Win32/Sinowal (alias Mebroot)


Win32/Sinowal (alias Mebroot)

Postby PX5 » Fri Dec 17, 2010 1:06 pm

Arrogance led me to my Ignorance

Re: Sinowal--Mebroot

Postby rough_spear » Sun Dec 19, 2010 4:17 pm

Post the password along with samples from next time. Do not keep us guessing.
Well, for other users, the password is "infected".

Re: Sinowal--Mebroot

Postby GamingMasteR » Sun Dec 19, 2010 5:11 pm

It's common on malware research forums/sites that zipped malware has a password that is either "malware" or "infected" :)

PWS:Win32/Sinowal (MBR rootkit)

Postby ramesh » Wed Jun 01, 2011 2:14 am

Hello, I'm looking for a particular sample of:

a) Mebroot sample = Trojan family
b) MD5 0a211ac6b398f49f8ce982bb0b07bd4a (if you have other samples, please attach them also)
c) It modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.
d) VT=14/40; http://www.virustotal.com/file-scan/rep ... 1275018744

Thank you.

Re: Malware Requests

Postby Meriadoc » Wed Jun 01, 2011 2:55 am

Hi ramesh,

MD5:0A211AC6B398F49F8CE982BB0B07BD4A
Who controls the past controls the future
Who controls the present controls the past

Re: Sinowal--Mebroot

Postby PX5 » Mon Jul 25, 2011 5:00 pm

rough_spear wrote: Post the password along with samples from next time. Do not keep us guessing.
Well, for other users, the password is "infected".


FO!

hxxp://anysexlife.net/index.php?tp=3b736217eef38124
hxxp://anysexlife.net/d.php?f=32&e=2

anysexlife.net - 200.35.147.150


Blackhole Kit; loading the exe yields nada; emailed self the HTML link and off we went.

First I've seen of Meb in any public arena in quite some time.

Curious if this one has gone platform compatible...
Arrogance led me to my Ignorance

Re: Sinowal--Mebroot

Postby Quads » Thu Jul 28, 2011 12:24 am

The unzipped file can't run on XP; it's not a valid Win32 application.

Quads

Re: Sinowal--Mebroot

Postby EP_X0FF » Thu Jul 28, 2011 2:34 am

Quads wrote: The unzipped file can't run on XP; it's not a valid Win32 application.

Quads


They are DLLs.
Ring0 - the source of inspiration
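The Quads/EP_X0FF exchange (a file that is "not a valid Win32 application" because it is a DLL) and PX5's question about a 64-bit build both come down to two PE header fields; the following is an added example, not code from this thread, that reads them from any PE image. It constructs its own minimal headers as test input (labelled as such) and touches nothing from the samples themselves.

```python
import struct

IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics flag
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "i386", IMAGE_FILE_MACHINE_AMD64: "x86-64"}

def inspect_pe(data: bytes) -> dict:
    """Read the DOS header, COFF header and optional-header magic of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional header Magic
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,                # 0x10B = PE32, 0x20B = PE32+ (64-bit)
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }

def why_not_runnable_on_xp32(info: dict) -> list:
    """Reasons a file with these headers cannot be launched directly on 32-bit XP."""
    reasons = []
    if info["is_dll"]:
        reasons.append("IMAGE_FILE_DLL is set: it is a library, not a program")
    if info["pe32plus"] or info["machine"] == "x86-64":
        reasons.append("64-bit image (PE32+): will not load on a 32-bit OS")
    return reasons

def make_header(machine: int, characteristics: int, magic: int) -> bytes:
    """Constructed minimal PE header used as test input; not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)

if __name__ == "__main__":
    # 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE, 0x0100 = IMAGE_FILE_32BIT_MACHINE
    dll32 = make_header(IMAGE_FILE_MACHINE_I386, 0x0002 | 0x0100 | IMAGE_FILE_DLL, 0x10B)
    exe64 = make_header(IMAGE_FILE_MACHINE_AMD64, 0x0002, 0x20B)
    for name, blob in (("dll32", dll32), ("exe64", exe64)):
        info = inspect_pe(blob)
        print(name, info, why_not_runnable_on_xp32(info))
```

On a real file, pass `open(path, "rb").read()` to `inspect_pe`; the only fields read are the DOS stub offset, the COFF header and the optional-header magic, so a truncated or packed sample still reports correctly as long as those headers are intact.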

Re: Sinowal--Mebroot

Postby icr » Sun Aug 28, 2011 7:54 am

Hey all, as this topic is dedicated to Mebroot virus programs, I would like to add some Mebroot programs.

Re: Sinowal--Mebroot

Postby rough_spear » Wed Sep 28, 2011 6:52 pm

Hi,
Here is one more variant of the Sinowal/Mebroot bootkit. :D

hxxp://uablszeuyus.com/w.php?f=26&e=1
File name - contacts.exe
File size - 124 KB

MD5 : 406e27ffcfc5134910f90524a5dd9350
SHA1 : bcc59a3d3b4a5ef41a0df7c2059ccc1da83298a1
SHA256: 45035761a3516278ca53f1c0e0b31d4607e342c4a59afcb4925b8d264bb65e8d
ssdeep: 1536:Zv1aIDH4GJYGb3Wd+OfUedf7JB0vDZfuDCpMT9kb7GThzzBqem:ZtpDYGKGznOfUaf7MvUDBpkbizzBqe

Regards,


rough_spear. ;)
