Trojan SpyEye (alias Pincav)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Jul 08, 2010 4:42 am

http://www.virustotal.com/analisis/2872 ... 1278563453
http://www.virustotal.com/analisis/51f0 ... 1278563448
http://www.virustotal.com/analisis/2f28 ... 1278563461

Some spyeyes :)

SpyEye drop servers opened for access. Grab the malware :D

cpucardioholder.com/warrior/bin/
peosoe.com/spa/mn/bin/

stuff in attach as malware.rar
You do not have the required permissions to view the files attached to this post.
Ring0 - the source of inspiration
PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Mon Jul 12, 2010 3:32 pm

Parent Directory - nerukabbcompany.com/fgdhfgvcryegf/bin/

build.exe.crypted.exe    12-Jul-2010 10:17
build_cry.exe            08-Jul-2010 15:23
config.bin               12-Jul-2010 08:25
Arrogance led me to my Ignorance
EP_X0FF
Global Moderator

Mon Jul 12, 2010 4:00 pm

Actually the same re-crypt of SpyEye v1.2.4

un-protected config.bin in attach.

http://www.virustotal.com/analisis/b8fd ... 1278949997
EP_X0FF
Global Moderator

Tue Aug 03, 2010 12:39 pm

Public directory, download what you want :)

hxxp://clickxfinder.com/warrior/bin/

VirusTotal
http://www.virustotal.com/analisis/9a0f ... 1280839060
http://www.virustotal.com/analisis/f070 ... 1280839066
http://www.virustotal.com/analisis/bf53 ... 1280839077
http://www.virustotal.com/analisis/db7d ... 1280839084

From sample version info: BitDefender Management Console
:D

all in attach
egomoo
Posts: 19
Joined: Fri May 07, 2010 5:02 am
Location: Shaoxing,China

Thu Aug 05, 2010 2:11 am

It was identified by Safe Returner.
PX5

Sun Aug 08, 2010 12:32 pm

You do not have the required permissions to view the files attached to this post.
EP_X0FF
Global Moderator

Sun Aug 08, 2010 1:34 pm

Thanks for sharing. Attached info (config file, screenshots, webinjects) from the recovered config.bin.
Seems this is SpyEye v1.2.4.

Btw, you can detect SpyEye with WinObjEx by the presence of the following mutex: __SPYNET_REPALREADYSENDED__. WinObjEx will also show you one of the processes where SpyEye code is injected.
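The mutex check described in the post above can be automated over a handle dump instead of eyeballing WinObjEx. The following is an added example and not code from the thread or from any of the posters; it assumes a text listing in the format written by Sysinternals `handle.exe -a` (process header lines "<image> pid: <n> <user>" followed by indented "<id>: <type> <name>" lines). The sample listing inside the script is constructed for illustration; only the mutex name comes from the thread.

```python
"""Flag processes holding the SpyEye mutex in a handle.exe-style listing.

Added example, not from the original thread. Assumes the line format of
Sysinternals `handle.exe -a`; the SAMPLE text below is constructed.
"""
import re

# Indicator from the thread: mutex created by SpyEye v1.2.x samples.
SPYEYE_MUTEXES = {"__SPYNET_REPALREADYSENDED__"}

# "<image> pid: <n> <user>" introduces each process (assumed handle.exe format).
PROC_RE = re.compile(r"^(?P<image>\S+)\s+pid:\s+(?P<pid>\d+)")
# "   3C: Mutant        \Sessions\1\BaseNamedObjects\<name>" (assumed format).
HANDLE_RE = re.compile(r"^\s+[0-9A-Fa-f]+:\s+(?P<type>\w+)\s+(?P<name>.+?)\s*$")


def parse_handles(text):
    """Return {pid: {"image": str, "mutants": [mutex names]}} from a dump."""
    procs = {}
    current = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = int(m.group("pid"))
            procs[current] = {"image": m.group("image"), "mutants": []}
            continue
        h = HANDLE_RE.match(line)
        if h and current is not None and h.group("type") == "Mutant":
            procs[current]["mutants"].append(h.group("name"))
    return procs


def find_spyeye_hosts(text):
    """List (pid, image, mutex) for processes holding a known SpyEye mutex.

    Object names are usually session-prefixed (\\Sessions\\1\\BaseNamedObjects\\...),
    so only the final path component is compared.
    """
    hits = []
    for pid, info in parse_handles(text).items():
        for name in info["mutants"]:
            base = name.rsplit("\\", 1)[-1]
            if base in SPYEYE_MUTEXES:
                hits.append((pid, info["image"], base))
    return hits


# Constructed sample dump: one process carries the SpyEye mutex.
SAMPLE = """\
------------------------------------------------------------------------------
System pid: 4 \\<unable to open process>
------------------------------------------------------------------------------
explorer.exe pid: 1432 WORKGROUP\\analyst
   1C: File          C:\\Windows\\System32
   3C: Mutant        \\Sessions\\1\\BaseNamedObjects\\__SPYNET_REPALREADYSENDED__
   40: Mutant        \\Sessions\\1\\BaseNamedObjects\\ShimCacheMutex
------------------------------------------------------------------------------
notepad.exe pid: 2200 WORKGROUP\\analyst
   18: Mutant        \\Sessions\\1\\BaseNamedObjects\\Local\\MSCTF.Asm.MutexDefault1
"""

if __name__ == "__main__":
    for pid, image, mutex in find_spyeye_hosts(SAMPLE):
        print(f"pid {pid} ({image}) holds {mutex}: possible SpyEye injection")
```

Run it against a real dump with `handle.exe -a > handles.txt` and feed the file contents to `find_spyeye_hosts`. Note the caveat raised later in this thread: the SpyEye builder lets the operator change the mutex name, so a hit is a strong signal but a miss proves nothing for rebuilt samples.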
cjbi
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am

Sat Aug 14, 2010 12:35 am

Screenshot of SpyEye 1.2.0 builder.
It supports changing EXE & mutex name.
Interesting!
EP_X0FF
Global Moderator

Tue Aug 24, 2010 4:18 am

The author wants some VM-unfriendly cryptor with sources :) Here is a little discussion.
cjbi

Sun Sep 05, 2010 11:02 am

Another public directory. Maybe same botmaster? :)

hxxp://carheavens.ru/warrior/bin/

Packer (or crypter, or whatever) has changed?
Low detection on VirusTotal (5/43).

VirusTotal result
http://www.virustotal.com/file-scan/rep ... 1283683125