A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #31435  by tuxy0
 Wed Apr 11, 2018 5:53 pm
markusg wrote: Sat Apr 07, 2018 3:08 am https://www.virustotal.com/#/file/a0a3a ... /detection
proxy_z_obejsciem.rar

This is a password stealer. The author seems to call it "Educational Stealer".
Downloads and executes "http://www.blazingpacketv2.cba.pl/1.exe", "2.exe", "3.exe" and "4.exe".
Uploads results "1.txt", "2.txt", "3.txt" and "4.txt" via FTP to "ftp://cba.pl/", logs in as "admin@mkoesapi.cba.pl" with password "123Qweasdzxc".

Unpacked in attachment.
Attachments
Pass: infected
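Added example, not part of the original post or anyone's code in this thread: a small log correlator for the behaviour described above. It flags any client that fetched a numbered "N.exe" over HTTP and then uploaded the matching "N.txt" over FTP. The log line format, the client addresses and the function name are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format: "<timestamp> <client> <METHOD> <url>").
SAMPLE_LOG = """\
2018-04-07T03:10:01 10.0.0.5 GET http://www.blazingpacketv2.cba.pl/1.exe
2018-04-07T03:10:02 10.0.0.5 GET http://www.blazingpacketv2.cba.pl/2.exe
2018-04-07T03:10:09 10.0.0.5 STOR ftp://cba.pl/1.txt
2018-04-07T03:10:10 10.0.0.5 STOR ftp://cba.pl/2.txt
2018-04-07T03:11:00 10.0.0.7 GET http://example.org/setup.exe
2018-04-07T03:12:00 10.0.0.8 STOR ftp://files.example.net/1.txt
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|STOR)\s+(\w+)://([^/\s]+)/(\S*)$")
# Stage files named in the post: 1.exe .. 4.exe and 1.txt .. 4.txt.
STAGE = re.compile(r"^([1-4])\.(exe|txt)$")


def find_stealer_clients(log_text):
    """Return {client: [stage numbers]} where N.exe was fetched over HTTP
    and the matching N.txt was later uploaded over FTP by the same client.
    Lines are assumed to be in chronological order."""
    fetched = defaultdict(set)   # client -> stage numbers downloaded
    hits = defaultdict(set)      # client -> stage numbers with matching upload
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, client, method, scheme, _host, path = m.groups()
        s = STAGE.match(path.rsplit("/", 1)[-1])
        if not s:
            continue
        n, ext = int(s.group(1)), s.group(2)
        if method == "GET" and scheme == "http" and ext == "exe":
            fetched[client].add(n)
        elif method == "STOR" and scheme == "ftp" and ext == "txt":
            if n in fetched.get(client, ()):
                hits[client].add(n)
    return {c: sorted(ns) for c, ns in hits.items()}


if __name__ == "__main__":
    for client, stages in find_stealer_clients(SAMPLE_LOG).items():
        print(client, "download/upload pairs for stages", stages)
```

Matching on the download/upload pairing rather than on the hostnames keeps the check useful if the hosting changes; the hosts from the post can be added as a second condition to cut false positives.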