Win32/Fynloski (DarkComet)

Win32/Fynloski (DarkComet)

Postby markusg » Thu Jan 06, 2011 10:46 am


Re: tr.Obfuscated

Postby EP_X0FF » Thu Jan 06, 2011 11:30 am

This is Backdoor Fynloski.

Keeps connection with 89.242.128.36:1337

Here it is, decrypted:

https://www.virustotal.com/file-scan/report.html?id=825c2ab5779c5a03e42d78e2aa7586ab06616ca5beaaa33ed3ea566c52b367ec-1294312860

I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!


Written in Delphi. Below is a detailed list of units used.

server
EditServer
UntMain
uFZ
ShlObj
UrlMon
ActiveX
Windows
Types
SysInit
System
Messages
WinInet
RegStr
ShellAPI
CommCtrl
UntServices
Registry
RTLConsts
IniFiles
Classes
SysConst
TypInfo
SysUtils
ImageHlp
Variants
VarUtils
WinSvc
UntShell
UntSendStream
MD5Api
MD5Core
UntControlKey
UntRC4
UntGFXResize
Graphics
Consts
UntWebCam
jpeg
JConsts
MMSystem
untFunctions
PsAPI
TlHelp32
UntProcess
UntResizePic
GDIPUTIL
GDIPOBJ
GDIPAPI
Math
DirectDraw
UntCore
UntFWB
untMainFunctions
untBypass
PELoad
ComObj
ComConst
UntSinInfo
Nb30
CryptApi
WinSock
UntIE7
Pstoreclib
PSTORECLib_TLB
UntKeylogger
UntFTP
Clipbrd
Forms
UxTheme
SyncObjs
DwmApi
Themes
Controls
ActnList
Menus
ImgList
Contnrs
Imm
MultiMon
StdActns
StrUtils
Dialogs
HelpIntfs
WideStrUtils
Dlgs
ExtCtrls
GraphUtil
StdCtrls
Printers
WinSpool
CommDlg
FlatSB
UntUDPFlood
UntSynFlood
UntScanPorts
UntSound
ACMConvertor
MSAcm
ACMIn
ListUnit
UntActivePorts
USock
UntRPCScan
UntInfections
untstartup
UntFireFox
SHFolder
UntFun
UntPasswordAndData
UntMClipboard
UntDesktopCapture
UntBot
UntMSN
MessengerAPI_TLB
StdVCL
OleServer
OleConst
UntMsConfig
UntWindowManager
UntRegEdit
UntNetShareLister
UntHTTPFlood
UntCPU
UntMiscFunc
UntIP
Sockets
uMir
uTrill
RASReader
UntRootKit
UntServerReader
uRes
UntAntiSB
Ring0 - the source of inspiration

Re: Malware/MSIL-BA

Postby markusg » Tue Jan 18, 2011 8:36 pm


Re: Malware/Not classified

Postby markusg » Wed Mar 09, 2011 12:18 pm


Re: Malware/Not classified

Postby EP_X0FF » Wed Mar 09, 2011 1:19 pm


Re: trojan

Postby markusg » Tue Mar 29, 2011 7:40 pm


Re: trojan

Postby EP_X0FF » Wed Mar 30, 2011 5:46 am


Re: Malware/Not classified

Postby markusg » Mon Apr 04, 2011 2:47 pm


Re: Malware/Not classified

Postby Xylitol » Mon Apr 04, 2011 4:54 pm

markusg wrote: http://www.virustotal.com/file-scan/report.html?id=52a41e0c978ae394cc9f4fe8ece1bd572c2fc7ea8d218ed94df9281812e6a9ea-1301928073


Keylogger/stealer/trojan
Real 'crack' dropped in \%temp%\ and the malicious exe bound to it is sent into \%systemroot%\system32 with the name 'explorer.exe' and system/hidden attributes
attrib -s -h C:\WINDOWS\system32\explorer.exe

Keylogged data is stored in a \%Temp%\ file named 'dclogs.sys'

------------------------------------------
@ Caption : [Process Explorer]
@ at 18:46:19 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:46:22 the 04/04/2011

------------------------------------------

------------------------------------------
@ Clipboard Change : size = 0 Bytes
@ at 18:46:22 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [Poste de travail]
@ at 18:46:26 the 04/04/2011


------------------------------------------

------------------------------------------
@ Caption : [C:\WINDOWS\system32]
@ at 18:46:59 the 04/04/2011
.txt
------------------------------------------

------------------------------------------
@ Clipboard Change : size = 20 Bytes
@ at 18:46:59 the 04/04/2011
C:\WINDOWS\system32\
------------------------------------------

------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:48:08 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [Exécuter]
@ at 18:48:53 the 04/04/2011
%temp%

------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:49:07 the 04/04/2011
testtestesttesttesttesttest
------------------------------------------

------------------------------------------
@ Caption : [Exécuter]
@ at 18:49:10 the 04/04/2011
lol[<-][<-][<-]

------------------------------------------

------------------------------------------
@ Caption : [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp]
@ at 18:49:26 the 04/04/2011
*
------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:50:17 the 04/04/2011
.y[<-]txt
------------------------------------------

------------------------------------------
@ Caption : [Process Explorer - Sysinternals: www.sysinternals.com [XYLITOL-28E1A19\Administrateur]]
@ at 18:54:31 the 04/04/2011

------------------------------------------


Memory strings: http://pastebin.com/t3DccT3a
ThreatExpert: http://www.threatexpert.com/report.aspx ... 4b9325a28c
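The dclogs.sys dump quoted in the post above has a regular block layout, so an analyst triaging a hit can parse it instead of reading it by hand. The following parser is an added example written for this thread; it is not code from the post, from the forum, or from the DarkComet/Fynloski binary itself. It assumes exactly the record layout shown above (a dashed separator, an '@ Caption : [...]' or '@ Clipboard Change : size = N Bytes' header, an '@ at HH:MM:SS the DD/MM/YYYY' line, then body lines up to the closing separator), assumes the date is day/month/year because the captured window titles are French-locale, and treats the '[<-]' token as a logged backspace so the text the victim actually ended up with can be reconstructed. The sample log embedded below is constructed in that format and is not a real capture.

```python
"""Parse DarkComet-style dclogs.sys keylog records (layout as quoted in the thread).

Added example for this thread; assumptions: separator-delimited records, the two
header kinds seen in the post, DD/MM/YYYY dates (French-locale victim), and
'[<-]' meaning one backspace.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample input in the logged format (not a real capture).
SAMPLE_LOG = r"""------------------------------------------
@ Caption : [Process Explorer]
@ at 18:46:19 the 04/04/2011

------------------------------------------

------------------------------------------
@ Clipboard Change : size = 20 Bytes
@ at 18:46:59 the 04/04/2011
C:\WINDOWS\system32\
------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:50:17 the 04/04/2011
.y[<-]txt
------------------------------------------
"""

SEPARATOR = "------------------------------------------"
HEADER_RE = re.compile(r"^@ (Caption|Clipboard Change) : (.*)$")
TIME_RE = re.compile(r"^@ at (\d{2}:\d{2}:\d{2}) the (\d{2}/\d{2}/\d{4})$")
BACKSPACE = "[<-]"  # assumption: the logger writes this token for a backspace key


@dataclass
class Record:
    kind: str                     # "Caption" (foreground window) or "Clipboard Change"
    subject: str                  # window title, or the clipboard size text
    timestamp: Optional[datetime] # parsed as day/month/year (assumption, see above)
    raw: str                      # keystroke/clipboard body exactly as logged
    typed: str                    # body after applying [<-] as backspaces


def apply_backspaces(raw: str) -> str:
    """Replay the logged keystrokes so '[<-]' deletes the previous character."""
    out: List[str] = []
    i = 0
    while i < len(raw):
        if raw.startswith(BACKSPACE, i):
            if out:
                out.pop()
            i += len(BACKSPACE)
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_dclogs(text: str) -> List[Record]:
    """Split the dump into records; separators open and close each record."""
    records: List[Record] = []
    in_record = False
    kind: Optional[str] = None
    subject = ""
    ts: Optional[datetime] = None
    body: List[str] = []
    for line in text.splitlines():
        if line == SEPARATOR:
            if in_record and kind is not None:      # closing separator: emit record
                raw = "\n".join(body).strip()
                records.append(Record(kind, subject, ts, raw, apply_backspaces(raw)))
            in_record = not in_record
            kind, subject, ts, body = None, "", None, []
            continue
        if not in_record:
            continue                                # blank lines between records
        m = HEADER_RE.match(line)
        if m and kind is None:
            kind, subject = m.group(1), m.group(2)
            if subject.startswith("[") and subject.endswith("]"):
                subject = subject[1:-1]             # keep nested brackets intact
            continue
        m = TIME_RE.match(line)
        if m and ts is None:
            ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d/%m/%Y %H:%M:%S")
            continue
        body.append(line)
    return records


def typed_by_window(records: List[Record]) -> List[Tuple[str, str]]:
    """(window title, reconstructed text) for every Caption record that captured keys."""
    return [(r.subject, r.typed) for r in records if r.kind == "Caption" and r.typed]


if __name__ == "__main__":
    for rec in parse_dclogs(SAMPLE_LOG):
        when = rec.timestamp.isoformat() if rec.timestamp else "?"
        print(f"{when} {rec.kind:16} {rec.subject!r} typed={rec.typed!r}")
```

Running it on a real dclogs.sys gives a timeline of window titles, clipboard contents and reconstructed input, which is what an incident responder needs to judge which credentials or documents were exposed between the drop time and discovery.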

Re: Malware/Not classified

Postby markusg » Sun Apr 10, 2011 10:57 am

