A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5719  by fatdcuk
 Tue Mar 29, 2011 12:54 pm
EP_X0FF wrote:
hxxp://qvc.com/cgen/cdi.jpg
hxxp://qvc.com/qvcapp/icsx.jpg
hxxp://qvc.com/cgen/bch.jpg
hxxp://qvc.com/qvcapp/ehds.jpg

unavailable for me.
Catch :)
 #5720  by EP_X0FF
 Tue Mar 29, 2011 1:20 pm
Thanks :)

All of them are NSIS downloaders. They download this:

hxxp://qvc.com/qcc/icsd.exe
hxxp://qvc.com/qic/asp.exe
hxxp://qvc.com/qcc/esld.exe
hxxp://qvc.com/qic/wcs.exe

Yet again I can't download them from two completely different IPs. And it fails to d/l the payload (however, the code is still calling CreateProcess for the non-existent file).
 #5721  by fatdcuk
 Tue Mar 29, 2011 1:29 pm
Your original suspicions were on the money :)

Attached is MZ harvest >>> Usual suspects.
 #6282  by EP_X0FF
 Wed May 11, 2011 5:37 am
markusg wrote: eubmi.exe
http://www.virustotal.com/file-scan/rep ... 1304690161
Payload hxxp://uvxmedia.info/vgxv/eupvp.exe (TrojanDownloader:Win32/Harnig.S)
markusg wrote: gamsn.exe
http://www.virustotal.com/file-scan/rep ... 1304689916
Payload hxxp://uvxmedia.info/vgxv/gamsn.exe
markusg wrote: icvsp.exe
http://www.virustotal.com/file-scan/rep ... 1304690015
Payload hxxp://uvxmedia.info/vgxv/ikvlp.exe (TDL4)
[main]
version=0.03
aid=30067
sid=0
builddate=351
rnd=484763869
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
markusg wrote: rtipv.exe
http://www.virustotal.com/file-scan/rep ... 1304690456
Payload hxxp://uvxmedia.info/vgxv/rtpvs.exe (TrojanDownloader:Win32/Renos.MJ)
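As an added example (not code from the thread or from anyone posting in it): a small Python parser for the TDL4 config pasted above, which pulls the ';'-separated srv/wsrv/psrv host lists out of [cmd] so they can be dropped into a blocklist or matched against proxy logs. The hand-rolled INI parser and the hxxp-aware hostname regex are my assumptions about the format; hosts stay defanged and nothing is contacted.

```python
import re

# Config text exactly as pasted in the post above ([main]/[inject]/[cmd] sections).
TDL4_CONFIG = """[main]
version=0.03
aid=30067
sid=0
builddate=351
rnd=484763869
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
"""

# Hostname out of a defanged (hxxp/hxxps) or plain URL; the trailing path is ignored.
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://([^/;\s]+)", re.IGNORECASE)

def parse_ini(text: str) -> dict:
    """Minimal INI parser: keeps keys like '*' and '* (x64)' verbatim; same key may recur per section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:  # stray lines before a section are ignored
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def c2_hosts(sections: dict) -> dict:
    """Split the srv/wsrv/psrv lists in [cmd] on ';' and return lowercase hostnames per role."""
    cmd = sections.get("cmd", {})
    result = {}
    for role in ("srv", "wsrv", "psrv"):
        hosts = []
        for entry in cmd.get(role, "").split(";"):
            m = HOST_RE.match(entry.strip())
            if m:
                hosts.append(m.group(1).lower())
        result[role] = hosts
    return result
```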