A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #629  by EP_X0FF
 Sat Apr 10, 2010 3:45 pm
VirusTotal
http://www.virustotal.com/analisis/ffd0 ... 1270913371

Rootkit Unhooker v3.8 report
RkU Version: 3.8 (b020410.388.590), Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtClose, Type: Address change 0x805678DD-->F4B048A0 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057065D-->F4B04740 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Address change 0x80570D64-->F4B04550 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568D59-->F4B04650 [C:\WINDOWS\system32\drivers\win32x.sys]
==============================================
>Drivers
==============================================
0x81CB41E0 unknown_irp_handler 3616 bytes
0x81CBB440 unknown_irp_handler 3008 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\system32\dllcache\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\drivers\win32x.sys
!-->[Hidden] C:\WINDOWS\system32\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\win32x.exe
Hooks the IRP handlers of the ntfs.sys driver (IRP_MJ_CREATE, IRP_MJ_DIRECTORY_CONTROL) to hide its files and counteract removal.
SSDT hooking provides hiding/protection of the rootkit's registry keys.
You do not have the required permissions to view the files attached to this post.
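The report above is the kind of artifact an analyst triages by hand; the script below is an added example (not part of the post and not a Rootkit Unhooker tool) that parses the RkU 3.8 report format shown there and cross-references its sections: which module owns the SSDT hooks, whether that module is also in the hidden-files list, which of the hooked services are registry services (the basis for the "registry key hiding" conclusion), and how many unknown IRP handlers were found. The sample report string is constructed from the post's own lines; the `REGISTRY_SERVICES` set is an assumption of which Nt* services matter for registry hiding, not something the report itself states.

```python
import re
from collections import defaultdict

# Constructed sample input: a Rootkit Unhooker 3.8 report in the format of the
# one quoted in the post above (addresses and paths copied from that post).
SAMPLE_REPORT = r"""
RkU Version: 3.8 (b020410.388.590), Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtClose, Type: Address change 0x805678DD-->F4B048A0 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057065D-->F4B04740 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Address change 0x80570D64-->F4B04550 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568D59-->F4B04650 [C:\WINDOWS\system32\drivers\win32x.sys]
==============================================
>Drivers
==============================================
0x81CB41E0 unknown_irp_handler 3616 bytes
0x81CBB440 unknown_irp_handler 3008 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\system32\dllcache\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\drivers\win32x.sys
!-->[Hidden] C:\WINDOWS\system32\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\win32x.exe
"""

# One SSDT entry: "<image>--><service>, Type: <kind> <orig>--><new> [<module>]"
SSDT_RE = re.compile(
    r"^(?P<image>\S+?)-->(?P<function>\w+), Type: (?P<kind>.+?) "
    r"(?:0x)?(?P<original>[0-9A-Fa-f]{8})-->(?:0x)?(?P<hook>[0-9A-Fa-f]{8}) "
    r"\[(?P<module>[^\]]+)\]$"
)
DRIVER_RE = re.compile(r"^0x(?P<address>[0-9A-Fa-f]+)\s+(?P<name>\S+)\s+(?P<size>\d+) bytes$")
HIDDEN_RE = re.compile(r"^!-->\[Hidden\]\s+(?P<path>.+)$")

# Assumption: these are the native registry services whose hooking indicates
# registry key hiding/protection (the post names three of them).
REGISTRY_SERVICES = {
    "NtCreateKey", "NtOpenKey", "NtEnumerateKey", "NtQueryKey", "NtDeleteKey",
    "NtSetValueKey", "NtEnumerateValueKey", "NtQueryValueKey",
}


def parse_rku_report(text):
    """Split an RkU report into its SSDT, Drivers and Files sections."""
    report = {"ssdt": [], "drivers": [], "hidden_files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue                      # blank lines and separator rules
        if line.startswith(">"):
            section = line[1:].strip()    # ">SSDT State", ">Drivers", ">Files"
            continue
        if section == "SSDT State":
            m = SSDT_RE.match(line)
            if m:
                report["ssdt"].append({
                    "image": m["image"], "function": m["function"], "kind": m["kind"],
                    "original": int(m["original"], 16), "hook": int(m["hook"], 16),
                    "module": m["module"],
                })
        elif section == "Drivers":
            m = DRIVER_RE.match(line)
            if m:
                report["drivers"].append({
                    "address": int(m["address"], 16), "name": m["name"], "size": int(m["size"]),
                })
        elif section == "Files":
            m = HIDDEN_RE.match(line)
            if m:
                report["hidden_files"].append(m["path"])
    return report


def triage(report):
    """Cross-reference the sections: who owns the hooks, is that module hidden,
    and which hooked services point at registry hiding."""
    hooks_by_module = defaultdict(list)
    for h in report["ssdt"]:
        hooks_by_module[h["module"]].append(h["function"])
    hidden_lower = {p.lower() for p in report["hidden_files"]}   # NTFS paths are case-insensitive
    hidden_hookers = sorted(m for m in hooks_by_module if m.lower() in hidden_lower)
    registry_hooks = sorted(h["function"] for h in report["ssdt"] if h["function"] in REGISTRY_SERVICES)
    unknown_irp = sum(1 for d in report["drivers"] if d["name"] == "unknown_irp_handler")
    return {
        "hooking_modules": {m: sorted(f) for m, f in hooks_by_module.items()},
        "hidden_hooking_modules": hidden_hookers,
        "registry_hooks": registry_hooks,
        "unknown_irp_handlers": unknown_irp,
    }


if __name__ == "__main__":
    for key, value in triage(parse_rku_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the sample, the triage reports a single hooking module, win32x.sys, which is itself in the hidden-files list, three registry services among its four hooks, and two unknown IRP handlers; that is the same chain of reasoning the post compresses into its last two lines.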
 #647  by NOP
 Sun Apr 11, 2010 11:23 am
Thanks. DLL and driver extracted from loader attached.
 #682  by NOP
 Tue Apr 13, 2010 10:35 am
Another sample, found on MDL.

Packed with UPX >> custom packer >> then UPX again.
f:\programs\revolution6\preloader\objfre_wxp_x86\i386\PreLoader.pdb
Once it's running as "reader_s.exe", it injects itself into svchost.exe.

3/40
http://www.virustotal.com/analisis/a9e1 ... 1271151062
 #5981  by Meriadoc
 Mon Apr 18, 2011 11:43 pm
Previous post deleted. (This is same sample)

Can't verify but I think this spammer is Cutwail.

http://www.threatexpert.com/report.aspx ... f0cb3b8488

VT - http://www.virustotal.com/file-scan/rep ... 1303157483
 #18794  by EP_X0FF
 Mon Apr 01, 2013 4:29 pm
Payload of BH EK with another epic static detection ratio.

Detection ratio: 1 / 46
TheHacker Posible_Worm32

SHA256: c1dc67d00f3f9d0b01a31ef96c2af34e164604ed0581f96cdb46bcb650070058
SHA1: ecfa21d813eaa667a449109562fa3752bb653684
MD5: 57b289be780c2af5ad8636d6297db351

https://www.virustotal.com/en/file/c1dc ... 364833014/
 #18826  by EP_X0FF
 Wed Apr 03, 2013 11:26 am
Payload of BH EK.

Detection ratio: 0 / 46

SHA256: 467871492f1de04872f46ef16e02d2188859333fc7a4d450509401a4591a47cd
SHA1: ae328356ece35bc778c262e64d387f704133ab87
MD5: e07308d37cbdb61f474bee7786231069

https://www.virustotal.com/en/file/4678 ... 364987871/

Deobfuscated:

Detection ratio: 26 / 43

https://www.virustotal.com/en/file/7d79 ... 364988218/
 #18969  by thisismalicious
 Tue Apr 16, 2013 7:59 pm
If anyone is interested, here are a handful of different Cutwail spam module binaries:

3855e6bb32a9c228171e8c780132b0c4
5e97fce3b1374f1c42ef7bbb78fd2d08
6223751a5807b155ddb62c08b9d573be
7179cfafbc0cba21e12478faa0a9e90e
743a281b6d5466637605097ed1aa158e

They are pulled down (encrypted) by the loader, and handle spamming, including fetching target email addresses and message templates (also encrypted). They use different C2s than the loader, and can be run without the loader or other modules.