A forum for reverse engineering, OS internals and malware analysis 

 #4084  by markusg
 Tue Dec 21, 2010 1:15 pm
This trojan downloads a lot of other malware, all attached.

dropper:
1PkgMgrb.exe
http://www.virustotal.com/file-scan/rep ... 1292936440

am1msgr.exe
http://www.virustotal.com/file-scan/rep ... 1292936855

c2csp.exe
http://www.virustotal.com/file-scan/rep ... 1292937048

eng2dl.exe
http://www.virustotal.com/file-scan/rep ... 1292937021

1PkgMgrb.exe
http://www.virustotal.com/file-scan/rep ... 1292937271
runasb.vxe
http://www.virustotal.com/file-scan/rep ... 1292209529
The last one looks a bit older :-)
It perhaps downloads more, not tested yet.
 #4086  by markusg
 Tue Dec 21, 2010 2:12 pm
@Jaxryley
I think it's enough for one infected machine :-)

Was not sure, i4xcoms.exe (shutdowner) tries in VM to connect to the internet but it crashed :-)
have not tested the rest yet.
 #4095  by EP_X0FF
 Wed Dec 22, 2010 9:47 am
c2csp.exe is TDL4 (0.03)
1PkgMgrb.exe (i4xcoms.exe) is Trojan:Win32.Bamital

1PkgMgrb.exe is TrojanDownloader:Win32/Harnig
Open > nul /c del COMSPEC ver64 %szptfzubjhp.php?adv=adv523&code1=%s&code2=%s&id=%d&p=%s&b=%s Safari Chrome Firefox Opera
Internet Explorer http open %u %sljoxocb.exe %ssjnlgn.php?adv=adv523 %sfpxvranv.exe %styfnhc.php?adv=adv523 %ssybhgefo.exe
%sxbvqxsa.php?adv=adv523 %sfqxuppm.exe %sxavdxsz.php?adv=adv523 %sjqiv.exe %shyfaitavt.php?adv=adv523 %sxeytfnd.exe %sqhlkrzhf.php?adv=adv523
%sohaned.exe %skbwdyfeyta.php?adv=adv523 %stqskmj.exe %smmaucwe.php?adv=adv523 %snrfi.exe %scptrlg.php?adv=adv523 %srvgsxi.exe
%sizgowq.php?adv=adv523 %smalmkano.exe %siztbjhowu.php?adv=adv523 %s%d %sultamgbih.php?adv=adv523
hxxp://bccorps.com/timuo/
hxxp://accrowd.com/timuo/
C:\ psapi.dll ddraw.dll urlmon.dll shell32.dll kernel32.dll user32.dll wininet.dll SeDebugPrivilege ntdll.dll NtMapViewOfSection
\svchost.exe explorer.exe
am1msgr.exe is Renos trojan downloader or Trojan Fake Codec.

runasb.exe? not found in archive.

Perhaps from the given links above you can download more.

Topic title changed.
 #4101  by EP_X0FF
 Wed Dec 22, 2010 3:59 pm
Managed to get one exe from the Harnig stuff.

hxxp://accrowd.com/timuo/iztbjhowu.php?adv=adv536

As PX5 previously described, it needs some magic in the user-agent string to download that trash :)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)ver64
The payload, however, is very well known and nothing interesting in fact (downloader).

http://www.virustotal.com/file-scan/rep ... 1293032926
Attachments (pass: malware)
 #4105  by PX5
 Wed Dec 22, 2010 4:48 pm
Interesting data....


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver63

Using Harnig loader from citistep.info/lsk2/eng2dl.exe

I think we know some of Harnig's closest friends too, it always seems to call on Rusty and the rest of the crowd...

Had a Python script to decrypt the RAR files but can't seem to locate it at the moment. :?
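A defender-side check for the user-agent gate noted in the two posts above, written here as an added example (not code from the thread or from any poster): it scans constructed proxy log lines for the `)verNN` suffix on an MSIE user-agent and for the `.php?adv=advNNN` URL pattern; the hostnames in the sample lines are placeholders.

```python
"""Flag HTTP requests resembling the Harnig downloader traffic in this thread.

Added example for defenders; the log lines below are constructed, not captured.
Indicators checked: a "verNN" token glued onto the end of an MSIE User-Agent
(the download gate seen as ...)ver64 / ...)ver63) and a lowercase .php name
with an adv=advNNN query string.
"""
import re

UA_GATE = re.compile(r"\)ver\d{1,3}$")
ADV_URL = re.compile(r"/[a-z]{4,12}\.php\?adv=adv\d+")

# Constructed sample proxy log: "client method url user-agent" (hosts are placeholders)
SAMPLE_LOG = """\
10.0.0.5 GET http://downloader.invalid/timuo/iztbjhowu.php?adv=adv536 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)ver64
10.0.0.7 GET http://downloader.invalid/ekbjqlgny/mmuyj.php?adv=adv447 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver63
10.0.0.9 GET http://shop.example.com/index.php?adv=adv447 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
10.0.0.9 GET http://news.example.com/today.html Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/4.0
"""

def classify(url, user_agent):
    """Return ("high" | "low" | None, reasons) for one request."""
    reasons = []
    if UA_GATE.search(user_agent):
        reasons.append("MSIE UA with verNN gate token")
    if ADV_URL.search(url):
        reasons.append("lowercase .php with adv=advNNN query")
    if not reasons:
        return None, reasons
    # The UA token is the distinctive part; adv= query strings alone are common in ad tracking.
    severity = "high" if reasons[0].startswith("MSIE UA") else "low"
    return severity, reasons

def scan_log(text):
    """Parse 'client method url ua' lines (the UA may contain spaces) and return hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash
        client, _method, url, ua = parts
        severity, reasons = classify(url, ua)
        if severity:
            hits.append({"client": client, "url": url, "severity": severity, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["client"], hit["url"], "; ".join(hit["reasons"]))
```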
 #4106  by EP_X0FF
 Wed Dec 22, 2010 5:03 pm
Here they are (everything that was valid from the list above).

RAR files unfortunately not accessible for me.

edit:

Just finished analyzing one of the gang:
wnqcw.exe http://www.virustotal.com/file-scan/rep ... 1293037554

Aside from stealing poker passwords, it downloads and executes 1.exe (attached), which is TrojanSpy:Win32/Setfic.A.

Interesting blacklist located (Setfic):
Installation wizard v. 1.0 ActiveX module was completely installed! reset5c.dll SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify reset5c Asynchronous Impersonate DllName StartShell OnLogonEvent lsass.exe KERNEL32.DLL CreateProcessA ExitProcess ExitThread GetProcAddress GetProcessHeap HeapAlloc HeapFree LoadLibraryA lstrcatA lstrlenA SetThreadContext WaitForSingleObject NTDLL.DLL NtWriteVirtualMemory 95 98 Me NT 2000 XP 2003 Vista 7 Unknown navapsvc.exe mcshield.exe kav.exe avp.exe ekrn.exe drweb32w.exe pavsrv51.exe vsserv.exe avguard.exe ashwebsv.exe avgcc.exe msseces.exe Norton McAfee Kaspersky KIS NOD32 DrWeb Panda BitDefender Avira Avast AVG OneCare Unknown \ SeDebugPrivilege svchost.exe C:\Program Files\Internet Explorer\iexplore.exe Comspec Open /c del > nul
Attachments (pass: malware)
Setfic.A payload dll