A forum for reverse engineering, OS internals and malware analysis 

 #19011  by Xylitol
 Fri Apr 19, 2013 12:24 pm
Nothing new in the VISA report, we already know all these files.
Infostealer.Somabix in attach, I've sent the sample to ESET for detection. I've read the Symantec review and it seems to be another already-seen piece targeting Retalix POS software.
https://www.virustotal.com/fr/file/320a ... 366373692/
edit: Now known by Microsoft as TrojanSpy:Win32/PointOfSale.A
 #19248  by bsteo
 Fri May 10, 2013 11:57 am
360Tencent wrote: http://blog.spiderlabs.com/2013/05/alin ... amily.html
Good read. Anyway, does somebody have the sample from this read? MD5 is c9e5752eea81f7d3521b1d2232afd3b8

Alina's panel is at: hxtp://208.98.63.228/wordpress/sam.php

208.98.63.228 ssh 22/tcp Secure Shell - RSA encrypted rsh
208.98.63.228 http 80/tcp www www-http World Wide Web HTTP
#208.98.63.228 www 80/tcp World Wide Web HTTP [TXL]
208.98.63.228 sunrpc 111/tcp rpcbind SUN Remote Procedure Call
208.98.63.228 unknown 3306/tcp unassigned
208.98.63.228 unknown 46228/tcp unassigned

SSH and MySQL open, time for a little brute? :)
Last edited by Xylitol on Fri May 10, 2013 1:46 pm, edited 1 time in total. Reason: http obfuscation
 #19251  by Xylitol
 Fri May 10, 2013 1:04 pm
exitthematrix wrote: Anyway, does somebody have the sample from this read? MD5 is c9e5752eea81f7d3521b1d2232afd3b8
Alina 3.5, maybe I will do a small response post for SpiderLabs about the C&C, but not today, I've already posted something.
Also about the panel of this one: wordpress/admin.php
 #19402  by Xylitol
 Fri May 24, 2013 4:28 pm
Wow, Josh Grunzweig has really done some heavy work.

List of hashes and the associated Alina versions:

In attach
https://www.virustotal.com/en/file/195d ... 369412682/
https://www.virustotal.com/en/file/442d ... 369412684/
https://www.virustotal.com/en/file/8782 ... 369412688/
https://www.virustotal.com/en/file/e4a4 ... 369412690/
 #19430  by Xylitol
 Mon May 27, 2013 1:09 am
Alina 5.6 in attach
https://www.virustotal.com/en/file/2cb5 ... 369616232/
Josh Grunzweig will be interested ;)
unpacked: https://www.virustotal.com/en/file/334c ... 369689145/
Compilation timestamp 2013-05-16 23:58:26
 #19556  by Xylitol
 Wed Jun 05, 2013 12:27 pm
 #20380  by Xylitol
 Sun Aug 04, 2013 10:58 pm
 #20475  by Xylitol
 Mon Aug 12, 2013 9:56 pm