@Xylit0l, thanks for the notice, friend. I got the config and have it decoded, yet can not post it here for banking stuff.
This Citadel aimed banking urls were old ones, nothing updated (we won't let them) unless the phishing domain's part used to form grabber.The credentials grabber scheme also not that new. Xylit0l mentioning MITB is correct (also the fast flux, see next post)
Thanks for the sample from @kafeine so I can confirm each taken data.
Sample is:
https://www.virustotal.com/en/file/05c3 ... /analysis/
File sample is attahced in zip, pwd: infected, included the pcap data, and downloaded configs)
See also my comment in V for the hashes of config/saved files by this citadel.
Then
see the comment in attachment. For KM registered users only.
Don't buy what TrendMicro said in their blog, was so f* untrue, here's the sh*tlist why:
- No hash, no samples, no analysis ground, with big bullsh*t of BIG INFECTION OF CITADEL TARGETING JAPAN BANKS?
What had been targeted? Which url?? Are those Url UP and ALIVE now?? < No data (LOL)
--> I got the data, is OLD (known) URLS, like 7-8months, my PoC is in JP-CERT/CC now, come and get them.
- In order to verdict what had been stolen ones MUST PoC the verdict of the stolen data. = no verdict, no PoC . zips.
- For the respect in saying many access to CnC in past 6ays < even the domains was already vanished? C'mon...
See.. NO exposure of access of CnC side, assumption based by QUERY of domains calculation < not equal to CnC creds stolen traffic access as per stated in their blog.
- The last thing is I can't see NOTHING of Banking Credential grabbed in any CNC!! Just bunch usual "data" (non-banking) grabbed by form grabber.
Look, we reversed this by teamwork, for what we thought was urgency, we feel so upset after revealing facts of what is REALLY going on! < Everything is Not like TM says. I can PoC-ing every detail I stated here by comparison of current findings to the data 6months ago.
If I don't HIGHLY respect my two friends mentioned above I will go to Full Disclosure about this mess..with all CnC data I just snapped.
This is why
I asked TrendMicro to put HASH in their analysis and they did not listen.
Now we KNOW WHY they didn't even do it, to make a cheap marketing buff like this and call it "analysis".
Additionally see the text of memory snapshot below, good enough for all of us who can analyze malware to PoC the sample we counter analysis is the Citadel botnet trojan. Also see the rest cracked data in the attachment comment, has more CnC access than was exposed in previous posts.
Code: Select allZwk
ywo
Global\%08X%08X%08X
nspr4.dll
chrome.dll
VQW
PDQ
kernel32.dll
SafenSoft
SysWatch
McAfee
McAfee
Security Center
McAfee
SecurityCenter
Symantec
Client
Symantec
Protection
Symantec
Shared
Symantec
Security
Norton
Protection
Kaspersky
Security
Kaspersky
Anti-Virus
avast!
Antivirus
AntiVir
Desktop
AVG
Monitor
AVG
Service
AVG
Security
ESET
Security
ESET
Antivirus
Microsoft
Inspection
Microsoft
Malware
Microsoft
Security
SOFTWARE\Microsoft
.dat
SysListView32
MDIClient
CiceroUIWndFrame
ConsoleWindowClass
SysShadow
Chrome
Firefox
Internet Explorer
|@x@t@p@l@h@d@`@\@X@T@P@L@H@D@@@
s%08X%08X%08X%08X
d.exe
open
udp
disabled
single
dual
SeShutdownPrivilege
AntivirusProduct
companyName
displayName
versionNumber
Unknown
Company: %s
Product: %s
Version: %s
FirewallProduct
Software\Microsoft\Windows\CurrentVersion\Uninstall
Publisher
DisplayName
DisplayVersion
%u: %s | %s | %s
SeTcbPrivilege
.tmp
pbc
S:(ML;;NW;;;LW)
DISPLAY
.txt
ProductName
ProductVersion
CompanyName
\VarFileInfo\Translation
\StringFileInfo\%04x%04x\%s
ntdll.dll
bat
ComSpec
S:(ML;;NRNWNX;;;LW)
SeSecurityPrivilege
S:(ML;CIOI;NRNWNX;;;LW)
cab
Global\
Local\
file
tmp
%s%08x.%s
ROOT\SECURITYCENTER
ROOT\SECURITYCENTER2
SELECT * FROM %s
WQL
QEP
VEP
VEPH
VEP
D}Xb
PEP
PEP
PBP
auX
duX
SEP
`uXU
PEP
PEP
MfE
MfU
MfU
MfU
MfU
MfEfE
SEP
SEP
.text
`.data
.reloc
wbU
wPI
wwp
Wgv
Mgv
fv_Zhv
qfv9]lvS
mvY0lv
`gv'0lv
ygvR4gvd
hvIugv
qog
qyi
qUj
<5IkQ
<5IkQ
<5IkQ
fKg
QZN
socks
vnc
shell
powershell
.swf
.flv
facebook.com
%BOTID%
%BOTNET%
%VIDEO%
HTTP/1.1
POST
GET
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
_getFirefoxCookie
PR_GetNameForIdentity
PR_SetError
PR_GetError
HTTP/1.0
Host
Content-Length
http://
NSS layer
https://
User-Agent
Cookie
Accept-Language
Accept-Encoding
Referer
Content-Type
Authorization
HTTP/1.
Transfer-Encoding
chunked
Connection
close
Proxy-Connection
X-Frame-Options
identity
If-Modified-Since
D52C3A25FB86B4660219344E1BC5A755
RFB 003.003
RFB
0X0X0X4X4X4X4X4X4X4X0N0N0N0N4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X
SVW
QSV
0X0X0X4X4X4X4X0N0N0N0N4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X
QSVW
QSV3
SVW
QSVW
QSV
QSV3
SVW
0X0X0X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X0N0N0N0N4X4X4X4X4X4X4X4X4X4X4X4X0N
0X0X0X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X
0X0X0X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X0N0N0N0N4X4X4X4X4X4X4X4X4X0X0X4X4X4X4X4X4X
0X0X0X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X4X0N0N0N0N4X4X4X4X4X
QSVW
0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0N0N0N0N0X0X0X0X0X0X0X0X0X0X0X
QSV
0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0N0N0N0N0X0X0X0X0X0X0X0X0X0X0X0X0X
0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0N0N0N0N0X0X0X0X0X0N0N0N0N0X0X0X0X0X0X0X0X0N0N0N0N0X
QSV3
0X0X0X0X0X0X0X0X0X0X0X0X0X0X0N0N0N0N0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0X0N0N0N0N
SVW
QQSUVW
QSV
QSVW
0X0X0X4X4X4X4X4X4X4X4X4X4X0N
0X0X0X4X4X4X4X0N0N0N0N4X4X4X
SUVW
QSVW
0X0X0X4X4X4X4X4X4X4X4X4X4X4X
PR_OpenTCPSocket
PR_Close
PR_Read
PR_Write
WL_VQ
07"4rrm&!
AFSEU_D
XQR
QLFUQFV@VFaj|`
btgLF
ypzmh8WJC_hPQEORqAWYBGG
hhp
iyqyzjh
Jeq~
Bmyv
Ytfo
eq`ypzp8|`~
^J[BF@_Y
FXD
@@@FUMV
#Odej`j$
`GLZFYDBQ
+Mlxlhkg#
1735,6y58983=4q/;l!#%-ic2j
Aglhff!t`.htni||r6v{~
p~{>|h;vpvB
Pph=
uwlq
CY^Q]AAI`KMXZN\
^YLZpHAMPJQLF_@VdH\UPHX
@GRDnVGB^PV[WLHeBAS
vqdrXswhT
gjcang
@GRDnSV@IO`Y\L
~ylzPkui`wue
q}eO
badrts}|jBymcclb
_SKa[[d[QP
mp_scekj~
|akx|k{m{UHEQVGTOb^PR_WL
oATD{gckxVkidmpt
H\HHSS_S
WSE[G_CMZ
WJ@SW@PFP~cnz}l
dIu{yt|g</0/Dj
oPLH@S}EFBH\NDuLJBZD^DTA
qAPQRKUB
Ytj|XKL
M_LKNUIP
GBUE
rlruhrigoy
LJUSN@OF
lq{hl{k}k[TFG[_
_\DGYSEtPOKW@R
Cmxohsvvd
afse~p
Fvgf
danvcf
MKTR
]QQLRXN
M@BCOH\@IIW
FSKmS@G
PVR
R@AH?YG2 B5_A
BQV
DZF$
@obSTAG_d{VPQY^VJOO
?hGJ{mjx`
Hwsxtmj8[
cq3_pyc
Ce}aq5Dxwm
^eg~z{|6\`khxol>Se`kumbh}{
zWVF\_TTV_azW[JP
vIEZGS
vUCQS_
zZ@TVXN
HEFCFK^
\[NXr\]KG
L@PPIKS
YRSTWT
P]Z_^SKmck{e`|#,#2,?
lk~hBlm{w81bg}aw
:-bq@F:=$2
HDXO
"$TSFPzTUC_
IX_JLXDJ
BUEXV{~h`e{Qhnpgfquc7ksujCppru1>5rvz
BQ`f
OlzhjkeYLbzlh`t
iLFHFFKI
xCGKR
Gdg`rw-D`lciceo36~pp|gyeg
PVS[
hU_LH_OYo
XSEYF[M^uaAZH^MGU
b^UHth|jCNouesri
@fpbc6Eu|
MPSV!avveiaz`kj~|{y69u}qrxzz0";?v.
%=48AZ\+z|
("6nus$EC
zqmnb
+.$=rws
SHR%
ia?$&Q
Sl|hie"~2
p(tSJ\
EEZ\\
B`pmi
TMI
pfe-w.#(
k|;5F48G126a/
|m($Y%+V&#%p 06MZ
LPBYQ
E2(0~=UQ33t2.8#'roi<li/$>*d#KK)%b
wmkoipj
VP)*03-(sv
e`+Z$\8sw
'!MQG[!'
'"lag&~k
xKOEE@LKSU
LBQ
BZ[S
XUTH^ZPP
O(U"+[T
c(tfo
7c6v{vjptz>jyakojbeqw%
1bsuy
TPFRkPXS53
NJ\HqFBGG@T,,
N@FNbLCJ
AQU_hUG[
P^dlIYO><2[1z&4=^Z6
vpfrts
lhw{
iou}l
`|scosjmc
xjnq
{mnrh
.$0pkm:CE
$6/%{fb7Hp2
9JLX
BhA
lpHP
AOg
L&&jl66Z~??A
Oh44\Q
sb11S*
RF##e
uB!!c
D""fT**~;
;d22Vt::N
Cn77Y
J%%o\..r8
ooT
gg}V++
vvE
jL&&Zl66A~??
qqs
RRMv;;a
SSh
jjF
XXJ
MMUf33
PPDx<<
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
ppB|>>
aa_j55
iip
UUxP((z
&jL&6Zl6?A~?
R;Mv;
9Kr9J
M3Uf3
P<Dx<
~=Gz=d
"fD"*~T*
2Vd2:Nt:
7Yn7m
x%oJ%.r\.
a5_j5W
U(xP(
Mvv
Srr
=&&jL66Zl??A~
g99KrJJ
KQQ
==Gzdd
""fD**~T
22Vd::Nt
Cbb
77Ynmm
Ill
oxx
%%oJ..r\
qff
55_jWW
P~AeS
Q3`bS
pHhX
WfU
lZrN
ZwKi
T~Fb
FeQ
pHl\t
WBPQ
S~Ae
Xt!)I
Q3EbS
+XpHh
@Cwg
pNlZr
iZwK
bT~F
f7tN
FeQ
tHl\B
eS~A
bZI
Xti)I
EbSw
hXpH
rNlZ
KiZw
j_FbT~
One
2\tHlWB
PQAeS~
U vm
Ebdw
HhXpE
FMT
ZrNl
awKiZ
j~FbT
l\tH
XaC#GdG3QM[I
D_LK"^ Ri]6
W7l7t7|7
PHL4
9$9,949<9D9L9T9\9d9l9t9|9
<,V+u?J
SvWiPpW)
PIJ
NLNkX%R1
"mt1[s
Coded by BRIAN KREBS for personal use only. I love my job & wife.
%s%s%s
GetSystemPowerStatus
GetProcAddress
LoadLibraryA
NtCreateThread
NtCreateUserProcess
NtQueryInformationProcess
RtlUserThreadStart
LdrLoadDll
LdrGetDllHandle
.reloc
FIXME
__startRecord@16
__stopRecord@4
__freeRecord@4
__isRecord@4
__waitRecord@8
unknown
system
registry
setvalue
getvalue
video_start
bc_remove
bc_add
test
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
Sat
Fri
Thu
Wed
Tue
Mon
Sun
utf-8
ansi
image/tiff
image/png
image/jpeg
image/gif
text/xml
text/html
text/javascript
text/plain
Not found
Forbidden
Bad Request
%s, %02u %s %u %02u:%02u:%02u GMT
; charset=%s
HTTP/1.1 %u %s
Server: Apache
Date: %s
Accept-Ranges: bytes
Content-Length: %u
Cache-control: no-cache
Pragma: no-cache
Expires: %s
Connection: close
Content-Type: %s%s
HTTP/1.1 %u %s
Server: Apache
Date: %s
Connection: close
arg0
DEFAULT
ID: %s
RESULT: OK
arg1
arg2
arg3
global
value_%s
local
value_%s_%s
NULL
text
api
cmd
update.exe
config.bin
GET
POST
http://www.google.com/webhp
gdiplus.dll
GdiplusStartup
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipSaveImageToStream
ole32.dll
CreateStreamOnHGlobal
gdi32.dll
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
GetDeviceCaps
SelectObject
BitBlt
DeleteObject
DeleteDC
cookie_module
cit_ffcookie.module
video_module
cit_video.module
div
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
ZwQueryInformationProcess
IsWow64Process
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
del "%s"
if exist "%s" goto d
@echo off
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
Connection: close
urlmon.dll
ObtainUserAgentString
cabinet.dll
FCICreate
FCIAddFile
FCIFlushCabinet
FCIDestroy
bcdfghklmnpqrstvwxz
aeiouy
http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php
file
script
nbsp;
Basic
FAIL
PWWj%W
jDZRW
D$XP
D$,PW
D$TPWW
WWWh
D$D+fA
D$H.fA
D$L1fA
D$PUfA
D$\+fA
SVWh
lhx
uRf
uJj
\SVWj
PWVh
tlS
SVW
uSGW
GWPh
SVW
FVWh
(SVW
WPV
SVWu
SVh
tFS
SVWh
QQSVWh
SVW
tkh
$SVW
GHj&j
;wHu
SVW
xYC
!tGHHt=
!t'HHt
j<ZRV
j<ZRV
tsP
@!r2jD
t%jE
wLP
tMjF
9wHvG
@;GHr
j<ZRV
PVSRQ
SVW
VRP
RVP
T$(RQ
D$D9D$8
j<_WS
D$XPSS
D$HP
D$NP
D$NP
t$0Pj
WPj
D$XPj
D$hP
xYC
VVV
SVj
D$0Pj,
D$0Pj#
D$0Pj
D$0Pj
D$0Pj
VVVV
VVj
t$,QP
VVVPVV
SVW
tOj
uhGW
PVj
SVW
FVWh
tFj
SVW3
SVWj^
VVj
VWj
D$ PVVj
VWj
SVj_
SSj
j\Yf
VWj`
Sje
PWQ
SVW
tDjf
VWu)j
<SWjpj
WSP
PhD
PhT
Phl
FPP
FLP
QQS
XPZ
WPZ
,SVW
L$4PQV
C4VP
C4;C0u
YYW
SVW
tDk
D$|hD
t$lV
tiS
SVW
VWj
Ct#Ht
HHt
HuMf
AJu
t%fF
t%fB
t%fB
t%fB
PWQ
QSVWj
tQV3
pZC
=TZC
pZC
TZC
TZC
=pZC
pZC
=TZC
pZC
TZC
TZC
=pZC
SVW
=TVFSt
=QDPR
hXZC
hXZC
hXZC
U\SDt
G@BUt
QDPWu
djH
RQBUt
MLPU
ejI
D$DP
dubjJ
XZC
W8D$ t
SVW
HHt
HHt
t&Ht
uNj
SWtMj
QSVW
uTj
Pjd
PSj!
jdY
SWh
SWh
SWh
SWh
SWh
SWh
SWh
SVWtE
VVV3
VVW
PPP3
VtK
SPPP3
PEP
PEP
EPE
EfE
PEP
PEP
fEf
fEf
jVB
EfM
ZHI
ZHI
PEP
uWEP
VEP
PEP
PEP
PEP
VEh
QEP
EPE
SEP]
SEP]
PEj
EPE
pMQ
EPEPE
EPE
EWm
SMQ
jVE
PEP
EPEPE
h@PE
SVW
HHtGH
PSS
tEj
PSh
HHt:H
QPP
uQh
uAj
SSS
VWS
PWW
jZVS
PjZWS
jZVS
QQSV
0SVW3
,SVW3
4SA;M
,SVW3
tZC
DSV3
j`Zf;
GAi
tZC
GAHt8Ht HHt
SVWjT
PQS
vMf
vFV
GHf
f;GHsJ
GDj
f;OHr
tRf
t(VW
tES
QVW
$Sj@h
PVj
tQC
tQC
pQC
PRC
pRC
PSC
pSC
PTC
pTC
j>hpQC
pUC
hpUC
5xUC
u/FI
SVW
QSV
H<SV
D$<Pj
|$81ugf
pVC
Vh0{C
tZj
t$ WVUj
xZC
tdR
pUC
xWuQ
s+SW
<Nf;P
SVW
Phx
jDZRW
PWWWj
SVW
9t$Xt~
t;Sh,
SVW3
Vhe@A
PVW
@8EvuY
uPj
K8Mvt
VWj7
tfSj
SVf
t4SSSS
PWV
SVWj
f;t$lt
D$8Pf
VhaGA
WWWW
SVW
SVW
hxYC
DcC
hXZC
TZC
pZC
PUC
hPUC
t;UW
SZC
SZC
hxZC
DhC
RZC
D$8Ph
u#SSj
HcC
PzC
D$hP
SVW
Af9X
QPW
QPW
EpP
EdP
u|Pj<Z
PPV
uSV
PPV
uCV
PPV
PPV
PPV
PPV
Ph _C
D$pP
t,Ht Ht&Ht
Huh
t(WS
t Ht
HuZ
t#SV
SVh
Sh.HA
@t5Sh
Sh0rA
SVWj
D$@@uFj
SVW
D$4Ph0
D$0Pj
D$4Ph?SC
D$0Pj
D$4Ph
Ph`c
xhP`C
D$ PSVS
thj
D$4Ph?SC
D$0PSj
VVh
SVWh
SWh
PSj
Ph"(x
PSW
SSSj
PSS
FLh
FPP
PSh
tIP
Qjd
L$xQj
NuEj
Qjd
Nu'j
Qjd
SVW
~$VSW
VSW
VSW
tESW
PSW
tSj
JiA
SVW
D$$PhH
D$ PSh
QSVj
SSSh
QSWj
uCh
PVR
SSSh
SVWj
PSS
SSSV
8VWjHj
ZRh
WQP
PhT
tCP
Phl
SVh
t4SSSS
,SVW3
tj9M
VSW
QSV
QSV
SVh
ttW
SVWu
jHP
D$DP
9t$$t&9t$(v
F;t$(r
SVWj
uTS
D$(Pf
=HcC
hHcC
hHcC
SVW
Wh!N
Wh"N
PhZ
v?SS
thh
hHcC
SVW
D$xP2
D$xP
SVWj
QSV3
FW9u
QQPh|
<SVW
ds7PWS
D$4PW
ds7PWS
ds7PWS
txW
trW
QSVW
tVPj
tWV
PhG
rdW
QQSVW
RQj
RQj
SVW
D$,PWWV
PWW
RQj
RQj
SVWj
PPP
SVW
SVW
tBj
WVh
SVW3
SVWj
D$HP
UVW
DcC
DcC
DcC
HQP
-DcC
DcC
DcC
DcC
5DcC
j Zf
SVW
D$DVP
D$xP
usSW
0SVW3
PWj
QSh
QSh,
QShD
0SVW3
PWj
QSh
QSh,
QShD
SVW3
WWWWWWW
PWWW
PWhH
PWh\
PWht
QQSVW
VWj
uyj
O +G(i
lSVWj
tHj
hVj
SVj@X
j.Xf
tsS
PSh
tsh
SVW
D$PP
D$LP
D$LP
D$PP
D$LPh _C
D$PP
SVWh0
\u)SPW
*GWS:
j"Qi:
jGT
UbN
jGT
UbN
GFP
tCj
SVWj
VWS
VWS
VWS
SVW3
VWj@h
j(WR
8SWjpj
PSW
PhD
PhT
Phl
FPP
FLP
w,t'Ht
SVW
I j@h
Wj@h
Vj4X
SVW
D$lh
4SVW
D$$Ph
L$<PQV
C0;C,u
t)Ht
SVWu
9p,w09p
vrW
H0;H,u
t+Ht Ht
WVSQ
WVSQ
WVSQ
WVSQ
VWSQ
SQP
VWSQQP
VWSQ
SQP
VWSQ
SQP
QSV
Shz
taWS
SSS
PSSV
SWV
SVW3
QQSV
tfW
SUVWj
SVWj
SVj
SVW
uCh
PSV
QSVW
PWh
PWh('
PWh)'
PWh
PWh
PWh
D$LPj
D$LPj
D$LPj
D$LPVh
D$@PS
D$DPS
D$ 9t$ tHj
tDS
WUj
RQPP
unj
SVW
tzj
TSWj
SVW
t2j(j
tLV
SVW3
VWW
u_WVWWW
tKW
WWWj
SVS
QSW
SVW
ukV
SVj
SSj
u,j@j
Vto
Vtp
jDZRS
PShD
VWj
GPP
SEPE
WEPE
EPEP
EPE
jWx
jjPc
kuX
PEP
PEP
zuX
quX
jjj
SEP
PEP
PEP
SEP
PEP
WEP
EPE
WEP
ESEP
PEP
WEP
WEP
}SEP
PEP
WEP
WEP
PEP
EPEPE
PEPEP
PEV
PEPEP
EPE
fEfE
SEP
SEP
fEV
cEW
cEW
fESEP
PEPE
VEPE
[EPE
EPEPE
EPEPE
SSSh
SSj
VSS
FVS
vGj
QSP
PSVWj
uH9E
t%WWWW
h hC
t6f9;t1jL
uPX
PSj
EPP
uTX
Mtu
uLX
EtPj
ELP
EpPj
ELP
PjOZ
Mhu
Mpu
tfW
t6SV
VWjZ
D$0PWWj!W
uXj[
WWW
D$0PP
WWW
PVj
dSVW
3u8VW
D$,Vj
VWh
uO+C
VWjp3
K,QWWP
K,QPW
CHj
jXX
jXj
G$Pj
G Pj
TjU
ZRVP
ZRVP
t8VW
t8VW
tJS
tZVW
tGVW
tGVW
PVj
j|Yf
SVW3
Pj>Z
SWh
Pj>Z
PWj
tQf9:tL
DDHP
PWj
0Vji
VVj
Vjk
Rj j
uw!E
t7Wj
QSj
D$lP
SVW
SVW
RQP
juX
Pj(Z
PSSS
SVj~
VRQ
PPP
SVWjm
RSP
0t$Iuj
tYW
t9Wj
jlX
SVW
Rhp
Pj4Z
jdY
u:j@Z
joX
VWj
tBO3
KAF;
PPP
SVWQ
D$tP
D$pPh
D$pP
D$pPj
D$pPV
D$Hj
D$pPVSj
SVWj
PSS
SSS
SVW
SVW
VWWW
VWP
VWj
tNV
SVWj
PPVP
PPP
Ph:6B
PPP
SVWQ
VWWW
D$LP
VWj
D$PP
SVWj
PSS
SSS
SVWQ
PPP
txf9;ts
PVV
VVV
SVW
WWWW
PPPP
SVWj
WWWW
WPQ
PPPP
SVWQ
PPP
T$,h.EB
L$XQ
D$dP
th<0t
PVV
VVV
Ph.EB
SVWj
WWWW
WPQ
PPPP
EDjwXf
Etf
f3TE
SVW
PPPWh|OB
SVWj
VW9M
FPj@;
tdWS
;Pts
;Pts
PSV
SVW
tBV
D$pt
SVW3
h8vC
SVW
PVh
tvj
tdj
h8vC
xPC
pPC
rb;M
SVW
ush
VWj
h8vC
s@Wh
SVWj
=PzC
PzC
PVW
5HzC
h$vC
hPzC
5HzC
QRV
E#+E/^ZY
WaitForSingleObject
GetCurrentThread
SetThreadPriority
lstrcmpiA
InitializeCriticalSection
LeaveCriticalSection
GetLastError
EnterCriticalSection
GetLocalTime
CloseHandle
GetSystemTime
CreateThread
GetModuleHandleW
GetPrivateProfileStringW
WriteFile
GetFileAttributesW
CreateFileW
FlushFileBuffers
GetPrivateProfileIntW
GetProcAddress
ExitThread
GetTickCount
SetLastError
GetCurrentThreadId
ReleaseMutex
ExitProcess
GetModuleFileNameW
lstrcmpiW
GetFileAttributesExW
GetThreadContext
SetThreadContext
VirtualFreeEx
VirtualAlloc
GetProcessId
CreateProcessW
SetHandleInformation
ReadFile
CreatePipe
GetNativeSystemInfo
GetVersionExW
LocalFree
CreateEventW
WaitForMultipleObjects
GetCommandLineW
SetErrorMode
GetComputerNameW
SetEvent
VirtualFree
Sleep
OpenEventW
DuplicateHandle
GetCurrentProcessId
WriteProcessMemory
CreateMutexW
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
TlsAlloc
TlsFree
GetCurrentProcess
OpenProcess
TerminateProcess
ExpandEnvironmentStringsW
GlobalLock
GlobalUnlock
FreeLibrary
CreateDirectoryW
LoadLibraryW
WTSGetActiveConsoleSessionId
SetFileAttributesW
CreateRemoteThread
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
MoveFileExW
GetUserDefaultUILanguage
TlsGetValue
TlsSetValue
ResetEvent
LoadLibraryA
GetEnvironmentVariableW
FileTimeToDosDateTime
GetTempFileNameW
HeapReAlloc
FindFirstFileW
SetEndOfFile
HeapAlloc
SystemTimeToFileTime
SetFilePointerEx
GetLogicalDriveStringsW
HeapFree
GetProcessHeap
IsBadReadPtr
SetFileTime
VirtualQueryEx
Thread32First
WideCharToMultiByte
ReadProcessMemory
HeapDestroy
HeapCreate
lstrcpynW
Thread32Next
GetTimeZoneInformation
MultiByteToWideChar
lstrlenW
GetTempPathW
GetFileSizeEx
OpenMutexW
VirtualProtectEx
VirtualAllocEx
FindClose
RemoveDirectoryW
QueryDosDeviceW
FindNextFileW
VirtualProtect
GetFileTime
FileTimeToLocalFileTime
GetVolumeNameForVolumeMountPointW
DeleteFileW
GetFileInformationByHandle
GetModuleHandleA
KERNEL32.dll
CharLowerBuffA
GetDC
IsRectEmpty
GetWindowThreadProcessId
GetMessagePos
MapWindowPoints
SendMessageW
ReleaseCapture
IsWindow
SendMessageTimeoutW
GetCursorPos
SetWindowPos
PeekMessageA
PeekMessageW
GetAncestor
GetWindowLongW
SetCursorPos
GetCapture
GetClassLongW
GetWindowInfo
GetParent
PostMessageW
SetCapture
GetMessageW
GetWindowRect
GetMessageA
GetSystemMetrics
RegisterClassA
DefFrameProcW
DefWindowProcW
CallWindowProcW
CallWindowProcA
RegisterClassW
DefMDIChildProcA
DefDlgProcA
SwitchDesktop
DefMDIChildProcW
DefWindowProcA
ReleaseDC
GetDCEx
GetClipboardData
RegisterClassExW
TranslateMessage
GetUpdateRect
BeginPaint
OpenInputDesktop
DefFrameProcA
DefDlgProcW
GetWindowDC
RegisterClassExA
GetUpdateRgn
EndPaint
GetKeyboardLayoutList
MessageBoxA
ExitWindowsEx
GetShellWindow
EndMenu
GetUserObjectInformationW
HiliteMenuItem
PostThreadMessageW
GetMenuItemCount
GetMenuState
GetClassNameW
SystemParametersInfoW
TrackPopupMenuEx
GetMenuItemRect
GetMenu
MenuItemFromPoint
OpenDesktopW
GetSubMenu
SetKeyboardState
GetMenuItemID
GetThreadDesktop
RegisterWindowMessageW
ToUnicode
GetKeyboardState
CharToOemW
OpenWindowStationW
SetThreadDesktop
CloseDesktop
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
CreateDesktopW
MapVirtualKeyW
PrintWindow
EqualRect
IntersectRect
DrawEdge
FillRect
GetIconInfo
DrawIcon
CharLowerW
DispatchMessageW
GetWindow
SetWindowLongW
CharUpperW
CharLowerA
WindowFromPoint
MsgWaitForMultipleObjects
LoadImageW
GetTopWindow
USER32.dll
CreateProcessAsUserA
CreateProcessAsUserW
ConvertSidToStringSidW
IsWellKnownSid
GetLengthSid
InitiateSystemShutdownExW
RegCreateKeyW
RegEnumKeyW
RegQueryValueExW
RegQueryInfoKeyW
RegCloseKey
EqualSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityInfo
GetSecurityDescriptorSacl
CryptGetHashParam
OpenProcessToken
GetSidSubAuthority
CryptAcquireContextW
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
RegCreateKeyExW
CryptReleaseContext
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetNamedSecurityInfoW
LookupPrivilegeValueW
AllocateAndInitializeSid
CryptCreateHash
FreeSid
RegOpenKeyExW
CheckTokenMembership
SetSecurityDescriptorSacl
CryptDestroyHash
AdjustTokenPrivileges
RegSetValueExW
CryptHashData
RegEnumKeyExW
ADVAPI32.dll
StrCmpNIA
PathRenameExtensionW
PathRemoveBackslashW
PathIsURLW
PathRemoveFileSpecW
StrCmpNIW
PathQuoteSpacesW
UrlUnescapeA
wvnsprintfW
PathIsDirectoryW
PathFindFileNameW
PathAddBackslashW
SHDeleteValueW
PathSkipRootW
SHDeleteKeyW
PathCombineW
PathAddExtensionW
PathUnquoteSpacesW
PathMatchSpecW
wvnsprintfA
StrStrIA
StrStrIW
SHLWAPI.dll
SHGetFolderPathW
CommandLineToArgvW
ShellExecuteW
SHELL32.dll
GetUserNameExW
Secur32.dll
CoCreateInstance
CoSetProxyBlanket
CoUninitialize
CLSIDFromString
StringFromGUID2
CoInitializeSecurity
CoInitialize
CoInitializeEx
ole32.dll
GetDeviceCaps
SelectObject
DeleteObject
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
RestoreDC
SaveDC
SetRectRgn
GdiFlush
SetViewportOrgEx
GetDIBits
CreateDIBSection
GDI32.dll
WSASend
getaddrinfo
freeaddrinfo
WSAEventSelect
WSAAddressToStringW
WSAIoctl
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CryptUnprotectData
CRYPT32.dll
HttpQueryInfoA
InternetConnectA
InternetSetStatusCallbackA
InternetCrackUrlA
HttpAddRequestHeadersW
HttpOpenRequestA
HttpAddRequestHeadersA
InternetOpenA
InternetCloseHandle
HttpSendRequestExA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFileExA
InternetReadFile
HttpSendRequestW
HttpOpenRequestW
InternetSetFilePointer
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
GetUrlCacheEntryInfoW
InternetSetStatusCallbackW
InternetGetCookieA
InternetQueryOptionA
InternetQueryOptionW
InternetSetOptionA
WININET.dll
OLEAUT32.dll
NetUserGetInfo
NetApiBufferFree
NetUserEnum
NETAPI32.dll
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
VERSION.dll
PlaySoundA
PlaySoundW
waveOutSetVolume
waveOutGetVolume
WINMM.dll
VWQ
PWQ
VPQS
VPQj
QSVW
xSP
SVW
PQR
PQR
HIy
PVW
HIy
QRW
QSV
Xui
XuF
XuW
j Xf
j"Xf
j"Xf
SVW
tNF
SVW
PSRW
PRWV
j\Xf
WtRj V
WtSj V
f9Tx
f9TX
j*Xj?f
LlC
HlC
HlC
pYC
HlC
HlC
pYC
HlC
pYC
xrC
HlC
PSSh
uFS
DhC
DhC
HlC
HlC
=RZC
HhC
RZC
HhC
FOu
vcSVW
JSW
te9u
te9u
SVW
WQPh(
XVP
Pj j
t!SSS
QSV
SSj
zuc
QQS
PSSj
zuc
jDZRV
VVVQV
jDZ3
PSSSQS
PPh
PhL
w@jDZRj
tBV3
WWj
SPh(PC
E Ph
QQSVW
w0PV
tEV
VSj"
QSV
HD9M
PXSV
F,;F8u
zXi
V;Q$s
vwSV
wLi
K@;KHv
sDQ
rHu
wA9H
H4;H8s
r-Vj
jLW
s(;L$<t"
9D$0vh=
PWV
QQSWf
PWW
VWj
QPP
PVW
uLh
]lVh
|TVP
;Ehu=
E|VV
QPPj
Q@Pj
QPPj
Ph~f
PVW
YVW
tkSW
QVV
HSP
t!VV
PVVS
SSj
thS
SSSj
PSSSSSSh
SUVW
UUU
#MalwareMustDie! Thank's to all good researchers that join forces to solve this matter.
#12th Lord's CommandMen: "Thou Salt Not Lie About Malware Analysis!
#13th: Put the sample's HASH in your analysis "
At least we all have same result. 