[MalwareInfo]

This malware may be using OutputDebugString as an anti-debugging technique.I am not familiar with this technique,so how to fix it? Any help would be greatly appreciated!

[Xylitol]

in attachment unpacked keylogger, 8/64 on VT https://www.virustotal.com/en/file/5fb7 ... 506849125/
payload is took from ressource and then decoded, ending up with a file you can upx -d, appear coded in delphi

Code: Select all

ASCII "C:\\Downloads\\FUD\\XKey\\autorunreg.pas"
ASCII "----------------------------------------------------------------------------------------------------"
ASCII "\r\n"
ASCII "[<<]"
ASCII "[Tab]"
ASCII "[Esc]"
ASCII "[PrtScr]"
ASCII "[Del]"
ASCII "[Num Lock]"
ASCII "\r\n\r\n================================== 0USER0 - "
ASCII "[ Áóôåð îáìåíà - Clipboard - "
ASCII "nynewsguardianinternet.com"
ASCII "text="
ASCII "/upwin/index.php"
ASCII "Content-Type: application/x-www-form-urlencoded"
ASCII "GetAsyncKeyState"
KeyloggerTimer
AtivarTimer
DesativarTimer

host where it send datas is down and file is 2 years old.

[sysopfb]

Sorry for necroing but this is XKeyScore , found topic while looking at another sample

Panel attached from a different C2 server