[kmd]

1) trojan inside spam attachment
2) SHA1: fc265634d8628ef3b47bdcb0658714ea66977dc4
3) http://www.sophos.com/en-us/threat-cent ... lysis.aspx

ty

[r2nwcnydc]

Here you go.

[Horgh]

I took a quick glance at it, it's the Power Loader eset mentionned. Lame stuff.

In attach unpacked + dropper x64.

Config :
srvurls=http://seantit.ru/power/c1.php;http://p ... wer/c1.php;
srvdelay=15
srvretry=2
buildid=test

Power.zip

pwd : infected
(38.34 KiB) Downloaded 112 times

[EP_X0FF]

Part of Win32/Alureon family with Gapz style inject (see @004049C0 and @004045D0). Moved.

Expect more and more copy-paste, see this trojan development topic as example (and for original inject method author see post #4)
hxxp://wasm.ru/forum/viewtopic.php?id=47590

[grum]

:D cracked public now

annloader_1d 2011

http://goo.gl/wUIBl

pass: gangcash@jabber.org


PowerLoader_v2.0

http://goo.gl/LLJXT

pass: gangcash@jabber.org

[EP_X0FF]

@readyde

You chose wrong forum to post this. Solve your malware "business" problems elsewhere. We do not create/support malware here and this forum is not script-kiddie malware marketplace for this kind of "blacklisting". This behaviour is not welcomed and furthermore, next time whoever gonna try to do this again, will be immediatelly and permanently banned.

Posts disapproved.

[EP_X0FF]

Another power loader + payload (bitcoin miner). Both in attach.

SHA256: 9507b7eabaf22758ad6724f4e63c6772e04992f42b56e1281571b3fbeba00a3a
SHA1: 9d9ae3d4d8a0f0959e84a098483debe19811adf6
MD5: 06708d4bb90b6d3761b62302dbf96f36

https://www.virustotal.com/en/file/9507 ... /analysis/

SHA256: 10bfd9746863fd90e7c7b204a2a0a0c529f12b5a7dea51858e81f32698c168f8
SHA1: 745fbaf750124630f9c440f24d7753c582a748ad
MD5: 5c99411fa8a11691771a476ff52a9344

https://www.virustotal.com/en/file/10bf ... /analysis/

[rinn]

:D cracked public now

annloader_1d 2011

http://goo.gl/wUIBl

pass: gangcash@jabber.org


PowerLoader_v2.0

http://goo.gl/LLJXT

pass: gangcash@jabber.org

It is a bit out-dated. Power Loader available since last autumn and except using public explorer.exe ACE bug in addition has a specific code against Outpost product. Well, it is using same trick I've been using last 2 years in penetration testing toolkit (alongside with couple of other still private unseen in itw malware methods), mentioned here http://www.kernelmode.info/forum/viewto ... 5&start=60

Code: Select all

	PCLIENT_ID pcid;
	OBJECT_ATTRIBUTES obja;
	DWORD fOldProtect;

	if (IsProcessRunning(L"op_mon.exe")) {

		pcid = (CLIENT_ID *)VirtualAlloc(NULL, PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
		pcid->UniqueProcess = ExplorerPID;
		VirtualProtect(pcid, PAGE_SIZE, PAGE_READWRITE | PAGE_GUARD, &fOldProtect);
		InitializeObjectAttributes(&obja, 0, 0, 0, NULL);
		NtStatus = NtOpenProcess(&hProcess, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &obja, pcid);
		if ( !NT_SUCCESS(NtStatus) ) {
			hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ExplorerPID);
		}
	}

Idea of this method - abuse badly written handler of SDT hook. When Outpost will try to access NtOpenProcess parameters it will catch a exception because CLIENT_ID is memory marked with PAGE_GUARD flag. Once exception occurred Outpost transfers control to original Windows service, thinking all OK. This is a example of mindless coding style, so often seen in security drivers. Lack of professionalism as it is.

Attached loader retrieved from from EP_X0FF sample. For code I mention look at function located at address 0x00404830.

Best Regards,
-rin

[EP_X0FF]

SHA256: a5d9b4226432b63eac41b5e47e1e277730fcd31d00d25bec31095de12c7777b3
SHA1: c2b50af1220aeaf076ada73665a734634d15ec5d
MD5: 2dff72099f977da97672e01e7f4ca2e1

https://www.virustotal.com/en/file/a5d9 ... /analysis/

Original, decrypted dropper + extracted x64 binary in attach.

x86-32
https://www.virustotal.com/en/file/4b88 ... 368612442/

x64
https://www.virustotal.com/en/file/53e1 ... 368612443/

x86-32 quote (OutputDebugString)

Is what you've seen too much to take, or are you blind and seeing nothing? Through senses, what can we explain? Not joy, not guilt, not pain So run my baby run my baby run

x64 quote (OutputDebugString)

I'm tired holding up the weight,the weight of the motherfucking world! Am I too last to be saved? Am I too last? The boys wanna fight

[kekieres]

I've recently received a malware sample .

Spreading mechanisms: you receive a chat message from an skype contact saying (in spanish)
"esta es una foto muy amable de tu parte "
(It's gramatically correct but it doesn't sound natural in spanish)
And the the following URL:
hXXp://goo.gl/lLGdM?png=<your_skype_contact_name>
In fact parameters are irelevant.
Independently to the parameters it allways expands to:
hXXp://dc663.4shared.com/download/arUNCWir?clientType=BASE_WEB

The malware comes into a ZIP file and inside the EXE named: fotos_facebook-20052013-png.exe
SHA1: 882da1b7838bc087c753a14b0dd1e40cd3db78d3
Here you have the sample.
Right now it's almost undetected in virustotal (3/47).
I'm not good at reverse engineering and deep malware analysis, but I've used malwr.com to do a dynamic analysis (https://malwr.com/analysis/ZDdkOWViY2Qy ... TJjZTU5N2E)
Obviously it's nothing good. It tries to contact hXXp://r.gigaionjumbie.biz/images/gx.php

Is it a known malware?