A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#5295 by EP_X0FF, Thu Mar 03, 2011 5:46 pm
markusg wrote: testIpad.exe
http://www.virustotal.com/file-scan/rep ... 1299172796
NSIS-based trojan downloader.
Downloads more, including another trojan downloader, Trojan Downloader FakeCodec/Renos.

Additionally downloads and installs OfferBox Adware http://www.sophos.com/security/analyses ... erbox.html

Posts moved
Attachments (pass: malware): 1.25 MiB; 121.52 KiB
#5311 by EP_X0FF, Fri Mar 04, 2011 12:43 pm
markusg wrote: chkntfsa.exe
http://www.virustotal.com/file-scan/report.html?id=20bae6a000c15505ba4e2e2c0e4191ee4f2b1d1c653b369ace9b0cb4dd70bf06-1299238600
NSIS-based downloader.
Downloads and starts hxxp://westray.info/docs/batserv2.exe, which is Trojan Downloader Renos (packed by UPX + Cryptor):
http://www.virustotal.com/file-scan/rep ... 1299241265

cofireb.exe
http://www.virustotal.com/file-scan/report.html?id=7900d6c71b124856a7e57f8bf17d36c2a29fddd2b092d54674e6fdec48f5ea4e-1299239490
NSIS-based downloader.
Downloads and starts hxxp://westray.info/docs/dmcpyt.exe, which is Backdoor Cycbot (gbot/2.3):
http://www.virustotal.com/file-scan/rep ... 1299241434

dfrguib.exe
http://www.virustotal.com/file-scan/report.html?id=eb8cc22527d315fcda69dddeae4cc6a5c63917afff8c14cd2484b6920b77a655-1299239628
NSIS-based downloader.
Downloads and starts hxxp://westray.info/docs/cfwan.exe, which is Backdoor Cycbot:
https://www.virustotal.com/file-scan/re ... 1299241723

Dismb.exe
http://www.virustotal.com/file-scan/report.html?id=4151ab7fcd3e0e23be5b5e207bbea4cc07ac7e0b85971b43d96061c06d1c33e6-1299239752
NSIS-based downloader.
Downloads and starts hxxp://westray.info/docs/checkp3.exe, which is Trojan Bamital (with Stuxnet exploit):
http://www.virustotal.com/file-scan/rep ... 1299241919

oskb.exe
http://www.virustotal.com/file-scan/report.html?id=e2f76c9583b2c6671d54f3b1c4d2f93fd5cf98f94dac2c475b5df8f43f393ea9-1299239891
NSIS-based downloader.
Downloads and starts hxxp://westray.info/docs/benser.exe, which is TDL4 (reviewed by nullptr):
http://www.virustotal.com/file-scan/rep ... 1299242246

diantza.exe
http://www.virustotal.com/file-scan/report.html?id=7498ce3ff6d02dc5b131f66c24cfcf8a730dee8bc014b167bbbc0facf3e4a352-1299240061
The same as dfrguib.exe.

diskraidb.exe
http://www.virustotal.com/file-scan/report.html?id=0d91a3762b6a04626f282ac82b79ecea11d29c24be311e7664f4cf79e0516a38-1299240243
The same as cofireb.exe.

logmana.exe
http://www.virustotal.com/file-scan/report.html?id=6b4c095914d167f18cd8e29b9664537dfc32c768aa8b2a0b066176764a2d6410-1299240635
The same as chkntfsa.exe.

All payloads attached.
Posts moved.
Attachments (pass: malware): 569.96 KiB
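Every sample in the post above is labelled NSIS-based. As an added triage check (example code, not from the thread or its author), the Python below locates the NSIS firstheader that an NSIS stub stores at the start of its appended data and reports whether the declared data length matches the file, which separates a complete NSIS package from a truncated one or one with extra data appended. The image it scans is constructed inline, not a real sample.

```python
import struct

# NSIS "firstheader" record (NSIS source, Source/exehead/fileform.h), stored at
# the start of the data appended after the installer stub's PE image:
#   uint32 flags, uint32 siginfo (0xDEADBEEF), char magic[12] ("NullsoftInst"),
#   uint32 length_of_header, uint32 length_of_all_following_data
FIRSTHEADER_FMT = "<II12sII"
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)          # 28 bytes
NSIS_SIG = struct.pack("<I", 0xDEADBEEF) + b"NullsoftInst"   # siginfo + magic
FLAG_NAMES = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}


def find_nsis_firstheader(data: bytes):
    """Locate the NSIS firstheader in a file image.

    Returns a dict describing it, or None when the signature is absent.
    'intact' is True when length_of_all_following_data (which counts the
    firstheader itself) reaches exactly the end of the file; False means the
    file is truncated or carries extra data appended after the installer."""
    pos = data.find(NSIS_SIG)
    while pos != -1:
        start = pos - 4                       # flags word precedes siginfo
        if start >= 0 and start + FIRSTHEADER_SIZE <= len(data):
            flags, _sig, _magic, hdr_len, following = struct.unpack_from(
                FIRSTHEADER_FMT, data, start)
            return {
                "offset": start,
                "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
                "header_len": hdr_len,
                "following_len": following,
                "intact": start + following == len(data),
            }
        pos = data.find(NSIS_SIG, pos + 1)
    return None


def build_sample(stub_len: int = 64, header_len: int = 32,
                 payload_len: int = 100, extra: bytes = b"") -> bytes:
    """Constructed test image (not a real sample): a fake PE stub followed by a
    self-consistent NSIS firstheader, a header placeholder and payload bytes."""
    stub = b"MZ" + b"\x00" * (stub_len - 2)
    following = FIRSTHEADER_SIZE + header_len + payload_len
    fh = struct.pack(FIRSTHEADER_FMT, 4, 0xDEADBEEF, b"NullsoftInst",
                     header_len, following)
    return stub + fh + b"\x11" * header_len + b"\x22" * payload_len + extra


if __name__ == "__main__":
    print(find_nsis_firstheader(build_sample()))
    print(find_nsis_firstheader(build_sample(extra=b"\x33" * 10)))
```

Run it against a real file with `find_nsis_firstheader(open(path, "rb").read())`; a None result on a sample labelled NSIS is itself worth a second look.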
#5326 by EP_X0FF, Sat Mar 05, 2011 1:22 pm
markusg wrote: EULA.exe
http://www.virustotal.com/file-scan/rep ... 1299330493
NSIS-based trojan downloader.

Payload

hxxp://rvpvid.info/fido101/smvsys.exe [ TDL4 ]
hxxp://westray.info/docs/batserv2.exe [ Trojan Downloader FakeCodec/Renos aka Artro ]
hxxp://rvpvid.info/fido101/sysmsn.exe [ Trojan AdvLoad aka Harnig.S ]