A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15096  by 360Tencent
 Fri Aug 10, 2012 1:52 pm
Hi,looking for this

http://www.trusteer.com/blog/tilon-son-of-silon
The net result is very low AV detection of the Tilon dropper (4 out of 41 AV engines, results obtained on August 8th for sample MD5 92613662ac735c91e7e25b16237c3ac5)
http://www.malware.com.br/cgi/search.pl ... VmLmJtbw==

https://www.virustotal.com/file/04a0479 ... /analysis/

and a dead link :?:

http://sdohnigad.com/fas.exe

...
 #15097  by rkhunter
 Fri Aug 10, 2012 2:00 pm
360Tencent wrote:Hi,looking for this

http://www.trusteer.com/blog/tilon-son-of-silon
SHA256: 04a04790e08da925ae0bd93a051139477cfb4e87b778b3170a614652c026cc95
SHA1: 2e31e94ac29f8d002149fa4d1af9b0901d01e42d
MD5: 92613662ac735c91e7e25b16237c3ac5
Attachments
pass:infected
(322.31 KiB) Downloaded 138 times
 #20782  by EP_X0FF
 Thu Sep 12, 2013 5:11 am
This dropper has the same MD5 as in Trusteer article. In attach all FakeAV's extracted. Have no idea where is Tilon here, but maybe I miss something.
Attachments
pass: infected
(464.2 KiB) Downloaded 70 times
 #20791  by R136a1
 Thu Sep 12, 2013 1:18 pm
Hi there,

today I release my samples of Tilon, one of the most complex banking trojans out there. What many do not know that Tilon is a cross-platform malware, although the x64 versions look like test versions.

Some info about Tilon:

Silon/Tilon (Trusteer)
http://www.trusteer.com/news/press-rele ... line-banks
http://www.trusteer.com/blog/tilon-son-of-silon

Magic (Seculert)
http://www.seculert.com/blog/2013/04/ma ... hreat.html
http://www.seculert.com/blog/2013/04/ma ... -iocs.html

Asetus (Sophos)
http://www.sophos.com/en-us/threat-cent ... lysis.aspx

Yebot (ESET)
http://www.virusradar.com/en/Win32_Yebot/detail

News about a Tilon suspect: http://news.softpedia.com/news/Man-Alle ... 8770.shtml

Despite the news, Seculert's statement is that Magic aka Tilon is still alive (see dates). Maybe the source was sold after this arrest, but that's just speculation. :-)

Also take a look at ESET Virusradar for x86 version: http://www.virusradar.com/en/Win32_Yebot/chart/history

Samples info: (download see attachment)

Timestamp 2012-12-07: https://www.virustotal.com/en/file/5e07 ... /analysis/ 2.0.3 (internal version)
Timestamp 2012-10-24: https://www.virustotal.com/en/file/e78e ... /analysis/ 2.0.3 (internal version) x64 dump
Timestamp 2012-08-11: https://www.virustotal.com/en/file/ef37 ... /analysis/ 2.0.3 (internal version)
Timestamp 2012-07-22: https://www.virustotal.com/en/file/610a ... /analysis/ 2.0.3 (internal version)
Timestamp 2012-07-22: https://www.virustotal.com/en/file/5d98 ... /analysis/ 2.0.3 (internal version) x64
Timestamp 2012-01-10: https://www.virustotal.com/en/file/7a70 ... /analysis/ 2.0.1 (internal version)

Leaked internal sourcecode structure (from strings inside x64 dump - e78e75c70911781cafeea5c439995aa18fedd16114e8ed17e31a7d4598bf3d8e):
..\..\Common\Dll\Source\ArchiveWorker\ArchiveWorker.cpp
..\..\Common\Dll\Source\Config\Config.cpp
..\..\Common\Dll\Source\Etc\DnsQuery.cpp
..\..\Common\Dll\Source\Etc\etc.cpp
..\..\Common\Dll\Source\Etc\GetBotGUID.cpp
..\..\Common\Dll\Source\Etc\http.cpp
..\..\Common\Dll\Source\Etc\MapFile.cpp
..\..\Common\Dll\Source\Etc\Screenshot.cpp
..\..\Common\Dll\Source\Hooks\Hook.cpp
..\..\Common\Dll\Source\Inet\DownloadFile.cpp
..\..\Common\Dll\Source\Inet\GetPage3.cpp
..\..\Common\Dll\Source\Inet\NetUtils.cpp
..\..\Common\Dll\Source\MemoryLoadLibrary.cpp
..\..\Common\Dll\Source\Modules\AntiRapport.cpp
..\..\Common\Dll\Source\Modules\Autorun\Autorun.cpp
..\..\Common\Dll\Source\Modules\AvExclusionList.cpp
..\..\Common\Dll\Source\Modules\BotInfo\BotInfo.cpp
..\..\Common\Dll\Source\Modules\Browsers\Common.cpp
..\..\Common\Dll\Source\Modules\Browsers\Firefox\FirefoxCookies.cpp
..\..\Common\Dll\Source\Modules\Browsers\IE\Hook_IE.cpp
..\..\Common\Dll\Source\Modules\Browsers\IE\IE.cpp
..\..\Common\Dll\Source\Modules\Certgrabber.cpp
..\..\Common\Dll\Source\Modules\Daemon\Daemon.cpp
..\..\Common\Dll\Source\Modules\Ftp\Ftp.cpp
..\..\Common\Dll\Source\Modules\FtpEmailHttp_Grabber.cpp
..\..\Common\Dll\Source\Modules\Ftp\FtpServer.cpp
..\..\Common\Dll\Source\Modules\Keylogger.cpp
..\..\Common\Dll\Source\Modules\Log\Veh.cpp
..\..\Common\Dll\Source\Modules\ModuleControl.cpp
..\..\Common\Dll\Source\Modules\Rdp\DisableCsrssMessageBox.cpp
..\..\Common\Dll\Source\Modules\Rdp\GuiTool.cpp
..\..\Common\Dll\Source\Modules\Rdp\Rdp.cpp
..\..\Common\Dll\Source\Modules\ScreenModule.cpp
..\..\Common\Dll\Source\Modules\Tasks\Internal\Internal.cpp
..\..\Common\Dll\Source\Modules\ProactiveEngine.cpp
..\..\Common\Dll\Source\Modules\UnSpyEyeModule.cpp
..\..\Common\Dll\Source\Modules\UpdateModule.cpp
..\..\Common\Dll\Source\Modules\Socks\ProxyServer.cpp
..\..\Common\Dll\Source\Modules\Socks\Socks.cpp
..\..\Common\Dll\Source\Modules\Socks\SockServer.cpp
..\..\Common\Dll\Source\Modules\Tasks\ProcessTasks.cpp
..\..\Common\Dll\Source\Modules\Tasks\Tasks.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Buffer.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Webinjects_IE.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Injector.cpp
..\..\Common\Dll\Source\Modules\Webinjects\InjectRule.cpp
..\..\Common\Dll\Source\Modules\Webinjects\RequestContext.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Webinjects.cpp
..\..\Common\Dll\Source\PeMemoryFuncs.cpp
..\..\Common\Dll\Source\PipeServer.cpp
..\..\Common\Dll\Source\PluginSystem.cpp
..\..\Common\Dll\Source\Processes\GetCurrentRunningExecutables.cpp
..\..\Common\Dll\Source\Processes\HookNewProcesses.cpp
..\..\Common\Dll\Source\Processes\ProcessFunctions.cpp
..\..\Common\Dll\Source\Processes\ProcessInject.cpp
..\..\Common\Dll\Source\Processes\UacBypass.cpp
..\..\Common\Dll\Source\RegistryStorage.cpp

Also attached is a list of process name hashes, because Tilon uses hashes instead of plain text strings for process detection.


Regards
Attachments
PW: infected
(731.56 KiB) Downloaded 90 times
PW: infected
(433.12 KiB) Downloaded 78 times
(43.65 KiB) Downloaded 56 times
 #22309  by EP_X0FF
 Wed Feb 26, 2014 8:05 am
SpyEye was a complex malware with multiple additions (plugins) created by other people. Having found some pieces of code elsewhere does not automatically means SpyEye 2.0, 3.0 etc.