A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5386  by markusg
 Wed Mar 09, 2011 8:36 pm
 #5401  by EP_X0FF
 Thu Mar 10, 2011 11:39 am
markusg wrote: DevicePropertiesa.exe
http://www.virustotal.com/file-scan/rep ... 1299702713
NSIS based downloader
Download and execute hxxp://westray.info/docs/cfwan.exe Backdoor.Cycbot.B (gbot/2.3)
eventvwra.exe
http://www.virustotal.com/file-scan/rep ... 1299702820
NSIS based downloader
Download and execute hxxp://westray.info/docs/batserv2.exe TrojanDownloader:Win32/Renos.MJ
MRINFOb.exe
http://www.virustotal.com/file-scan/rep ... 1299702847
NSIS based downloader
Download and execute hxxp://vidmage.info/stssd/sptnd.exe TDL4
msga.exe
http://www.virustotal.com/file-scan/rep ... 1299702873
NSIS based downloader
Download and execute hxxp://westray.info/docs/checkp3.exe
Password creation, a non-malicious program. Previously this URL was giving Bamital as payload.
netiougcb.exe
http://www.virustotal.com/file-scan/rep ... 1299702894
NSIS based downloader
Download and execute hxxp://vidmage.info/stssd/tcs20.exe Trojan AdvLoad aka Harnig.S

Posts moved
 #5406  by EP_X0FF
 Thu Mar 10, 2011 1:43 pm
markusg wrote: Dismb.exe
http://www.virustotal.com/file-scan/report.html?id=61222b2d4c677d6a7f3a266bec358280bee3ed22cd037db20edebdd285830293-1299757652
Target hxxp://westray.info/docs/batserv2.exe TrojanDownloader:Win32/Renos.MJ
findstrb.exe
http://www.virustotal.com/file-scan/report.html?id=e45ca78099b2e89689140a5c85ba490481707eb2d995dafcd32aa9e01422d5d0-1299757755
Target hxxp://vidmage.info/stssd/sptnd.exe TDL4
makecaba.exe
http://www.virustotal.com/file-scan/report.html?id=2187676ac078207d49fbbc1f1acd7b33f9633f697ac54c337259d92fb89006bf-1299757890
Target hxxp://westray.info/docs/checkp3.exe (previously it was Bamital drop)
mtstocomb.exe
http://www.virustotal.com/file-scan/report.html?id=f7bb85774275ffbe52a902a75dffb99126dbe5d08c42bfacb87fff10284efe92-1299757975
Target hxxp://vidmage.info/stssd/tcs20.exe TrojanDownloader:Win32/Harnig.S
netiougca.exe
http://www.virustotal.com/file-scan/report.html?id=7ec43633379c67bb5c163a8d12948918bff95f3f441e56c0c51067ac3919cf72-1299758063
Target hxxp://westray.info/docs/cfwan.exe Backdoor:Win32/Cycbot.B
DisplaySwitcha.exe
http://www.virustotal.com/file-scan/report.html?id=244e54b112ee4de99e5423323139da723941c7537b03f9ded4ae1b85c38607e1-1299760539
Target hxxp://westray.info/docs/cfwan.exe Backdoor:Win32/Cycbot.B
gpscriptb.exe
http://www.virustotal.com/file-scan/report.html?id=8a7da39a3cf4a1a6ec18b30ef487d93824a3f678e883986829155130487190d8-1299760648
Target hxxp://westray.info/docs/batserv2.exe TrojanDownloader:Win32/Renos.MJ
nslookupa.exe
http://www.virustotal.com/file-scan/report.html?id=997354f9a31aac7fa9e0d0053f1ad85c1d951ea257b36e36a21b252e37214b1e-1299760553
Target hxxp://vidmage.info/stssd/tcs20.exe TrojanDownloader:Win32/Harnig.S
openfilesb.exe
http://www.virustotal.com/file-scan/report.html?id=f2d798cea2ceced5103c1c864ba426392845c9f4316cf8aaa30b58544b6112c8-1299760769
Target hxxp://vidmage.info/stssd/sptnd.exe TDL4
psrb.exe
https://www.virustotal.com/file-scan/report.html?id=15b48247d989604f2fc83a06bdc2b739b82890639b0e412ad535b15c109dbdf3-1299764517
Target hxxp://westray.info/docs/checkp3.exe (previously it was Bamital drop)

Nothing new, even the payload is not re-crypted. All this trash was reviewed many times.
 #5465  by nullptr
 Tue Mar 15, 2011 5:27 am
Nothing special apart from zero detection of NSIS dropper and recrypt of well known friends.
hxxp://dnusax.com/ic/ic2.exe
TDL4, Hiloti, Renos, Bamital.I
pwd: malware
 #5501  by EP_X0FF
 Wed Mar 16, 2011 3:02 pm
markusg wrote: cgagent.exe
http://www.virustotal.com/file-scan/report.html?id=e5ab101a7e697551a0b7ec0e969c7ba4de37ec5c933f69972d51ab2ade42e236-1300217037
not NSIS. Trojan Hosts.

Modified host file
74.208.73.101 hxxp://www.qvc.com/
whoamia.exe
http://www.virustotal.com/file-scan/report.html?id=867c93ed9424f04e40f7c9a6a4a8628d8336f3d5c6f57747fe464420d4490941-1300217373
NSIS downloader. Drops inaccessible here. Likely the same ex-DogmaMillions creative: TDL4/Renos/Bamital/AdvLoad

hxxp://qvc.com/cds/rspdc.exe
hxxp://qvc.com/cds/dvcds.exe
hxxp://qvc.com/dxs/icpsc.exe
hxxp://qvc.com/dxs/etdsc.exe
hxxp://qvc.com/cds/hstsi.exe
 #5700  by EP_X0FF
 Mon Mar 28, 2011 5:01 pm
markusg wrote: dpnsvrb.exe
http://www.virustotal.com/file-scan/report.html?id=899a2569bf24caea13886ef00274f3ffbb387761005cded5dcf7ceb6983df1fb-1301325216
lvrl.exe
http://www.virustotal.com/file-scan/report.html?id=fc3eb62232dcdb98ad82c1d686f82eba27ed1f72908993a42e76a84b41064f1e-1301326376
NSIS downloader + Host changer.
main payload (all of them are executables)

hxxp://qvc.com/cgen/cdi.jpg
hxxp://qvc.com/qvcapp/icsx.jpg
hxxp://qvc.com/cgen/bch.jpg
hxxp://qvc.com/qvcapp/ehds.jpg

unavailable for me.
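As an added example (not code from the thread or from any of the posters), a small hosts-file auditor for the tampering described in posts #5501 and #5700 above: it flags names redirected to remote addresses, security-vendor domains that are redirected or sinkholed, and malformed entries. The vendor list and the sample hosts lines are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed list of vendor domains whose redirection or sinkholing suggests tampering.
SECURITY_DOMAINS = {"virustotal.com", "bitdefender.com", "trendmicro.com",
                    "scan.novirusthanks.org"}
# Names that legitimately map to loopback in a default hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping; comments and blanks are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        for name in parts[1:]:
            entries.append((no, parts[0], name.lower()))
    return entries


def audit_hosts(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, ip, hostname, reason) for each suspicious entry; [] means clean."""
    findings = []
    for no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, ip, name, "malformed address"))
            continue
        is_vendor = any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)
        if addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 / 0.0.0.0 sinkholes are normal for ad-blocking, but not for AV vendors
            if is_vendor:
                findings.append((no, ip, name, "security vendor sinkholed"))
            continue
        if name in LOOPBACK_NAMES:
            continue
        reason = "security vendor redirected" if is_vendor else "remote redirect"
        findings.append((no, ip, name, reason))
    return findings


# Constructed sample modelled on the modified hosts file shown in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
74.208.73.101 qvc.com
63.309.5.102 virustotal.com
89.105.6.98 bitdefender.com
0.0.0.0 ads.example.net   # sinkholed, not a redirect
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```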