A forum for reverse engineering, OS internals and malware analysis 

 #22972  by Xylitol
 Sun May 25, 2014 11:37 am
Moved.
Also a 1.0.0.5 in the attachment.
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
Attachments
infected
 #22991  by comak
 Thu May 29, 2014 11:29 am
from p4r4n0id's sample:
Version: 01.00.01.00
Botnet: HTM2
Botnet RC4: 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
Botnet RC6: 340e74d2ddea02894f3754596ab9ef84b25abfb41c4422ea71020a9c312cae3c4edac489c0eb79f8fe0737d47f81f8bbf8649c95b28c1b55269ff07613d4c5fc33c1718bb6b2e1f2c85b7f1bb88321584c10735aa989b504ebf9c57fdabba95bf2d12ae17e39e1a132fd2920c79fa219bd3fc49e0b1ef07ac57e92172a1d713a836886052b8d2c7a211de514aef3a8685dd2cc30b7f2ba201e1c917d061ad1c3eae77ed9fd85e622e9862f63177cb3b8
URLs: ['https://img.mswguard.com/img2/pix2.jpg']
FakeUrl: http://ovjjy.com/fnsmh/cfg.bin
OtherEncStrings: ['1]_W3U', '5lr|1=']
OtherStrigns: ['ohttp://ovjjy.com/fnsmh/cfg.bin\x00']
Sadly, the URL seems to be dead.
 #23072  by comak
 Mon Jun 09, 2014 4:39 pm
New version from http://blog.dynamoo.com/2014/06/inovice ... -spam.html
{
 'version': '02.00.00.00',
 'botnet': 'C1',
 'cfg': 'https://62.76.185.30/c.jpg',
 'fakeurl': 'http://ilfahcn.com/cfg.bin',
 'rc4sbox': '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',
 'rc6sbox': '8a8d6d1aecc63fd1767bff112688165e67aaed426146d46f2ce3ef389a41ac48a397aefedee1c80215c857c1b31aba5035a20c088a2c5cbaf85400c5024427a75fd3d795f8fa4a3fa3535505e5b765fe02f6e591a73eb18991c2c37d9084a24808d150e67bfe7586e79160d098bda87df92e50f524d57ba6643f1f150a790049c682d2ea188548da8d5bbb3d10735c8142ff8e089d31d43d53e9d3e3b6c19f3a428e036835d2d74034ece6c5a6eb1103',
 'urls': "['https://62.76.185.30/c.jpg']"
}
Many changes in binstorage... :(

Attached: the binary, the raw cfg and the decoded cfg.
Attachments
pw: infected
 #23075  by forty-six
 Mon Jun 09, 2014 9:25 pm
@comak Looks like a dropper in the file:

In case the file is removed, I've attached it below.

ZVM file: 62.76.41.73:8080 /tst/b_cr.exe
 #23098  by tohitsugu
 Wed Jun 11, 2014 10:02 pm
Is there some new method of extracting RC6? I've never figured out how you guys get the RC6 from the binary.
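Editor's note on the "RC6" field in the dumps above. Both RC6 values are 352 hex characters, i.e. 176 bytes = 44 words of 32 bits, which is exactly the size of the expanded RC6 key schedule S[0..2r+3] for the standard r = 20 rounds. So what the extractors pull out of the binary is most likely not a key but the already expanded round-key table, which a C implementation keeps in memory as 44 little-endian dwords and which can be used for decryption directly, without ever recovering the original key. The code below is an added example written for this note, not the posters' extraction tool and not the malware's own code. It implements RC6-32/20 from the RC6 specification, checks itself against the two published RC6 test vectors, and then loads comak's first dumped schedule straight into the decryptor. That the dumped words are little-endian in S[0..43] order, and that the config is processed as plain 16-byte ECB blocks, are assumptions of this example, not facts the thread states; the cipher core itself is the standard one.

```python
"""RC6-32/20 with a pre-expanded key schedule, stdlib only (Python 3)."""
import struct

R = 20                    # rounds: RC6-32/20/b as in the RC6 specification
T = 2 * R + 4             # 44 round-key words for r = 20
MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9    # RC6 key-schedule constants for w = 32

# The "Botnet RC6" value from comak's first dump in this thread, split for
# readability (352 hex chars = 176 bytes = 44 x 32-bit words).
SAMPLE_RC6_HEX = (
    "340e74d2ddea02894f3754596ab9ef84b25abfb41c4422ea71020a9c312cae3c"
    "4edac489c0eb79f8fe0737d47f81f8bbf8649c95b28c1b55269ff07613d4c5fc"
    "33c1718bb6b2e1f2c85b7f1bb88321584c10735aa989b504ebf9c57fdabba95b"
    "f2d12ae17e39e1a132fd2920c79fa219bd3fc49e0b1ef07ac57e92172a1d713a"
    "836886052b8d2c7a211de514aef3a8685dd2cc30b7f2ba201e1c917d061ad1c3"
    "eae77ed9fd85e622e9862f63177cb3b8"
)


def rotl(x, y):
    y &= 31                        # RC6 uses only the low lg(w) bits of the amount
    return ((x << y) | (x >> (32 - y))) & MASK


def rotr(x, y):
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK


def expand_key(key):
    """Standard RC6 key schedule: turns a b-byte user key into T round words."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    S = [P32]
    for _ in range(1, T):
        S.append((S[-1] + Q32) & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, T)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % T
        j = (j + 1) % c
    return S


def schedule_from_hex(hexstr):
    """Load a dumped schedule directly, skipping expand_key() entirely.
    Assumption (not stated in the thread): words are stored little-endian in
    S[0..43] order, as a C implementation would keep them in memory."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 4 * T:
        raise ValueError("expected %d bytes, got %d" % (4 * T, len(raw)))
    return list(struct.unpack("<%dI" % T, raw))


def encrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for i in range(1, R + 1):
        t = rotl((B * (2 * B + 1)) & MASK, 5)
        u = rotl((D * (2 * D + 1)) & MASK, 5)
        A = (rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * R + 2]) & MASK
    C = (C + S[2 * R + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def decrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    C = (C - S[2 * R + 3]) & MASK
    A = (A - S[2 * R + 2]) & MASK
    for i in range(R, 0, -1):
        A, B, C, D = D, A, B, C
        u = rotl((D * (2 * D + 1)) & MASK, 5)
        t = rotl((B * (2 * B + 1)) & MASK, 5)
        C = rotr((C - S[2 * i + 1]) & MASK, t) ^ u
        A = rotr((A - S[2 * i]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return struct.pack("<4I", A, B, C, D)


def decrypt_blob(S, data):
    """ECB over whole 16-byte blocks; a trailing partial block is left as-is.
    The mode the sample really uses is an assumption of this example."""
    n = len(data) - len(data) % 16
    out = b"".join(decrypt_block(S, data[k:k + 16]) for k in range(0, n, 16))
    return out + data[n:]


if __name__ == "__main__":
    S = schedule_from_hex(SAMPLE_RC6_HEX)
    print("S[0..3] =", ["%08x" % w for w in S[:4]])
    print("RC6 zero-vector ok:",
          encrypt_block(expand_key(bytes(16)), bytes(16)).hex()
          == "8fc3a53656b1f778c129df4e9848a41e")
```

If the dumped schedule is the real one, `decrypt_blob(S, raw_cfg)` on a raw config blob should yield structured data in the first block; garbage across every block is the quickest sign that the word order or the mode assumption is wrong, and trying big-endian words is the first thing to change.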