Trojan SpyEye (alias Pincav) - Page 41

Re: Trojan SpyEye (alias Pincav)

#17599 by EP_X0FF
Fri Jan 04, 2013 5:31 pm

Aleksandra wrote:MD5: 059789e2e3920a773d12c0706c80896b
SHA1: 685c517483788734538cef992ea35332f744908f
https://www.virustotal.com/file/f189b7accd52d6bd415f193c8ce9e1edb6248d712ef656b1ed6b53250bfad9f2/analysis/

Gate: hxxp://94.102.63.196/_cp/gate.php;300

pass for decrypted config: 2C6C79E4A55E89B12DB309127695B09A

Decrypted exe and config in attach (was VB runpe).

ver=10348

Attachments

spyeye.rar

pass: malware
(115.28 KiB) Downloaded 87 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#17606 by Xylitol
Fri Jan 04, 2013 6:31 pm

Code: Select all

SYN1: http://94.102.63.196/f1/
CN1: http://94.102.63.196/l1/
hydra -l admin -P pwd.lst -s 80 -w 64 -f -V 94.102.63.196 http-post-form "/f1/ajax/login.php:password=^PASS^:Wrong password"
hydra -l admin -P pwd.lst -s 80 -w 64 -f -V 94.102.63.196 http-post-form "/l1/mod/auth.php:pass=^PASS^:Wrong password"

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Trojan SpyEye (alias Pincav)

#17677 by Xylitol
Fri Jan 11, 2013 1:36 pm

Code: Select all

hxxp://www.eurotitrisation.fr/js/deus4.exe

unpacked ver in attach

Attachments

Eye.zip

infected
(411.47 KiB) Downloaded 115 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Trojan SpyEye (alias Pincav)

#17687 by STRELiTZIA
Sat Jan 12, 2013 2:55 pm

Gate:

hxxp://94.102.63.196/_cp/gate.php;300

Collector:

94.102.63.196:443

Password to unzip config: 6A2BBEA322BD4361121542A3855BA7CB

Attachments

Config_decrypted.zip

(140.26 KiB) Downloaded 89 times

Username

STRELiTZIA

Posts

104

Joined

Sun Mar 14, 2010 7:02 am

Re: Trojan SpyEye (alias Pincav)

#18790 by Xylitol
Mon Apr 01, 2013 12:03 pm

Code: Select all

hxx://SuperAdsDomain.ru/bl/build___0cf972e4.exe

hXXp://91.231.156.42/_cp/gate.php
http://91.231.156.42/adm/frmcp/
http://91.231.156.42/adm/maincp/

guid=6.1.7600!ADMIN-PC!78599FED&ver=10348&ie=8.0.7600.16385&os=6.1.7600&ut=Admin&ccrc=BDC13D7B&md5=f414ee4ce5ca2900932ec075aab76947&plg=ccgrabber;customconnector;ftpb
admin:16B21AE0C9A2D4EB106B505FB8F08510:521:35

http://www.virustotal.com/file/53d03128 ... 364817703/

Attachments

build___0cf972e4.zip

infected
(182.77 KiB) Downloaded 88 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Trojan SpyEye (alias Pincav)

#18799 by EP_X0FF
Mon Apr 01, 2013 5:52 pm

Pass for decrypted config: AB39D0B8B0C6CFAD363E328D66C8ACB3

customconnector config

Code: Select all

hxxp://91.231.156.42/_cp/gate.php;300
hxxp://mrricco.com/_cp/gate.php;300
hxxp://mrpokko.com/_cp/gate.php;300
hxxp://mrdep.net/_cp/gate.php;300
hxxp://mrovi.net/_cp/gate.php;300
hxxp://mrtony.com/_cp/gate.php;300
hxxp://frenking.com/_cp/gate.php;300
hxxp://pidlisro.com/_cp/gate.php;300
hxxp://tiskaliorg.net/_cp/gate.php;300
hxxp://stradivarri.com/_cp/gate.php;300
hxxp://bet365x7.net/_cp/gate.php;300

Decrypted dropper attached.

https://www.virustotal.com/en/file/d985 ... /analysis/

Attachments

decrypted.rar

pass: infected
(110.4 KiB) Downloaded 77 times

decrypted13x.zip

(5.34 KiB) Downloaded 74 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#19185 by EP_X0FF
Sat May 04, 2013 5:14 am

One more SpyEye script-kiddie from the blacklist arrested

http://www.wired.com/threatlevel/2013/0 ... -indicted/

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#19186 by rkhunter
Sat May 04, 2013 6:14 am

EP_X0FF wrote:One more SpyEye script-kiddie from the blacklist arrested

http://www.wired.com/threatlevel/2013/0 ... -indicted/

bye bye boy.

http://krebsonsecurity.com/2013/05/alle ... ed-to-u-s/

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#19191 by Xylitol
Sat May 04, 2013 9:14 am

for info bx1 is the coder of SpySpreader module

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Trojan SpyEye (alias Pincav)

#19192 by rkhunter
Sat May 04, 2013 9:39 am

I fear to ask what happened with Gribodemon.

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact