A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1460  by Meriadoc
 Sat Jul 10, 2010 6:50 am
[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=
affid=
subid=
installdate=10.7.2010 6:38:40
builddate=9.7.2010 22:45:1
rnd=1645522239
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://873hgf7xx60.com/;hxxps://jro1ni1l1.com/;hxxps://61.61.20.132/;hxxps://1iii1i11i1ii.com/;hxxps://61.61.20.135/;hxxps://0o0o0o0o0.com/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
version=3.941
http://www.virustotal.com/analisis/0628 ... 1278744778

update
tdlcmd.dll
http://www.virustotal.com/analisis/2069 ... 1278744748
http://www.virustotal.com/analisis/5f41 ... 1278746184
C21H23N05, going through the alkaloids
Attachments
pass=infected
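The dumps pasted in this thread all share the same INI-style layout: a [main] block with version, build/install timestamps and affiliate IDs, an [injector] block naming the payload DLL, and a [tdlcmd] block carrying three ';'-separated server lists. The parser below is an added example (not code from the original post or from the TDL3 authors) that pulls those fields into a triage summary: it treats lines before the first header as [main], keeps the poster's hxxp defanging, splits the server lists into IP vs. domain C2 and reports how long after the build the sample was installed. The embedded config is the one from the post above; the field meanings are taken from the key names only.

```python
"""Parse a TDL3/TDSS config dump of the kind posted in this thread and
summarise the fields an analyst checks first. Added example, not the
rootkit's or the poster's own code."""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Optional

# Config text copied from the first post in this thread (Meriadoc, 10 Jul 2010).
SAMPLE_CONFIG = """
[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=
affid=
subid=
installdate=10.7.2010 6:38:40
builddate=9.7.2010 22:45:1
rnd=1645522239
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://873hgf7xx60.com/;hxxps://jro1ni1l1.com/;hxxps://61.61.20.132/;hxxps://1iii1i11i1ii.com/;hxxps://61.61.20.135/;hxxps://0o0o0o0o0.com/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
version=3.941
"""

Section = Dict[str, str]


def parse_config(text: str) -> Dict[str, Section]:
    """Hand-rolled INI reader: dumps in this thread sometimes omit the leading
    [main] header and use '*' as a key, so lines before any header go to
    'main' and every 'key=value' line is kept verbatim. Lines without '='
    (e.g. a VirusTotal link pasted into the dump) are ignored."""
    sections: Dict[str, Section] = {}
    current = "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def parse_tdl_timestamp(value: str) -> datetime:
    """TDL3 writes D.M.YYYY H:M:S without zero padding ('9.7.2010 22:45:1')."""
    return datetime.strptime(value, "%d.%m.%Y %H:%M:%S")


def server_hosts(cfg: Dict[str, Section], key: str) -> List[str]:
    """Split one [tdlcmd] server list into bare hosts. Both the defanged
    hxxp(s) scheme used by posters and a live http(s) scheme are accepted."""
    hosts: List[str] = []
    for entry in cfg.get("tdlcmd", {}).get(key, "").split(";"):
        m = re.match(r"^(?:hxxps?|https?)://([^/:]+)", entry.strip(), re.IGNORECASE)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(text: str) -> dict:
    """Triage summary: versions, affiliate ID, build-to-install delay and
    the C2 hosts split into literal IPs and domains."""
    cfg = parse_config(text)
    main = cfg.get("main", {})
    build = parse_tdl_timestamp(main["builddate"])
    install = parse_tdl_timestamp(main["installdate"])
    lists = {k: server_hosts(cfg, k) for k in ("servers", "wspservers", "popupservers")}
    flat = [h for hosts in lists.values() for h in hosts]
    affid: Optional[str] = main.get("affid") or None  # empty string in the dump => None
    return {
        "dropper_version": main.get("version"),
        "tdlcmd_version": cfg.get("tdlcmd", {}).get("version"),
        "affid": affid,
        "build_to_install_seconds": int((install - build).total_seconds()),
        "hosts": lists,
        "ip_c2": [h for h in flat if is_ip(h)],
        "domain_c2": sorted({h for h in flat if not is_ip(h)}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CONFIG), indent=2))
```

The two version keys are deliberately kept apart: the one under [main] is the dropper/config version (3.273 in every dump here) while the one under [tdlcmd] tracks the payload DLL that EP_X0FF notes was being pushed to bots, so a change in the latter alone is exactly the kind of update worth flagging.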
 #1461  by EP_X0FF
 Sat Jul 10, 2010 7:15 am
Thanks.

As I see new commands added

DownloadCryptedAndExecute2
DownloadCrypted2

VT for tdlcmd.dll
http://www.virustotal.com/analisis/2069 ... 1278744748

without UPX
http://www.virustotal.com/analisis/5f41 ... 1278746184

also if somebody can download this
hxxps://91.212.226.59/6Xq430f4wSCR
please attach
 #1462  by Meriadoc
 Sat Jul 10, 2010 7:41 am
EP_X0FF wrote: Thanks.

As I see new commands added

DownloadCryptedAndExecute2
DownloadCrypted2

VT for tdlcmd.dll
http://www.virustotal.com/analisis/2069 ... 1278744748

without UPX
http://www.virustotal.com/analisis/5f41 ... 1278746184
Thanks, you were quicker :)
EP_X0FF wrote: also if somebody can download this
Getting server error.
 #1464  by EP_X0FF
 Sat Jul 10, 2010 11:11 am
It's a different version of tdlcmd.dll :)

edit: all bots updating to new tdlcmd.dll
 #1467  by Meriadoc
 Sat Jul 10, 2010 11:25 pm
DragonMaster Jay wrote: How much more relentless can the TDL authors become, before they give up?
While there is money to be made from redirecting victims and other rubbish, it will be unrelenting.

All Your Clicks Belong To Us
 #1468  by nullptr
 Sun Jul 11, 2010 7:38 am
version=3.273
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
botid=1ac4685b-bf11-4c7c-939f-84930ea69dcc
affid=20427
subid=1
installdate=11.7.2010 16:43:31
builddate=10.7.2010 19:26:49
rnd=507931405
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://19js810300z.com/;hxxps://lj1i16b0.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
VT 0/41
Attachments
password: malware
 #1469  by Meriadoc
 Sun Jul 11, 2010 9:50 am
Just thought I'd post this hot sample :)
[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=
affid=
subid=
installdate=11.7.2010 9:35:5
builddate=11.7.2010 9:9:43
rnd=839522115
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://19js810300z.com/;hxxps://lj1i16b0.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
VT 1/41
http://www.virustotal.com/analisis/f764 ... 1278839842

tdlcmd.dll
http://www.virustotal.com/analisis/1d2b ... 1278841485
unpack
http://www.virustotal.com/analisis/e033 ... 1278841590
Attachments
pass=infected
 #1470  by Meriadoc
 Sun Jul 11, 2010 10:31 am
version=3.273
installdate=11.7.2010 10:18:8
builddate=10.5.2010 5:58:10
version=3.741
Still around.