A forum for reverse engineering, OS internals and malware analysis 

 #20918  by Userbased
 Mon Sep 23, 2013 1:02 am
Win32/Napolar http://www.microsoft.com/security/porta ... /Napolar.A
MD5: 60a8e935b5418a76593bb97120da1adc
https://www.virustotal.com/en/file/0c63 ... 379897504/

The bot has a site listing features and a panel file at solarbot.net
Dumped from an AutoIt packer (Thanks to Betamonkey for help unpacking).
 #20923  by Xylitol
 Mon Sep 23, 2013 6:54 am
hxxp://kasvatus.org/solar/index.php?login

http://kasvatus.org/serve/crysol.exe
http://kasvatus.org/serve/crypsoliar.exe
http://kasvatus.org/serve/crypsola.exe
 #20925  by Thanat0S
 Mon Sep 23, 2013 7:40 am
uCares wrote: Panel:
hxtp://canc3r1nf0rmat10n.pw/Panel/
not working, reupload panel src please, I want to analyze it

edit: you mean gate, not panel; well, I thought it was panel source code, anyways if anyone finds it, please post it
Last edited by Xylitol on Mon Sep 23, 2013 10:01 am, edited 1 time in total. Reason: link obfuscation
 #20932  by Xylitol
 Mon Sep 23, 2013 8:50 am
Thanat0S wrote: edit: you mean gate, not panel; well, I thought it was panel source code, anyways if anyone finds it, please post it
panel source can be downloaded from the solar website. (and the Tor site of solar seems offline)
and canc3r1nf0rmat10n.pw is online and working FYI.
 #20933  by domin
 Mon Sep 23, 2013 9:14 am
Straight from the website before it went down
 #20959  by TheExecuter
 Tue Sep 24, 2013 6:53 pm
Olly crashes on normal debugging. WinXP Olly terminates immediately even when I apply a system breakpoint O_O
Tried Immunity, it works.
Unpacking the first file: piece of cake.
Second file contains TLS code and no EP.
1st callback, 2nd callback obvious.
Last call RVA 0x109A (encoded beforehand, decoded in TLS callback code).
2 decryption routines.
Then final EP RVA 0xB0AA.
malwr.com analysis still pending after 24 hours. What the hell?
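A static triage check for the TLS-callback layout TheExecuter describes above (callbacks that run before a missing entry point), added here as an example that is not from the thread or from the samples: it walks the TLS data directory of a PE32 file and lists the callback RVAs, flagging images whose AddressOfEntryPoint is zero. The image it parses is constructed in `build_sample()` with made-up callback addresses, not the Napolar binary.

```python
import struct

def rva_to_off(sections, rva):
    """Map an RVA to a file offset; sections are (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def tls_callbacks(pe):
    """Return (AddressOfEntryPoint, [TLS callback RVAs]) for a PE32 image; PE32+ is not handled."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = (struct.unpack_from("<H", pe, nt + o)[0] for o in (6, 20))
    opt = nt + 24                                   # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is supported")
    ep, image_base, ndirs = (struct.unpack_from("<I", pe, opt + o)[0] for o in (16, 28, 92))
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 9 * 8)[0] if ndirs > 9 else 0  # DataDirectory[9]
    if tls_rva == 0:
        return ep, []
    # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks (+12) holds a VA, so subtract ImageBase before mapping
    cb_va = struct.unpack_from("<I", pe, rva_to_off(sections, tls_rva) + 12)[0]
    off, cbs = rva_to_off(sections, cb_va - image_base), []
    while struct.unpack_from("<I", pe, off)[0]:      # NULL-terminated array of callback VAs
        cbs.append(struct.unpack_from("<I", pe, off)[0] - image_base)
        off += 4
    return ep, cbs

def runs_before_entry(pe):
    """Triage flag: TLS callbacks exist and AddressOfEntryPoint is zero, so code runs before any EP break."""
    ep, cbs = tls_callbacks(pe)
    return bool(cbs) and ep == 0

def build_sample():
    """Constructed PE32 image (not a real sample): EP = 0, one .tls section, two callbacks."""
    img = bytearray(0x300)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H14xI8xI", img, opt, 0x10B, 0, 0x400000)   # Magic, AddressOfEntryPoint=0, ImageBase
    struct.pack_into("<I72xII", img, opt + 92, 16, 0x1000, 24)     # NumberOfRvaAndSizes, TLS directory entry
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".tls", 0x100, 0x1000, 0x100, 0x200)  # section header
    # IMAGE_TLS_DIRECTORY32 at RVA 0x1000, followed by the callback array at RVA 0x1018
    struct.pack_into("<9I", img, 0x200, 0, 0, 0x401010, 0x401018, 0, 0, 0x401100, 0x401200, 0)
    return bytes(img)
```

Run `tls_callbacks(open(path, "rb").read())` on a dumped PE32 to see which RVAs to break on before the (possibly absent) entry point; for a packer that decodes the callback target at runtime, as in the post above, only the static first-stage callbacks will be listed.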