A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #14608  by EX!
 Thu Jul 12, 2012 7:55 pm
Hallo,

Can you guys help me unpacking this malware?


The sample launches an svchost.exe process and injects the executable code into its address space, also connect with c&c
(vmware, Sboxie, qemu & debugging protection)


Thanks :mrgreen:
Attachments
password = infected
(8.92 KiB) Downloaded 44 times
 #14654  by Xylitol
 Sun Jul 15, 2012 11:07 am
Got a look to your SmokeBot C&C..
Code: Select all
++ IP Address: xxx.xx.58.187 | From: EC | ID: A60D47A8CB6C4C5516C8E03084CFB3413E727418 | Date: 15.07.2012 00:06:47 ++
=============================
Windows Live Messenger
=============================
UIN/Name: xxxxmoll@hotmail.com
...
UIN/Name: xxxxolita2009@hotmail.com
=============================
Internet Explorer
=============================
http://www.facebook.com/index.php@@@xxxxnavega@yahoo.es:
http://www.facebook.com/index.php@@@xxxxolita2009@hotmail.com:
http://www.facebook.com/index.php@@@xxxxavito20-19@hotmail.com:xxxx2011
http://www.facebook.com/index.php@@@xxxxl0218@hotmail.com:
http://www.facebook.com/index.php@@@xxxxissvc@hotmail.com:xxxx1991
http://www.facebook.com/index.php@@@xxxxl0218@hotmal.com :
http://www.facebook.com/index.php@@@xxxxysaltos@hotmail.es:
http://www.facebook.com/index.php@@@xxxxsarmiento13@hotmail.com:
http://www.facebook.com/index.php@@@xxxxnavega@yaho.es:
http://www.facebook.com/index.php@@@xxxxnavega@yahoo.es:
http://www.facebook.com/index.php@@@xxxxolita2009@hotmail.com:
http://www.facebook.com/index.php@@@xxxxavito20-19@hotmail.com:xxxx2011
http://www.facebook.com/index.php@@@xxxxl0218@hotmail.com:
http://www.facebook.com/index.php@@@xxxxissvc@hotmail.com:xxxx1991
http://www.facebook.com/index.php@@@xxxxl0218@hotmal.com :
http://www.facebook.com/index.php@@@xxxxysaltos@hotmail.es:
http://www.facebook.com/index.php@@@xxxxsarmiento13@hotmail.com:
etc...

--
• dns: 1 ›› ip: 76.72.169.3 - adresse: STRELOKFANCY.COM

hxxp://strelokfancy.com/viaweb/mods/socks
hxxp://strelokfancy.com/viaweb/mods/grab
hxxp://strelokfancy.com/viaweb/mods/hosts
Crypted modules, uploaded the 22 june.
Campaign started the 4 jully, ten days so, and looks like the guys removed exes from panel.
Also the guest login is defaut credential, but nothing interesting.