A forum for reverse engineering, OS internals and malware analysis 

 #3611  by nullptr
 Sat Nov 20, 2010 2:31 am
It seems highly aggressive compared to some early Ramnit.A. MSE identified the infected PE files as Ramnit.I and the HTML as Ramnit.B.
 #3915  by EP_X0FF
 Fri Dec 10, 2010 6:57 pm
Thanks. This is an unusual SpyEye-like bot.

It stores itself under the %Program Files% folder and runs through the autostart folder in the Start menu. The bot payload dll named "hooker.dll" is injected into the memory of running processes.
When started, the bot spawned two IE copies and Windows Firewall blocked their activity.

Stuff from hooker.dll
{%08X-%04X-%04X-%04X-%08X%04X} ntdll.dll NtShutdownSystem kernel32.dll GetNativeSystemInfo
GetProductInfo SeDebugPrivilege SeShutdownPrivilege SeBackupPrivilege SeRestorePrivilege PROCESSOR_IDENTIFIER
HARDWARE\DESCRIPTION\System SOFTWARE\Microsoft\Windows\CurrentVersion SystemBiosVersion ProductId :///:
POSTGETHTTP/*.*
Host:{*}
Referer:{*}
/GET /%s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\*;q=0.1
Accept-Charset: utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
Pragma: no-cache
Connection: close
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: max-age=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html
Location: Date: Last-Modified: ddd',' dd MMM yyyy hh':'mm':'ss GMT ntdll.dll ZwQuerySystemInformation
ZwQueryInformationProcess ZwQueryInformationThread LdrLoadDll LdrGetDllHandle LdrGetProcedureAddress
RtlInitUnicodeString RtlUnicodeStringToAnsiString RtlFreeAnsiString RtlInitString RtlAnsiStringToUnicodeString
RtlFreeUnicodeString ZwQueueApcThread ZwTerminateProcess ZwResumeThread ZwProtectVirtualMemory
RtlCreateUserThread ZwClose kernel32.dll ExitThread ExitProcess r e p l a c e k e y w o r d s r e f e r e r u r l
b l a c k l i s t w h i t e l i s t d n s c h a n g e r a l l u n i q A S C I I U T F 8 U N I C O D E { k e y w o r d } < * >
ntdll.dll LdrLoadDll ZwQueryDirectoryFile dnsapi.dll DnsQuery_A DnsQuery_W DnsQuery_UTF8 ws2_32.dll send
sendto recv recvfrom WSASend WSASendTo WSARecv WSARecvFrom closesocket {4F6F3382-2928-8E14-74D2-1A9D1CD12BCC}
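The dump above runs module names and the exports that follow them together on one line, which is how a triager reads off which imports the payload resolves or hooks. This added helper (not code from the thread or from the sample) rebuilds that module-to-API table from an excerpt of the dump and flags the DNS and socket entry points that suggest traffic interception; single-letter tokens (wide-string residue such as "r e p l a c e") and GUID/format-string tokens end a run so they are not attributed to a module.

```python
import re

# Constructed excerpt of the hooker.dll strings dump quoted in the post above.
STRINGS_DUMP = """\
Location: Date: Last-Modified: ddd',' dd MMM yyyy hh':'mm':'ss GMT ntdll.dll ZwQuerySystemInformation
ZwQueryInformationProcess ZwQueryInformationThread LdrLoadDll LdrGetDllHandle LdrGetProcedureAddress
RtlCreateUserThread ZwClose kernel32.dll ExitThread ExitProcess r e p l a c e k e y w o r d s
ntdll.dll LdrLoadDll ZwQueryDirectoryFile dnsapi.dll DnsQuery_A DnsQuery_W DnsQuery_UTF8 ws2_32.dll send
sendto recv recvfrom WSASend WSASendTo WSARecv WSARecvFrom closesocket {4F6F3382-2928-8E14-74D2-1A9D1CD12BCC}
"""

MODULE_RE = re.compile(r'^[A-Za-z0-9_]+\.dll$', re.IGNORECASE)
API_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_]+$')   # plain export names, at least 2 chars

# Watchlist grouping (my assumption of what an analyst would flag first).
WATCHLIST = {
    "dns interception": {"DnsQuery_A", "DnsQuery_W", "DnsQuery_UTF8"},
    "socket interception": {"send", "sendto", "recv", "recvfrom",
                            "WSASend", "WSASendTo", "WSARecv", "WSARecvFrom"},
    "directory listing filter": {"ZwQueryDirectoryFile"},
}


def parse_hook_table(dump: str) -> dict:
    """Map each module name to the export names that follow it in the dump.

    A token that is neither a module nor an export-like identifier (GUIDs,
    format strings, HTTP header fragments, single letters from wide strings)
    ends the current module run, so later stray tokens are not mis-attributed.
    """
    table = {}
    current = None
    for tok in dump.split():
        if MODULE_RE.match(tok):
            current = tok.lower()
            table.setdefault(current, [])
        elif current is not None and API_RE.match(tok):
            if tok not in table[current]:        # dedupe repeated modules
                table[current].append(tok)
        else:
            current = None
    return table


def classify_hooks(table: dict) -> dict:
    """Return watchlist category -> sorted 'module!export' hits."""
    hits = {cat: [] for cat in WATCHLIST}
    for module, exports in table.items():
        for name in exports:
            for cat, watched in WATCHLIST.items():
                if name in watched:
                    hits[cat].append(f"{module}!{name}")
    return {cat: sorted(v) for cat, v in hits.items()}


if __name__ == "__main__":
    for cat, entries in classify_hooks(parse_hook_table(STRINGS_DUMP)).items():
        print(f"{cat}: {', '.join(entries) or '-'}")
```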
 #3916  by markusg
 Fri Dec 10, 2010 7:10 pm
This SpyEye variant I saw today 2 times from 2 different persons. I can not send the second one; the user deleted it before I was able to collect it :-)
I have another user and will try to collect the files.
 #4018  by EP_X0FF
 Wed Dec 15, 2010 5:29 pm
Not sure if this is still SpyEye. It has Autorunner behavior and misses rootkit functionality.

Cryptor + UPX

Payload dll "runner.dll" is mapped into the started Internet Explorer copy. IE is blocked by Windows Firewall.
Last edited by EP_X0FF on Sat Feb 05, 2011 7:26 am, edited 1 time in total. Reason: edit: removed unuseful strings dump
 #4889  by EP_X0FF
 Sat Feb 05, 2011 6:42 am
markusg wrote:http://www.virustotal.com/file-scan/rep ... 1296831547
http://www.file-upload.net/download-318 ... j.rar.html
Autorunner worm (Cryptor + UPX -> MASM) exploiting the Stuxnet LNK vulnerability.
There is no evidence proving this is SpyEye.

Original dropper, unpacked dropper, payload dll (rmnsoft.dll) and exploit dll (runner.dll) in the attachment.
https://www.virustotal.com/file-scan/re ... 1296887112

This is Ramnit, posts moved.
Attachments
pass: malware
Last edited by EP_X0FF on Sat Feb 05, 2011 7:27 am, edited 1 time in total. Reason: edit, posts moved
 #6456  by Xylitol
 Sat May 21, 2011 11:24 am

0F15430C5BB59ED02D8703F89B6E8A00C53FF5C1.exe 17/42 >> 40.5%
http://www.virustotal.com/file-scan/rep ... 1305912106

A2B4DCB8A1E5BB706CFB13FE76CA363F7928EE4ACAF21FDADABC7AB36[...].exe 38/42 >> 90.5%
http://www.virustotal.com/file-scan/rep ... 1305929022

BF58D739006E38AA481000952CA28A0014EC963D.sys 9/43 >> 20.9%
http://www.virustotal.com/file-scan/rep ... 1305032323

Found on 19 May 2k11 in the AMAG malware package.
Attachments
pwd: infected