Win32/Fynloski (DarkComet)

Forum for analysis and discussion about malware.
markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Win32/Fynloski (DarkComet)

Post by markusg » Thu Jan 06, 2011 10:46 am


EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: tr.Obfuscated

Post by EP_X0FF » Thu Jan 06, 2011 11:30 am

This is Backdoor Fynloski.

Keeps connection with 89.242.128.36:1337

Here it is decrypted.

https://www.virustotal.com/file-scan/re ... 1294312860
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!
Written in Delphi. Below is a detailed list of the units used.
server
EditServer
UntMain
uFZ
ShlObj
UrlMon
ActiveX
Windows
Types
SysInit
System
Messages
WinInet
RegStr
ShellAPI
CommCtrl
UntServices
Registry
RTLConsts
IniFiles
Classes
SysConst
TypInfo
SysUtils
ImageHlp
Variants
VarUtils
WinSvc
UntShell
UntSendStream
MD5Api
MD5Core
UntControlKey
UntRC4
UntGFXResize
Graphics
Consts
UntWebCam
jpeg
JConsts
MMSystem
untFunctions
PsAPI
TlHelp32
UntProcess
UntResizePic
GDIPUTIL
GDIPOBJ
GDIPAPI
Math
DirectDraw
UntCore
UntFWB
untMainFunctions
untBypass
PELoad
ComObj
ComConst
UntSinInfo
Nb30
CryptApi
WinSock
UntIE7
Pstoreclib
PSTORECLib_TLB
UntKeylogger
UntFTP
Clipbrd
Forms
UxTheme
SyncObjs
DwmApi
Themes
Controls
ActnList
Menus
ImgList
Contnrs
Imm
MultiMon
StdActns
StrUtils
Dialogs
HelpIntfs
WideStrUtils
Dlgs
ExtCtrls
GraphUtil
StdCtrls
Printers
WinSpool
CommDlg
FlatSB
UntUDPFlood
UntSynFlood
UntScanPorts
UntSound
ACMConvertor
MSAcm
ACMIn
ListUnit
UntActivePorts
USock
UntRPCScan
UntInfections
untstartup
UntFireFox
SHFolder
UntFun
UntPasswordAndData
UntMClipboard
UntDesktopCapture
UntBot
UntMSN
MessengerAPI_TLB
StdVCL
OleServer
OleConst
UntMsConfig
UntWindowManager
UntRegEdit
UntNetShareLister
UntHTTPFlood
UntCPU
UntMiscFunc
UntIP
Sockets
uMir
uTrill
RASReader
UntRootKit
UntServerReader
uRes
UntAntiSB
Ring0 - the source of inspiration
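Added example, not part of EP_X0FF's post and not DarkComet's own code: the unit list above includes UntRC4, and the post shows the sample's configuration decrypted down to a C2 of 89.242.128.36:1337. The block below implements RC4 in Python, turns a hex-encoded RC4 blob back into text, and accepts only a result that parses as a well-formed IPv4:port pair, so that a wrong key is rejected instead of producing garbage. The key this sample used is not given on the page, so the key is a parameter here; DEMO_KEY and DEMO_BLOB are constructed for the demonstration, and rc4_self_test() checks the routine against the published "Key"/"Plaintext" test vector.

```python
import re
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA keystream XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_self_test() -> bool:
    """Published RC4 test vector: key 'Key', plaintext 'Plaintext' -> BBF316E8D940AF0AD3."""
    return rc4(b"Key", b"Plaintext").hex().upper() == "BBF316E8D940AF0AD3"


def decrypt_hex_field(hex_blob: str, key: str) -> str:
    """Decode a hex-encoded RC4 blob (upper- or lower-case hex) back into text."""
    return rc4(key.encode("latin-1"), bytes.fromhex(hex_blob.strip())).decode("latin-1")


def encrypt_to_hex(plaintext: str, key: str) -> str:
    """Inverse of decrypt_hex_field; used here only to build the constructed sample."""
    return rc4(key.encode("latin-1"), plaintext.encode("latin-1")).hex().upper()


_C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2(value: str) -> Optional[Tuple[str, int]]:
    """Accept only a well-formed IPv4:port pair; anything else (wrong key, junk) -> None."""
    m = _C2_RE.match(value.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if port > 65535 or any(int(octet) > 255 for octet in host.split(".")):
        return None
    return host, port


def recover_c2(hex_blob: str, candidate_keys: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Try each candidate key; return the first decryption that looks like host:port."""
    for key in candidate_keys:
        try:
            c2 = parse_c2(decrypt_hex_field(hex_blob, key))
        except ValueError:                    # bad hex or empty key
            continue
        if c2:
            return c2
    return None


# Constructed sample: the C2 reported in the post, encrypted under a made-up key.
# Neither the key nor the blob comes from the real sample.
DEMO_KEY = "EXAMPLE-KEY-NOT-REAL"
DEMO_BLOB = encrypt_to_hex("89.242.128.36:1337", DEMO_KEY)

if __name__ == "__main__":
    assert rc4_self_test()
    print(DEMO_BLOB)
    print(recover_c2(DEMO_BLOB, ["WRONG-KEY", DEMO_KEY]))
```

recover_c2 is deliberately strict about what counts as a hit: RC4 under a wrong key still returns bytes of the right length, so validating the decrypted shape is what separates a real key from a near miss when iterating over candidate keys.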

markusg

Re: Malware/MSIL-BA

Post by markusg » Tue Jan 18, 2011 8:36 pm


markusg

Re: Malware/Not classified

Post by markusg » Wed Mar 09, 2011 12:18 pm


EP_X0FF

Re: Malware/Not classified

Post by EP_X0FF » Wed Mar 09, 2011 1:19 pm

Password protected SFX archive with Backdoor:Win32/Fynloski.A inside.

http://www.virustotal.com/file-scan/rep ... 1299676442

Posts moved.

markusg

Re: trojan

Post by markusg » Tue Mar 29, 2011 7:40 pm


EP_X0FF

Re: trojan

Post by EP_X0FF » Wed Mar 30, 2011 5:46 am

Backdoor:Win32/Fynloski.A

Unpacked Delphi stub
https://www.virustotal.com/file-scan/re ... 1301463823

Posts moved.

markusg

Re: Malware/Not classified

Post by markusg » Mon Apr 04, 2011 2:47 pm


Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Malware/Not classified

Post by Xylitol » Mon Apr 04, 2011 4:54 pm

Keylogger/stealer/trojan
Real 'crack' dropped in %temp%, and the bound malicious exe is sent into %systemroot%\system32 with the name 'explorer.exe' and system/hidden attributes

attrib -s -h C:\WINDOWS\system32\explorer.exe

Keylogged data is stored in %Temp% in a file named 'dclogs.sys'


------------------------------------------
@ Caption : [Process Explorer]
@ at 18:46:19 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:46:22 the 04/04/2011

------------------------------------------

------------------------------------------
@ Clipboard Change : size = 0 Bytes
@ at 18:46:22 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [Poste de travail]
@ at 18:46:26 the 04/04/2011


------------------------------------------

------------------------------------------
@ Caption : [C:\WINDOWS\system32]
@ at 18:46:59 the 04/04/2011
.txt
------------------------------------------

------------------------------------------
@ Clipboard Change : size = 20 Bytes
@ at 18:46:59 the 04/04/2011
C:\WINDOWS\system32\
------------------------------------------

------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:48:08 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [Exécuter]
@ at 18:48:53 the 04/04/2011
%temp%

------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:49:07 the 04/04/2011
testtestesttesttesttesttest
------------------------------------------

------------------------------------------
@ Caption : [Exécuter]
@ at 18:49:10 the 04/04/2011
lol[<-][<-][<-]

------------------------------------------

------------------------------------------
@ Caption : [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp]
@ at 18:49:26 the 04/04/2011
*
------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:50:17 the 04/04/2011
.y[<-]txt
------------------------------------------

------------------------------------------
@ Caption : [Process Explorer - Sysinternals: www.sysinternals.com [XYLITOL-28E1A19\Administrateur]]
@ at 18:54:31 the 04/04/2011

------------------------------------------
Memory strings: http://pastebin.com/t3DccT3a
ThreatExpert: http://www.threatexpert.com/report.aspx ... 4b9325a28c
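Added example, not part of Xylitol's post: a parser for the dclogs.sys layout shown above, useful when triaging a victim machine. Each record sits between dashed separator lines and carries either a "@ Caption : [window title]" header (keystrokes typed into that window) or a "@ Clipboard Change : size = N Bytes" header, then an "@ at HH:MM:SS the DD/MM/YYYY" timestamp, then the captured text. The log writes backspaces as "[<-]", which is why the post shows ".y[<-]txt" for a user who typed ".txt"; the parser replays those markers to recover what was actually entered. SAMPLE_LOG is constructed in that layout for the demonstration and is not the real file.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

BACKSPACE = "[<-]"     # how the logger records a backspace keystroke

# Constructed sample in the dclogs.sys layout shown in the post; not the real file.
SAMPLE_LOG = r"""------------------------------------------
@ Caption : [Run]
@ at 18:48:53 the 04/04/2011
%temp%

------------------------------------------

------------------------------------------
@ Clipboard Change : size = 20 Bytes
@ at 18:46:59 the 04/04/2011
C:\WINDOWS\system32\
------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:50:17 the 04/04/2011
.y[<-]txt
------------------------------------------
"""

CAPTION_RE = re.compile(r"^@ Caption : \[(.*)\]\s*$")
CLIP_RE = re.compile(r"^@ Clipboard Change : size = (\d+) Bytes\s*$")
TIME_RE = re.compile(r"^@ at (\d\d:\d\d:\d\d) the (\d\d/\d\d/\d{4})\s*$")


@dataclass
class LogEntry:
    kind: str              # "caption" (keystrokes in a window) or "clipboard"
    title: str             # window caption; "" for clipboard events
    when: datetime
    raw: str               # body as logged, including [<-] markers
    text: str              # body with backspaces replayed
    clip_size: int = 0     # size reported on "Clipboard Change" records


def apply_backspaces(raw: str) -> str:
    """Replay [<-] markers so '.y[<-]txt' becomes '.txt'."""
    out: List[str] = []
    i = 0
    while i < len(raw):
        if raw.startswith(BACKSPACE, i):
            if out:
                out.pop()
            i += len(BACKSPACE)
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _is_separator(line: str) -> bool:
    s = line.strip()
    return bool(s) and set(s) == {"-"}


def _parse_record(lines: List[str]) -> Optional[LogEntry]:
    header = [l for l in lines if l.startswith("@ ")]
    body = [l for l in lines if not l.startswith("@ ")]
    if not header:
        return None        # blank gap between two separators
    kind, title, size, when = None, "", 0, None
    for h in header:
        if (m := CAPTION_RE.match(h)):
            kind, title = "caption", m.group(1)
        elif (m := CLIP_RE.match(h)):
            kind, size = "clipboard", int(m.group(1))
        elif (m := TIME_RE.match(h)):
            when = datetime.strptime(m.group(2) + " " + m.group(1), "%d/%m/%Y %H:%M:%S")
    if kind is None or when is None:
        return None        # malformed record: skip rather than guess
    raw = "\n".join(body).strip()
    return LogEntry(kind, title, when, raw, apply_backspaces(raw), size)


def parse_dclogs(text: str) -> List[LogEntry]:
    """Split the log on separator lines and parse each record in order."""
    entries: List[LogEntry] = []
    block: List[str] = []
    for line in text.splitlines():
        if _is_separator(line):
            entry = _parse_record(block)
            if entry:
                entries.append(entry)
            block = []
        else:
            block.append(line)
    entry = _parse_record(block)
    if entry:
        entries.append(entry)
    return entries


def keystrokes_by_window(entries: List[LogEntry]) -> Dict[str, str]:
    """Concatenate the reconstructed keystrokes per window caption, in log order."""
    typed: Dict[str, str] = {}
    for e in entries:
        if e.kind == "caption" and e.text:
            typed[e.title] = typed.get(e.title, "") + e.text
    return typed


if __name__ == "__main__":
    for e in parse_dclogs(SAMPLE_LOG):
        print(e.when.isoformat(), e.kind, e.title or e.clip_size, repr(e.text))
    print(keystrokes_by_window(parse_dclogs(SAMPLE_LOG)))
```

Both the raw and the replayed text are kept on each entry: the raw form is what you would quote as evidence, while the replayed form is what the user meant to type and is the one to grep for credentials or commands.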

markusg

Re: Malware/Not classified

Post by markusg » Sun Apr 10, 2011 10:57 am

