Trojan SpyEye (alias Pincav)

Forum for analysis and discussion about malware.
STRELiTZIA
Posts: 103
Joined: Sun Mar 14, 2010 7:02 am

Re: Trojan SpyEye (alias Pincav)

Post by STRELiTZIA » Tue Mar 27, 2012 1:15 pm

Corrupted sample?
Yes, this VB dropper seems to be broken...

After a little research on the forum, here is the link (same password to unzip the decoded attached config file).
9B24636E1BB55960CF9B8F04A905FE96

http://www.kernelmode.info/forum/viewto ... FE96#p6489

Regards.

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by rkhunter » Mon Apr 02, 2012 6:29 am

Seems SpyEye, under VBInject

MD5: D1A86696778AC1AEE4DE62DFBC30D8CE
https://www.virustotal.com/file/3410319 ... /analysis/

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Mon Apr 02, 2012 7:15 am

This is recrypted SpyEye, mentioned here http://www.kernelmode.info/forum/viewto ... 178#p12178
Ring0 - the source of inspiration

miae
Posts: 1
Joined: Mon Apr 02, 2012 11:07 am

Re: Trojan SpyEye (alias Pincav)

Post by miae » Mon Apr 02, 2012 11:39 am

Seems SpyEye

installs to [NTFS]\[root]\g4fweq23.Bi\40842F38B7A.exe

MD5: 7e566b480517cac170e1002fa7414a41
http://www.threatexpert.com/report.aspx ... 2fa7414a41
or
http://malwr.com/analysis/7e566b480517c ... fa7414a41/

virus
40842F38B7A.rar
config
A8CB55AE2B68EDD.rar

STRELiTZIA
Posts: 103
Joined: Sun Mar 14, 2010 7:02 am

Re: Trojan SpyEye (alias Pincav)

Post by STRELiTZIA » Mon Apr 02, 2012 12:57 pm

Thanks for the sample:
Password to unzip decoded attached config file: 3B298B4955465853185AA4CF0E8B2138

Collectors:
31.184.242.140:41254
31.184.242.41:41254
31.184.242.43:41254
31.184.242.139:41254
Gates:
hxxp://31.184.242.140/gate/gate.php;90
hxxp://31.184.242.139/gate/gate.php;90
hxxp://31.184.242.41/gate/gate.php;90
hxxp://31.184.242.43/gate/gate.php;90
hxxp://fredxs12312.co.cc/uugt/gate.php;90
hxxp://fredxs12323.co.cc/uugt/gate.php;90
hxxp://fredxs12334.co.cc/uugt/gate.php;90
hxxp://fredxs12345.co.cc/uugt/gate.php;90
hxxp://fredxs12357.co.cc/uugt/gate.php;90
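The collector and gate lists pulled from the decoded config above are the kind of network indicators a defender wants to check against egress logs. The following Python is an added example, not code from the thread or from any of the posters: it parses the list exactly as posted (refanging the "hxxp://" scheme, and leaving the trailing ";90" field uninterpreted since the thread does not explain it), then runs the indicators over a few constructed proxy/firewall log lines. The log line format (timestamp, source, destination host, destination port, URL or "-") and the log lines themselves are assumptions made for the example; a path-only match on /gate/gate.php is reported separately because that path alone is a weak indicator.

```python
import re
from urllib.parse import urlsplit

# Copy of the collector/gate lists as posted in the thread (defanged "hxxp" kept as-is).
THREAD_IOCS = """\
Collectors:
31.184.242.140:41254
31.184.242.41:41254
31.184.242.43:41254
31.184.242.139:41254
Gates:
hxxp://31.184.242.140/gate/gate.php;90
hxxp://31.184.242.139/gate/gate.php;90
hxxp://31.184.242.41/gate/gate.php;90
hxxp://31.184.242.43/gate/gate.php;90
hxxp://fredxs12312.co.cc/uugt/gate.php;90
hxxp://fredxs12323.co.cc/uugt/gate.php;90
hxxp://fredxs12334.co.cc/uugt/gate.php;90
hxxp://fredxs12345.co.cc/uugt/gate.php;90
hxxp://fredxs12357.co.cc/uugt/gate.php;90
"""

# Constructed log lines (assumed format): "<timestamp> <src ip> <dst host> <dst port> <url or ->".
SAMPLE_LOG = """\
2012-04-02T13:05:11Z 10.0.0.15 31.184.242.140 41254 -
2012-04-02T13:05:12Z 10.0.0.15 93.184.216.34 443 https://example.com/
2012-04-02T13:06:42Z 10.0.0.22 fredxs12345.co.cc 80 http://fredxs12345.co.cc/uugt/gate.php
2012-04-02T13:07:01Z 10.0.0.22 31.184.242.43 80 http://31.184.242.43/gate/gate.php
2012-04-02T13:08:30Z 10.0.0.31 203.0.113.9 80 http://203.0.113.9/gate/gate.php
"""


def parse_iocs(text):
    """Split the posted list into collector (ip, port) pairs, gate hosts and gate paths."""
    collectors = set()
    gate_hosts = set()
    gate_paths = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # "Collectors:" / "Gates:" section headers
            section = line[:-1].lower()
            continue
        if section == "collectors":
            host, _, port = line.rpartition(":")
            collectors.add((host, int(port)))
        elif section == "gates":
            url, _, _trailer = line.partition(";")   # ";90" is kept out; meaning not given in the thread
            url = re.sub(r"^hxxp", "http", url, flags=re.I)  # refang the defanged scheme
            parts = urlsplit(url)
            gate_hosts.add((parts.hostname or "").lower())
            gate_paths.add(parts.path)
    return collectors, gate_hosts, gate_paths


def scan_log(log_text, iocs):
    """Return (timestamp, src, reason, detail) for each log line that touches an indicator."""
    collectors, gate_hosts, gate_paths = iocs
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, url = line.split(maxsplit=4)
        if (dst, int(port)) in collectors:            # raw TCP to a collector ip:port
            hits.append((ts, src, "collector", f"{dst}:{port}"))
            continue
        if url == "-":
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in gate_hosts:                         # HTTP to a known gate host
            hits.append((ts, src, "gate-host", host))
        elif parts.path in gate_paths:                 # only the gate path matches: weak, review manually
            hits.append((ts, src, "gate-path-only", url))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(THREAD_IOCS)):
        print(hit)
```

The script prints four hits: one collector connection from 10.0.0.15, two gate-host requests from 10.0.0.22, and one path-only match from 10.0.0.31 that should be triaged rather than blocked on sight.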

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Fri Apr 13, 2012 1:38 pm

SpyEye

https://www.virustotal.com/file/c87139b ... /analysis/

Gate
hxxp://bys1nessbank1ng.info:8080/im3g9ios.php;150
Password for decrypted config: 130CBE0950491F6148A65482B9B50CC4

Dropper + decrypted config attached.
Ring0 - the source of inspiration

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by rkhunter » Fri Apr 13, 2012 1:45 pm

I thought that it died...

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Fri Apr 13, 2012 1:47 pm

The bot itself will die only when interest in it dies :)
Ring0 - the source of inspiration

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by rkhunter » Fri Apr 13, 2012 1:49 pm

Hm, is anyone interested in a bot of dead malware?

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Fri Apr 13, 2012 2:00 pm

SpyEye was much more widely spread on the black market than, for example, TDL. Many customers still have it and will use the last version as long as it produces profit.
Ring0 - the source of inspiration
