[markusg]

not sure what it is

[EP_X0FF]

not sure what it is

Trojan PWS written on Dotnet.

Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run as
X:\documents and settings\user\application data\java.exe

In attach dump of sensitive strings from the inside, they fully describing it's nature.

Additionally downloads hxxp://173.212.207.176/coologger/process.exe, another piece of dotnet malware, written by mister Jacob. See attach for it.

C:\Users\Jacob\Documents\Visual Studio 2008\Projects\processprotect\processprotect\obj\Release\processprotect.pdb

[markusg]

Runescape DDoS Tool V1.3 Working 2011.exe
http://www.virustotal.com/file-scan/rep ... 1301424401

[EP_X0FF]

Runescape DDoS Tool V1.3 Working 2011.exe
http://www.virustotal.com/file-scan/rep ... 1301424401

COOLoger keylogger.
Thread split and moved.

Start
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

CooLogger Recovered Data from -
~~~~~Stealers~~~~~
Process
CooLogger Infection Notification
CooLogger Installed On -
Yes
COOLogger Logs From -
~~~~~Keylogger~~~~~
Removal ID:
COOLogger Logs from -
Screenshot failed to capture
Removal ID:
PartyPics-3-26.exe
EnableLUA
~~~~~MSN~~~~~
Username:
Password:
IndexOf
Substring
UNIQUE
table
SQLite format 3
Not a valid SQLite 3 Database File
Auto-vacuum capable database is not supported
No supported Schema layer file-format
\Google\Chrome\User Data\Default\Login Data
ReadTable
logins
GetRowCount
GetValue
b3JpZ2luX3VybA==
dXNlcm5hbWVfdmFsdWU=
GetBytes
password_value
~~~~~Chrome~~~~~
Host:
Username:
Password:
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
URL:
APPDATA
\CoreFTP\sites.idx
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\
\Host
\Port
\User
\Name
Entry:
Host:
User:
Pwd:
(Encrypt)
~~~~~CoreFTP~~~~~
Host:
User:
C:\Program Files\Mozilla Firefox\firefox.exe
TW96aWxsYQ==
RmlyZWZveA==
UHJvZmlsZXM=
c2lnbm9ucy5zcWxpdGU=
SELECT * FROM moz_logins;
SELECT * FROM moz_disabledHosts;
formSubmitURL
VXJs
encryptedUsername
VXNlcm5hbWU=
encryptedPassword
UGFzc3dvcmQ=
WScript.Shell
RegRead
\FileZilla\recentservers.xml
</Host>
<Host>
Host :
</User>
<User>
Username :
</Pass>
<Pass>
Password :
~~~~~FileZilla~~~~~
Username
All Users
\FlashFXP\3\quick.dat
port=
user=
pass=
created=
~~~~~FlashFXP~~~~~
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander\UninstallString
uninstall.exe
Ftplist.txt
;Server=
;Port=
;Password=
;User=
;Anonymous=
Name=
~~~~~FTP Commander~~~~~
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC
Password
~~~~~No-IP~~~~~
\SmartFTP\Client 2.0\Favorites\Quick Connect\
\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
<Port>
</Port>
<Password>
</Password>
<Name>
</Name>
~~~~~SmartFTP~~~~~
PROGRAMFILES
bW96Y3J0MTkuZGxs
bnNwcjQuZGxs
cGxjNC5kbGw=
cGxkczQuZGxs
c3N1dGlsMy5kbGw=
c3FsaXRlMy5kbGw=
bnNzdXRpbDMuZGxs
c29mdG9rbjMuZGxs
bnNzMy5kbGw=
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
NSSBase64_DecodeBuffer
PK11SDR_Decrypt
Error with opening database
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%'UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') ORDER BY 1
Error with executing non-query: "
resultTable
System.Int32
System.Single
System.String
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
DigitalProductId
32-Bit
64-Bit
~~~~~PC Info~~~~~
IP Address:
http://whatismyip.com/automation/n09230945.asp
Computer-Name:
User-Name:
Is Admin: Yes
Is Admin: No
Platform:
Windows Key:
USERPROFILE
GetDirectories
config
\data.db
~~~~~Nexus~~~~~
File Found:
\data.db
~~~~~Nexus~~~~~
SEtFWQ==
_CURRENT_USER\
U09GVFdBUkU=
VmFsdmU=
U3RlYW0=
SteamPath
\config\SteamAppData.vdf
~~~~~Steam~~~~~
Steam Username:
~~~~~Steam~~~~~
U29mdHdhcmU=
SetValue
RefreshLoginRequired
Close
Steam
No Pin
~~~~~RSBot~~~~~
Username:
Pin:
~~~~~RSBot~~~~~
RSBot_Accounts.ini

[markusg]

LeagueOfLegendsHack.exe
http://www.virustotal.com/file-scan/rep ... 1301479787