A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23851  by forty-six
 Wed Sep 10, 2014 3:51 pm
unixfreaxjp wrote:A few hours ago this campaign via spam was spotted:
The attachment (downloader part): https://www.virustotal.com/en/file/595b ... /analysis/
It downloads the set: https://www.virustotal.com/en/file/d45e ... 410358503/
Distribution details and CnC information I wrote in VT & the pictures; please bear with the hurried pace...
You work on Linux too much lately. :D This is the "dridex" variant of Feodo.
 #23852  by unixfreaxjp
 Wed Sep 10, 2014 4:10 pm
[REVOKED BY THE WRITER] Wow, hold on, the attachment is Zbot, yes? You mean the downloaded one? [/REVOKED]
I made a mistake! I am sorry. This is not a Zeus at all. Please kindly move the previous post to the proper malware thread.
forty-six wrote:You work on Linux too much lately. :D This is the "dridex" variant of Feodo.
Haha, ouch! Yes, :) too much ELF recently. But I think I'll focus on this platform for the future.
I know it is a PWS (the downloaded one), PoC: https://twitter.com/MalwareMustDie/stat ... 1030629378 but it's the first time seeing this type..
Well.. That explains the 8080 gates being called. When did this "D"ridex variant start?
 #24206  by comak
 Fri Oct 24, 2014 4:28 pm
From http://malware.dontneedcoffee.com/2014/ ... -0569.html
sample: 831098a9d8db43bebf3d6ee67914888d

It looks like a strange/old KINS - without AES and other stuff...
Anyway:
Code:
version: 02.00.04.00
botnet: fruit
cc:
http://chmaghotpipe.com/www/
http://micagentudate14.com/www/
http://reportcollecsysdump.com/www/

rc4key: 4032af8d61035123906e58e067140cc5  - md5(0123456789abcdef)
UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2)

Attachment: 36.7 KiB, pw: infected
 #24304  by Xylitol
 Mon Nov 10, 2014 11:32 am
Lame Zeus 2.1.0.1 with cowboy theme targeting Germany, Italy, Spain, USA...
https://zeustracker.abuse.ch/monitor.ph ... smalta.com
Code:
http://kihsmalta.com/secure.php
http://kihsmalta.com/ppptp.jpg
Attachment: 162.93 KiB, pw: infected
 #24336  by granit12
 Wed Nov 12, 2014 11:37 pm
Can any person stop it?
Code:
http://www.learninginstitute.co.uk/rewind/cp.php?m=login
http://menumaterno.com.br/skins/tango/_labe/cp.php?m=login
http://ansfitness.com/system/engine/paypal/cp.php?m=login
http://nk-slaven-belupo.hr/images/jss/cp.php?m=login
http://motoecarro.com.br/images/cp.php?m=login
http://sonbachtuyet.net/htc/cp.php?m=login
http://agrupacionestrella.net/plugins/system/php/cp.php?m=login
http://www.onenewmanthailand.com/wp-blog/cp.php?letter=login
http://arabiaholding.com/bin/adm/index.php?m=login
http://www.impm.upel.edu.ve/Imagenes/cp.php?letter=login
http://www.jeanbas.com/fonts/cp.php?letter=login
http://www.ipb.upel.edu.ve/personal/cp.php?letter=login
http://puresoccer.com/info/adm/index.php?m=login
http://guruofnew.com/images/adm/index.php?m=login
 #24492  by comak
 Mon Dec 01, 2014 3:27 pm
I got KINS in memory that looks like a version I dumped before.
Code:
version: 02.00.07.00
urls: 
['http://bruonlinearchive.com/',
 'http://mostusefullthingsvoting.com/',
 'http://hoplessmaincatalogue.com/',
 'http://herbonlineshop.com/']

botname: fish
rc4key: 8733af628b9b2f189bec5c67ce615312 -- md5(MicroProductions)
UserAgent:  Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.2; SV1)

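Both KINS configs above list the RC4 key as an MD5 digest next to the string it was derived from (md5(0123456789abcdef), md5(MicroProductions)). The block below is an added example, not code from either post or from the KINS/Zeus source: it derives the RC4 key the way Zeus 2.x forks do (the 16 raw MD5 digest bytes of the botnet key string are the RC4 key), implements RC4 and the Zeus 2.x "visual" XOR layer that sits under the RC4 pass, and round-trips a constructed config blob. The sample plaintext and the assumption that a given KINS build uses exactly this RC4-plus-visual layering are mine; verify the layering against the sample's crypt routine before trusting output on a real downloaded .jpg config.

```python
import hashlib

# Key/digest pairs as posted in the two comak configs above (the hex is the
# RC4 key as dumped, the string is what it was reported to be the MD5 of).
POSTED_KEYS = {
    "0123456789abcdef": "4032af8d61035123906e58e067140cc5",
    "MicroProductions": "8733af628b9b2f189bec5c67ce615312",
}


def derive_rc4_key(key_string: str) -> bytes:
    """Zeus/KINS use the 16 raw MD5 digest bytes of the botnet key string as
    the RC4 key (the raw digest, not its hex spelling)."""
    return hashlib.md5(key_string.encode("latin-1")).digest()


def key_matches(key_string: str, expected_hex: str) -> bool:
    """Check a dumped RC4 key against the string an analyst believes produced it."""
    return derive_rc4_key(key_string).hex() == expected_hex.lower()


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key scheduling."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Standard RC4 PRGA; RC4 is symmetric so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Zeus 2.x 'visual' layer: each byte is XORed with the (already
    transformed) byte before it, walking forward."""
    b = bytearray(data)
    for i in range(1, len(b)):
        b[i] ^= b[i - 1]
    return bytes(b)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse of visual_encrypt: walk backwards so each XOR partner is still
    the transformed value it was XORed with."""
    b = bytearray(data)
    for i in range(len(b) - 1, 0, -1):
        b[i] ^= b[i - 1]
    return bytes(b)


def encrypt_config(key_string: str, plaintext: bytes) -> bytes:
    """Assumed KINS ordering (from Zeus 2.x): visual layer first, then RC4."""
    return rc4_crypt(derive_rc4_key(key_string), visual_encrypt(plaintext))


def decrypt_config(key_string: str, blob: bytes) -> bytes:
    """Undo encrypt_config: RC4 first, then the visual layer."""
    return visual_decrypt(rc4_crypt(derive_rc4_key(key_string), blob))


# Constructed stand-in for a decrypted BinStorage config; not from any sample.
SAMPLE_CONFIG = (
    b"version=02.00.07.00\n"
    b"botnet=fish\n"
    b"url_config=http://bruonlinearchive.com/\n"
)


if __name__ == "__main__":
    for key_string, digest_hex in POSTED_KEYS.items():
        print(key_string, "->", derive_rc4_key(key_string).hex(),
              "matches posted:", key_matches(key_string, digest_hex))
    blob = encrypt_config("MicroProductions", SAMPLE_CONFIG)
    print(decrypt_config("MicroProductions", blob).decode())
```

Running it prints whether each posted hex key really is the MD5 of the string the poster named, which is the first thing to confirm before reusing a dumped key on a second sample from the same botnet; if a config does not decrypt to readable BinStorage after the RC4 pass, drop the visual layer or check for the AES wrapper that later KINS builds add.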
 #24686  by EP_X0FF
 Sun Dec 21, 2014 2:22 pm
Split. New Zeus with Andromeda code moved to separate thread.
 #24906  by sysopfb
 Sun Jan 11, 2015 1:18 am
KINS
Both the exe and jpg are attached.

certomenom.ru/BRaxz7sN92BjcNzK/jason.exe

config
certomenom.ru/BRaxz7sN92BjcNzK/jason.jpg
adenosdere.ru/BRaxz7sN92BjcNzK/jason.jpg

Post-config traffic
yandex.ru
certomenom.ru/invests.php -- was down for me

other domains/urls in memory
evennoterom.ru/BRaxz7sN92BjcNzK/jason.exe
brokelowi.com/flashplayer/mod_vnc.bin
heromeftet.ru/BRaxz7sN92BjcNzK/jason.jpg

IP at the time is 188.127.249.224
Attachment: 475.89 KiB, pw: infected