A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27015  by Xylitol
 Mon Oct 19, 2015 8:17 pm
06/10/2015 - https://www.virustotal.com/en/file/97e4 ... 445285676/
Or just look for Upatre, here is a fresh one: http://malwaredb.malekal.com/index.php? ... f9ee1643b3
Also: http://www.dyretracker.com/
Here is a list of unique IPs used by Dyre based on the site:
 #27029  by sysopfb
 Wed Oct 21, 2015 9:12 pm
Attachment: dyre77_ver1157.zip

Dyre 1910us77 campaign, version 1157
The crypter I've seen before has a few stupid GetCPInfo checks for single-processor systems.
Also checks for the FDIV bug: IsProcessorFeaturePresent(0).

C2 list:
Attachment: dyre21_ver1158.zip

Dyre 2110uk21 campaign, version 1158

Crypter on the loader does a sandboxing check by calling GetPhysicalCursorPos twice and comparing the values.

C2 list:
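The crypter checks described in this post (the IsProcessorFeaturePresent(0) FDIV probe, the GetCPInfo calls, and the double GetPhysicalCursorPos comparison) leave a recognisable footprint in a sandbox API trace. The script below is an added example, not code from the thread or from any of the samples; it runs simple detection logic over a constructed trace excerpt whose line format (`seq dll!api(args) -> result`) is an assumption, not any particular sandbox's output.

```python
import re

# Constructed sandbox API-trace excerpt (not taken from the posted samples):
# one call per line, "<seq> <dll>!<api>(<args>) -> <result>".
SAMPLE_TRACE = """\
0001 kernel32!GetCPInfo(CodePage=0) -> 1
0002 kernel32!IsProcessorFeaturePresent(ProcessorFeature=0) -> 0
0003 user32!GetPhysicalCursorPos() -> (640,400)
0004 kernel32!Sleep(dwMilliseconds=500) -> 0
0005 user32!GetPhysicalCursorPos() -> (640,400)
0006 kernel32!ExitProcess(uExitCode=0) -> 0
"""

# Constructed benign trace: cursor moves between reads, no FDIV probe.
BENIGN_TRACE = """\
0001 user32!GetPhysicalCursorPos() -> (100,200)
0002 user32!GetPhysicalCursorPos() -> (132,215)
0003 kernel32!GetCPInfo(CodePage=0) -> 1
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)!(\w+)\((.*?)\)\s*->\s*(.*)$")

def parse_trace(text):
    """Yield (seq, api, args, result) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(3), m.group(4), m.group(5)

def find_anti_analysis(text):
    """Return finding strings for the evasion checks this post attributes to the crypter."""
    calls = list(parse_trace(text))
    findings = []
    # Feature 0 is PF_FLOATING_POINT_PRECISION_ERRATA, the Pentium FDIV bug;
    # modern software almost never queries it, so a probe for it stands out.
    for seq, api, args, _ in calls:
        if api == "IsProcessorFeaturePresent" and args.endswith("=0"):
            findings.append(f"#{seq}: IsProcessorFeaturePresent(0) FDIV-bug probe")
    # Two or more cursor reads with identical coordinates: the crypter is testing
    # whether a human is moving the mouse, and a static cursor suggests a sandbox.
    cursor = [(seq, res) for seq, api, _, res in calls if api == "GetPhysicalCursorPos"]
    if len(cursor) >= 2 and len({res for _, res in cursor}) == 1:
        findings.append(f"#{cursor[0][0]}-#{cursor[-1][0]}: cursor unchanged "
                        f"across {len(cursor)} GetPhysicalCursorPos calls")
    # GetCPInfo is common in legitimate code; report it only beside another indicator.
    if findings and any(api == "GetCPInfo" for _, api, _, _ in calls):
        findings.append("GetCPInfo probe seen alongside other evasion checks")
    return findings
```

A sandbox that injects small cursor movements between API calls makes the second check return different values, which is the usual mitigation for this kind of probe.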
 #27255  by pinifiux
 Tue Nov 17, 2015 8:09 am
md5 50328f5e33f3713ecab95b0afe624002

Active Uri:
  • 37.1.200.112:443
Closed Uri:
  • 162.243.249.68:443
  • 188.167.93.231:443
  • 85.25.218.70:443
Last edited by Xylitol on Tue Nov 17, 2015 8:13 am, edited 1 time in total. Reason: obfuscate links