A forum for reverse engineering, OS internals and malware analysis 

Search found 43 matches


Re: WinNT/Vawtrak

 by comak ¦  Fri Jul 08, 2016 11:26 am ¦  Forum: Malware ¦  Topic: WinNT/Vawtrak ¦  Replies: 33 ¦  Views: 57638

So there is a new paper about Vawtrak: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak-v2-sahin-wyke.pdf?la=en Another question from me: Is Vawtrak the same as ursniff/isfb and gozi? If so then this is also relevant for here: https://github.com/gbrindisi/malware/tre...

Re: Bolik /bankbot,infector 32 and 64/

 by comak ¦  Thu Jun 09, 2016 2:27 pm ¦  Forum: Malware ¦  Topic: WinNT/Bolik ¦  Replies: 7 ¦  Views: 15326

tildedennis wrote: Comak (or anyone) know why the name "Bolek"?
I think because the guy who named it is lacking imagination... ;]
Bolek is a shorter form of the common name "Bolesław" in .pl.

btw, thanks for the cfgs, did you get them from the cnc, or rip them from memory?

Re: H1N1 loader (aka Win32/Zlader)

 by comak ¦  Tue Jun 07, 2016 2:00 pm ¦  Forum: Malware ¦  Topic: H1N1 loader (aka Win32/Zlader) ¦  Replies: 22 ¦  Views: 57979

xors wrote: https://malwr.com/analysis/ZTJlOWU4OGFk ... c4MDVhZmU/

from hxxp://orhislighmi.com
Code:
rc4key: xHjj488vs873hGGevvctRWTvc
urls	orhislighmi.com:80/h/gate.php,sofrofhatpa.ru:80/h/gate.php,wasshedtonhar.ru:80/h/gate.php

Re: Kronos

 by comak ¦  Thu May 12, 2016 6:11 pm ¦  Forum: Malware ¦  Topic: Kronos ¦  Replies: 24 ¦  Views: 52926

few more cncs:

Code:
http://johngotti-007.com:80/007/connect.php
http://johngotti.com.ng:80/007/connect.php
http://johngotti.org:80/007/connect.php
http://johngotti.co.za:80/007/connect.php
http://johngotti-007.co.za:80/007/connect.php
injects attached (from http://johngotti-007.com/007/connect.php)

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

 by comak ¦  Wed Dec 16, 2015 5:15 pm ¦  Forum: Malware ¦  Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader) ¦  Replies: 83 ¦  Views: 118414

This is a new one, with modification dates ending in 2015; it doesn't have recent changes though.

Re: Variant of Zbot

 by comak ¦  Thu Nov 26, 2015 11:14 am ¦  Forum: Malware ¦  Topic: Kronos ¦  Replies: 24 ¦  Views: 52926

This is Kronos,

Code:
http://bitcoind.su:80/krpanel/connect.php
http://bulletvpn.su:80/krpanel/connect.php
http://thereturn15.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
http://cyberhosting.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
cheers,
mak

Re: Win32/Spy.Shiz.NCP (Shifu)

 by comak ¦  Wed Sep 09, 2015 6:56 pm ¦  Forum: Malware ¦  Topic: Win32/Spy.Shiz.NCP (Shifu) ¦  Replies: 9 ¦  Views: 26790

it turns out extracting data from it is quite simple. In the attachment is some data I got from the above samples: there are 2 hardcoded cnc "cnc": "blatnoidomen.com", "cnc": "eboduftazce-ru.com", one seed for the dga "dga_seed": 976302970, and two different dga configurations: "dga_cfg": "B2luZm8AAAC75IWXxwy6uvPkhZ...

Re: Win32/Spy.Shiz.NCP (Shifu)

 by comak ¦  Tue Sep 08, 2015 10:13 am ¦  Forum: Malware ¦  Topic: Win32/Spy.Shiz.NCP (Shifu) ¦  Replies: 9 ¦  Views: 26790

i got a few more, Shifu:f52295ba37658b146bbb81fec021bbc3161f7b21ac5d43f36eb7c3c3bb89760d Shifu:48049807286f73648bfdfd9b97be1229c1966f47a2d4dc31adc03efef7591c6f Shifu:01c53e0d31c578393ba09add090fff2560c1f53a2a13fdbed8a66bd783a2ee70 Shifu:55a6ac329fca1bc63bbb1f9d90bf1e980b3b3ea2c28ab4e3bc73e2764440c79a ...

Re: WinNT/Cridex (alias Dridex, Drixed)

 by comak ¦  Wed Aug 26, 2015 3:35 pm ¦  Forum: Malware ¦  Topic: WinNT/Cridex (alias Dridex, Drixed) ¦  Replies: 149 ¦  Views: 244592

and cncs for completeness

Code:
    {
      "cnc": "91.239.232.9",
      "port": "8448"
    },
    {
      "cnc": "212.47.196.149",
      "port": "543"
    },
    {
      "cnc": "78.47.119.85",
      "port": "543"
    },
    {
      "cnc": "31.131.251.33",
      "port": "743"
    }
  ],

Re: ZeusVM (Zeus clone)

 by comak ¦  Wed Jul 15, 2015 2:27 pm ¦  Forum: Malware ¦  Topic: ZeusVM (Zeus clone) ¦  Replies: 59 ¦  Views: 90113

i believe you are right ;] { "binary": "54f5ffd397b156782a177dfe85c3c8ea", "family": "vmzeus2", "rc4sbox": "561f0493246b664cc022f9ed609fe5f673ce447800135215bade1435bc746340aef15db7691a09e4d50fc14e8562c34d8c8a024f7145bdfafba7b6e9965ee35541c73ee65cd16e7261d237e15319c4862d3f58a0c2b56a31c53df0bef2ad9805...