A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3598  by xqrzd
 Fri Nov 19, 2010 5:01 pm
Here are a few I have, I've never tested them. Some of them are old, you can sort by date modified attribute to get the newer ones.
Edit: update.zip is from Jan 2010.
You do not have the required permissions to view the files attached to this post.
 #6792  by Meriadoc
 Mon Jun 13, 2011 2:44 pm
shaheen wrote: I need a sample of Gozi trojan, preferably latest variant.

 #12307  by rkhunter
 Sat Mar 24, 2012 6:51 am
Trojan, stealer of users' personal data. Spreads via BH EK.
Droppers in attach.
 #12438  by EP_X0FF
 Sat Mar 31, 2012 3:09 pm
Ursnif dropper (contains client parts for x86 and x64), payload dll and decrypted payload dll in attach. Uses splicing for self-injection.

Set hooks:


Malicious IP identified (BH EK host) (C&C)

Autoruns through HKLM\System\CurrentControlSet\Session Manager\AppCertDlls

Payload drops to systemroot\system32 directory

Sensitive strings dump
GDI32.dll SHELL32.dll CreateProcessAsUserA CreateProcessAsUserW ADVAPI32.DLL CreateProcessA CreateProcessW KERNEL32.DLL CryptGetUserKey .pfx p a s s w o r d Exported %u certs to file %s
No certs found in "%S".
Certs thread started.
My AddressBook AuthRoot CertificateAuthority Disallowed Root TrustedPeople TrustedPublisher Certs ended with status %u
financepfrro.com.tw masmitnd.com.tw wednesltr.com.tw s1 k1 k2 Version Data FILE /ping http://%s%s user_id=%.4u&version_id=%lu&socks=%lu&build=%lu&crc=%.8x Config from: %s
Config load status: %u
Config updated.
Config update failed.
cert /uda cook sys PR_Close PR_Write PR_Read NSPR4.DLL nspr4.dll %x
Content-Length: %u
Content-Type text/html javascript json Content-Length : chunked Transfer-Encoding ocsp Accept-Encoding: If-Modified-Since: If-None-Match: gz=1 * \ \ \ ? \ Local\ Makezip ended with status %u
%s%0.8X%0.8X.tmp File "%s" added to send list.
Add HANDLE To Send %0.8X
\*.* Host User-Agent HttpQueryInfoW HttpQueryInfoA InternetConnectW InternetConnectA LoadLibraryExW InternetQueryDataAvailable HttpSendRequestW HttpSendRequestA InternetReadFileExW InternetReadFileExA InternetReadFile WININET.DLL WININET.dll Software\Microsoft\Windows\CurrentVersion\Internet Settings User Agent gzip identity Accept-Encoding: identity
A c c e p t - E n c o d i n g : i d e n t i t y Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500 http:// https:// i m a g e / g i f screen %.4u %user_id% %u %version_id% NEWGRAB grabs SCREENSHOT PROCESS HIDDEN http %%param_%s%% URL: %s
user=%s&pass=%s auth /ufs POST URL: %s
form GetNativeSystemInfo OS: Microsoft Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 Windows Server 2003 R2, Windows Storage Server 2003 Windows Home Server Windows XP Professional x64 Edition Windows Server 2003, Windows XP Home Edition Professional Windows 2000 Datacenter Server Advanced Server Server (build: %d) 64-bit 32-bit Unknown
ARCH: x64 (AMD or Intel) Intel Itanium-based x86 32bit
USER: Admin User URL: %s
KEY: %s html %02u:%02u:%02u [PipesProcessCommand] SocksStart. Data: %s
[PipesProcessCommand] SocksStart. Data: NULL
[PipesProcessCommand] SocksStart Status = %u
[PipesProcessCommand] SocksStop. /fp %lu iexplore.exe firefox.exe chrome.exe opera.exe safari.exe explorer.exe ExitProcess --------------------------%04x%04x%04x Content-Type: multipart/form-data; boundary=%s Content-Disposition: form-data; name="upload_file"; filename="%s" Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" Content-Type: application/octet-stream --%s
%s %s & --%s = Content-Disposition: form-data; name="%s"
%s --%s-- FullURL "%s%s"
file ProcessQueue: Flag %u, Size %u
user_id=%.4u&version_id=%lu&%s=1 noname Sending %u bytes of file "%s" of type "%s" to URL: %s
Send file status: 0x%0.8X
Sending %u bytes of type "%s" to URL: %s
Send %s status: 0x%0.8X
ProcessQueue: Status %0.8X
GET Content-Type: application/x-www-form-urlencoded SOFTWARE\AppDataLow\ \Vars \\.\pipe\ \Microsoft\ S:(ML;;NW;;;LW) D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) \\.\%s %lu.exe Software\Microsoft\Windows\CurrentVersion\Run \ \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ c o o k i e s . s q l i t e c o o k i e s . s q l i t e - j o u r n a l \ M a c r o m e d i a \ F l a s h P l a y e r \ * . s o l * . t x t \ s o l s \ c o o k i e . i e \ c o o k i e . f f Cookies thread started.
Cookies ended with status %u
Received %s
EXE DL_EXE DL_EXE_ST CLEAR_COOK VER REBOOT KILL GET_CERTS GET_COOKIES SOCKS_START SOCKS_STOP GET_LOG log /ucommd ZwWow64ReadVirtualMemory64 ntdll.dll .dll IsWow64Process ZwWow64QueryInformationProcess64 LoadLibraryA Wow64ApcRoutine wow64 FreeLibrary open kernelbase ntdll kernel32 {%08x-%04x-%04x-%04x-%08x%04x}
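Added example, not code from the thread or from the malware: a small Python triage script over an excerpt of the strings dump above, pulling out what matters for detection first: the hooked WinINET/NSPR4/CreateProcess exports, the .com.tw C&C hosts and URL paths, the command verbs, the Run/AppCertDlls persistence keys, the SDDL on the named pipe, and the UTF-16 strings that the dump shows as spaced-out characters. The SAMPLE excerpt is constructed from lines of the dump posted above plus the AppCertDlls key written out with its full path under Control\Session Manager; the hook table, regexes and SDDL decoder are this editor's own.

```python
"""Triage a 'strings' dump from an Ursnif/Gozi payload into the indicators an analyst
wants first: hooked APIs, C2 hosts/paths, bot commands, persistence keys and the SDDL
on its named pipe. Added example; the regexes and tables are this editor's, not the
malware author's or the forum poster's."""
import re

# Constructed excerpt, condensed from the strings dump posted above. Wide (UTF-16)
# strings show up as single characters separated by blanks because the NUL bytes were
# rendered as spaces; real spaces inside them were collapsed away by the forum.
SAMPLE = r"""
ADVAPI32.DLL CreateProcessA CreateProcessW KERNEL32.DLL CryptGetUserKey .pfx p a s s w o r d Exported %u certs to file %s
financepfrro.com.tw masmitnd.com.tw wednesltr.com.tw s1 k1 k2 Version Data FILE /ping http://%s%s user_id=%.4u&version_id=%lu
cert /uda cook sys PR_Close PR_Write PR_Read NSPR4.DLL nspr4.dll %x
HttpQueryInfoW HttpQueryInfoA InternetConnectW InternetConnectA HttpSendRequestW HttpSendRequestA InternetReadFileExW InternetReadFileExA InternetReadFile WININET.DLL
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500 user=%s&pass=%s auth /ufs POST URL: %s
SOFTWARE\AppDataLow\ \Vars \\.\pipe\ \Microsoft\ S:(ML;;NW;;;LW) D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) \\.\%s %lu.exe Software\Microsoft\Windows\CurrentVersion\Run \ \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ c o o k i e s . s q l i t e Cookies thread started.
EXE DL_EXE DL_EXE_ST CLEAR_COOK VER REBOOT KILL GET_CERTS GET_COOKIES SOCKS_START SOCKS_STOP GET_LOG log /ucommd ZwWow64ReadVirtualMemory64 ntdll.dll
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
"""

# Exports the dump names next to the module that owns them: the classic browser
# hook points (WinINET for IE, NSPR4 for Firefox) and CreateProcess* for following
# child processes.
HOOK_TARGETS = {
    "WININET.DLL": {"HttpSendRequestA", "HttpSendRequestW", "InternetReadFile",
                    "InternetReadFileExA", "InternetReadFileExW", "HttpQueryInfoA",
                    "HttpQueryInfoW", "InternetConnectA", "InternetConnectW",
                    "InternetQueryDataAvailable"},
    "NSPR4.DLL": {"PR_Read", "PR_Write", "PR_Close"},
    "KERNEL32.DLL": {"CreateProcessA", "CreateProcessW"},
    "ADVAPI32.DLL": {"CreateProcessAsUserA", "CreateProcessAsUserW"},
}

WIDE_RE = re.compile(r"(?<!\S)(?:\S ){3,}\S(?!\S)")      # "p a s s w o r d"
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|tw)\b", re.I)
PATH_RE = re.compile(r"(?<!\S)/[a-z]+(?!\S)")            # /ping /uda /ufs /ucommd
CMD_RUN_RE = re.compile(r"(?<!\S)(?:[A-Z][A-Z_]{2,}\s+){4,}[A-Z][A-Z_]{2,}(?!\S)")
REG_RE = re.compile(r"(?:HKLM|HKEY_LOCAL_MACHINE|SOFTWARE|Software)\\[\w\\]+(?: \w[\w\\]*)?")
SDDL_RE = re.compile(r"\b[SD]:(?:\([^()]*\))+")

ACE_TYPE = {"A": "allow", "D": "deny", "ML": "mandatory label"}
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write", "NW": "no write-up"}
SIDS = {"BG": "Guests", "AN": "Anonymous", "AU": "Authenticated Users",
        "BA": "Administrators", "LW": "Low integrity", "WD": "Everyone"}


def decode_sddl(sddl: str) -> list:
    """Expand one S:/D: SDDL section into readable ACE lines."""
    section, _, aces = sddl.partition(":")
    label = "SACL" if section == "S" else "DACL"
    lines = []
    for ace in re.findall(r"\(([^()]*)\)", aces):
        ace_type, flags, rights, _obj, _inherit, sid = ace.split(";")
        pretty_rights = " ".join(RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                                 for i in range(0, len(rights), 2))
        line = f"{label}: {ACE_TYPE.get(ace_type, ace_type)} {pretty_rights} -> {SIDS.get(sid, sid)}"
        if flags:
            line += f" [{flags}]"
        lines.append(line)
    return lines


def triage(dump: str) -> dict:
    """Pull the IOC-grade strings out of a raw dump."""
    tokens = set(dump.split())
    hooked = {mod: sorted(tokens & names) for mod, names in HOOK_TARGETS.items()}
    reg_keys = REG_RE.findall(dump)
    # AppCertDlls DLLs get loaded into every process that calls CreateProcess*;
    # the Run key is the ordinary per-logon autostart.
    persistence = [k for k in reg_keys if "AppCertDlls" in k or k.endswith("\\Run")]
    commands = []
    for run in CMD_RUN_RE.findall(dump):        # a run of 5+ ALL_CAPS verbs
        commands.extend(run.split())
    return {
        "hooked_apis": {mod: names for mod, names in hooked.items() if names},
        "domains": sorted(set(DOMAIN_RE.findall(dump))),
        "c2_paths": PATH_RE.findall(dump),
        "commands": commands,
        "registry_keys": reg_keys,
        "persistence": persistence,
        "pipe_sddl": [decode_sddl(s) for s in SDDL_RE.findall(dump)],
        # adjacent wide strings may run together, the NUL boundaries are gone
        "wide_strings": [m.replace(" ", "") for m in WIDE_RE.findall(dump)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The SDDL on the pipe is the part worth reading: the DACL denies Guests and Anonymous and grants Authenticated Users and Administrators, while the "ML;;NW;;;LW" label sets the pipe to Low integrity, so code injected into a low-integrity (Protected Mode) IE process can still open it and talk to the main component; the NoProtectedModeBanner and Zones\3 2500 strings next to it (2500 is the Protected Mode switch for the Internet zone) point the same way.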
 #14644  by rkhunter
 Sat Jul 14, 2012 2:22 pm
Another Ursnif dropper with x32/x64 payload.

SHA1: 7bf57ccfde72a77d568e135c35ec7f41b68a0470
MD5: 79696dbcecbbaa9eda18e05805635fa5

Decrypted dropper with x32/x64 dlls in attach.

DLL registered via HKLM\System\CurrentControlSet\Session Manager\AppCertDlls

epic detection
dropper 16 / 42 https://www.virustotal.com/file/4f48554 ... /analysis/
decrypted 12 / 42 https://www.virustotal.com/file/3e4c5c9 ... /analysis/
x32 dll 5/42 https://www.virustotal.com/file/4df4099 ... 342278900/
x64 dll 1 / 42 https://www.virustotal.com/file/3f2bfd2 ... 342278955/