A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14669  by Xylitol
 Sun Jul 15, 2012 9:19 pm
From bh 108.178.59.25/a.php?e=5&f=0e44a
Just got interested into this threat
exploits -> payloads -> zeusV3 -> pwd stealer and/or rogue/fake soft
https://www.virustotal.com/file/bfd5046 ... 342385814/
https://www.virustotal.com/file/a1b36aa ... 342385371/
Microsoft don't detect it :mrgreen:
Code: Select all
hxxp://sam-latrilogie.com:8080/pony/gate.php
hxxp://loceanic.fr:8080/pony/gate.php
hxxp://viveroparadiso.com.ar/NSyf.exe
hxxp://uppalneurohospital.com/x7nx.exe
hxxp://greatroastcoffee.com/w1HjW1.exe
gate.php <- If gate/pony so Blackhole and the rest
.exe files -> zeus & cie.

Pony C&C:
Code: Select all
hxxp://80.248.208.162:8080/pony/admin.php (sam-latrilogie.com)
hxxp://194.146.227.48:8080/pony/admin.php (loceanic.fr)
hxxp://176.31.255.41:81/pony/admin.php (etsiunjour.fr)
Abuse already sent to OVH but no reaction.
Look's like they use pony to get accounts/credentials and use them for bh/pony/etc or to host pe on compromised machines

Also have a look here, kafeine have do an awesome work:
http://malware.dontneedcoffee.com/2012/ ... ny-17.html
Attachments
infected
(158.92 KiB) Downloaded 78 times
 #14763  by Xylitol
 Fri Jul 20, 2012 6:36 am
Just got my virtual machine infected with blackhole at 80.248.208.162:8080/view.php
Pony c&c: akamaifilms.com:81/pony/admin.php
• dns: 1 ›› ip: 69.175.8.106 - adresse: AKAMAIFILMS.COM
https://www.virustotal.com/file/c1399c5 ... 342765865/
Attachments
infected
(94.03 KiB) Downloaded 84 times
 #15324  by resercher
 Thu Aug 23, 2012 10:09 am
EP_X0FF wrote: TModule_CuteFTP
TModule_FlashFXP
TModule_FileZilla
TModule_FTPCommander
TModule_BProofFTP
TModule_SmartFTP
TModule_TurboFTP
TModule_FFFTP
TModule_CoreFTP
...
These strings are from PWS:Win32/LdPinch family
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7