A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17251  by EP_X0FF
 Tue Dec 18, 2012 2:59 am
TeamRocketOps wrote: Same behavior:

Located in C:\Windows\<random>.exe
HKCU\..\Run for startup

Plays same mp3 as before

Very low detection:

VT: 1/45
https://www.virustotal.com/file/7af5919 ... /analysis/

MD5: 0fb86c45ce140545c025fc40dc9aca14
This is Trojan:Win32/Weelsof.C with bbac_x64.dll Trojan:Win64/Weelsof.A inside.
Code:
instance_mutex_name_seed    design_directory_name_seed  explorer.exe    locker_file_name        S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n   633718  718 PL  151 core_remote_entry
  core_remote_entry   b_x64
  code has been injected
 . e x e     S h e l l   S O F T W A R E \ M i c r o s o f t \ W i n d o w s   N T \ C u r r e n t V e r s i o n \ W i n l o g o n   e x p l o r e r . e x e     172.63.87.2 m a i n . h t m l   w a i t . h t m l   b g . w a v     c a m - p l a c e . b m p   abcdefghijklmnopqrstuvwxyz  a b c d e f g h i j k l m n o p q r s t u v w x y z     Global\ 79.76.71.166    UN  <!-- $_NOTICE_BLOCK_%d_START_$ -->  <!-- $_NOTICE_BLOCK_%d_END_$ -->    $_ERR_MSG_%d_START_$    $_ERR_MSG_%d_END_$  $_OK_MSG_%d_START_$ $_OK_MSG_%d_END_$   $_IP_ADDR_$ send_report_data(%s)
   /topic.php  ACCEPTED    load-my-info.info   vew8hezxc58hvd7d.info   /get_dsn.php    /get_coce.php   /get.php    t y p e =   p i n _ t y p e =   p i n =     gui_class_name_seed     M y   H o s t   N a m e     s u b m i t _ d a t a ?     config_file_lock_name_seed  config_file_name_seed   http_connect(%s, %d, %x, %s)
   GET POST    ERRO: HttpQueryInfo=%d
 ERRO: HttpQueryInfo
    ERRO: HttpSendRequest=%d
   Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)       IsWow64Process  k e r n e l 3 2 . d l l     I n s t a l l D a t e       S O F T W A R E \ M i c r o s o f t \ W i n d o w s   N T \ C u r r e n t V e r s i o n     D e v i c e   F i l t e r   S a m p l e   G r a b b e r     N u l l   R e n d e r e r 
dll
Code:
locker_file_name                S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n       . e x e         abcdefghijklmnopqrstuvwxyz      a b c d e f g h i j k l m n o p q r s t u v w x y z     Global\ UN      /topic.php      ACCEPTED        load-my-info.info       vew8hezxc58hvd7d.info   /get_dsn.php    /get_coce.php   /get.php        config_file_lock_name_seed      config_file_name_seed   GET POST        Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)       I n s t a l l D a t e           S O F T W A R E \ M i c r o s o f t \ W i n d o w s   N T \ C u r r e n t V e r s i o n
Does not work here. Empty page.

bbac "projects" mentioned here http://www.xylibox.com/2012/06/win32wee ... -zeus.html
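As an added defender-side example (not code from the post or from the sample's authors), here is a small Python triage helper for a strings dump in the layout quoted above, where UTF-16 strings come out with a space between every character: it re-joins those wide strings and flags the persistence and injection hints visible in this sample (the Run key, the Winlogon Shell value, explorer.exe plus the "code has been injected" string, the Global\ mutex prefix, the .php request paths). The dump it runs on is constructed to mirror that layout rather than copied from the post, and the indicator names are my own.

```python
import re

# Constructed sample (not the post's own output) in the layout of the quoted dump:
# fields are tab-separated, UTF-16LE strings appear with a space between every
# character, and a literal space inside such a string shows up as three spaces.
SAMPLE_DUMP = (
    "instance_mutex_name_seed\texplorer.exe\tlocker_file_name\t"
    "S o f t w a r e \\ M i c r o s o f t \\ W i n d o w s \\ C u r r e n t V e r s i o n \\ R u n\n"
    "core_remote_entry\tcode has been injected\n"
    ". e x e\tS h e l l\tS O F T W A R E \\ M i c r o s o f t \\ W i n d o w s   N T \\ "
    "C u r r e n t V e r s i o n \\ W i n l o g o n\te x p l o r e r . e x e\tGlobal\\\n"
    "/topic.php\t/get.php\tGET POST\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\n"
)

# A wide string as dumped: single non-space chars separated by one space,
# or by three spaces where the original string contained a space.
WIDE = re.compile(r"\S(?: \S|   \S)*")

# Indicator names are this example's own; patterns cover strings seen in the sample.
INDICATORS = {
    "run_key_persistence": re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I),
    "winlogon_shell_hijack_hint": re.compile(r"CurrentVersion\\Winlogon$|^Shell$", re.I),
    "explorer_injection_hint": re.compile(r"^explorer\.exe$|code has been injected", re.I),
    "global_mutex": re.compile(r"^Global\\"),
    "http_c2_paths": re.compile(r"^/\w+\.php$"),
}


def decode_field(field: str) -> str:
    """Re-join a spaced-out UTF-16 string; leave narrow strings untouched.
    (A narrow string made only of single letters, e.g. "a b", is ambiguous
    and is joined too; the dump format does not let us tell them apart.)"""
    field = field.strip()
    if len(field) > 1 and WIDE.fullmatch(field):
        return " ".join(word.replace(" ", "") for word in field.split("   "))
    return field


def extract_strings(dump: str) -> list:
    """Split each dump line on tabs or runs of 4+ spaces and normalise every field."""
    strings = []
    for line in dump.splitlines():
        for field in re.split(r"\t+| {4,}", line):
            decoded = decode_field(field)
            if decoded:
                strings.append(decoded)
    return strings


def triage(dump: str) -> dict:
    """Map each indicator that fired to the sorted set of strings that triggered it."""
    strings = extract_strings(dump)
    hits = {}
    for name, pattern in INDICATORS.items():
        matched = sorted({s for s in strings if pattern.search(s)})
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for name, matched in triage(SAMPLE_DUMP).items():
        print(f"{name}: {matched}")
```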