A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8974  by EP_X0FF
 Wed Oct 05, 2011 5:06 pm
markusg wrote: http://www.virustotal.com/file-scan/report.html?id=d4b703bc3259272c11b3001ec56cd1a5f6c8534e60ad27695fe02d0949a56ae0-1317832653
Trojan downloader Phokace with AntiVM.

Payload hxxp://www.allezdax.com/images/m.exe (crypted and packed by MPRESS Worm:Win32/Phorpiex.B)

decrypted downloader, payload + decrypted in attach

Windows Live Messenger spam templates
ICQ Conversations - MiniUserProfileDlg Internet Explorer_Server %s %s
DEU AUT LUX LIE CHE
wie findest du das foto?
hab ich dir das foto schon gezeigt?
das foto solltest du wirklich sehen
schau mal das foto an
unglaublich welche fotos leute von sich machen
schau mal so will ich nicht aussehen wenn ich alt bin
schau mal welches foto ich gefunden hab
bist du das auf dem foto?
kennst du das foto schon?
FRA
je ne pense pas que je vais pouvoir dormir après avoir vu ces photos.
je n'arrive pas a croire que j'ai encore cette photo de toi depuis l'hiver dernier.
devrais-je mettre cette photo de profile?
c'est la photo la plus marrante!
dis moi ce que tu pense de cette photo de moi?
mes parents vont me tués si ils trouvent cette photo.
NLD BEL
ken je dat foto nog?
kijk wat voor een foto ik heb gevonden
zo iets leilijk heb ik nog nooit in mijn leven gezien
ik hoop dat jij het net bent op dit foto
ben jij dat op dit foto?
dit foto zal je echt eens bekijken!
ken je dit foto al?
ITA
ti piace la foto?
hai visto questa foto?
la foto e grandiosa!
ti ricordi la Foto?
dopo che hai visto la foto, tu non dormirai piu
conosci la persona in questa foto?
chi e in questa foto?
NOR se på dette bildet
DNK ser på dette billede
FIN katso tätä kuvaa
SWE titta på denna bild
tell me what you think of this picture i edited
this is the funniest photo ever!
tell me what you think of this photo
i don't think i will ever sleep again after seeing this photo
i cant believe i still have this picture
should i make this my default picture?
Posts moved.
 #9340  by markusg
 Fri Oct 21, 2011 10:36 am
http://www.shufflet.com//images/images.php?image=IMG0485497269.JPG

http://www.shufflet.com//images/ok.exe
IMG04854912.JPG.scr
MD5   : 818f265ef1991e4245083f5d1805f269
https://www.virustotal.com/file-scan/re ... 1319192552
ok.exe
MD5   : f9987d42b5e18ab1d4c8418949f9e837
https://www.virustotal.com/file-scan/re ... 1319192377
 #17842  by Waves97
 Thu Jan 24, 2013 6:08 pm
Next Zbot - I think.
 #17845  by EP_X0FF
 Fri Jan 25, 2013 4:09 am
Waves97 wrote: Next Zbot - I think.
Phorpiex.B which downloads Phorpiex.P (hxxp://www.nuvocuisine.com/images.php?image=IMG0540255.JPG) which downloads Phorpiex.M (hxxp://nuvocuisine.com/nnn.exe)

Missing bots in attach, posts moved.
 #18484  by EP_X0FF
 Mon Mar 11, 2013 6:49 am
Phorpiex delivered in spam. As usual, contains trivial Sandboxie and VM detections. USB autorunner.

UPX -> AutoIt Injector -> Bot (C:\Users\s\Desktop\Home\Code\B\Release\Trik.pdb)

https://www.virustotal.com/ru/file/edb1 ... /analysis/
https://www.virustotal.com/ru/file/2345 ... /analysis/

phorpiex.su
x1x4x0.su

Source hxxp://simplywtctickets.com/images.php
HTTP/1.1 200 OK
Date: Mon, 11 Mar 2013 10:49:16 GMT
Server: Apache
Content-disposition: attachment; filename=IMG0540230-JPG.scr
Connection: close
Transfer-Encoding: chunked
Content-Type: application/octet-stream
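The response above is the tell of this delivery chain: an image-looking URL (images.php?image=IMG....JPG) answered with application/octet-stream and a Content-disposition naming a .scr with a "-JPG" double extension. The following Python is an added example, not code from the thread or from any of the posters, that parses such a raw response and returns the reasons it looks like a disguised executable; the captured headers are embedded as sample input, and the benign response and the example.test URL are constructed.

```python
import re
from typing import Dict, List

# Captured response from the thread above (served by images.php), embedded as sample
# input; the benign response below is constructed as a control.
PHORPIEX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 11 Mar 2013 10:49:16 GMT\r\n"
    "Server: Apache\r\n"
    "Content-disposition: attachment; filename=IMG0540230-JPG.scr\r\n"
    "Connection: close\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: application/octet-stream\r\n\r\n"
)
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: image/jpeg\r\n\r\n"

EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)
IMAGE_EXT = re.compile(r"\b(jpe?g|png|gif|bmp)\b", re.IGNORECASE)

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a case-folded dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def attachment_name(headers: Dict[str, str]) -> str:
    """Filename from Content-Disposition, or '' when the header is absent."""
    m = re.search(r"filename=([^;]+)", headers.get("content-disposition", ""))
    return m.group(1).strip().strip('"') if m else ""

def flag_disguised_executable(request_url: str, raw_response: str) -> List[str]:
    """Return the reasons an exchange looks like an image URL delivering an executable."""
    headers = parse_headers(raw_response)
    name = attachment_name(headers)
    image_url = bool(IMAGE_EXT.search(request_url))
    reasons: List[str] = []
    if EXEC_EXT.search(name):
        reasons.append(f"attachment has executable extension: {name}")
        if IMAGE_EXT.search(name):
            reasons.append("attachment name embeds an image extension (double extension)")
        if image_url:
            reasons.append("request URL names an image but the response is an executable")
    if image_url and headers.get("content-type", "").lower() == "application/octet-stream":
        reasons.append("application/octet-stream served for an image-looking URL")
    return reasons
```

Run against proxy logs, the same check catches the ?image=IMG....JPG requests in the other posts of this thread, since the executable is flagged from the response headers alone, before any body is inspected.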
 #18492  by rinn
 Mon Mar 11, 2013 12:47 pm
Hi.

From the above VT https://www.virustotal.com/ru/file/2345 ... /analysis/
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2013:03:10 21:02:35+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 23040
LinkerVersion............: 9.0
EntryPoint...............: 0x6696
InitializedDataSize......: 10752
SubsystemVersion.........: 5.0
ImageVersion.............: 0.0
OSVersion................: 5.0
UninitializedDataSize....: 0

facepalm ;)

Best Regards,
-rin