Trojan SpyEye (alias Pincav)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Thu Jul 08, 2010 4:42 am

http://www.virustotal.com/analisis/2872 ... 1278563453
http://www.virustotal.com/analisis/51f0 ... 1278563448
http://www.virustotal.com/analisis/2f28 ... 1278563461

Some spyeyes :)

SpyEye drop servers open for access. Grab the malware :D

cpucardioholder.com/warrior/bin/
peosoe.com/spa/mn/bin/

Stuff attached as malware.rar
Ring0 - the source of inspiration

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Trojan SpyEye (alias Pincav)

Post by PX5 » Mon Jul 12, 2010 3:32 pm

Directory listing of nerukabbcompany.com/fgdhfgvcryegf/bin/ (Parent Directory):

build.exe.crypted.exe   12-Jul-2010 10:17
build_cry.exe           08-Jul-2010 15:23
config.bin              12-Jul-2010 08:25
Arrogance led me to my Ignorance

EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Mon Jul 12, 2010 4:00 pm

Actually the same re-crypt of SpyEye v1.2.4.

Unprotected config.bin attached.

http://www.virustotal.com/analisis/b8fd ... 1278949997
Ring0 - the source of inspiration

EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Tue Aug 03, 2010 12:39 pm

Public directory, download what you want :)

hxxp://clickxfinder.com/warrior/bin/

VirusTotal
http://www.virustotal.com/analisis/9a0f ... 1280839060
http://www.virustotal.com/analisis/f070 ... 1280839066
http://www.virustotal.com/analisis/bf53 ... 1280839077
http://www.virustotal.com/analisis/db7d ... 1280839084

From the sample's version info:
BitDefender Management Console
:D

All attached.
Ring0 - the source of inspiration

egomoo
Posts: 19
Joined: Fri May 07, 2010 5:02 am
Location: Shaoxing,China

Re: Trojan SpyEye (alias Pincav)

Post by egomoo » Thu Aug 05, 2010 2:11 am

It was identified by Safe Returner.

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Trojan SpyEye (alias Pincav)

Post by PX5 » Sun Aug 08, 2010 12:32 pm

Arrogance led me to my Ignorance

EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Sun Aug 08, 2010 1:34 pm

Thanks for sharing; attached is the info (config file, screenshots, webinjects) from the recovered config.bin.
This seems to be SpyEye v1.2.4.

Btw, you can detect SpyEye with WinObjEx by the presence of the following mutex: __SPYNET_REPALREADYSENDED__. WinObjEx will also show you one of the processes where SpyEye code is injected.
Ring0 - the source of inspiration
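A scripted version of the mutex check EP_X0FF describes above, added here as an example; it is not code from the thread or from WinObjEx. It asks the OS whether a mutex with the name given in the post exists. The Global\ variant is an assumption, checked only in case the object was created in the global namespace rather than the session-local one; the mutex name itself is the one from the post. Since the builder can change the mutex name (see cjbi's 1.2.0 builder screenshot later in the thread), a miss does not clear the host, and the mutex alone does not tell you which process carries the injected code, so WinObjEx or a handle search is still needed for that.

```powershell
# Added example, not from the original thread.
# Indicator from the post: the SpyEye mutex __SPYNET_REPALREADYSENDED__.
# Assumptions: the sample kept the default mutex name, and the script runs
# in the same logon session as the infected process. The Global\ prefixed
# name is an assumption covering a globally created object.

$Names = @(
    '__SPYNET_REPALREADYSENDED__',
    'Global\__SPYNET_REPALREADYSENDED__'
)

function Test-NamedMutex {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # OpenExisting only succeeds if a mutex with this exact name exists.
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    }
    catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false   # no kernel object with that name
    }
    catch [System.UnauthorizedAccessException] {
        return $true    # object exists but its ACL denies us; still a hit
    }
}

$hits = $Names | Where-Object { Test-NamedMutex -Name $_ }

if ($hits) {
    Write-Warning "SpyEye indicator: mutex present -> $($hits -join ', ')"
    # The mutex does not identify the host process; use WinObjEx (or a
    # handle search in Process Explorer) to find which process holds it.
}
else {
    Write-Output 'Mutex not found (note: the builder can rename it, so this is not a clean bill of health).'
}
```

Run it from an elevated prompt in the user's session if you want the session-local name to resolve; a non-elevated run from a different session would see only the Global\ variant.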

cjbi
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am

Re: Trojan SpyEye (alias Pincav)

Post by cjbi » Sat Aug 14, 2010 12:35 am

Screenshot of SpyEye 1.2.0 builder.
It supports changing EXE & mutex name.
Interesting!
EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Tue Aug 24, 2010 4:18 am

The author wants some VM-unfriendly cryptor with sources :) Here is a little discussion (attached).
Ring0 - the source of inspiration

cjbi
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am

Re: Trojan SpyEye (alias Pincav)

Post by cjbi » Sun Sep 05, 2010 11:02 am

Another public directory. Maybe same botmaster? :)

hxxp://carheavens.ru/warrior/bin/

Packer (or crypter, or whatever) changed?
Low detection on VirusTotal (5/43).

VirusTotal result
http://www.virustotal.com/file-scan/rep ... 1283683125