A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1448  by EP_X0FF
 Thu Jul 08, 2010 4:42 am
http://www.virustotal.com/analisis/2872 ... 1278563453
http://www.virustotal.com/analisis/51f0 ... 1278563448
http://www.virustotal.com/analisis/2f28 ... 1278563461

Some spyeyes :)

Opened for access SpyEyes drop servers. Grab the malware :D

cpucardioholder.com/warrior/bin/
peosoe.com/spa/mn/bin/

stuff in attach as malware.rar
 #1477  by PX5
 Mon Jul 12, 2010 3:32 pm
Parent Directory - nerukabbcompany.com/fgdhfgvcryegf/bin/

build.exe.crypted.exe    12-Jul-2010 10:17
build_cry.exe    08-Jul-2010 15:23
config.bin    12-Jul-2010 08:25
 #1746  by EP_X0FF
 Tue Aug 03, 2010 12:39 pm
Public directory, download what you want :)

hxxp://clickxfinder.com/warrior/bin/

VirusTotal
http://www.virustotal.com/analisis/9a0f ... 1280839060
http://www.virustotal.com/analisis/f070 ... 1280839066
http://www.virustotal.com/analisis/bf53 ... 1280839077
http://www.virustotal.com/analisis/db7d ... 1280839084

from sample version info
BitDefender Management Console
:D

all in attach
 #1775  by egomoo
 Thu Aug 05, 2010 2:11 am
It was identified by safe returner.
 #1851  by EP_X0FF
 Sun Aug 08, 2010 1:34 pm
Thanks for sharing. Attached is info (config file, screenshots, webinjects) from the recovered config.bin.
This seems to be SpyEye v1.2.4.

Btw, you can detect SpyEye with WinObjEx by the presence of the following mutex: __SPYNET_REPALREADYSENDED__. WinObjEx will also show you one of the processes where SpyEye code is injected.
 #1960  by cjbi
 Sat Aug 14, 2010 12:35 am
Screenshot of SpyEye 1.2.0 builder.
It supports changing EXE & mutex name.
Interesting!
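Added example, not part of any post in this thread: a Python version of the mutex check from post #1851, run over a text handle listing instead of WinObjEx, which also reports the holding process. The listing layout (a `name pid: N` header per process followed by `handle: Type name` lines, modelled on what Sysinternals `handle -a` prints), the function name `find_mutex_holders` and the sample listing are assumptions constructed for illustration; extra mutex names can be passed in because post #1960 notes that the builder can change the name.

```python
import re

# Default SpyEye mutex named in post #1851. Builds can carry a different
# name (post #1960), so callers may pass names recovered from a sample.
DEFAULT_MUTEXES = ("__SPYNET_REPALREADYSENDED__",)

# Assumed layout: "<image> pid: <n> ..." header, then "<hex>: <Type> <name>".
PROC_RE = re.compile(r"^(?P<image>\S.*?) pid: (?P<pid>\d+)\b")
HANDLE_RE = re.compile(r"^\s*(?P<h>[0-9A-Fa-f]+):\s+(?P<type>\S+)\s+(?P<name>\S.*)$")


def find_mutex_holders(listing, names=DEFAULT_MUTEXES):
    """Return sorted (pid, image, object_path) for processes holding a listed mutex."""
    wanted = {n.lower() for n in names}
    hits, current = set(), None
    for line in listing.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (int(m["pid"]), m["image"])
            continue
        m = HANDLE_RE.match(line)
        # Only mutex objects ("Mutant" in the object manager) are of interest.
        if not m or current is None or m["type"] != "Mutant":
            continue
        path = m["name"].strip()
        # Compare the final path component only: the object may live under
        # \BaseNamedObjects or \Sessions\<n>\BaseNamedObjects.
        if path.rsplit("\\", 1)[-1].lower() in wanted:
            hits.add((*current, path))
    return sorted(hits)


# Constructed sample listing (not captured from a real host).
SAMPLE = r"""
------------------------------------------------------------------------------
explorer.exe pid: 1480 LAB\user
   3C: Mutant        \Sessions\1\BaseNamedObjects\__SPYNET_REPALREADYSENDED__
   40: File          C:\Windows\__SPYNET_REPALREADYSENDED__.txt
------------------------------------------------------------------------------
notepad.exe pid: 2204 LAB\user
   1C: Mutant        \Sessions\1\BaseNamedObjects\MSCTF.Asm.MutexDefault1
   20: Event         \BaseNamedObjects\__SPYNET_REPALREADYSENDED__
"""

if __name__ == "__main__":
    for pid, image, path in find_mutex_holders(SAMPLE):
        print(f"{image} (pid {pid}) holds {path}")
```

A hit on the default name only covers builds that kept it; a clean result does not rule out a build with a renamed mutex.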
 #2223  by EP_X0FF
 Tue Aug 24, 2010 4:18 am
The author wants a VM-unfriendly cryptor with sources :) Here is a little discussion.