A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6907  by EP_X0FF
 Wed Jun 22, 2011 1:39 pm
markusg wrote: 9E7D3072864.exe
http://www.virustotal.com/file-scan/report.html?id=3e68f0fcf29952a7ee96d1c42ab23dd63932fca496c9544fd539b8ef62c19c09-1308748731
Gate:
hxxp://213.155.0.24/judo/sgx.php;90
Decrypted config pass: FE796A0BBD38E8299373D67E1932BEBA

All in attach (unpacked, decrypted config)
Attachments
pass: malware
 #6916  by EP_X0FF
 Thu Jun 23, 2011 3:03 pm
markusg wrote: found on infected pc
Recycle.Bin.exe
http://www.virustotal.com/file-scan/rep ... 1308839748
Contains a fake gate entry, used in an attempt to discredit trackers.

In attach decrypted config (pass: 6CB7A652ECF6FD40F8CD644CA7B40352) and unpacked dropper binary (crypter and UPX removed).

http://www.virustotal.com/file-scan/rep ... 1308840851
Attachments
pass: malware
 #6922  by EP_X0FF
 Fri Jun 24, 2011 3:00 am
gritland wrote:
http://www.virustotal.com/file-scan/report.html?id=6a2bbbeec4cd9458a029359f79bcaaf5bb8d5b206ea83132e9bea07043f1d542-1308860597
http://www.virustotal.com/file-scan/report.html?id=0cf727d7673917dc43a02c8f0c40b338012023260d057c55e1bf4aee94c1d6fd-1308860421
http://www.virustotal.com/file-scan/report.html?id=1fd5d0940224b4e5cb3af8821cb9a5eb30dca1d55d19554c84b9a9ef1e7e646f-1308860154
dmp.exe

Gate:
hxxp://kebbe.co.be/f/nr.php;90
Recycler(1).exe

Gates:
hxxp://124ffsaf.com/sadg/gate.php;90
hxxp://12412edaa.com/sadg/gate.php;90
hxxp://263rdasd.com/hfgf/gate.php;90
hxxp://634rfeds.com/fdgg/gate.php;90
hxxp://351rewad.com/gfdg/gate.php;90
hxxp://f53151245.com/wew/gate.php;90
hxxp://63fsdfas.com/ret/gate.php;90
hxxp://1241wdads.com/hdfh/gate.php;90
hxxp://21ewfsdaf.com/ytrr/gate.php;90
hxxp://qxxew2444.com/tret/gate.php;90
hxxp://gasgasd.com/hfgf/gate.php;90
hxxp://gsagas25s.com/fdgg/gate.php;90
hxxp://3gqe5235d.com/gfdg/gate.php;90
hxxp://623t3fsd.com/ret/gate.php;90
hxxp://12235rfs.com/hdfh/gate.php;90
hxxp://21ew325fsa.com/ytrr/gate.php;90
hxxp://qxx32523rfs.com/tret/gate.php;90
hxxp://124125rfa.com/sadg/gate.php;90
hxxp://26325rf5.com/hfgf/gate.php;90
hxxp://63432rfg.com/fdgg/gate.php;90
hxxp://35325r3fgsd.com/gfdg/gate.php;90
hxxp://63f523rf.com/ret/gate.php;90
hxxp://1245232fs.com/hdfh/gate.php;90
hxxp://21253fss.com/ytrr/gate.php;90
hxxp://qxxe2353rfs.com/tret/gate.php;90
hxxp://15325rfse.com/sadg/gate.php;90
hxxp://35tfsgsdasd.com/hfgf/gate.php;90
hxxp://6325rfaseds.com/fdgg/gate.php;90
hxxp://332rfaswad.com/gfdg/gate.php;90
hxxp://63523rfasfas.com/ret/gate.php;90
hxxp://132532rfs.com/hdfh/gate.php;90
hxxp://21235fsaf.com/ytrr/gate.php;90
hxxp://325fs444.com/tret/gate.php;90
hxxp://124sdgs32.com/sadg/gate.php;90
hxxp://26325rfsd.com/hfgf/gate.php;90
hxxp://634sdgsd523s.com/fdgg/gate.php;90
hxxp://351r235fsef.com/gfdg/gate.php;90
hxxp://63fgsdt25.com/ret/gate.php;90
hxxp://124235rfs.com/1/gate.php;90
hxxp://21e23rfsdfsd.com/2/gate.php;90
hxxp://qx235rfs4.com/1/gate.php;90
hxxp://qfafs35rfs4.com/1/gate.php;90
hxxp://qx2536f.com/1/gate.php;90
hxxp://qxcxvbn3.com/1/gate.php;90
Recycler.exe

Gates:
hxxp://deemno.com/okes/cr.php;90
hxxp://wlokow.com/olsw/pks.php;90
hxxp://eweeped.com/oes/df.php;90
hxxp://vffbrgbg.com/oes/df.php;90
Attachments
pass: 9358F8AA5B5FE770A5FC072EAC90F80B
pass: B8861AB9ED87B79CC01DA26263373342
pass: 9358F8AA5B5FE770A5FC072EAC90F80B
 #6940  by EP_X0FF
 Fri Jun 24, 2011 5:02 pm
Xylitol wrote: HoneyNet Forensic Challenge 8 - "Malware Reverse Engineering"
http://www.honeynet.org/node/668
SpyEye unpacking challenge for those who want try, questions are cool.
Questions about NtVdmControl/NtQueryDirectoryFile hooks are quite primitive. I would not give more than 0.5 points for each.

By the way, the config they attached is not from the same sample. But the pass works for both configs.

Unpacked binary (VB crap and UPX removed) and decrypted config (XOR key 0xC4) in attach.

Pass for decrypted configs: FD433111A717A7184B1333B314CAE9C9

Gates:
hxxp://radiosci.info/1/gate.php;1800
hxxp://sc2wc.info/software/gate.php;3600
hxxp://rignorell.info/software/gate.php;3600
DDoS plugin configuration:
ssyn spyeyetracker.abuse.ch 443 360
ssyn forum-seo.net 80 120
udp forum-seo.net 80 120
slowloris forum-seo.net 80 120
Attachments
pass: malware
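As an added example, not code from the thread or from the malware itself: a small Python decoder that undoes the single-byte XOR (key 0xC4, as stated in the post above) and then pulls out the two line formats this thread prints, gate entries of the form "http://host/path;N" and DDoS plugin lines of the form "<method> <target> <port> <N>". The plain-text, one-entry-per-line layout is assumed from what the posts show; the meaning of the number after the semicolon is not given in the thread and is left uninterpreted. All hostnames and the encoded blob are constructed for the demo, and a brute-force key check is included for the case where the key is not known in advance.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example; not the thread's code and not the SpyEye format specification.
XOR_KEY = 0xC4  # key stated in the post for this sample's config

# Line shapes as printed in this thread (defanged hxxp:// is accepted too).
GATE_RE = re.compile(r"^(h(?:tt|xx)ps?://\S+?);(\d+)$")
DDOS_RE = re.compile(r"^(ssyn|udp|slowloris)\s+(\S+)\s+(\d+)\s+(\d+)$")


@dataclass(frozen=True)
class Gate:
    url: str    # defanged (hxxp://) so it is safe to paste into a report
    param: int  # value after ';' (the thread shows 90/1800/3600, meaning not stated)


@dataclass(frozen=True)
class DdosTask:
    method: str  # ssyn / udp / slowloris, as listed in the post
    target: str
    port: int
    param: int   # trailing number (the post shows 360 / 120)


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key for b in blob)


def guess_xor_key(blob: bytes, marker: bytes = b"http://") -> int | None:
    """Try all 256 single-byte keys and return the first whose plaintext
    contains the marker. Assumed check, useful when the key is unknown."""
    for key in range(256):
        if marker in xor_decode(blob, key):
            return key
    return None


def defang(url: str) -> str:
    return re.sub(r"^http", "hxxp", url)


def parse_config(text: str) -> tuple[list[Gate], list[DdosTask]]:
    """Collect gate and DDoS lines; anything else is ignored."""
    gates: list[Gate] = []
    tasks: list[DdosTask] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GATE_RE.match(line):
            gates.append(Gate(defang(m[1]), int(m[2])))
        elif m := DDOS_RE.match(line):
            tasks.append(DdosTask(m[1], m[2], int(m[3]), int(m[4])))
    return gates, tasks


def decode_and_parse(blob: bytes, key: int = XOR_KEY):
    return parse_config(xor_decode(blob, key).decode("latin-1"))


# Constructed sample: mimics the layout of the decrypted config in the post.
SAMPLE_PLAINTEXT = (
    "http://gate-a.invalid/1/gate.php;1800\n"
    "http://gate-b.invalid/software/gate.php;3600\n"
    "ssyn tracker.invalid 443 360\n"
    "udp target.invalid 80 120\n"
    "slowloris target.invalid 80 120\n"
)
SAMPLE_BLOB = xor_decode(SAMPLE_PLAINTEXT.encode("ascii"))  # "encrypt" it

if __name__ == "__main__":
    key = guess_xor_key(SAMPLE_BLOB)
    gates, tasks = decode_and_parse(SAMPLE_BLOB, key)
    print(f"key 0x{key:02X}, {len(gates)} gates, {len(tasks)} ddos tasks")
    for g in gates:
        print(f"  gate {g.url};{g.param}")
    for t in tasks:
        print(f"  ddos {t.method} {t.target} {t.port} {t.param}")
```

Run it against a real dump by replacing SAMPLE_BLOB with the file contents; if guess_xor_key returns None the config is either not single-byte XOR or does not contain a plain "http://" string, and the assumption about the layout should be revisited before trusting the parsed output.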
 #6942  by rkhunter
 Sat Jun 25, 2011 1:35 pm
The first questions are about "old school" rootkit techniques. But the next questions, about the threads and what they are doing, strongly require analysis of the sample.
 #6944  by EP_X0FF
 Sun Jun 26, 2011 2:48 am
SpyEye v1.2.9

Pass for decrypted config: CFE00A774281F135702289DB2250DB14

Gate:
hxxp://www.koburana.ru/m9-main/gate.php
Dropper and config in attach.

http://www.virustotal.com/file-scan/rep ... 1309055066

Source hxxp://www.prosolv.se/img/ (public directory)
Attachments
pass: malware
 #6945  by EP_X0FF
 Sun Jun 26, 2011 2:59 am
SpyEye v1.3

Pass for decrypted config: AB39D0B8B0C6CFAD363E328D66C8ACB3

Gates:
hxxp://koburana.ru/m9-main/gate.php;90
hxxp://hhasdalkjjfasd.ru/m9-main/gate.php;90
hxxp://hdkajhslalskjd.ru/m9-main/gate.php;90
hxxp://iieiwuorwfssf.ru/m9-main/gate.php;90
hxxp://oasffjapsifenjk.ru/m9-main/gate.php;90
hxxp://igsfsdufiwpper.ru/m9-main/gate.php;90
hxxp://xjbchslkjdfpa.ru/m9-main/gate.php;90
hxxp://ieiapppppsfhpa.ru/m9-main/gate.php;90
hxxp://bdfsfowerpasf.ru/m9-main/gate.php;90
hxxp://osdhfsndmllllahdi.ru/m9-main/gate.php;90
Dropper and config in attach.

http://www.virustotal.com/file-scan/rep ... 1309008935
Attachments
pass: malware