 » Mon Jul 25, 2011 5:00 pm

rough_spear wrote: Post the password along with samples from next time. Do not keep us guessing.
Well, for other users, the password is "infected".
FO!


Blackhole Kit; loading the exe yields nada; emailed myself the html link and off we went.

First I've seen of meb in any public arena in quite some time.

Curious if this one has gone platform compatible...
Arrogance led me to my Ignorance

Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Re: Sinowal--Mebroot

Post by Quads » Thu Jul 28, 2011 12:24 am

The unzipped file can't run on XP, it's not a valid win32 application

Quads

EP_X0FF
Global Moderator
Posts: 4775
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Sinowal--Mebroot

Post by EP_X0FF » Thu Jul 28, 2011 2:34 am

Quads wrote:The unzipped file can't run on XP, it's not a valid win32 application

Quads
They are DLLs.
Ring0 - the source of inspiration

icr
Posts: 8
Joined: Mon Aug 22, 2011 6:22 pm

Re: Sinowal--Mebroot

Post by icr » Sun Aug 28, 2011 7:54 am

Hey all, as this topic was dedicated to Mebroot virus programs, I would like to add some Mebroot programs.

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Sinowal--Mebroot

Post by rough_spear » Wed Sep 28, 2011 6:52 pm

Hi,
Here is one more variant of sinowal-mebroot bootkit. :D

hxxp://uablszeuyus.com/w.php?f=26&e=1
File name - contacts.exe
File size - 124 KB

MD5 : 406e27ffcfc5134910f90524a5dd9350
SHA1 : bcc59a3d3b4a5ef41a0df7c2059ccc1da83298a1
SHA256: 45035761a3516278ca53f1c0e0b31d4607e342c4a59afcb4925b8d264bb65e8d
ssdeep: 1536:Zv1aIDH4GJYGb3Wd+OfUedf7JB0vDZfuDCpMT9kb7GThzzBqem:ZtpDYGKGznOfUaf7MvUDBpkbizzBqe

Regards,


rough_spear. ;)
