[Xylitol]

Adobe Flash Player + Winrar who have a Winzip icon (lol)

[bitx]

SMSHaox SmartZip

[Xylitol]

Phishings applications

[Xylitol]

Tiny storyboard about this spyeye sample who conduct to ms removal tool download


--------------
Fake.HDD Windows XP Recovery + insulated rk stuff

[Xylitol]

fake.hdd winxp recovery again and braviax again

[EP_X0FF]

Windows XP Recovery

(also mentioned by Xylitol here)

GUI



"Give me money" dialog



Probably also installs ZeroAccess, but dropper currently unavailable (has option "adw: download rootkit" and comes from site, which yesterday hosted ZAccess sample).

Muldrop, crypted then packed by UPX, payload it drops also crypted and packed by UPX. Uses IE injection. Dropper has AntiVM on board (VMWare, Virtual Box, Virtual PC).

In attach original dropper and extracted payload.

http://www.virustotal.com/file-scan/rep ... 1306508426

[Xylitol]

QS81-OPGD-786F
OH6G-H76G-985A
JA7J-JHA7-QPL9

Code: Select all

Text strings referenced in kniga_is:, item 640
 Address=0052FF3A
 Disassembly=MOV EDX,5300E0
 Text string=UNICODE "http://zipfilez.ru/payarch/smscheck/log.php?v=%MAINVER%&cid=%CID%&s=%SCHEME%&wid=%WID%&fid=%FID%&fq="

25/42 >> 59.5%
http://www.virustotal.com/file-scan/rep ... 1306925764

[bitx]

SMS.Hoax, another one

[EP_X0FF]

WinRAR 2011

from hxxp://allinstrret.ru/ (any downloaded exe is the same)



Written on CodeGear RAD Studio v15.0.3890.34076 (CBuilder) and crypted.

Yet another SMS Hoax.

[EP_X0FF]

Windows XP Repair

Muldrop VT http://www.virustotal.com/file-scan/rep ... 1308221793

GUI



Has antivm and anti-debugging on board (likely part of crypter code).

Perfect example of Matryoshka (crypter+UPX->crypter+UPX)

All original + unpacked in attach (all stages + some additional payload dll extracted from end layer code)