A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8837  by rough_spear
 Thu Sep 29, 2011 5:15 pm
Hello, :D
Two variants of Sinowal-Mebroot rootkit. :mrgreen:

w1.php
hxxp://jabqnhijyus.com/w.php?f=26&e=1
File size - 124KB

http://www.virustotal.com/file-scan/rep ... 1317276316

MD5 : 6309cebbefdbc5efaddf80905f550034
SHA1 : b5ddf028954a92bb2b18a53d767f2804a738b0e0
SHA256: e4b0feb20c8173f00d6ad4a6a8d6d20e6a4d35c3cba60b08f06beb12bf43f64d
ssdeep: 1536:Kwu8V/nrS/qc0WckMks2GvpfduFK8ThzzBqem4:KKVz/WBMRRvlkrzzBqe


w.php
hxxp://jabqnhijyus.com/w.php?f=26&e=1
File size - 120KB

http://www.virustotal.com/file-scan/rep ... 1317273489

MD5 : 7b26093f4b871d72065b497eea850e96
SHA1 : 033533c6e262a542a299dbdb69de9810d7722536
SHA256: 66dc3eb8b6ff0288409d6b00febaa6f9d1abfe759b835eb4e700e775623381a4
ssdeep: 1536:n/8M2wlpXXjZaYV3J2+MvZZ1cSo4VvBxHPiyKT3hzzBqem:n/ywPjZxJ4+ML1LFvbchzzBqe

Regards,


rough_spear. ;)
Attachments
password - malware.
 #8993  by rough_spear
 Thu Oct 06, 2011 5:44 pm
Hi, :D
Five variants of sinowal. :lol:


Regards,


rough_spear. ;)
Attachments
password - malware.
 #9389  by rkhunter
 Mon Oct 24, 2011 1:33 pm
MDL wrote that Mebroot are now using fastflux.
 #9569  by rough_spear
 Sun Nov 06, 2011 5:55 pm
Hello All, :D
Two more samples of Sinowal/Mebroot. :lol:

web link - hxxp://lhjptpglncz.com/w.php?f=89&e=6
File name - about.exe
http://www.virustotal.com/file-scan/rep ... 1320592008
MD5 : 7873274c27522ff46fa34e8ee8948fac
SHA1 : ec98a7caead7a1e3d36fe743567b63675a0093b9
SHA256: 8ab70e565dc6c0d17d16d815129ea0c63afd295b1ae1c28b954b3a836e3c19f4
ssdeep: 768:6xbFAagWUCRrxL6VM1s8YgzRfMyKWdSEaP6gRz0OmwzxoatHxEFuxliX9A:6xZLNF7L6pzKJEnygRzjzeaVxTlYA
File size : 57344 bytes

web link - hxxp://gbcnfpfgemo.com/w.php?f=65&e=5
File name - readme.exe
http://www.virustotal.com/file-scan/rep ... 1320593976
MD5 : b13aa1451b3041cfa6ddd9a6a28dbc8c
SHA1 : 46355baf90bbfa9d688ec7cd38660d4101e91a01
SHA256: 119bd470df5255f06a67dc1040889542015796660ece0a8b3529ebfdfefd9cb7
ssdeep: 768:6wrL9N258y/djpYEp6ES2ko674IlOqR1H1BsTe2Dmwgab2nsDyUX9A:6wrL9N2lvwES2ko6rJl279bssDxA
File size : 61440 bytes

Regards,


rough_spear. ;)
Attachments
password - malware.
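The sample listings in this thread (the posts of 29 September and 6 November above) all follow the same loose layout: a defanged hxxp:// dropper URL, a file name, a VirusTotal link, MD5/SHA1/SHA256 lines, an ssdeep hash that the forum sometimes wraps onto a second line, and a size. The Python below is an added example, not code from the original posts, that turns such a post into structured records: it keeps the URL defanged (only refanging a copy for parsing, never fetching it), splits the w.php query into its f/e parameters, rejoins a wrapped ssdeep line, and rejects hashes of the wrong length or with non-hex characters. The first two blocks of SAMPLE_POST are copied from the 6 November post (VirusTotal link truncated as on the page); the third block, with the dropper.example host and the malformed hashes, is constructed to show the validation path.

```python
"""Extract structured IOCs from forum-style malware sample posts (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, parse_qs

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
SSDEEP_RE = re.compile(r"^\d+:[A-Za-z0-9+/]+:[A-Za-z0-9+/]+$")
SSDEEP_FRAGMENT_RE = re.compile(r"^[A-Za-z0-9+/]+$")
DEFANGED_URL_RE = re.compile(r"hxxps?://\S+", re.IGNORECASE)
# "MD5 : ...", "SHA256: ...", "web link - ...", "File size : ..." and similar.
LABEL_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*[:-]\s*(.*)$")

# First two blocks copied from the post above; third block is constructed.
SAMPLE_POST = """\
web link - hxxp://lhjptpglncz.com/w.php?f=89&e=6
File name - about.exe
http://www.virustotal.com/file-scan/rep ... 1320592008
MD5 : 7873274c27522ff46fa34e8ee8948fac
SHA1 : ec98a7caead7a1e3d36fe743567b63675a0093b9
SHA256: 8ab70e565dc6c0d17d16d815129ea0c63afd295b1ae1c28b954b3a836e3c19f4
ssdeep: 768:6xbFAagWUCRrxL6VM1s8YgzRfMyKWdSEaP6gRz0OmwzxoatHxEFuxliX9A:6xZLNF7L6pzK
JEnygRzjzeaVxTlYA
File size : 57344 bytes

web link - hxxp://gbcnfpfgemo.com/w.php?f=65&e=5
File name - readme.exe
MD5 : b13aa1451b3041cfa6ddd9a6a28dbc8c
SHA256: 119bd470df5255f06a67dc1040889542015796660ece0a8b3529ebfdfefd9cb7
File size : 61440 bytes

web link - hxxp://dropper.example/w.php?f=1&e=1
File name - bad.exe
MD5 : 7873274c27522ff46fa34e8ee89
SHA1 : zz98a7caead7a1e3d36fe743567b63675a0093b9
"""


@dataclass
class Sample:
    url: Optional[str] = None          # kept defanged, exactly as posted
    host: Optional[str] = None
    query: dict = field(default_factory=dict)
    file_name: Optional[str] = None
    file_size: Optional[str] = None
    hashes: dict = field(default_factory=dict)
    ssdeep: Optional[str] = None
    references: list = field(default_factory=list)   # e.g. VirusTotal links
    problems: list = field(default_factory=list)     # validation failures

    def is_empty(self) -> bool:
        return self.url is None and not self.hashes and self.file_name is None


def refang(url: str) -> str:
    """hxxp:// -> http:// on a copy, purely so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_post(text: str) -> list:
    samples, cur, ssdeep_open = [], Sample(), False
    for raw in text.splitlines():
        line = raw.strip()
        # Forum line-wrapping: an ssdeep hash continued on the very next line.
        if ssdeep_open and SSDEEP_FRAGMENT_RE.match(line):
            cur.ssdeep += line
            continue
        ssdeep_open = False
        if not line:
            continue
        m = DEFANGED_URL_RE.search(line)
        if m:                              # a new dropper URL starts a new sample
            if not cur.is_empty():
                samples.append(cur)
                cur = Sample()
            cur.url = m.group(0)
            parts = urlsplit(refang(cur.url))
            cur.host = parts.hostname
            cur.query = {k: v[0] for k, v in parse_qs(parts.query).items()}
            continue
        if line.lower().startswith(("http://", "https://")):
            cur.references.append(line)
            continue
        lm = LABEL_RE.match(line)
        if not lm:
            continue                       # greetings, signatures, chatter
        label, value = lm.group(1).lower(), lm.group(2).strip()
        if label in HASH_LENGTHS:
            if label in cur.hashes:        # a second MD5 etc. means a new sample
                samples.append(cur)
                cur = Sample()
            h = value.split()[0] if value else ""
            if len(h) == HASH_LENGTHS[label] and HEX_RE.match(h):
                cur.hashes[label] = h.lower()
            else:
                cur.problems.append(f"bad {label}: {value!r}")
        elif label == "ssdeep":
            cur.ssdeep = value
            ssdeep_open = True
        elif label == "file name":
            cur.file_name = value
        elif label == "file size":
            cur.file_size = value
    if not cur.is_empty():
        samples.append(cur)
    for s in samples:                      # final ssdeep syntax check after rejoin
        if s.ssdeep and not SSDEEP_RE.match(s.ssdeep):
            s.problems.append(f"bad ssdeep: {s.ssdeep!r}")
    return samples


if __name__ == "__main__":
    for s in parse_post(SAMPLE_POST):
        print(s.host, s.query, s.file_name, s.hashes.get("sha256"), s.problems)
```

A new record is opened whenever another defanged URL or a repeated hash type appears, which is why the 29 September post (two samples with no "web link" label) parses the same way as the 6 November one. Anything that fails validation is kept in `problems` rather than silently dropped, so a truncated hash copied from a forum does not end up in a blocklist.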
 #9574  by PX5
 Mon Nov 07, 2011 1:50 pm
Noticed more changes for install since early last week.

Patches tcpip.sys and ipsec.sys and installs own driver.

192.168.2.7:1228 hxxp://67.227.204.203/patcher.php

entweder oder entweder oder entweder oder entweder oder :lol:

F:\repack\build\release\obj\src\uniload\uniload-patchdate-stub.pdb