A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25025  by teddybear
 Fri Jan 23, 2015 3:59 pm
sample e2d8c4f3f0d9fd684a3ca489888002fc2cc3c2c716e25dec8fc483048ae72e47
distributed via a spammed malicious .doc with a macro inside
downloads config from hxxps://sus.nieuwmoer .info/f3332fl34.jpg
(SSL certificate already in sslbl.abuse.ch)

exe and "jpeg" conf attached
 #25419  by d.l.
 Sun Mar 08, 2015 10:37 am
@teddybear
e2d8c4f3f0d9fd684a3ca489888002fc2cc3c2c716e25dec8fc483048ae72e47 is an Andromeda bot; it injects into msiexec and waits for the C&C to provide the payload.
 #26060  by comak
 Wed Jun 10, 2015 4:38 pm
seems to be broken?
Code:
{
  "binary": "436f04004901a18c3c49079a6f9bab1f",
  "family": "vmzeus2",
  "rc4sbox": "<value removed>",
  "cfg": "http://kendra.fr/KINS/panel/config.jpg",
  "strings": [
    "&;\"http://bzfdcp.com/cfg.bin"
  ],
  "version": "02.00.00.00",
  "urls": [
    "http://kendra.fr/KINS/panel/config.jpg"
  ],
  "fakeurl": "http://bzfdcp.com/cfg.bin",
  "rc6sbox": "228a11ba1abad2e29db763aff4343a9bcdd893aa23f3385e8d0cbba9e36c878948412fda68738341b9284cc6daf7e96aab013e29edc8f6bb56fc2ec1ada19b11f592c994266d5c1b0dbcce46a026311c2e9c3b774b1a3eb140ea84f81e052899bd6d7317a5869c3c6d4b051b27c54aa82214ccc1e0df991c968f44b269de7ed734e8b42d67b0af5dbdb48b11f7710f9e7bc92c836017739a8603938f6c29ed8cfc4ddd761020d0b6d11215f9277229f9",
  "botname": "\u00fb"
}

 #26086  by Xylitol
 Mon Jun 15, 2015 11:46 am
kendra.fr got taken down but is back; config in attachment.
[syntax="php"]
$config['botnet_cryptkey'] = 'Hello';
$config['botnet_cryptkey_bin'] = array(72, 174, 59, 139, 180, 33, 182, 231, 179, 244, 136, 58, 86, 56, 69, 218, 108, 141, 106, 16, 126, 109, 217, 92, 227, 68, 77, 74, 184, 135, 170, 165, 186, 71, 94, 67, 202, 93, 73, 133, 61, 101, 166, 142, 64, 137, 216, 189, 36, 63, 107, 18, 171, 76, 241, 95, 192, 212, 88, 28, 134, 167, 210, 125, 10, 194, 23, 105, 116, 54, 127, 236, 223, 239, 176, 47, 151, 83, 60, 24, 70, 190, 43, 2, 119, 121, 104, 102, 129, 219, 82, 232, 4, 29, 144, 112, 252, 111, 55, 35, 187, 160, 221, 3, 11, 169, 215, 172, 130, 90, 118, 45, 14, 206, 175, 44, 52, 140, 80, 17, 233, 242, 34, 7, 30, 220, 120, 198, 91, 162, 193, 51, 62, 100, 207, 25, 85, 255, 40, 234, 204, 96, 196, 173, 48, 251, 150, 65, 147, 185, 152, 6, 53, 155, 164, 163, 5, 81, 197, 228, 237, 20, 131, 50, 66, 0, 229, 98, 208, 235, 158, 114, 199, 188, 37, 225, 9, 250, 230, 209, 254, 32, 123, 226, 211, 89, 19, 128, 78, 253, 168, 79, 13, 145, 181, 248, 8, 38, 195, 161, 200, 22, 117, 177, 201, 97, 46, 224, 214, 27, 42, 110, 1, 178, 87, 146, 75, 238, 99, 138, 159, 157, 148, 113, 103, 26, 132, 39, 249, 243, 153, 41, 203, 240, 205, 246, 122, 12, 149, 191, 222, 245, 143, 247, 21, 31, 156, 49, 213, 57, 183, 84, 15, 154, 115, 124);
[/syntax]
And another one in the attachment, calling 193.169.189.45.
https://www.virustotal.com/en/file/1bd1 ... 434376067/ detected as PWS:Win32/Zbot.gen!VM by Microsoft.
Attachments
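As an added check (my code, not Xylitol's and not the ZeuS/KINS panel's own), assuming, as in the leaked ZeuS 2.x panel source, that botnet_cryptkey_bin is the 256-byte RC4 S-box the key schedule produces from botnet_cryptkey and that the panel feeds it directly into the RC4 stream: the script recomputes the S-box from 'Hello', compares it with the array posted above, and runs RC4 over a constructed buffer with that S-box.

```python
# Added example, not from the thread or the ZeuS/KINS panel. Assumption
# (leaked ZeuS 2.x panel source): botnet_cryptkey_bin is the RC4 S-box that
# the key schedule produces from botnet_cryptkey; the panel drives the PRGA with it.

# Copied from the config posted above (botnet_cryptkey = 'Hello').
KINS_SBOX = [
    72, 174, 59, 139, 180, 33, 182, 231, 179, 244, 136, 58, 86, 56, 69, 218, 108, 141, 106, 16,
    126, 109, 217, 92, 227, 68, 77, 74, 184, 135, 170, 165, 186, 71, 94, 67, 202, 93, 73, 133,
    61, 101, 166, 142, 64, 137, 216, 189, 36, 63, 107, 18, 171, 76, 241, 95, 192, 212, 88, 28,
    134, 167, 210, 125, 10, 194, 23, 105, 116, 54, 127, 236, 223, 239, 176, 47, 151, 83, 60, 24,
    70, 190, 43, 2, 119, 121, 104, 102, 129, 219, 82, 232, 4, 29, 144, 112, 252, 111, 55, 35,
    187, 160, 221, 3, 11, 169, 215, 172, 130, 90, 118, 45, 14, 206, 175, 44, 52, 140, 80, 17,
    233, 242, 34, 7, 30, 220, 120, 198, 91, 162, 193, 51, 62, 100, 207, 25, 85, 255, 40, 234,
    204, 96, 196, 173, 48, 251, 150, 65, 147, 185, 152, 6, 53, 155, 164, 163, 5, 81, 197, 228,
    237, 20, 131, 50, 66, 0, 229, 98, 208, 235, 158, 114, 199, 188, 37, 225, 9, 250, 230, 209,
    254, 32, 123, 226, 211, 89, 19, 128, 78, 253, 168, 79, 13, 145, 181, 248, 8, 38, 195, 161,
    200, 22, 117, 177, 201, 97, 46, 224, 214, 27, 42, 110, 1, 178, 87, 146, 75, 238, 99, 138,
    159, 157, 148, 113, 103, 26, 132, 39, 249, 243, 153, 41, 203, 240, 205, 246, 122, 12, 149, 191,
    222, 245, 143, 247, 21, 31, 156, 49, 213, 57, 183, 84, 15, 154, 115, 124,
]


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key-scheduling algorithm: key -> 256-entry S-box."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(sbox: list, data: bytes) -> bytes:
    """RC4 PRGA driven by a precomputed S-box; the same call encrypts and decrypts."""
    s = list(sbox)  # work on a copy: the PRGA mutates the state
    x = y = 0
    out = bytearray()
    for b in data:
        x = (x + 1) & 0xFF
        y = (y + s[x]) & 0xFF
        s[x], s[y] = s[y], s[x]
        out.append(b ^ s[(s[x] + s[y]) & 0xFF])
    return bytes(out)


def key_matches_sbox(key: bytes, sbox: list) -> bool:
    """True if the plaintext key reproduces the stored S-box exactly (and it is a permutation)."""
    return sorted(sbox) == list(range(256)) and rc4_ksa(key) == list(sbox)
```

ZeuS-family bots layer their own byte-chaining ("visual" encryption) over RC4 for the bot config; this shows only the RC4 layer that the panel key defines.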