A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19280  by EP_X0FF
 Wed May 15, 2013 4:02 pm
TDL4 clones.

SHA1
Code: Select all
065d563acc3cfa7154f8b9e0529ade42b9aab978
ba2f0ce88c4d6dc49445af71f2aead9dbeb73104
bb5c6b439ae76c36e4a165c7643f8273ac686a16
c020e2828efbe477ea9cac010d440a49edcc9716
cd46aeca6828792bf51c8b0f0c8a13b3c9810e33
Attachments
pass: infected
(918.84 KiB) Downloaded 190 times
 #19471  by EP_X0FF
 Thu May 30, 2013 2:30 am
Alureon based trojan downloader, uses original TDL4 dropper (spooler injection, scheduler exploit - CVE-2010-3888, HIPS "ZwConnectPort" bypass) as platform.

Call home: agertioned.com (unavailable)

SHA256: f3361462f41cf5d4deed536ee1e81f8a67b7ffe03b94af99800c950caa2986aa
SHA1: 0bf188adc65a9ff9c267331c9c52457b9c2b53f2
MD5: 1508be0180316cac932dc70780ca7b94

https://www.virustotal.com/en/file/f336 ... /analysis/
Attachments
pass: infected
(39.9 KiB) Downloaded 129 times
 #19472  by EP_X0FF
 Thu May 30, 2013 3:01 am
Few more Alureon droppers, this time with classic TDL4 rootkit.

SHA1
Code: Select all
0e84a749c3c066bfa1f5dc2ef018cf6c7f7ad415
11b8350cd652268e91db566b8e8fa6e3a98de0ff
11ffe008e024157ba1803d58dc3f86b6c2fa1cda
28459404426ea56536fdb8dd7e3c8a309e594c8a
2d5007b3bc7c60959956efccef6fbece337a9bd1
401a50f0582a1b568fc052b5e5523a883b79bc44
4c93b38a571e2626f419a2b79f6bba71ae783a47
4e94c6dacce8aa84ba7e277b3160bb7d76df0930
61611632c7099440818b561f78a432576201afb0
7f2b0acae0f95e15aa20e4926f7259cac622f73d
7f5dee89c9e95aef29ce2d12a5e24740c85d9652
8072bb24b40d7d5110995725fb701977e616a7aa
808d9239cefa2cae9e43429209998e506ce3dfb2
8213a4f39fd2453ecb3e417025e435cd760e5ecb
880504006c58e1014a8f0e92d69ec6fa0359543b
8ab7a97e6cee2deacb28ddc69e892b17114e1437
a763efb742d8c03cba16998611549b03d8eb20d3
b0c3e3742cb874326fc5c011bdf1360ec7dc6845
c2aea90c3c2330bddcd38324b714a3ae61149746
c4145c1cdc257776fc5bb03e22031c49a66fd7d5
c47629d0aa7d52af313f1c8d3524f68f6d6a532d
d1cc4b3b9d88b6e3d3557d4a0e92cbc6713fea34
dd7f8c48c75a4d05ad84411cb6fa0e1143f842f9
e03df3ff196b5ead1acb3a285f319c7d4f72f175
e0592aa2af4c1802b515dbb820bf1c564002f62c
e2489159d050745414b53110b911024af7a80206
e96bfae511c8d94213f5827175a6c8e159fce0e4
ff142c3f89ef3ae7cc81661df9c2c65d9385bde4
Attachments
pass: infected
(3.61 MiB) Downloaded 210 times
 #19540  by EP_X0FF
 Tue Jun 04, 2013 7:54 am
Attachments
pass: infected
(305.3 KiB) Downloaded 201 times
 #20981  by p4r4n0id
 Thu Sep 26, 2013 6:52 pm
New TDL dropper variants exploit CVE-2013-3660 ( EPATHOBJ vuln.)

SHA1: abf99c02caa7bba786aecb18b314eac04373dc97

http://www.f-secure.com/weblog/archives/00002612.html

p4r4n0id
Attachments
pwd: infected
(231.68 KiB) Downloaded 142 times
 #20985  by EP_X0FF
 Fri Sep 27, 2013 3:23 am
That's actually not a *new* TDL or anything new in general. This is the same copy-paste variant -> http://www.kernelmode.info/forum/viewto ... 540#p19540 unrelated to MaxSS fork. 2013-3660 copy-pasted in PowerLoader (well everybody now has it source) and now in this low quality crap as they seems just share same codebase.
  • 1
  • 56
  • 57
  • 58
  • 59
  • 60