A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #30251  by Pave
 Fri Apr 21, 2017 3:44 pm
Hi guys!
I am kind of new in the field of reverse engineering, so sorry if it is a silly question.

I am currently analyzing a trojan for a school thesis that has similarities with the trojans Fareit and Tepfer.
I already know that the main purpose of the malware is to steal user credentials and to send them then to a c & c server via HTTP.

But there are two functionalities that I stillt don't understand:
- How is the malware encrypting the sent payload?
- Why is the malware creating a new CMD process? Does the malware maybe also function as an reverse shell?

Virustotal link: https://www.virustotal.com/de/file/8dc6 ... /analysis/
The malware sample is attached
You do not have the required permissions to view the files attached to this post.
 #30348  by Xylitol
 Mon May 15, 2017 7:43 am
related to this sample i've seen it the 14 Dec 2016 23:15:30 according to my system.
this one is also know as 'pony 3 gates' usually delivered by hancitor, here is a screenshot of one of their pony panel https://twitter.com/CyberCrimeWHQ/statu ... 0349409280
related to your questions i don't remember how pony encryption work etc but there is literally tons of white papers about pony and you can even find the code, so it shouldn't be hard to find your answers.
and nope, Fareit/Tepfer don't do a reverse shell.
 #30349  by Antelox
 Mon May 15, 2017 8:46 am
The encryption used is RC4. For the sample you linked the key is: 1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes

And yes, this has been spread by Hancitor (AKA Chanitor) by the following URLs:
The campaign/build number for this is: 1412b