A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15548  by markusg
 Thu Sep 06, 2012 5:23 pm
you have only to klick your own posted vt link and read the comments....
trojan Cridex, payload of Blackhole exploit kit at hxxp://studiomonahan.net/main.php?page=2bfd5695763b6536
there is the download
 #16529  by kalptarunet
 Fri Nov 09, 2012 10:54 pm
Looks like its Cridex to me, not able to find any AV able to detect and clean it.SHA256:

https://www.virustotal.com/file/a0703de ... 19e2c1eb2b

SHA1: a135147a0b0ff097d3a11254a2e13be48de7c007
MD5: 532bdd2565cae7b84cb26e4cf02f42a0
File size: 91.5 KB ( 93696 bytes )
File name: readme.exe
You do not have the required permissions to view the files attached to this post.
 #17197  by unixfreaxjp
 Sat Dec 15, 2012 1:56 pm
Thank's @xylit0l for inviting me here, I am @unixfreaxjp of #malwareMustDie, and this is my first post:
SHA1 d4bfbbd375da0ac775812bed2459ff908e1fb9ba
MD5 b360fec7652688dc9215fd366530d40c
VT: https://www.virustotal.com/file/2226d1d ... /analysis/
Is Cridex Payload, dropped by BHEK2/PluginDetect 0.7.9
It dropped & run %AppData%KB00085031.exe (self-copied)
a Cridex Password Stealer Downloader.

Source: Spam
Redirector: //abyssinianflights.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
BHEK Landing Page: //eaglepointecondo.biz/detects/operation_alert_login.php"
Payload (THIS FILE): //eaglepointecondo.biz/detects/operation_alert_login.php?of=30:1n:1i:1i:33&ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p
BHEK2's SVR http conf: (59.57.247.185) // a usual one ver 2.01
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 15 Dec 2012 09:01:47 GMT
Content-Type: application/x-msdownload
Content-Length: 135168
Connection: close
X-Powered-By: PHP/5.3.14
Pragma: public
Expires: Sat, 15 Dec 2012 09:01:46 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: binary

Download Password stealer program:
SHA1 88bab6d7c0e98b1ee55110243251f562af399854
MD5 ce7474646297ed818bb8ed48f50c7e1e
Stamp: 2012/12/15 18:58
122,880 exp2.tmp.exe
VT: https://www.virustotal.com/file/7546e60 ... /analysis/
↑ all of the stealer activities I wrote in VT comment... ( I don't know how to write it like that here..a new comer.. sorry)

I played with this cridex & uploaded in youtube here: https://www.youtube.com/watch?v=ahvbFT0f0j0
I think I will post details about this in the malwaremustdie blog too.
Salute KernelMode.Info, great site! :P
 #17198  by EP_X0FF
 Sat Dec 15, 2012 3:20 pm
List of IP's from Cridex.
Code: Select all
hxxp://123.49.61.59:8080
hxxp://180.235.150.72:8080
hxxp://59.90.221.6:8080
hxxp://173.224.221.135:8080
hxxp://210.56.23.100:8080
hxxp://199.71.215.194:8080
hxxp://74.117.61.66:8080
hxxp://209.51.221.247:8080
hxxp://174.143.174.136:8080
hxxp://74.207.237.170:8080
hxxp://203.217.147.52:8080
hxxp://208.87.243.18:8080
hxxp://206.176.226.157:8080
hxxp://69.64.89.82:8080
hxxp://23.22.174.122:8080
hxxp://173.192.229.36:8080
hxxp://64.120.193.112:8080
hxxp://89.221.242.217:8080
unixfreaxjp wrote:Download Password stealer program:
SHA1 88bab6d7c0e98b1ee55110243251f562af399854
MD5 ce7474646297ed818bb8ed48f50c7e1e
Stamp: 2012/12/15 18:58
122,880 exp2.tmp.exe
VT: https://www.virustotal.com/file/7546e60 ... /analysis/
This is PWS:Win32/Fareit.

List of default passwords/logins for brute
Code: Select all
123456			
password			
phpbb			
qwerty			
12345			
jesus			
12345678			
1234			
abc123			
letmein			
test			
love			
password1			
hello			
monkey			
dragon			
trustno1			
111111			
iloveyou			
1234567			
shadow			
123456789			
christ			
sunshine			
master			
computer			
princess			
tigger			
football			
angel			
jesus1			
123123			
whatever			
freedom			
killer			
asdf			
soccer			
superman			
michael			
cheese			
internet			
joshua			
fuckyou			
blessed			
baseball			
starwars			
000000			
purple			
jordan			
faith			
summer			
ashley			
buster			
heaven			
pepper			
7777777			
hunter			
lovely			
andrew			
thomas			
angels			
charlie			
daniel			
1111			
jennifer			
single			
hannah			
qazwsx			
happy			
matrix			
pass			
aaaaaa			
654321			
amanda			
nothing			
ginger			
mother			
snoopy			
jessica			
welcome			
pokemon			
iloveyou1			
11111			
mustang			
helpme			
justin			
jasmine			
orange			
testing			
apple			
michelle			
peace			
secret			
grace			
william			
iloveyou2			
nicole			
666666			
muffin			
gateway			
fuckyou1			
asshole			
hahaha			
poop			
blessing			
blahblah			
myspace1			
matthew			
canada			
silver			
robert			
forever			
asdfgh			
rachel			
rainbow			
guitar			
peanut			
batman			
cookie			
bailey			
soccer1			
mickey			
biteme			
hello1			
eminem			
dakota			
samantha			
compaq			
diamond			
taylor			
forum			
john316			
richard			
blink182			
peaches			
cool			
flower			
scooter			
banana			
james			
asdfasdf			
victory			
london			
123qwe			
123321			
startrek			
george			
winner			
maggie			
trinity			
online			
123abc			
chicken			
junior			
chris			
passw0rd			
austin			
sparky			
admin			
merlin			
google			
friends			
hope			
shalom			
nintendo			
looking			
harley			
smokey			
7777			
joseph			
lucky			
digital			
thunder			
spirit			
bandit			
enter			
anthony			
corvette			
hockey			
power			
benjamin			
iloveyou!			
1q2w3e			
viper			
genesis			
knight			
qwerty1			
creative			
foobar			
adidas			
rotimi			
slayer			
wisdom			
praise			
zxcvbnm			
samuel			
mike			
dallas			
green			
testtest			
maverick			
onelove			
david			
mylove			
church			
friend			
destiny			
none			
microsoft			
222222			
bubbles			
11111111			
cocacola			
jordan23			
ilovegod			
football1			
loving			
nathan			
emmanuel			
scooby			
fuckoff			
sammy			
maxwell			
jason			
john			
1q2w3e4r			
baby			
red123			
blabla			
prince			
qwert			
chelsea			
55555			
angel1			
hardcore			
dexter			
saved			
112233			
hallo			
jasper			
danielle			
kitten			
cassie			
stella			
prayer			
hotdog			
windows			
mustdie			
gates			
billgates			
ghbdtn			
gfhjkm			
1234567890			
hgTYDOMium	
List of callbacks
Code: Select all
hxxp://132.248.49.112:8080/asp/intro.php			
hxxp://113.130.65.77:8080/asp/intro.php			
hxxp://203.113.98.131:8080/asp/intro.php			
hxxp://110.164.58.250:8080/asp/intro.php			
hxxp://200.108.18.158:8080/asp/intro.php			
hxxp://207.182.144.115:8080/asp/intro.php			
hxxp://148.208.216.70:8080/asp/intro.php			
hxxp://203.172.252.26:8080/asp/intro.php			
hxxp://202.6.120.103:8080/asp/intro.php			
hxxp://203.146.208.180:8080/asp/intro.php			
hxxp://207.126.57.208:8080/asp/intro.php			
hxxp://203.80.16.81:8080/asp/intro.php			
hxxp://202.180.221.186:8080/asp/intro.php
List of Affected Software configs/paths
Code: Select all
Software\Far\Plugins\FTP\Hosts			
Software\Far2\Plugins\FTP\Hosts			
Software\Far Manager\Plugins\FTP\Hosts			
Software\Far\SavedDialogHistory\FTPHost			
Software\Far2\SavedDialogHistory\FTPHost			
Software\Far Manager\SavedDialogHistory\FTPHost	
wcx_ftp.ini			
\GHISLER			
InstallDir			
FtpIniName			
Software\Ghisler\Windows Commander			
Software\Ghisler\Total Commander			
\Ipswitch			
Sites\			
\Ipswitch\WS_FTP			
\win.ini			
.ini			
WS_FTP			
DEFDIR			
CUTEFTP			
QCHistory			
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar			
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar			
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar			
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar			
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar			
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar			
\GlobalSCAPE\CuteFTP			
\GlobalSCAPE\CuteFTP Pro			
\GlobalSCAPE\CuteFTP Lite			
\CuteFTP			
\sm.dat			
Software\FlashFXP\3			
Software\FlashFXP			
Software\FlashFXP\4			
InstallerDathPath			
path			
Install Path			
DataFolder			
\Sites.dat			
\Quick.dat			
\History.dat			
\FlashFXP\3			
\FlashFXP\4			
\FileZilla			
\sitemanager.xml			
\recentservers.xml			
\filezilla.xml			
Software\FileZilla			
Software\FileZilla Client			
Install_Dir			
Host			
User			
Pass			
Port			
Remote Dir			
Server Type			
Server.Host			
Server.User			
Server.Pass			
Server.Port			
Path			
ServerType			
Last Server Host			
Last Server User			
Last Server Pass			
Last Server Port			
Last Server Path			
Last Server Type			
FTP Navigator			
FTP Commander			
ftplist.txt			
\BulletProof Software			
.dat			
.bps			
Software\BPFTP\Bullet Proof FTP\Main			
Software\BulletProof Software\BulletProof FTP Client\Main			
Software\BPFTP\Bullet Proof FTP\Options			
Software\BulletProof Software\BulletProof FTP Client\Options			
Software\BPFTP			
LastSessionFile			
SitesDir			
InstallDir1			
.xml			
\SmartFTP			
Favorites.dat			
History.dat			
addrbk.dat			
quick.dat			
\TurboFTP			
Software\TurboFTP			
installpath			
Software\Sota\FFFTP			
CredentialSalt			
CredentialCheck			
Software\Sota\FFFTP\Options			
Password			
UserName			
HostAdrs			
RemoteDir			
Port			
HostName			
Port			
Username			
Password			
HostDirName			
Software\CoffeeCup Software\Internet\Profiles			
Software\FTPWare\COREFTP\Sites			
Host			
User			
Port			
PthR			
profiles.xml			
\FTP Explorer			
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224			
Buttons			
Software\FTP Explorer\Profiles			
Password			
PasswordType			
Host			
Login			
Port			
InitialPath			
FtpSite.xml			
\Frigate3			
.ini			
\VanDyke\Config\Sessions			
\Sessions			
Software\VanDyke\SecureFX			
Config Path			
UltraFXP			
\sites.xml			
\FTPRush			
RushSite.xml			
Server			
Username			
Password			
FtpPort			
Software\Cryer\WebSitePublisher			
\BitKinex			
bitkinex.ds			
Hostname			
Username			
Password			
Port			
Software\ExpanDrive\Sessions			
\ExpanDrive			
\drives.js			
"password" : "			
Software\ExpanDrive			
ExpanDrive_Home			
Server			
UserName			
Password			
_Password			
Directory			
Software\NCH Software\ClassicFTP\FTPAccounts			
FtpServer			
FtpUserName			
FtpPassword			
_FtpPassword			
FtpDirectory			
SOFTWARE\NCH Software\Fling\Accounts			
Software\FTPClient\Sites			
Software\SoftX.org\FTPClient\Sites			
.oxc			
.oll			
ftplast.osd			
\GPSoftware\Directory Opus			
\SharedSettings.ccs			
\SharedSettings_1_0_5.ccs			
\SharedSettings.sqlite			
\SharedSettings_1_0_5.sqlite			
\CoffeeCup Software			
leapftp			
unleap.exe			
sites.dat			
sites.ini			
\LeapWare\LeapFTP			
SOFTWARE\LeapWare			
InstallPath			
DataDir			
Password			
HostName			
UserName			
RemoteDirectory			
PortNumber			
FSProtocol			
Software\Martin Prikryl			
\32BitFtp.ini			
NDSites.ini			
\NetDrive			
PassWord			
UserName			
RootDirectory			
Port			
Software\South River Technologies\WebDrive\Connections			
ServerType			
FTP CONTROL			
FTPCON			
.prf			
\Profiles			
ftp://			
opera			
wand.dat			
_Software\Opera Software			
Last Directory3			
Last Install Path			
Opera.HTML\shell\open\command			
wiseftpsrvs.bin			
\AceBIT			
Software\AceBIT			
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}			
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}			
wiseftpsrvs.ini			
wiseftp.ini			
FTPVoyager.ftp			
FTPVoyager.qc			
\RhinoSoft.com	
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins			
Firefox			
\Mozilla\Firefox\			
Software\Mozilla			
ftp://			
ftp.			
fireFTPsites.dat			
SeaMonkey			
\Mozilla\SeaMonkey\			
Flock			
\Flock\Browser\			
Mozilla			
\Mozilla\Profiles\			
Software\LeechFTP			
AppDir			
LocalDir			
bookmark.dat			
SiteInfo.QFP			
Odin			
Favorites.dat			
WinFTP			
sites.db			
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32			
servers.xml			
\FTPGetter			
ESTdb2.dat			
QData.dat			
\Estsoft\ALFTP			
Internet Explorer			
WininetCacheCredentials			
MS IE FTP Passwords			
DPAPI: 			
@J7<			
AJ7<			
BJ7<			
%02X			
Software\Microsoft\Internet Explorer\IntelliForms\Storage2			
Microsoft_WinInet_*			
ftp://			
Software\Adobe\Common			
SiteServers			
SiteServer %d\Host			
SiteServer %d\WebUrl			
SiteServer %d\Remote Directory			
SiteServer %d-User			
SiteServer %d-User PW			
%s\Keychain			
SiteServer %d\SFTP			
DeluxeFTP			
sites.xml			
Web Data			
Login Data			
SQLite format 3			
table			
CONSTRAINT			
PRIMARY			
UNIQUE			
CHECK			
FOREIGN			
logins			
origin_url			
password_value			
username_value			
ftp://			
\Google\Chrome			
\Chromium			
\ChromePlus			
Software\ChromePlus			
Install_Dir			
\Bromium			
\Nichrome			
\Comodo			
\RockMelt			
K-Meleon			
\K-Meleon			
\Profiles			
Epic			
\Epic\Epic			
Staff-FTP			
sites.ini			
\Sites			
\Visicom Media			
.ftp			
\Global Downloader			
SM.arch			
FreshFTP			
.SMF			
BlazeFtp			
site.dat			
LastPassword			
LastAddress			
LastUser			
LastPort			
Software\FlashPeak\BlazeFtp\Settings			
\BlazeFtp			
.fpl			
FTP++.Link\shell\open\command			
GoFTP			
Connections.txt			
3D-FTP			
sites.ini			
\3D-FTP			
\SiteDesigner			
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32			
EasyFTP			
\NetSarang			
.xfp			
.rdp			
TERMSRV/*			
password 51:b:			
username:s:			
full address:s:			
TERMSRV/			
FTP Now			
FTPNow			
sites.xml			
SOFTWARE\Robo-FTP 3.7\Scripts			
SOFTWARE\Robo-FTP 3.7\FTPServers			
FTP Count			
FTP File%d			
Password			
ServerName			
UserID			
InitialDirectory			
PortNumber			
ServerType			
2.5.29.37			
Software\LinasFTP\Site Manager			
Host			
User			
Pass			
Port			
Remote Dir			
\Cyberduck			
.duck			
user.config			
<setting name="			
value="			
Software\SimonTatham\PuTTY\Sessions			
HostName			
UserName			
Password			
PortNumber			
TerminalType			
NppFTP.xml			
\Notepad++			
Software\CoffeeCup Software			
FTP destination server			
FTP destination user			
FTP destination password			
FTP destination port			
FTP destination catalog			
FTP profiles			
FTPShell			
ftpshell.fsi			
Software\MAS-Soft\FTPInfo\Setup			
DataDir			
\FTPInfo			
ServerList.xml			
NexusFile			
ftpsite.ini			
FastStone Browser			
FTPList.db			
\MapleStudio\ChromePlus			
Software\Nico Mak Computing\WinZip\FTP			
Software\Nico Mak Computing\WinZip\mru\jobs			
Site			
UserID			
xflags			
Port			
Folder			
.wjf			
winex="			
\Yandex			
My FTP			
project.ini			
.xml			
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}			
NovaFTP.db			
\INSoftware\NovaFTP			
.oeaccount			
Salt			
<POP3_Password2			
<SMTP_Password2			
<IMAP_Password2			
<HTTPMail_Password2			
\Microsoft\Windows Live Mail			
Software\Microsoft\Windows Live Mail			
\Microsoft\Windows Mail			
Software\Microsoft\Windows Mail			
Software\RimArts\B2\Settings			
DataDir			
DataDirBak			
Mailbox.ini			
Software\Poco Systems Inc			
Path			
\PocoSystem.ini			
Program			
DataPath			
accounts.ini			
\Pocomail			
Software\IncrediMail			
EmailAddress			
Technology			
PopServer			
PopPort			
PopAccount			
PopPassword			
SmtpServer			
SmtpPort			
SmtpAccount			
SmtpPassword			
account.cfg			
account.cfn			
\BatMail			
\The Bat!			
Software\RIT\The Bat!			
Software\RIT\The Bat!\Users depot			
Working Directory			
ProgramDir			
Count			
Default			
Dir #%d			
SMTP Email Address			
SMTP Server			
POP3 Server			
POP3 User Name			
SMTP User Name			
NNTP Email Address			
NNTP User Name			
NNTP Server			
IMAP Server			
IMAP User Name			
Email			
HTTP User			
HTTP Server URL			
POP3 User			
IMAP User			
HTTPMail User Name			
HTTPMail Server			
SMTP User			
POP3 Port			
SMTP Port			
IMAP Port			
POP3 Password2			
IMAP Password2			
NNTP Password2			
HTTPMail Password2			
SMTP Password2			
POP3 Password			
IMAP Password			
NNTP Password			
HTTP Password			
SMTP Password			
Software\Microsoft\Internet Account Manager\Accounts			
Identities			
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts			
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings			
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			
Software\Microsoft\Internet Account Manager			
Outlook			
\Accounts			
identification			
identitymgr			
inetcomm server passwords			
outlook account manager passwords			
identities			
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}			
Thunderbird			
\Thunderbird			
FastTrack			
ftplist.txt					
Attached + decrypted cridex.
You do not have the required permissions to view the files attached to this post.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 15