A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12665  by rkhunter
 Fri Apr 13, 2012 7:37 am
Kafeine wrote: 6 items only.
Sinowal.
Kafeine wrote: 2 items... but strange BH EK... don't really understand why Sinowal was here with Reveton and other stuff... (1 of both items confirmed as Sinowal by rkhunter)
9c80e4bd9ba11083d3c97b8c61e8be32 -> Reveton
 #13177  by AaLl86
 Sat May 12, 2012 2:42 pm
Hi All!
After I was studying the March 2012 Sinowal dropper, and starting to write an analysis of the old sample, my physical machine auto-updated the rootkit driver.
I had isolated it, but I still haven't started analyzing the new update.
I post here the May 2012 sample; unfortunately I haven't got the dropper, but I included in this package a small utility I wrote to help KernelMode.info users in the installation process.
See "readme.txt" for all info.

Hope this can be useful,
Andrea

PS: My English is bad :-(
Attachments
Sinowal.knf May2012 Sample
(530.08 KiB) Downloaded 104 times
 #13262  by Kafeine
 Wed May 16, 2012 8:33 pm
Can't tell you for sure it's Sinowal, but based on where I found it I am pretty confident it is. (36 items)
Attachments
Found on BH EK Sinowal - Password Infected
(1.76 MiB) Downloaded 98 times
 #13283  by Alex454
 Thu May 17, 2012 11:49 pm
Many thanks, I think it's Sinowal loaders.
But, it seems, greputrais.info is blocked :(
 #13447  by rkhunter
 Sun May 27, 2012 3:23 pm
Kafeine wrote: One fresh sample.
Seems the wave of Sinowal distribution is down...
Kafeine, can you confirm? :)
 #13449  by Kafeine
 Sun May 27, 2012 4:31 pm
I still have one. BH IP shared in private... they are reading us (aren't you, guys? gg for the fast adaptation...)

7 items attached. (Didn't check, but as usual, based on where and how it looks, it should be Sinowal.)
Attachments
7 items
(2.08 MiB) Downloaded 71 times
 #13450  by rkhunter
 Sun May 27, 2012 4:57 pm
Kafeine wrote: I still have one. BH IP shared in private... they are reading us (aren't you, guys? gg for the fast adaptation...)
Sinowal.
 #13451  by rkhunter
 Sun May 27, 2012 5:09 pm
I'm really interested in the count of bots. If any of the AV companies sinkhole the botnet, it will be great :)