
Re: Trojan SpyEye (alias Pincav)

Posted: Thu Jul 08, 2010 4:42 am
by EP_X0FF
http://www.virustotal.com/analisis/2872 ... 1278563453
http://www.virustotal.com/analisis/51f0 ... 1278563448
http://www.virustotal.com/analisis/2f28 ... 1278563461

Some SpyEyes :)

SpyEye drop servers opened for access. Grab the malware :D

cpucardioholder.com/warrior/bin/
peosoe.com/spa/mn/bin/

Stuff in attach as malware.rar

Re: Trojan SpyEye (alias Pincav)

Posted: Mon Jul 12, 2010 3:32 pm
by PX5
Index of nerukabbcompany.com/fgdhfgvcryegf/bin/

build.exe.crypted.exe    12-Jul-2010 10:17

build_cry.exe            08-Jul-2010 15:23

config.bin               12-Jul-2010 08:25

Re: Trojan SpyEye (alias Pincav)

Posted: Mon Jul 12, 2010 4:00 pm
by EP_X0FF
Actually the same re-crypt of SpyEye v1.2.4.

Unprotected config.bin in attach.

http://www.virustotal.com/analisis/b8fd ... 1278949997

Re: Trojan SpyEye (alias Pincav)

Posted: Tue Aug 03, 2010 12:39 pm
by EP_X0FF
Public directory, download what you want :)

hxxp://clickxfinder.com/warrior/bin/

VirusTotal
http://www.virustotal.com/analisis/9a0f ... 1280839060
http://www.virustotal.com/analisis/f070 ... 1280839066
http://www.virustotal.com/analisis/bf53 ... 1280839077
http://www.virustotal.com/analisis/db7d ... 1280839084

from sample version info
BitDefender Management Console
:D

all in attach

Re: Trojan SpyEye (alias Pincav)

Posted: Thu Aug 05, 2010 2:11 am
by egomoo
It was identified by Safe Returner.

Re: Trojan SpyEye (alias Pincav)

Posted: Sun Aug 08, 2010 12:32 pm
by PX5

Re: Trojan SpyEye (alias Pincav)

Posted: Sun Aug 08, 2010 1:34 pm
by EP_X0FF
Thanks for sharing; attached is the info (config file, screenshots, webinjects) from the recovered config.bin.
This seems to be SpyEye v1.2.4.

Btw, you can detect SpyEye with WinObjEx by the presence of the following mutex: __SPYNET_REPALREADYSENDED__. WinObjEx will also show you one of the processes where SpyEye code is injected.
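
The mutex check described above, as an added PowerShell example that is not part of the post or of WinObjEx: it asks Windows whether the named mutex already exists and returns the result as an object a triage script can act on. The post does not say which object namespace the sample uses, so both the session-local name and the Global\ form are tried (an assumption), and the name is a parameter because the builder shown later in the thread allows the mutex name to be changed per build.

```powershell
# Added example (not from the forum post): look for the SpyEye infection-marker
# mutex on this host. Assumption: the namespace is unknown, so the bare name and
# the Global\ form are both tried.
function Test-SpyEyeMutex {
    param(
        [string]$MutexName = '__SPYNET_REPALREADYSENDED__'
    )

    $candidates = @($MutexName, "Global\$MutexName")
    $found = @()

    foreach ($name in $candidates) {
        try {
            # OpenExisting only succeeds when some process already created the
            # object; it never creates one, so the check has no side effects.
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $found += $name
        }
        catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present under this name: the expected result on a clean host.
        }
        catch [System.UnauthorizedAccessException] {
            # The object exists but this account cannot open it; that is still
            # evidence of presence, so record it with a marker.
            $found += "$name (access denied)"
        }
    }

    [pscustomobject]@{
        MutexName = $MutexName
        Present   = ($found.Count -gt 0)
        Matched   = $found
    }
}

# Run with the default name; pass -MutexName to check a renamed build.
Test-SpyEyeMutex
```

A hit only says the marker is present; as the post notes, WinObjEx (or a process-side handle search) is still needed to find which process the code was injected into.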

Re: Trojan SpyEye (alias Pincav)

Posted: Sat Aug 14, 2010 12:35 am
by cjbi
Screenshot of SpyEye 1.2.0 builder.
It supports changing the EXE & mutex name.
Interesting!

Re: Trojan SpyEye (alias Pincav)

Posted: Tue Aug 24, 2010 4:18 am
by EP_X0FF
The author wants some VM-unfriendly cryptor with sources :) Here is a little discussion.

Re: Trojan SpyEye (alias Pincav)

Posted: Sun Sep 05, 2010 11:02 am
by cjbi
Another public directory. Maybe same botmaster? :)

hxxp://carheavens.ru/warrior/bin/

Packer (or crypter or whatever) is changed?
Low detection on VirusTotal (5/43).

VirusTotal result
http://www.virustotal.com/file-scan/rep ... 1283683125