Malware/AutoIt

Forum for analysis and discussion about malware.
markusg
Posts: 736
Joined: Mon Mar 15, 2010 2:53 pm

Sun Mar 27, 2011 4:45 pm

Step1.exe
http://www.virustotal.com/file-scan/rep ... 1301243159

edit:

This thread contains samples which are AutoIt based
Last edited by EP_X0FF on Mon Aug 08, 2011 7:08 am, edited 1 time in total.
Reason: thread comment added
fatdcuk
Posts: 46
Joined: Mon Mar 15, 2010 7:45 pm

Thu Jul 28, 2011 9:29 pm

Nothing special, just weird: these types of pages have been about for a while now and not many vendors are tracking them, it would seem..

Java loader start


http://leechpro.tk/
Payload


http://dl.dropbox.com/u/27300888/update.exe
http://www.virustotal.com/file-scan/rep ... 1311881026
Ade Gill
Malwarebytes Researcher
EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sat Jul 30, 2011 3:58 pm

I think it's because it's AutoIt.
Ring0 - the source of inspiration
markusg
Posts: 736
Joined: Mon Mar 15, 2010 2:53 pm

Sun Aug 14, 2011 6:12 pm

EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sun Aug 14, 2011 6:21 pm

markusg wrote: SerialsPart1-Htxt.puorG.EXE
http://www.virustotal.com/file-scan/rep ... 1313344480
Crashes on start here, msgbox - something undefined at line 8 :)
Ring0 - the source of inspiration
markusg
Posts: 736
Joined: Mon Mar 15, 2010 2:53 pm

Mon Aug 15, 2011 9:47 am

this time no error messages
but its done nothing here
SerialsPart1-Htxt.puorG.EXE
http://www.virustotal.com/file-scan/rep ... 1313400261
EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Mon Aug 15, 2011 10:47 am

markusg wrote: this time no error messages
but its done nothing here
SerialsPart1-Htxt.puorG.EXE
http://www.virustotal.com/file-scan/rep ... 1313400261
This is a funny sample; as you can see, it uses a Unicode name text reversing trick to look like a text file.
It starts a copy of firefox.exe or iexplore.exe (the browser names are hardcoded), then tries to write something into their memory; all of this fails here.
Ring0 - the source of inspiration
Wack0
Posts: 3
Joined: Mon Jun 20, 2011 3:40 pm

Fri Aug 19, 2011 4:17 pm

fatdcuk wrote: Nothing special, just weird: these types of pages have been about for a while now and not many vendors are tracking them, it would seem..

Java loader start


http://leechpro.tk/
Payload


http://dl.dropbox.com/u/27300888/update.exe
http://www.virustotal.com/file-scan/rep ... 1311881026
this is version 2 of some kind of irc bot coded in autoit. it gets the config from either


http://www.vtp1hero.xlphp.net/Info.php
or


http://dl.dropbox.com/u/27300888/Info.php
which it saves to %windir%\server.txt but both links are down right now.
it then puts the config into an array, separated by spaces.
the 5th parameter shows the latest bot version. if it's later than the current version it gets the latest binary from the above two links, s/Info.php/update.exe
it then connects to the server which is in the 2nd param in the config, with the port in the 3rd param, and joins the channel that's in the 5th param.

The botmaster can show the list of processes, kill a process, shutdown/logoff/restart bots, screen capture (which will be uploaded to an ftpd), run a program, modify the registry, ...

and oh yeah, login password is hardcoded to be 18091989vutanphat - :)

Also, the nick is VTR-<6 random characters, uppercase A to Z>
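Added example, not code from the thread or from the bot: a small Python triage helper that scans IRC log lines for the VTR-<6 uppercase letters> nick pattern and the hardcoded login password described in the post above. The log lines are constructed for the example, not captures from the sample.

```python
import re

# Constructed sample IRC lines (not captures from the sample); the nick
# format VTR-<6 random uppercase letters> and the hardcoded login password
# are taken from the analysis above.
SAMPLE_IRC_LINES = [
    ":irc.example.invalid NOTICE AUTH :*** Looking up your hostname",
    "NICK VTR-QWERTY",
    "USER VTR-QWERTY 0 * :VTR-QWERTY",
    ":VTR-KLMNOP!bot@10.0.0.5 JOIN #updates",  # server-side view of a second bot
    "NICK alice_87",
    "NICK VTR-abc123",    # lowercase/digits: not the bot pattern
    "NICK VTR-ABCDEFG",   # seven letters: not the bot pattern
    "PRIVMSG #updates :!login 18091989vutanphat",
]

# "VTR-" plus exactly six uppercase A-Z letters, delimited by word boundaries
# so that longer or mixed-case names do not match.
VTR_NICK_RE = re.compile(r"\bVTR-[A-Z]{6}\b")

# Control password the post reports as hardcoded in the bot.
HARDCODED_PASSWORD = "18091989vutanphat"


def find_vtr_nicks(lines):
    """Return the distinct bot-style nicks seen anywhere in the lines, sorted."""
    return sorted({m.group(0) for line in lines for m in VTR_NICK_RE.finditer(line)})


def find_hardcoded_password(lines):
    """Return (line index, line) pairs that carry the hardcoded botmaster password."""
    return [(i, line) for i, line in enumerate(lines) if HARDCODED_PASSWORD in line]


if __name__ == "__main__":
    print("bot nicks:", find_vtr_nicks(SAMPLE_IRC_LINES))
    for idx, line in find_hardcoded_password(SAMPLE_IRC_LINES):
        print(f"hardcoded password on line {idx}: {line}")
```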
ikolor
Posts: 331
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Wed Jan 31, 2018 7:55 pm

EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Tue Jan 08, 2019 12:58 pm

ikolor wrote:
Wed Jan 31, 2018 7:55 pm
Thank you.

https://www.virustotal.com/#/file/b4104 ... /detection

############
https://www.youtube.com/watch?v=ICJeTV2zgrM
###########
AutoIt 2 Exe. Posts moved.
Ring0 - the source of inspiration