A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25505  by teddybear
 Wed Mar 25, 2015 5:24 pm
comak wrote:bizzanalytics[.]com <- now seems dead?
Yes, samples tries to contact address 94,102,50,60 on TCP 80 but that port is closed.
 #25506  by p4r4n0id
 Wed Mar 25, 2015 6:03 pm
Attached curved module from memory.

Uses mhook library for hooking: https://github.com/martona/mhook

InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
PR_Write
PR_Read
PR_Close
LoadLibraryA
LoadLibraryW

C2:
http://www.bizzanalytics.com
/info.php?key=hQEMAwWjOozTqt1iAQgAjYKm8wz7gq5
You do not have the required permissions to view the files attached to this post.
 #25507  by comak
 Wed Mar 25, 2015 6:16 pm
p4r4n0id » you can find clean module in my zip

im quite curious what are those registers string for... since they don't seems to be a meaningful part of binary...
 #25510  by EP_X0FF
 Thu Mar 26, 2015 7:11 am
comak wrote:im quite curious what are those registers string for... since they don't seems to be a meaningful part of binary...
They are part of mhook disassembler.
 #26196  by R136a1
 Sun Jun 28, 2015 3:43 pm
Hi folks,

fresh sample of Slave alias Win32/Spy.Bizzana.A attached.

What is today known as Slave is the evolution of what was first detected as VBKlip in 2013:
http://www.cert.pl/news/7662
https://devcentral.f5.com/articles/vbkl ... he-browser
You do not have the required permissions to view the files attached to this post.
 #26198  by comak
 Sun Jun 28, 2015 6:03 pm
R136a1 wrote: What is today known as Slave is the evolution of what was first detected as VBKlip in 2013:
http://www.cert.pl/news/7662
https://devcentral.f5.com/articles/vbkl ... he-browser
This sound quite bizarre to me, as far we know (cert.pl) the person who coded vklip is
uncapable of coding in c ;]

But if this is the case, huh someone has stepped up his game... will look into it
 #26199  by R136a1
 Sun Jun 28, 2015 7:31 pm
comak wrote:
R136a1 wrote: What is today known as Slave is the evolution of what was first detected as VBKlip in 2013:
http://www.cert.pl/news/7662
https://devcentral.f5.com/articles/vbkl ... he-browser
This sound quite bizarre to me, as far we know (cert.pl) the person who coded vklip is
uncapable of coding in c ;]

But if this is the case, huh someone has stepped up his game... will look into it
What you describe as VBKlip 2.0 or Banatrix in your Blog is coded in C:
http://www.cert.pl/news/8999/langswitch_lang/en
http://www.cert.pl/news/9565/langswitch_lang/en

And what is described in f5 article very much sounds like Banatrix:
https://devcentral.f5.com/articles/vbkl ... he-browser

And in f5 article you can see some similarities to Slave:
http://securityblog.s21sec.com/2015/03/ ... banks.html
https://devcentral.f5.com/articles/slav ... e-analysis
 #26200  by comak
 Sun Jun 28, 2015 9:03 pm
If i recall correctly banatrix is quite complex malware and has nothing to do with orginal vbklip which was pice of crap, but
im not the one who discovered/analyzed so i may be wrong, let me check tomorrow with my colleague.

As for the rest, i completely agree that wat f5 describes we know as slave
(which is quite funny name considering its named after path from 3rd party ssl lib used in chrome as well ;])

anyhow thanks for posting this article, this could give some interesting results.

cheers
mak