Win32/Dofoil

Forum for analysis and discussion about malware.
kalptarunet
Posts: 12
Joined: Sun Feb 27, 2011 2:25 pm

Sat Apr 21, 2012 1:00 pm

Hello,

I'm looking for a sample of

“Dofoil”, also known as “Bredo”/“Zurgop”,

AutoRun Value:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\dxdiag.exe

Sorry, I don't have any info or an MD5.

Thanks,
hx1997
Posts: 101
Joined: Sat Apr 07, 2012 12:16 am

Sat Apr 21, 2012 4:34 pm

kalptarunet wrote:Hello,

I'm looking for a sample of

“Dofoil”, also known as “Bredo”/“Zurgop”,

AutoRun Value:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\dxdiag.exe

Sorry, I don't have any info or an MD5.

Thanks,
Maybe this one?
C1E5DAE72A51A7B7219346C4A360D867 - Win32/TrojanDownloader.Zurgop.AB trojan

Password "infected"
dumb110
Posts: 111
Joined: Tue Jun 05, 2012 1:29 pm

Fri Jun 29, 2012 10:48 am

SHA256: 9b200cd9c38f78e589dbe259b34fbb3da0a292b1fa2710927823d7dc14800aee

Sample, please.
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Sat Jun 30, 2012 7:23 am

dumb110 wrote:SHA256: 9b200cd9c38f78e589dbe259b34fbb3da0a292b1fa2710927823d7dc14800aee

Sample, please.
MD5: c6b3a65256f0948d65ce38d6435a9db8
SHA1: 1654bed972c0b5d75f9431f5fe39a7a9cfc61133
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Jun 05, 2013 6:06 am

Dofoil is using a simplified version of the PowerLoader-style inject. Sample courtesy of noxnox. Dropper and payload attached.
Set breaks on NtCreateSection/SetWindowLongA to see more.

https://www.virustotal.com/en/file/83ed ... /analysis/
Ring0 - the source of inspiration
sugar
Posts: 12
Joined: Sat Jul 30, 2011 10:33 am

Wed Jun 05, 2013 8:00 am

For Zbot, fix ImageBase to 108B0000.
thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Sat Jun 21, 2014 8:37 pm

Win32/Dofoil.T

MD5 8176a3ec0aec664fb4170fdf9c9ee261
SHA1 034cee51257195b9b29e68d5ec714671de9ccc0d
SHA256 3d773d150fa014625c9c8718068d91b6a32b05431601754808e91ec1932512a8
https://www.virustotal.com/en/file/3d77 ... /analysis/

HKU\Owner\...\Policies\Explorer\Run: [Ukcmedia] => C:\Users\Owner\AppData\Roaming\udbsfdsv\sgfautuj.exe [128008 2010-11-21] ()
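As an added example (not code from any poster in this thread), here is a small Python triage helper for the two kinds of persistence artifact quoted above: the FRST-style autorun line in thisisu's post (a value under Policies\Explorer\Run pointing into AppData\Roaming, with no publisher info) and the bare Startup-folder path in kalptarunet's first post (a copy of dxdiag.exe outside the Windows directory). It parses the FRST line format, then flags the traits a defender would review: user-writable profile paths, the Startup folder, the rarely-legitimate Policies\Explorer\Run key, missing publisher info, and a Windows tool name living outside the Windows directory. The benign contrast entry, its vendor and date, and the short list of system binary names are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FRST-style autorun line, e.g.
#   HKU\Owner\...\Policies\Explorer\Run: [Ukcmedia] => C:\...\sgfautuj.exe [128008 2010-11-21] ()
# Fields: registry key, value name, image path, file size, file date, publisher/signer.
AUTORUN_RE = re.compile(
    r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] => (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$"
)


@dataclass
class AutorunEntry:
    key: str
    name: str
    path: str
    size: int
    date: str
    signer: str


# Path fragments that place a binary inside a user-writable profile location.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\application data\\",
    "\\local settings\\", "\\documents and settings\\", "\\users\\",
)
STARTUP_MARKER = "\\programs\\startup\\"
# Constructed, deliberately short list of Windows-shipped binaries that normally live
# under the Windows directory; a copy elsewhere is worth a second look.
SYSTEM_BINARY_NAMES = {"dxdiag.exe", "svchost.exe", "explorer.exe", "rundll32.exe"}


def classify_path(path: str) -> List[str]:
    """Return reason codes for a bare image path (works for Startup-folder items too)."""
    p = path.lower()
    reasons: List[str] = []
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("user-writable-profile-dir")
    if STARTUP_MARKER in p:
        reasons.append("startup-folder")
    basename = p.rsplit("\\", 1)[-1]
    if basename in SYSTEM_BINARY_NAMES and "\\windows\\" not in p:
        reasons.append("system-binary-name-outside-windows-dir")
    return reasons


def parse_autorun_line(line: str) -> Optional[AutorunEntry]:
    """Parse one FRST-style autorun line; return None if it does not match the format."""
    m = AUTORUN_RE.match(line.strip())
    if not m:
        return None
    return AutorunEntry(key=m["key"], name=m["name"], path=m["path"],
                        size=int(m["size"]), date=m["date"], signer=m["signer"])


def assess_entry(entry: AutorunEntry) -> List[str]:
    """Combine path-based reasons with key- and signer-based ones for a registry autorun."""
    reasons = classify_path(entry.path)
    if "policies\\explorer\\run" in entry.key.lower():
        reasons.append("policies-explorer-run-key")
    if not entry.signer.strip():
        reasons.append("no-publisher-info")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, path, reasons) for every parseable line that raises a flag."""
    hits = []
    for line in lines:
        entry = parse_autorun_line(line)
        if entry is None:
            continue
        reasons = assess_entry(entry)
        if reasons:
            hits.append((entry.name, entry.path, reasons))
    return hits


SAMPLE_LINES = [
    # Line quoted in thisisu's post above.
    r"HKU\Owner\...\Policies\Explorer\Run: [Ukcmedia] => C:\Users\Owner\AppData\Roaming\udbsfdsv\sgfautuj.exe [128008 2010-11-21] ()",
    # Constructed benign entry for contrast (vendor, path, size and date are made up).
    r"HKLM\...\Run: [ExampleUpdater] => C:\Program Files\ExampleVendor\updater.exe [204800 2013-05-01] (Example Vendor Ltd)",
]
# Startup-folder path from kalptarunet's first post.
STARTUP_PATH = r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\dxdiag.exe"

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f"[{name}] {path}: {', '.join(reasons)}")
    print(f"{STARTUP_PATH}: {', '.join(classify_path(STARTUP_PATH))}")
```

Only the Ukcmedia entry is reported from the registry lines; the constructed vendor entry raises no flag, which is the point of the contrast. The reason codes are meant to be fed into a review queue, not treated as a verdict on their own.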
Aleksandra
Posts: 79
Joined: Sun Jun 05, 2011 9:34 pm

Sun Feb 15, 2015 4:23 am
