Backdoor Blackshades NET

Forum for analysis and discussion about malware.

trojan (does not run in vm)

Postby markusg » Wed Dec 08, 2010 6:27 pm

Some trojan, does not run in my VM so I cannot test.
http://www.virustotal.com/file-scan/rep ... 1291831159
markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: trojan (does not run in vm)

Postby PX5 » Thu Dec 09, 2010 10:39 am

Copies itself to %userprofile%\Application Data\nvdisp.exe

Connects to forum159.no-ip.biz (93.138.110.153) TCP

Searches for DNS response to 93.188.163.194

Some sorta backdoor bot I think.
Arrogance led me to my Ignorance
PX5
 
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am
Reputation point: 53

Re: trojan (does not run in vm)

Postby markusg » Thu Dec 09, 2010 10:56 am

thx for this :-)
markusg

Backdoor Blackshades NET

Postby markusg » Mon Jan 03, 2011 5:22 pm

markusg

Re: vb trojan

Postby EP_X0FF » Mon Jan 03, 2011 6:00 pm

This is Backdoor Blackshades NET.
UPX + VB Cryptor + UPX -> VB.

Runs through

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components


Recovers them if the keys are deleted.

Blackshades NET is a very advanced Remote Administration tool coded in Visual Basic 6. Unlike what many of you think, VB6 is not as limited and useless as you think. This RAT, unlike many others that are for sale on the marketplace, has no dependencies (.NET Framework, Java, etc.) and works extremely well. The current version is 3.3

Price: $50

Commands:
- Ping
- Filter Connections (By ID, WAN, LAN, DDOS, IM, USB, Username, Comp. Name, Privileges, OS, Uptime, Idle, Ping, Socks4, Country, Version)
- Install Date
- Change Host (New DNS to connect to)
- Select All/Range
- Resolve Hostname
- Copy (WAN, LAN, Socks, Full Info, Entire List, Socks Checker List)
- Audio Capture
- Full MSN Controller (Block, Add, Unblock, Mass message!)
- Screen Capture and Control (Mouse/Keyboard supported, choose bitsize for quicker transfer)
- Keylog Manager (All/Selected/Single, Filtered/Scan/Complete)
- Webcam Capture
- DDoS (UDP/TCP, select packet/sockets/packet size/port/ip, ability to ddos on join, by country, by ping, by IP range, or random)
- View Network Statistics
- Create Socks4 Proxy (Will not work behind NAT)
- Pharming/Redirect
- Sniffer
- Website Visit (Visible/Multiple Times Hidden)
- File Manager (Search, Execute, Upload, Delete, Download, Multi File Download, Folder Download, Advanced Image Gallery/Previewer)
- Process Manager (Resume, Suspend, Kill)
- Registry Manager (New Key, New Value, Delete Key, Delete Value)
- Service Manager (Start, Stop)
- Shell (cmd prompt)
- Download/Execute
- Update Idle Time
- Seed Torrent
- File Infector
- Update Uptime
- Fun Manager (Reverse/Normal Mouse, Open/Close CD Tray, Hide/Show Mouse, Hide/Show Desktop Icons, Start/Stop Crazy Mouse, Send Message Box, Change Wallpaper (by URL), Speak Text (Type it, then send it. Choose Slow-Mo, Speedy, or Regular Speed), Set Volume 100%, Mute Volume, Unmute Volume, Start Screensaver, Restart Computer, Logoff Computer, Shutdown Computer, Turn off Monitor, Turn on Monitor)
- Passwords:
Internet Explorer 7/8
Firefox 3.x
CD Keys
Windows Product Keys
MSN Messenger
Windows Messenger
Windows Live Messenger (WinXP/Vista/7)
Yahoo Messenger (5.x/6.x)
Google Talk
ICQ Lite (4.x/5.x/2003)
AOL Instant Messenger (v4.6 or below/AIM 6.x/AIM Pro)
Trillian
Trillian Astra
Miranda
GAIM/Pidgin
MySpace IM
PaltalkScene
Digsby
Outlook Express
Microsoft Outlook 2000/2002/2003/2007/2010 (POP3, IMAP, HTTP and SMTP Accounts)
Windows Mail
Windows Live Mail
IncrediMail
Eudora
Netscape (6.x/7.x)
Mozilla Thunderbird
Group Mail Free
Yahoo! Mail
Hotmail/MSN mail
Gmail
Google Desktop
Google Talk
- Spread (USB, MSN, AIM/ICQ)
- Edit ID
- Update Server
- Remove Server

Features:
Web Server - Control your bot through the web server, and also set up admin/guest accounts with editable privileges for guests!
- Station - Host through your botnet through your bot to prevent tracebacks 100%
- IP to Country Flags
- New Bots show as Red
- Icon Changer - Change to any .ico File
- File Info Cloner - Clone file details of any exe file
- Server Builder (Uses string replacement - no EOF needed!)
- All settings are stored and remembered
- After a successful login, you will not need to input your username and click login - it will automatically log you in.
- Statistics (Disconnected, Attempt, Established Connection, etc)
- View Chart of Bots by Country
- Skin Chooser - choose between 4 lovely skins ;)
- Database Logging (Log Passwords, Connections, Keylogs to SQL)
- Tasks (Keylog, Passwords, DDoS Start/Stop, DL/Execute, Update without being @ PC)
- Multi Transfers (Download multiple files at once, view multiple screens at once, or view multiple webcams at once!)
- Process Protection (Optional) (Cannot be killed by task manager on Vista/7. On XP, you will get BSOD and restart - if protection fails on Vista/7, it will get BSOD and restart)
- Network Sharing (Input the IP and Port of a friend and he can share your bots - update and remove are not allowed)
- No dependencies required.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
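An added example, not code from the thread and not Blackshades code: offline checks for the indicators PX5 and EP_X0FF report above (the nvdisp.exe copy under Application Data, the no-ip.biz C2 name and the two addresses, and the four autostart keys). The .reg export and the DNS log lines are constructed for the demo, the DNS line format is an assumption, and the Active Setup GUID is made up.

```python
"""Triage of the persistence and C2 indicators from this thread over constructed inputs."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the PX5 and EP_X0FF posts
DROP_NAME = "nvdisp.exe"
C2_HOSTS = {"forum159.no-ip.biz"}
C2_IPS = {"93.138.110.153", "93.188.163.194"}

# Autostart locations EP_X0FF lists (Active Setup uses subkeys holding a StubPath value)
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
)

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg(text: str) -> List[Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key, name, data} rows.
    Only REG_SZ values are unescaped; other value types are kept as their raw text."""
    rows: List[Dict[str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        name = m.group(1) or "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # regedit escapes backslashes and double quotes with a backslash
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        rows.append({"key": key, "name": name, "data": data})
    return rows


def find_persistence(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag entries under the listed autostart keys that launch the dropped file
    or anything from the per-user Application Data folder PX5 names."""
    hits = []
    for row in rows:
        key = row["key"].lower()
        if not any(key.startswith(p.lower()) for p in PERSISTENCE_KEYS):
            continue
        data = row["data"].lower()
        if DROP_NAME in data or "\\application data\\" in data:
            hits.append(row)
    return hits


def find_c2_hits(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan DNS log lines '<ts> <client> <qname> <answer>' (assumed format) for the C2
    name and for either C2 address: the RAT's 'Change Host' command lets the operator
    move to a new name, so matching on the answer address catches a renamed C2."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, _client, qname, answer = parts
        if qname.lower() in C2_HOSTS:
            hits.append((n, f"query for known C2 host {qname}"))
        elif answer in C2_IPS:
            hits.append((n, f"{qname} resolved to known C2 address {answer}"))
    return hits


# Constructed sample inputs (GUID and non-IOC addresses are made up)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"nvdisp"="C:\\Documents and Settings\\user\\Application Data\\nvdisp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"nvdisp"="C:\\Documents and Settings\\user\\Application Data\\nvdisp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="C:\\Documents and Settings\\user\\Application Data\\nvdisp.exe"
"""

SAMPLE_DNS = [
    "2010-12-09T10:31:02 192.0.2.20 www.example.com 198.51.100.7",
    "2010-12-09T10:31:09 192.0.2.20 forum159.no-ip.biz 93.138.110.153",
    "2010-12-09T10:31:10 192.0.2.20 other-name.example.net 93.188.163.194",
]

if __name__ == "__main__":
    for row in find_persistence(parse_reg(SAMPLE_REG)):
        print("persistence:", row["key"], row["name"], "->", row["data"])
    for n, why in find_c2_hits(SAMPLE_DNS):
        print(f"dns line {n}: {why}")
```

Because EP_X0FF notes the bot re-creates the keys when they are deleted, a cleanup based on these hits has to terminate the nvdisp.exe process (and stop its process protection) before removing the values, then re-export the keys to confirm they stayed gone.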

Re: Mal/VB (Autorunners, PWS)

Postby markusg » Wed Jan 05, 2011 4:43 pm

markusg

Re: Backdoor Blackshades NET

Postby EP_X0FF » Wed Jan 05, 2011 6:56 pm

markusg wrote: http://www.virustotal.com/file-scan/report.html?id=c18780b27e5b91a8947fea4966b825c5004c8058ce2d372002963cc4778022f5-1294245382


This is another Blackshades backdoor.
EP_X0FF
Global Moderator

backdoor

Postby markusg » Sun Jan 09, 2011 12:44 pm

markusg

Re: backdoor

Postby EP_X0FF » Sun Jan 09, 2011 12:54 pm
C:\Users\Admin\Desktop\Blackshades project\Blackshades NET\server\server.vbp
EP_X0FF
Global Moderator
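An added example, not from the thread and not Blackshades code: a small PE triage that shows the two things EP_X0FF uses to identify these samples, the packer layering (UPX + VB Cryptor + UPX -> VB) from the section table and the VB6 runtime import, plus the embedded .vbp project path like the one quoted in the post above. The PE image is constructed in memory for the demo; it is not the attached sample.

```python
"""Packer / VB6 triage of a PE image: UPX section names, MSVBVM60 import, .vbp path."""
import re
import struct
from typing import Dict, List

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
VB6_RUNTIME = b"MSVBVM60.DLL"
# A drive path ending in .vbp: VB6 leaves the project path in the compiled binary
VBP_PATH = re.compile(rb"[A-Za-z]:\\[^\x00-\x1f\"*?<>|]{1,200}?\.vbp", re.IGNORECASE)


def section_names(data: bytes) -> List[bytes]:
    """Walk the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data: bytes) -> Dict[str, object]:
    """Report UPX section names, a visible VB6 runtime import string, and any .vbp paths."""
    names = section_names(data)
    return {
        "sections": names,
        "upx": any(n in UPX_SECTIONS for n in names),
        "vb6_runtime": VB6_RUNTIME in data.upper(),
        "vbp_paths": [m.group(0).decode("latin-1") for m in VBP_PATH.finditer(data)],
    }


def build_fake_pe(sections: List[bytes], payload: bytes) -> bytes:
    """Constructed minimal PE for the demo: DOS header, PE signature, COFF header with no
    optional header, a table of otherwise empty section headers, then raw payload bytes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + table + payload


# Constructed samples: a still-UPX-packed layer shows only the UPX section names (its
# strings are compressed); the unpacked VB6 layer shows the runtime import and project path.
SAMPLE_PACKED = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 64)
SAMPLE_UNPACKED = build_fake_pe(
    [b".text", b".data", b".rsrc"],
    b"\0MSVBVM60.DLL\0"
    b"C:\\Users\\Admin\\Desktop\\Blackshades project\\Blackshades NET\\server\\server.vbp\0",
)

if __name__ == "__main__":
    for label, image in (("packed", SAMPLE_PACKED), ("unpacked", SAMPLE_UNPACKED)):
        print(label, triage(image))
```

Run it on each layer in turn: `upx -d` strips a UPX layer when the headers are intact, the cryptor layer in between has to be dumped from memory, and only the innermost image yields the MSVBVM60.DLL import and the .vbp path. A VB6 runtime import on its own says nothing about maliciousness; it is the combination with the autostart keys and the C2 traffic that classifies the sample.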

Re: Malware/MSIL-BA

Postby markusg » Mon Jan 17, 2011 12:10 pm

Sorry, missed the second file.
markusg
