Win32/Dofoil

#12840 by kalptarunet
Sat Apr 21, 2012 1:00 pm

Hello,

I'm looking sample of

Dofoil”, also known as “Bredo”/ “Zurgop”,

AutoRun Value:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\dxdiag.exe

Sorry not having any info or MD5.

Thanks,

Username

kalptarunet

Posts

12

Joined

Sun Feb 27, 2011 2:25 pm

Win32/Dofoil

#12843 by hx1997
Sat Apr 21, 2012 4:34 pm

kalptarunet wrote:Hello,

I'm looking sample of

Dofoil”, also known as “Bredo”/ “Zurgop”,

AutoRun Value:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\dxdiag.exe

Sorry not having any info or MD5.

Thanks,

Maybe this one?
C1E5DAE72A51A7B7219346C4A360D867 - Win32/TrojanDownloader.Zurgop.AB trojan

Password "infected"

Attachments

C1E5DAE72A51A7B7219346C4A360D867.rar

(27.28 KiB) Downloaded 85 times

Username

hx1997

Posts

101

Joined

Sat Apr 07, 2012 12:16 am

Win32/Dofoil

#14363 by dumb110
Fri Jun 29, 2012 10:48 am

SHA256: 9b200cd9c38f78e589dbe259b34fbb3da0a292b1fa2710927823d7dc14800aee

sample please..

Username

dumb110

Posts

111

Joined

Tue Jun 05, 2012 1:29 pm

Win32/Dofoil

#14374 by rkhunter
Sat Jun 30, 2012 7:23 am

dumb110 wrote:SHA256: 9b200cd9c38f78e589dbe259b34fbb3da0a292b1fa2710927823d7dc14800aee

sample please..

MD5: c6b3a65256f0948d65ce38d6435a9db8
SHA1: 1654bed972c0b5d75f9431f5fe39a7a9cfc61133

Attachments

c6b3a65256f0948d65ce38d6435a9db8.zip

pass:infected
(37.55 KiB) Downloaded 89 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Win32/Dofoil

#19552 by EP_X0FF
Wed Jun 05, 2013 6:06 am

Dofoil using simplified version of PowerLoader style inject. Sample courtesy of noxnox. Dropper and payload attached.
Set breaks on NtCreateSection/SetWindowLongA to see more.

https://www.virustotal.com/en/file/83ed ... /analysis/

Attachments

Malware.rar

pass: infected
(574.28 KiB) Downloaded 84 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32/Dofoil

#19553 by sugar
Wed Jun 05, 2013 8:00 am

for zbot fix Imagebase to 108B0000

Username

sugar

Posts

12

Joined

Sat Jul 30, 2011 10:33 am

Re: Win32/Dofoil

#23179 by thisisu
Sat Jun 21, 2014 8:37 pm

Win32/Dofoil.T

MD5 8176a3ec0aec664fb4170fdf9c9ee261
SHA1 034cee51257195b9b29e68d5ec714671de9ccc0d
SHA256 3d773d150fa014625c9c8718068d91b6a32b05431601754808e91ec1932512a8
https://www.virustotal.com/en/file/3d77 ... /analysis/

Code: Select all

HKU\Owner\...\Policies\Explorer\Run: [Ukcmedia] => C:\Users\Owner\AppData\Roaming\udbsfdsv\sgfautuj.exe [128008 2010-11-21] ()

Attachments

sgfautuj.zip

pass: infected
(72.38 KiB) Downloaded 68 times

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Win32/Dofoil

#25249 by Aleksandra
Sun Feb 15, 2015 4:23 am

http://www.virusradar.com/en/Win32_Troj ... escription
http://www.microsoft.com/security/porta ... 2/Dofoil.T

MD5: 4aec1448f93ba213efcad9a1ea9b377c
SHA1: 31f7d08659b54918c2654bd36dcc866ab5612cd1
https://www.virustotal.com/ru/file/428a ... /analysis/

Attachments

4aec1448f93ba213efcad9a1ea9b377c.rar

pass: virus
(25.32 KiB) Downloaded 53 times

Username

Aleksandra

Posts

79

Joined

Sun Jun 05, 2011 9:34 pm