A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6882  by Xylitol
 Mon Jun 20, 2011 10:30 am
markusg wrote:info[1].exe
http://www.virustotal.com/file-scan/rep ... 1308559296
Hello, unpacked sample in attach.


20/41 >> 48.8%
http://www.virustotal.com/file-scan/rep ... 1308565159
 #9317  by EP_X0FF
 Thu Oct 20, 2011 2:53 pm
markusg wrote:explorer.exe
MD5   : 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/report.html?id=73f1f147380c03dad7fccfb5639e9d784d53f6a971821a772908d7aeb7f600f0-1319118846
Calls home hxxp://91.228.160.157/de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2

Replaces explorer.exe with malware copy.

Terminates Task Manager and Process Explorer.

Decrypted sample in attach.
W:\locker\locker\Release\locker.pdb
 #9747  by EP_X0FF
 Fri Nov 18, 2011 2:29 pm
Interesting. Internally this sample looks identical to those posted by markusg earlier.
y:\src\_cpp\bwin_nl\Release\bwin3.pdb
Take a look at the debug path string, bwin_nl.

Also the same call-home address hxxp://89.248.165.131

The only difference is in resources part. Different HTML and images.

Fully decrypted workable sample in attach.
 #9793  by S!Ri
 Mon Nov 21, 2011 8:37 am
Didn't see this Spanish version (or I missed it):
 #9833  by Xylitol
 Tue Nov 22, 2011 6:06 pm

Swiss version
It does a GET request and calls tools.ip2location.com as usual later.
Code:
GET /i.php?a=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible;)
Host: 89.248.165.131
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 22 Nov 2011 17:22:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The following URLs were found on the server:
Code:
http://89.248.165.131:80/cgi-bin/
http://89.248.165.131:80/icons/
http://89.248.165.131:80/webmail/
http://89.248.165.131:80/error/
http://89.248.165.131:80/manager/
http://89.248.165.131:80/disabled/
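As an added example, not part of any post in this thread: a Python sketch that runs the network indicators quoted above (the two call-home IPs, the gate.php?cmd=ul and i.php?a=2 URIs, the bare "Mozilla/4.0 (compatible;)" User-Agent, and the follow-up tools.ip2location.com request) over proxy-log lines. The log lines and their format (a simplified Squid-style access log) are constructed for the example and are assumptions; the indicators are as posted in the thread.

```python
"""
Detection sketch for the locker beacons described in this thread.
Indicators (C2 IPs, URIs, User-Agent, GeoIP follow-up) come from the posts
above; the log lines and the log format below are constructed for the
example and are not from the original thread.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the thread (written hxxp there; plain here).
C2_HOSTS = {"89.248.165.131", "91.228.160.157"}
BEACON_UA = "Mozilla/4.0 (compatible;)"
GEOIP_HOST = "tools.ip2location.com"
GATE_RE = re.compile(r"^/[^?]*gate\.php$")
CHECKIN_RE = re.compile(r"^/i\.php$")

# Constructed sample log (assumed format): ts client method url "user-agent" status
SAMPLE_LOG = """\
1321982543 10.0.0.5 GET http://89.248.165.131/i.php?a=2 "Mozilla/4.0 (compatible;)" 200
1321982544 10.0.0.5 GET http://tools.ip2location.com/ "Mozilla/4.0 (compatible;)" 200
1321982550 10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1)" 200
1321982601 10.0.0.9 GET http://91.228.160.157/de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2 "Mozilla/4.0 (compatible;)" 200
1321982602 10.0.0.9 GET http://tools.ip2location.com/ "Mozilla/4.0 (compatible;)" 200
1321982610 10.0.0.11 GET http://intranet.example.com/ "Mozilla/4.0 (compatible;)" 200
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua, status = m.groups()
    u = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method,
            "host": u.hostname, "path": u.path, "query": parse_qs(u.query),
            "ua": ua, "status": int(status)}


def score_request(rec):
    """Return the names of the thread's indicators that a single request matches."""
    hits = []
    if rec["host"] in C2_HOSTS:
        hits.append("known-c2-host")
    if (GATE_RE.match(rec["path"]) and rec["query"].get("cmd") == ["ul"]
            and "id" in rec["query"]):
        hits.append("gate-upload-uri")
    if CHECKIN_RE.match(rec["path"]) and rec["query"].get("a") == ["2"]:
        hits.append("checkin-uri")
    if rec["ua"] == BEACON_UA:
        hits.append("bare-mozilla4-ua")
    return hits


def find_beacons(log_text, geoip_window=60):
    """Flag requests matching two or more indicators; the bare User-Agent alone
    is too common to alert on. Also note when the same client reaches the GeoIP
    service within geoip_window seconds, the sequence observed in the thread."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    geoip_times = defaultdict(list)
    for r in records:
        if r["host"] == GEOIP_HOST:
            geoip_times[r["client"]].append(r["ts"])
    alerts = []
    for r in records:
        hits = score_request(r)
        if len(hits) < 2:
            continue
        if any(0 <= t - r["ts"] <= geoip_window for t in geoip_times[r["client"]]):
            hits.append("geoip-lookup-followed")
        alerts.append({"client": r["client"], "host": r["host"],
                       "path": r["path"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for a in find_beacons(SAMPLE_LOG):
        print(a["client"], a["host"] + a["path"], ", ".join(a["hits"]))
```

The single-indicator threshold matters: the "Mozilla/4.0 (compatible;)" User-Agent alone also comes from legitimate WinINet-based tools, so the intranet client in the sample log is not flagged, while both infected clients match the C2 host, the beacon URI and the User-Agent, and are then seen hitting the GeoIP service a second later.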