Win32/Fareit

#11007 by EX!
Fri Jan 13, 2012 4:05 pm

https://www.virustotal.com/file/f856b07 ... 326469918/

Detection ratio: 17 / 43

Maybe Spyeye.

Downloaded from c&c
hxxp://fdgsafkgdsfaskfshfgjahsgdf634570.in/sallemoz.dyndns.org/gate.php

Attachments

Archive.rar

pass = infected
(888.06 KiB) Downloaded 200 times

Last edited by EP_X0FF on Mon Mar 11, 2013 8:14 am, edited 2 times in total. Reason: c&c link disabled

Username

EX!

Posts

35

Joined

Wed Jun 29, 2011 8:24 pm

Contact

Re: Trojan SpyEye (alias Pincav)

#11008 by EP_X0FF
Fri Jan 13, 2012 4:19 pm

EX! wrote:https://www.virustotal.com/file/f856b07308b5113ee2c89ca4ac9a5808d597bb5381d917b2826b3e26b54fa372/analysis/1326469918/

Detection ratio: 17 / 43

Maybe Spyeye.

Downloaded from c&c
hxxp://fdgsafkgdsfaskfshfgjahsgdf634570.in/sallemoz.dyndns.org/gate.php

This is different password stealer written on Delphi and packed by UPX.
Stealing implemented in separate Delphi modules, for example (names should be enough self-explaining)

TModule_CuteFTP
TModule_FlashFXP
TModule_FileZilla
TModule_FTPCommander
TModule_BProofFTP
TModule_SmartFTP
TModule_TurboFTP
TModule_FFFTP
TModule_CoreFTP
TModule_Frigate3
TModule_SecureFX
TModule_UltraFXP_Base
TModule_UltraFXP
TModule_FTPRushX
TModule_WebSitePublisher
TModule_BitKinex
TModule_ExpanDrive
TModule_ClassicFTP
TModule_Fling
TModule_SoftX
TModule_DOpus
TModule_FTPUploader
TModule_FreeFTPd

and a lot of others.

Slightly longer description of this trojan can be found here

Config.zip and config.bin indeed SpyEye configs, but without SpyEye dropper it's hard to unpack them due to long password.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: PWS:Win32/Fareit.A

#11010 by EX!
Fri Jan 13, 2012 5:30 pm

Thanks EP_X0FF!

Username

EX!

Posts

35

Joined

Wed Jun 29, 2011 8:24 pm

Contact

Re: PWS:Win32/Fareit.A

#11692 by rkhunter
Sat Feb 18, 2012 6:20 pm

Fareit was active at last few days, 10 droppers in archive.

Attachments

Fareit.zip

pass:infected
(1.06 MiB) Downloaded 153 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: PWS:Win32/Fareit.A

#11730 by rkhunter
Tue Feb 21, 2012 3:05 pm

More 8 samples.

Attachments

Fareit.zip

pass:infected
(778.27 KiB) Downloaded 107 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: PWS:Win32/Fareit.A

#11958 by rkhunter
Sun Mar 04, 2012 7:05 pm

11 fresh samples

Attachments

Fareit.zip

pass:infected
(794.43 KiB) Downloaded 109 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Trojan Zeus (alias ZBot)

#12374 by thisisu
Wed Mar 28, 2012 7:48 am

MD5: 71388404bb160b5a85d76185af96a4b0
9/42

Attachments

71388404bb160b5a85d76185af96a4b0.zip

pass: infected
(83.19 KiB) Downloaded 101 times

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Trojan Zeus (alias ZBot)

#12375 by rkhunter
Wed Mar 28, 2012 7:53 am

thisisu wrote:MD5: 71388404bb160b5a85d76185af96a4b0

Not ZBot, Fareit PWS.

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Trojan Zeus (alias ZBot)

#12401 by thisisu
Fri Mar 30, 2012 8:03 am

rkhunter wrote:
thisisu wrote:MD5: 71388404bb160b5a85d76185af96a4b0
Not ZBot, Fareit PWS.

Hi rkhunter,

I'm sorry about that

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Fareit - BlackHole loader of ZBot

#12403 by rkhunter
Fri Mar 30, 2012 8:18 am

Since middle of February '12 Fareit was very active from BH. http://www.microsoft.com/security/porta ... 2%2fFareit
If it spreads via BH, it usualy as a downloader of ZBot.
Samples of loader that were observed since 15 Feb.

Attachments

Fareit.zip

pass:infected
(4.1 MiB) Downloaded 119 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact