A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19011  by Xylitol
 Fri Apr 19, 2013 12:24 pm
Nothing new in the VISA report; we already know all these files.
Infostealer.Somabix in attach. I've sent the sample to ESET for detection. I've read the Symantec review and it seems to be another already-seen piece of stuff targeting Retalix POS software.
https://www.virustotal.com/fr/file/320a ... 366373692/
edit: Now known by Microsoft as TrojanSpy:Win32/PointOfSale.A
Attachments: infected (52.26 KiB)
 #19248  by bsteo
 Fri May 10, 2013 11:57 am
360Tencent wrote: http://blog.spiderlabs.com/2013/05/alin ... amily.html
Good read. Anyway, does somebody have the sample from this read? MD5 is c9e5752eea81f7d3521b1d2232afd3b8

Alina's panel is at: hxtp://208.98.63.228/wordpress/sam.php

208.98.63.228 ssh 22/tcp Secure Shell - RSA encrypted rsh
208.98.63.228 http 80/tcp www www-http World Wide Web HTTP
#208.98.63.228 www 80/tcp World Wide Web HTTP [TXL]
208.98.63.228 sunrpc 111/tcp rpcbind SUN Remote Procedure Call
208.98.63.228 unknown 3306/tcp unassigned
208.98.63.228 unknown 46228/tcp unassigned

SSH and MySQL open, time for a little brute? :)
Last edited by Xylitol on Fri May 10, 2013 1:46 pm, edited 1 time in total. Reason: http obfuscation
 #19251  by Xylitol
 Fri May 10, 2013 1:04 pm
exitthematrix wrote: Anyway, does somebody have the sample from this read? MD5 is c9e5752eea81f7d3521b1d2232afd3b8
Alina 3.5. Maybe I will do a small response post for SpiderLabs about the C&C, but not today; I've already posted something.
Also about the panel of this one: wordpress/admin.php
Attachments: infected (59.45 KiB)
 #19402  by Xylitol
 Fri May 24, 2013 4:28 pm
Wow, Josh Grunzweig has really done some heavy work.

List of hashes and the Alina version associated with each:

In attach:
https://www.virustotal.com/en/file/195d ... 369412682/
https://www.virustotal.com/en/file/442d ... 369412684/
https://www.virustotal.com/en/file/8782 ... 369412688/
https://www.virustotal.com/en/file/e4a4 ... 369412690/
Attachments: infected (343.19 KiB)
 #19430  by Xylitol
 Mon May 27, 2013 1:09 am
Alina 5.6 in attach:
https://www.virustotal.com/en/file/2cb5 ... 369616232/
Josh Grunzweig will be interested ;)
unpacked: https://www.virustotal.com/en/file/334c ... 369689145/
Compilation timestamp: 2013-05-16 23:58:26
Attachments: infected (62.59 KiB), infected (67.43 KiB)
 #20380  by Xylitol
 Sun Aug 04, 2013 10:58 pm
Attachments: infected (42.75 KiB), infected (679.35 KiB), infected (67.03 KiB)