A forum for reverse engineering, OS internals and malware analysis 

 #20924  by Xylitol
 Mon Sep 23, 2013 7:05 am
morgan wrote: I will be really happy if I can play with Dexter v2 or Alina and analyse it in full :) Whoever has them can contact me in PM, thanks.
Search the web; a lot of people have already written about how those malware work.
Attached: more Dexter.
https://www.virustotal.com/en/file/5ffd ... 379926774/
https://www.virustotal.com/en/file/4eab ... 379927702/
https://www.virustotal.com/en/file/621d ... 379928437/
Sample in the wild:
Code:
hxxp://216.17.21.221/win33.exe
hxxp://216.17.21.221/win32.exe
Attachments
infected
(42.67 KiB) Downloaded 120 times
infected
(83.75 KiB) Downloaded 158 times
 #20992  by Xylitol
 Fri Sep 27, 2013 10:58 am
Yeah, 6.x isn't really new, but samples are still calling in (like the previous samples of Dexter):
108.18.167.108 "Alina v6.0"
108.18.57.208 "Alina v6.0"
108.232.70.135 "Alina v6.0"
108.232.72.200 "Alina v6.0"
108.232.72.66 "Alina v6.0"
108.232.76.111 "Alina v6.0"
108.232.77.162 "Alina v6.0"
108.232.77.226 "Alina v6.0"
108.232.78.14 "Alina v6.0"
108.234.80.248 "Alina v5.4"
120.151.182.3 "Alina v5.4"
130.207.203.2 "Alina v6.0"
142.165.103.129 "Alina v6.1"
149.169.172.69 "Alina v5.4"
172.6.54.202 "Alina v6.0"
172.6.55.244 "Alina v6.0"
172.6.61.11 "Alina v6.0"
172.6.61.22 "Alina v6.0"
172.6.61.231 "Alina v6.0"
172.6.61.251 "Alina v6.0"
172.6.62.254 "Alina v6.0"
172.6.63.120 "Alina v6.0"
172.6.63.227 "Alina v6.0"
173.73.2.179 "Alina v6.0"
178.33.169.46 "Alina v6.1"
184.151.61.120 "Alina v6.0"
184.78.108.217 "Alina v6.0"
204.181.64.8 "Alina v6.1"
210.23.128.48 "Alina v5.4"
216.45.179.175 "Alina v6.0"
23.31.103.157 "Alina v6.0"
50.240.91.34 "Alina v6.0"
63.228.188.62 "Alina v5.4"
63.228.188.62 "Alina v6.0"
63.239.219.130 "Alina v5.4"
68.15.59.251 "Alina v5.4"
68.250.186.137 "Alina v6.0"
69.26.109.90 "Alina v5.4"
70.62.182.6 "Alina v5.4"
71.191.232.37 "Alina v6.0"
71.36.26.225 "Alina v5.4"
71.97.114.169 "Alina v5.4"
72.55.114.227 "Alina v5.4"
72.55.114.227 "Alina v6.1"
72.66.82.59 "Alina v5.4"
76.111.10.168 "Alina v6.0"
76.123.41.82 "Alina v5.4"
77.43.56.48 "Alina v5.4"
81.191.184.136 "Alina v6.0"
83.79.166.222 "Alina v6.0"
87.119.221.45 "Alina v6.0"
90.155.82.141 "Alina v5.4"
98.175.26.111 "Alina v6.0"
99.140.138.42 "Alina v5.4"
99.225.23.89 "Alina v6.0"
More recent referers; there are even IPs that call with no referer at all, but the requests are constructed like Alina's.
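The list above is what you get when you pull the "Alina vX.Y" referer strings out of a gate's access log and group them by client. As an added example (not code from the thread or from the malware), here is that extraction over a few constructed combined-format log lines: the referer values copy the post's tags, but the IPs, path and timestamps are made up, and the Referer header as the carrier is an assumption taken from the word "referers" in the post. It also surfaces POSTs with no referer, since the post mentions such callers, but it does not implement the "constructed like Alina" structural check, which the thread does not spell out.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" log format. The referer values copy the
# "Alina vX.Y" strings from the post; the IPs, paths and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Sep/2013:10:12:01 +0000] "POST /upload.php HTTP/1.1" 200 12 "Alina v6.0" "Mozilla/4.0"
203.0.113.10 - - [27/Sep/2013:10:42:07 +0000] "POST /upload.php HTTP/1.1" 200 12 "Alina v6.0" "Mozilla/4.0"
198.51.100.7 - - [27/Sep/2013:10:13:44 +0000] "POST /upload.php HTTP/1.1" 200 12 "Alina v5.4" "Mozilla/4.0"
198.51.100.7 - - [27/Sep/2013:11:05:19 +0000] "POST /upload.php HTTP/1.1" 200 12 "Alina v6.1" "Mozilla/4.0"
192.0.2.33 - - [27/Sep/2013:10:15:02 +0000] "POST /upload.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.44 - - [27/Sep/2013:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
"""

# Apache/nginx combined format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The whole referer must be the bot tag, e.g. "Alina v6.0"; a real URL that merely contains the word is not a hit.
ALINA_RE = re.compile(r"^Alina v(?P<ver>\d+\.\d+)$")


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def alina_callers(log_text):
    """Map each client IP to the sorted list of Alina versions it identified as.

    One IP can show up under two versions, as in the post's list (e.g. 63.228.188.62
    under 5.4 and 6.0), so the value is a list rather than a single string.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = ALINA_RE.match(rec["referer"])
        if m:
            seen[rec["ip"]].add(m.group("ver"))
    return {ip: sorted(vers) for ip, vers in seen.items()}


def no_referer_posts(log_text):
    """POSTs that carry no referer at all ("-" in the log).

    The post mentions callers like this whose requests otherwise look like Alina's;
    the structural check is not described in the thread, so these are only surfaced
    for manual review, not classified.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["referer"] == "-":
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, vers in sorted(alina_callers(SAMPLE_LOG).items()):
        print(ip, " ".join(f'"Alina v{v}"' for v in vers))
    for ip, path in no_referer_posts(SAMPLE_LOG):
        print(ip, "POST", path, "(no referer)")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the output has the same shape as the list in the post (one line per IP and version).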
 #21061  by EP_X0FF
 Fri Oct 04, 2013 2:36 am
btclord wrote: Can anyone unpack this? I am not able to unpack it.
bp CreateProcessW, dump memory, upx -d.

C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb
https://www.virustotal.com/en/file/1a26 ... 386173829/
Attachments
pass: malware
(126.59 KiB) Downloaded 145 times
 #21070  by bsteo
 Fri Oct 04, 2013 7:47 am
EP_X0FF wrote:
btclord wrote: Can anyone unpack this? I am not able to unpack it.
bp CreateProcessW, dump memory, upx -d.

C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb
Thanks for the unpacked binary. Seems they compiled it in debug mode, so there is a lot of info in the PE file :)
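The PDB path EP_X0FF quoted is the kind of leftover bsteo means: a debug build stores it in a CodeView "RSDS" record (signature, GUID, age, NUL-terminated path) pointed to by the PE debug directory. As an added example (not code from the thread), the scanner below finds such records by scanning for the signature rather than walking PE headers, so it also works on the raw memory dump you get after the "bp CreateProcessW, dump memory, upx -d" steps above, where headers may be damaged. The sample buffer is constructed: the GUID and age are made up, the path is the one quoted in the thread, and a decoy "RSDS" string is included to show the filtering.

```python
import struct
import uuid

# Made-up GUID and age for the constructed sample; the PDB path is the one quoted in the thread.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_PDB = r"C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb"


def make_rsds(guid, age, pdb_path):
    """Build a CodeView RSDS record: 'RSDS' + GUID (little-endian fields) + age (u32) + NUL-terminated path."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("latin-1") + b"\x00"


# Constructed buffer standing in for a dumped, UPX-decompressed image: some padding,
# a decoy "RSDS" string with no path behind it, then a genuine record.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 30
    + b"RSDS" + b"A" * 20 + b"\x00"
    + b"\x00" * 8
    + make_rsds(SAMPLE_GUID, 1, SAMPLE_PDB)
    + b"\xcc" * 16
)


def parse_rsds(blob):
    """Parse one RSDS record at the start of blob; raise ValueError if it is not a plausible one."""
    if blob[:4] != b"RSDS":
        raise ValueError("not an RSDS record")
    try:
        guid = uuid.UUID(bytes_le=bytes(blob[4:20]))
        (age,) = struct.unpack_from("<I", blob, 20)
        end = blob.index(b"\x00", 24)          # path is NUL-terminated
    except (struct.error, ValueError) as exc:
        raise ValueError("truncated RSDS record") from exc
    path = blob[24:end].decode("latin-1")
    # Stray "RSDS" bytes in code or data will not be followed by a printable *.pdb path.
    if not path.lower().endswith(".pdb") or not path.isprintable():
        raise ValueError("no PDB path after RSDS signature")
    return {"guid": guid, "age": age, "pdb": path}


def find_rsds_records(buf):
    """Scan a raw buffer (PE file or memory dump) and return (offset, record) for every plausible RSDS record."""
    records, pos = [], 0
    while (pos := buf.find(b"RSDS", pos)) != -1:
        try:
            records.append((pos, parse_rsds(buf[pos:])))
        except ValueError:
            pass  # signature bytes that are not a CodeView record
        pos += 4
    return records


def symbol_key(rec):
    """GUID+age in the form symbol servers use to look up the PDB (uppercase hex GUID, age in unpadded hex)."""
    return f"{rec['guid'].hex.upper()}{rec['age']:X}"


if __name__ == "__main__":
    for off, rec in find_rsds_records(SAMPLE_DUMP):
        print(f"0x{off:x}: {rec['pdb']}  guid={rec['guid']} age={rec['age']} key={symbol_key(rec)}")
```

On a real dump, feed the file bytes to find_rsds_records; the path tells you the build directory and project name, and the GUID+age key is what a symbol server would be queried with, so it is a stable way to link samples built from the same project.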