A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18275  by Cassiel
 Wed Feb 20, 2013 2:15 pm
I have the file you wanted but no additional information about it.
If you find something, let us know.
 #18276  by TwinHeadedEagle
 Wed Feb 20, 2013 3:11 pm
OK, I cleaned the computer of the user who opened the thread about this malware.

The malware drops at the following location:

Code:
c:\progra~2\locals~1\temp\msoppo.exe

It creates the following registry key:

Code:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"0"="c:\progra~2\locals~1\temp\msoppo.exe"
Here is the VT report

https://www.virustotal.com/en/file/21b0 ... 361372494/

Attaching the sample.
 #18281  by Userbased
 Wed Feb 20, 2013 4:58 pm
msoppo.exe attempts to connect to the following domains:
Code:
xdqzpbcgrvkj.ru 
anam0rph.su 
orzdwjtvmein.in 
ygiudewsqhct.in 
bdcrqgonzmwuehky.nl 
somicrososoft.ru
The only one that currently resolves is somicrososoft.ru, where it connects to /in.php. It is a sample of Andromeda 2.06. A PCAP file is attached.
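Added example (editor's, not from any poster in this thread): a small Python check that takes the indicators quoted in the two posts above, the Policies\Explorer\Run autorun value and the six C&C domains, and runs them over a constructed .reg export and a few constructed DNS log lines. It generalizes the registry check slightly: any value under a Policies\Explorer\Run key whose target sits in a temp directory is flagged, not only the exact msoppo.exe path, because that key is a less-watched autostart location than ...\CurrentVersion\Run. The .reg text, the DNS lines, their log format and the 10.0.0.x addresses are all constructed for the example.

```python
import re

# Indicators quoted in the posts above; the .reg export and DNS log lines
# further down are constructed for this example, not data from the thread.
IOC_DOMAINS = {
    "xdqzpbcgrvkj.ru", "anam0rph.su", "orzdwjtvmein.in",
    "ygiudewsqhct.in", "bdcrqgonzmwuehky.nl", "somicrososoft.ru",
}
# Autorun key used by this sample. Matched as a suffix so that the HKLM,
# HKEY_LOCAL_MACHINE and HKCU spellings all hit.
POLICY_RUN_SUFFIX = r"\software\microsoft\windows\currentversion\policies\explorer\run"
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")  # an autorun target in a temp dir was never installed


def _unescape(s):
    # .reg exports write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse Windows .reg export text into {key: {value_name: data}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if name != "@":
                name = _unescape(name[1:-1])
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; other types are left raw
            reg[current][name] = data
    return reg


def policy_run_entries(reg):
    """Every value under any ...\\Policies\\Explorer\\Run key, as (key, name, data)."""
    return [(key, name, data)
            for key, values in reg.items()
            if key.lower().endswith(POLICY_RUN_SUFFIX)
            for name, data in values.items()]


def is_temp_autorun(data):
    """True when an autorun target lives in a temp directory (user-writable)."""
    return any(marker in data.lower() for marker in TEMP_MARKERS)


def ioc_dns_hits(lines):
    """(client, qname) for every query to one of the thread's C&C domains.
    Constructed log format: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in IOC_DOMAINS:
                hits.append((parts[1], qname))
    return hits


def scan(reg_text, dns_lines):
    """Run both checks and return a list of (kind, where, what) findings."""
    findings = []
    for key, name, data in policy_run_entries(parse_reg_export(reg_text)):
        if is_temp_autorun(data):
            findings.append(("autorun", key + "\\" + name, data))
    for client, qname in ioc_dns_hits(dns_lines):
        findings.append(("dns", client, qname))
    return findings


# Constructed sample input. The first key mirrors the value posted above
# (backslashes doubled because that is how .reg files store them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"0"="c:\\progra~2\\locals~1\\temp\\msoppo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
'''

SAMPLE_DNS = [
    "2013-02-20T14:58:01 10.0.0.15 query somicrososoft.ru.",
    "2013-02-20T14:58:02 10.0.0.15 query xdqzpbcgrvkj.ru.",
    "2013-02-20T14:58:05 10.0.0.22 query update.microsoft.com.",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_DNS):
        print(*finding)
```

On a live host the same logic applies to `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` output and to the resolver or proxy logs you actually have; only the `ioc_dns_hits` line format needs adjusting.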
 #18286  by aaSSfxxx
 Thu Feb 21, 2013 10:01 am
I think the pcap traffic is a little bit useless for Andromeda, since the bot traffic is encrypted (with the bot key).

The bot key is stored with the URL list, and I wrote some tools (in Python 2) which allow extracting the Andromeda config from an unpacked sample and querying the C&C to get the stuff dropped by Andromeda (attached).

I also attached an unpacked Andromeda sample for people who don't want to fight against XPXAXCXK.

Virustotal (unpacked): https://www.virustotal.com/fr/file/d37d ... /analysis/

Virustotal (msoppo.exe): https://www.virustotal.com/fr/file/21b0 ... /analysis/
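Added example (editor's, not aaSSfxxx's tool): why the pcap is unreadable without the bot key, and how a key pulled from an unpacked sample turns a captured POST body back into text. Public Andromeda analyses describe the C&C traffic as RC4 under the bot key, base64-encoded in the POST body, and that is the scheme used here; the key, the 'k:v|k:v' field layout and all values below are constructed for illustration and are not the real Andromeda 2.06 format, which the thread does not show. `recover_key` is the practical part: given bot keys from several unpacked builds, find which one decrypts a given body.

```python
import base64


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key, fields):
    """Bot side: 'k:v|k:v' text -> RC4 under the bot key -> base64 POST body."""
    plain = "|".join(f"{k}:{v}" for k, v in fields.items()).encode()
    return base64.b64encode(rc4(key, plain)).decode()


def decode_beacon(key, body):
    """Analyst side: undo the above. Returns None when the key is wrong.
    RC4 has no integrity check, so a wrong key shows up only as byte noise."""
    plain = rc4(key, base64.b64decode(body))
    if not all(0x20 <= b < 0x7F for b in plain):
        return None
    fields = {}
    for part in plain.decode("ascii").split("|"):
        k, _, v = part.partition(":")
        fields[k] = v
    return fields


def recover_key(candidates, body):
    """Try every bot key extracted from unpacked samples against one captured
    POST body; return (key, fields) for the first that yields a parseable beacon."""
    for key in candidates:
        fields = decode_beacon(key, body)
        if fields is not None and "id" in fields:
            return key, fields
    return None, None


# Constructed values: these keys and this field layout are illustrative only;
# the real Andromeda 2.06 key and message format are not shown in the thread.
BOT_KEY = b"7f3c9a1e0b2d4c6f"
OTHER_BUILD_KEY = b"0123456789abcdef"
FIELDS = {"id": "1234567", "bid": "1", "bv": "518", "sv": "1"}

if __name__ == "__main__":
    body = encode_beacon(BOT_KEY, FIELDS)
    print("on the wire:", body)
    print("with the wrong build's key:", decode_beacon(OTHER_BUILD_KEY, body))
    key, fields = recover_key([OTHER_BUILD_KEY, BOT_KEY], body)
    print("recovered with", key, "->", fields)
```

Because RC4 is a stream cipher with no authentication, "does it decrypt to printable key:value text" is the only signal that a candidate key is right; once you know the real field list for a given version, tighten that acceptance test to the expected field names rather than just `id`.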
 #18318  by grum
 Sat Feb 23, 2013 4:12 pm
:) Maybe someone can help me code a tool to brute-force the C&C server login and password very fast. I really tried with THydra, but it's bad and can't crack it.

I need a tool coded in PHP, ASM or Perl, maybe Python or Ruby. I hope you all can help!
 #18321  by Xylitol
 Sun Feb 24, 2013 9:13 am
grum wrote: :) Maybe someone can help me code a tool to brute-force the C&C server login and password very fast. I really tried with THydra, but it's bad and can't crack it.

I need a tool coded in PHP, ASM or Perl, maybe Python or Ruby. I hope you all can help!
Hydra can do it; you just don't know how to use it.
 #18461  by EP_X0FF
 Thu Mar 07, 2013 6:06 am
grum wrote: Can the latest THydra and brute-forcing help?
What kind of answer do you expect?

Yes, bruteforce can do it. No, we don't do it for you - do it yourself.