A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12367  by STRELiTZIA
 Tue Mar 27, 2012 1:15 pm
Corrupted sample?
Yes, it seems to be broken, this VB dropper...

After a little research on the forum, here is the link (same password to unzip the decoded attached config file).
9B24636E1BB55960CF9B8F04A905FE96

http://www.kernelmode.info/forum/viewto ... FE96#p6489

Regards.
 #12492  by STRELiTZIA
 Mon Apr 02, 2012 12:57 pm
Thanks for the sample:
Password to unzip the decoded attached config file: 3B298B4955465853185AA4CF0E8B2138

Collectors:
Gates:
 #12683  by EP_X0FF
 Fri Apr 13, 2012 1:38 pm
SpyEye

https://www.virustotal.com/file/c87139b ... /analysis/

Gate
hxxp://bys1nessbank1ng.info:8080/im3g9ios.php;150
Password for the decrypted config: 130CBE0950491F6148A65482B9B50CC4

Dropper + decrypted config attached.
 #12685  by EP_X0FF
 Fri Apr 13, 2012 1:47 pm
The bot itself will die only when interest in it dies :)
 #12687  by EP_X0FF
 Fri Apr 13, 2012 2:00 pm
SpyEye was much more widely spread on the black market than, for example, TDL. Many customers still have it and will keep using the last version as long as it produces profit.