Spotted by benkow_ here https://twitter.com/benkow_/status/689568349102161920
Signatures are too generic to give it a correct name.
Delivered via spam according to screenshots from the CnC and TechHelpList.com
Password stealer targeting various browsers, FTP clients, email clients and poker applications, with the ability to keylog data and take screenshots.
https://www.virustotal.com/en/file/5c41 ... 453681028/
https://www.virustotal.com/en/file/c9c8 ... 453680851/
Patched version (40E3CD on the unpacked binary) to help trace behavior with hybrid-analysis:
https://www.hybrid-analysis.com/sample/ ... onmentId=1
Strings list:
Spawn a svchost.exe process, inject itself and resume at 40DC73
Code:
Text strings referenced in 00090000..0012EFFF
00092750 PUSH EBP (Initial CPU selection)
000928FB MOV ESI,0A2090 UNICODE "Kernel32.dll"
0009290B MOV ESI,0A20AC UNICODE "ntdll.dll"
0009292D MOV ESI,0A20C0 UNICODE "SHLWAPI.dll"
00092943 MOV ESI,0A20D8 UNICODE "CRYPT32.dll"
00092959 MOV ESI,0A20F0 UNICODE "WININET.dll"
0009296F MOV ESI,0A2108 UNICODE "urlmon.dll"
00092986 MOV ESI,0A2120 UNICODE "NETAPI32.dll"
00092991 MOV ESI,0A213C UNICODE "WS2_32.dll"
000929AE MOV ESI,0A2154 UNICODE "USER32.dll"
000929BF MOV ESI,0A216C UNICODE "ADVAPI32.dll"
000929CA MOV ESI,0A2188 UNICODE "SHELL32.dll"
000929DD MOV ESI,0A21A0 UNICODE "gdiplus.dll"
000929ED MOV ESI,0A21B8 UNICODE "gdi32.dll"
00093587 PUSH 0A2258 UNICODE "%s\%s\%s%s"
00093598 PUSH 0A224C UNICODE "%s\%s"
000935CC PUSH 0A2270 UNICODE "%s\%s%s"
0009364D PUSH 0A2214 UNICODE "%s\*"
0009369E PUSH 0A2220 UNICODE "Windows"
000936B5 PUSH 0A2230 UNICODE "Program Files"
000936EE PUSH 0A224C UNICODE "%s\%s"
00093763 PUSH 0A224C UNICODE "%s\%s"
000937D0 PUSH 0A224C UNICODE "%s\%s"
00093A4A PUSH 0A2208 UNICODE ".tmp"
00093B21 PUSH 0A21FC UNICODE "open"
000944A8 PUSH 0A224C UNICODE "%s\%s"
000948B0 MOV ESI,0A2294 ASCII "SQLite format 3"
00094ABE PUSH 0A2288 ASCII "UNIQUE"
00095545 MOV ESI,0A2368 ASCII "http://"
00095558 MOV ESI,0A2370 ASCII "https://"
000955DA MOV ESI,0A2384 ASCII "80"
00095642 MOV ESI,0A22A4 ASCII "DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW"
000956C0 MOV ESI,0A22E8 UNICODE "U2XpekVvtYq0fwsx7EDuZjrCo9GcF1B6Hl358mbznyLWdMANa4TSKJhIiOPgQR"
00095BB1 PUSH 0A2388 UNICODE "%s"
00095E10 PUSH 0A23C4 UNICODE "SeDebugPrivilege"
00095F17 PUSH 0A23E8 UNICODE " %02d-%02d-%02d %02d:%02d"
00095F30 PUSH 0A2398 ASCII "MachineGuid"
00095F35 PUSH 0A23A4 ASCII "SOFTWARE\Microsoft\Cryptography"
000960D8 PUSH 0A2220 UNICODE "Windows"
00096156 PUSH 0A2390 UNICODE "exe"
00096737 PUSH 0A24EC ASCII "ZwResumeThread"
00096874 PUSH 0A2480 ASCII "RtlCreateUserThread"
000968F9 PUSH 0A20AC UNICODE "ntdll.dll"
00096906 PUSH 0A2434 ASCII "RtlNtStatusToDosError"
00096912 PUSH 0A244C ASCII "RtlSetLastWin32Error"
00096965 PUSH 0A2494 ASCII "ZwAllocateVirtualMemory"
00096A0C PUSH 0A24AC ASCII "NtFreeVirtualMemory"
00096AA6 PUSH 0A24C0 ASCII "NtWriteVirtualMemory"
00096E63 PUSH 0A241C ASCII "LdrGetProcedureAddress"
00096F49 PUSH 0A20AC UNICODE "ntdll.dll"
00096FB3 PUSH 0A2464 ASCII "ZwQueryInformationProcess"
00097029 PUSH 0A24D8 ASCII "ZwReadVirtualMemory"
000970C9 PUSH 0A24FC ASCII "/%s"
000972B4 PUSH 0A2558 UNICODE "%s\%s\User Data\Default\Login Data"
000972E2 PUSH 0A25A0 UNICODE "%s\%s\User Data\Default\Web Data"
0009730C PUSH 0A25E4 UNICODE "%s%s\Login Data"
00097336 PUSH 0A2604 UNICODE "%s%s\Default\Login Data"
000973AD MOV ESI,0A2634 UNICODE "Comodo\Dragon"
000973BA MOV ESI,0A2650 UNICODE "MapleStudio\ChromePlus"
000973E5 MOV ESI,0A2680 UNICODE "Google\Chrome"
000973F2 MOV ESI,0A269C UNICODE "Nichrome"
00097412 MOV ESI,0A26B0 UNICODE "RockMelt"
00097431 MOV ESI,0A26C4 UNICODE "Spark"
0009744D MOV ESI,0A26D0 UNICODE "Chromium"
00097476 MOV ESI,0A26E4 UNICODE "Titan Browser"
00097485 MOV ESI,0A2700 UNICODE "Torch"
000974A4 MOV ESI,0A270C UNICODE "Yandex\YandexBrowser"
000974CE MOV ESI,0A2738 UNICODE "Epic Privacy Browser"
000974ED MOV ESI,0A2764 UNICODE "CocCoc\Browser"
000974FF MOV ESI,0A2784 UNICODE "Vivaldi"
0009751C MOV ESI,0A2794 UNICODE "Comodo\Chromodo"
00097532 MOV ESI,0A27B4 UNICODE "Superbird"
00097556 MOV ESI,0A27C8 UNICODE "Coowon\Coowon"
00097569 MOV ESI,0A27E4 UNICODE "Mustang Browser"
0009758B MOV ESI,0A2804 UNICODE "360Browser\Browser"
000975A5 MOV ESI,0A282C UNICODE "CatalinaGroup\Citrio"
000975C3 MOV ESI,0A2858 UNICODE "Google\Chrome SxS"
00097625 MOV ESI,0A287C UNICODE "\Opera\Opera Next\data"
00097648 MOV ESI,0A28AC UNICODE "\Opera Software\Opera Stable"
0009766F MOV ESI,0A28E8 UNICODE "\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer"
00097685 MOV ESI,0A2950 UNICODE "\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer"
000977BA PUSH 0A2524 ASCII "password_value"
000977BF PUSH 0A2534 ASCII "username_value"
000977C4 PUSH 0A2544 ASCII "origin_url"
000977CD PUSH 0A2550 ASCII "logins"
00097851 PUSH 0A250C ASCII "last_compatible_version"
00097AB6 PUSH 0A29BC UNICODE "vaultcli.dll"
00097AD8 PUSH 0A29D8 ASCII "VaultEnumerateItems"
00097AE0 PUSH 0A29EC ASCII "VaultEnumerateVaults"
00097AF2 PUSH 0A2A04 ASCII "VaultFree"
00097B04 MOV EBX,0A2A10 ASCII "VaultGetItem"
00097B25 PUSH 0A2A20 ASCII "VaultOpenVault"
00097B37 PUSH 0A2A30 ASCII "VaultCloseVault"
00097D4F PUSH 0A2AC8 UNICODE "file:///"
00097F7C PUSH 0A2AE0 UNICODE "Software\Microsoft\Internet Explorer\TypedURLs"
00098095 PUSH 0A2A40 UNICODE "Software\Microsoft\Internet Explorer\IntelliForms\Storage2"
000981A0 PUSH 80800 UNICODE "="6595b64144ccf1df",type="win32",version="5.2.2.3"C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows."
0009831B PUSH 0A2AB8 UNICODE "%s%02X"
00098485 MOV ESI,0A2C90 UNICODE "%s\Mozilla\Firefox\profiles.ini"
00098495 MOV ESI,0A2CD0 UNICODE "%s\Mozilla\Firefox\Profiles\%s"
000984B2 MOV ESI,0A2D10 UNICODE "%s\Mozilla\SeaMonkey\profiles.ini"
000984D1 MOV ESI,0A2D58 UNICODE "%s\Mozilla\SeaMonkey\Profiles\%s"
000984EE MOV ESI,0A2D9C UNICODE "%s\Flock\Browser\profiles.ini"
0009850D MOV ESI,0A2DD8 UNICODE "%s\Flock\Browser\Profiles\%s"
0009852A MOV ESI,0A2E14 UNICODE "%s\Thunderbird\profiles.ini"
00098547 MOV ESI,0A2E4C UNICODE "%s\Thunderbird\Profiles\%s"
0009856D MOV ESI,0A2E84 UNICODE "%s\K-Meleon\profiles.ini"
0009858F MOV ESI,0A2EB8 UNICODE "%s\K-Meleon\%s"
000985B1 MOV ESI,0A2ED8 UNICODE "%s\Comodo\IceDragon\profiles.ini"
000985CB MOV ESI,0A2F20 UNICODE "%s\Comodo\IceDragon\Profiles\%s"
000985EC MOV ESI,0A2F60 UNICODE "%s\NETGATE Technologies\BlackHawk\profiles.ini"
00098610 MOV ESI,0A2FC0 UNICODE "%s\NETGATE Technologies\BlackHawk\Profiles\%s"
0009862D MOV ESI,0A301C UNICODE "%s\Postbox\profiles.ini"
0009863D MOV ESI,0A304C UNICODE "%s\Postbox\Profiles\%s"
00098667 MOV ESI,0A3080 UNICODE "%s\8pecxstudios\Cyberfox\profiles.ini"
00098674 MOV ESI,0A30D0 UNICODE "%s\8pecxstudios\Cyberfox\Profiles\%s"
00098698 MOV ESI,0A3120 UNICODE "%s\Moonchild Productions\Pale Moon\profiles.ini"
000986AF MOV ESI,0A3180 UNICODE "%s\Moonchild Productions\Pale Moon\Profiles\%s"
000986D7 MOV ESI,0A31E0 UNICODE "%s\FossaMail\profiles.ini"
000986EA MOV ESI,0A3214 UNICODE "%s\FossaMail\Profiles\%s"
0009870F PUSH 0A3248 UNICODE "%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data"
0009877F PUSH 0A32F4 UNICODE "Path"
000987A3 PUSH 0A3300 UNICODE "Profiles/"
00098806 PUSH 0A32E0 UNICODE "Profile%i"
0009884E PUSH 0A364C UNICODE "(x86)"
0009885F PUSH 0A3658 UNICODE "%ProgramW6432%"
0009886E PUSH 0A3678 UNICODE "%s\NETGATE\Black Hawk"
000988AC PUSH 0A37F4 UNICODE "RootDir"
000988B1 PUSH 0A3808 UNICODE "SOFTWARE\8pecxstudios\Cyberfox86"
000988E2 PUSH 0A3498 UNICODE "CurrentVersion"
000988E7 PUSH 0A35F0 UNICODE "SOFTWARE\Mozilla\Flock"
000988FC PUSH 0A3620 UNICODE "SOFTWARE\Flock\Flock"
00098901 PUSH 0A34FC UNICODE "%s\%s\Main"
00098915 PUSH 0A3514 UNICODE "Install Directory"
00098956 PUSH 0A3498 UNICODE "CurrentVersion"
0009895B MOV EDI,0A3584 UNICODE "SOFTWARE\Mozilla\FossaMail"
00098972 PUSH 0A34FC UNICODE "%s\%s\Main"
0009898A PUSH 0A3514 UNICODE "Install Directory"
000989C9 PUSH 0A3794 UNICODE "SetupPath"
000989CE PUSH 0A37A8 UNICODE "SOFTWARE\ComodoGroup\IceDragon\Setup"
000989FE PUSH 0A3498 UNICODE "CurrentVersion"
00098A03 MOV EDI,0A3770 UNICODE "SOFTWARE\K-Meleon"
00098A1A PUSH 0A34FC UNICODE "%s\%s\Main"
00098A32 PUSH 0A3514 UNICODE "Install Directory"
00098A72 PUSH 0A36E0 UNICODE "%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}"
00098AA5 PUSH 0A3498 UNICODE "CurrentVersion"
00098AAA MOV EDI,0A34B8 UNICODE "SOFTWARE\Mozilla\Mozilla Firefox"
00098AC5 PUSH 0A34FC UNICODE "%s\%s\Main"
00098AE7 PUSH 0A3514 UNICODE "Install Directory"
00098C5C PUSH 0A3498 UNICODE "CurrentVersion"
00098C61 MOV EDI,0A36A4 UNICODE "SOFTWARE\Mozilla\Pale Moon"
00098C78 PUSH 0A34FC UNICODE "%s\%s\Main"
00098C90 PUSH 0A3514 UNICODE "Install Directory"
00098CF9 PUSH 0A2B48 ASCII "SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins"
00098E28 PUSH 0A2BA8 ASCII "{,""
00098E5E PUSH 0A2BAC ASCII "hostname"
00098EC7 PUSH 0A2BB8 ASCII "encryptedUsername"
00098F37 PUSH 0A2BCC ASCII "encryptedPassword"
00098FEC PUSH 0A2BA8 ASCII "{,""
00099040 PUSH 0A2BA0 ASCII ""
00099146 PUSH 0A2BA0 ASCII ""
00099178 PUSH 0A3498 UNICODE "CurrentVersion"
0009917D MOV EDI,0A35BC UNICODE "SOFTWARE\Postbox\Postbox"
00099194 PUSH 0A34FC UNICODE "%s\%s\Main"
000991AC PUSH 0A3514 UNICODE "Install Directory"
000991F3 MOV EBX,0A3498 UNICODE "CurrentVersion"
000991FA PUSH 0A384C UNICODE "SOFTWARE\mozilla.org\SeaMonkey"
00099212 PUSH 0A384C UNICODE "SOFTWARE\mozilla.org\SeaMonkey"
00099217 PUSH 0A34FC UNICODE "%s\%s\Main"
00099238 PUSH 0A3514 UNICODE "Install Directory"
0009926B PUSH 0A388C UNICODE "%s\Mozilla\Profiles"
000992A3 PUSH 0A38B4 UNICODE "*.s"
000992DE MOV EBX,0A38BC UNICODE "SOFTWARE\Mozilla\SeaMonkey"
000992F8 PUSH 0A34FC UNICODE "%s\%s\Main"
00099316 PUSH 0A3514 UNICODE "Install Directory"
000993AD PUSH 0A3498 UNICODE "CurrentVersion"
000993B2 MOV EDI,0A3538 UNICODE "SOFTWARE\Mozilla\Mozilla Thunderbird"
000993C9 PUSH 0A34FC UNICODE "%s\%s\Main"
000993E1 PUSH 0A3514 UNICODE "Install Directory"
0009947A MOV ESI,0A3314 UNICODE "PATH"
000994C7 PUSH 0A3324 UNICODE "%s\nss3.dll"
0009950E PUSH 0A333C ASCII "NSS_Init"
00099546 PUSH 0A3348 ASCII "NSS_Shutdown"
00099558 PUSH 0A3358 ASCII "PK11_GetInternalKeySlot"
0009956A PUSH 0A3370 ASCII "PK11_FreeSlot"
0009957C PUSH 0A3380 ASCII "PK11_Authenticate"
0009958E PUSH 0A3394 ASCII "PK11SDR_Decrypt"
000995A0 PUSH 0A33A4 ASCII "PK11_CheckUserPassword"
000995B2 PUSH 0A33BC ASCII "SECITEM_FreeItem"
0009962E PUSH 0A33D0 UNICODE "sqlite3.dll"
00099634 PUSH 0A224C UNICODE "%s\%s"
00099658 MOV DWORD PTR SS:[ESP],0A33E8 UNICODE "mozsqlite3.dll"
00099660 PUSH 0A224C UNICODE "%s\%s"
00099684 MOV DWORD PTR SS:[ESP],0A3408 UNICODE "nss3.dll"
0009968C PUSH 0A224C UNICODE "%s\%s"
000996CC PUSH 0A341C ASCII "sqlite3_finalize"
000996F2 PUSH 0A3430 ASCII "sqlite3_step"
00099704 PUSH 0A3440 ASCII "sqlite3_close"
00099716 PUSH 0A3450 ASCII "sqlite3_column_text"
00099728 PUSH 0A3464 ASCII "sqlite3_open16"
0009973A PUSH 0A3474 ASCII "sqlite3_prepare_v2"
00099755 PUSH 0A3488 ASCII "sqlite3_prepare"
0009981F PUSH 0A2BE0 UNICODE "%s\prefs.js"
00099845 PUSH 0A2BF8 UNICODE "%s\signons.sqlite"
00099871 PUSH 0A2C1C UNICODE "%s\logins.json"
000998A1 MOV ESI,0A2C3C UNICODE "signons.txt"
000998B5 MOV ESI,0A2C54 UNICODE "signons2.txt"
000998C4 MOV ESI,0A2C70 UNICODE "signons3.txt"
000998D8 PUSH 0A224C UNICODE "%s\%s"
00099952 MOV EDI,128D30 UNICODE "C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
00099973 PUSH 0A3314 UNICODE "PATH"
00099991 PUSH 128D30 UNICODE "C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
00099996 PUSH 0A3314 UNICODE "PATH"
00099A09 PUSH 0A3910 UNICODE "%s\Opera"
00099A0F PUSH 0A3924 UNICODE "wand.dat"
00099A28 MOV ESI,0A3938 ASCII "X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb"
00099AEF MOV ESI,0A39B8 UNICODE "Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete"
00099B45 PUSH 0A3960 UNICODE "form_password_control"
00099B72 PUSH 0A398C UNICODE "form_username_control"
00099C19 PUSH 0A3A28 UNICODE "%s\QupZilla\profiles\default\browsedata.db"
00099EC8 PUSH 0A3AAC UNICODE "InstallDir"
00099ECD PUSH 0A3AC8 UNICODE "SOFTWARE\Apple Computer, Inc.\Safari"
00099EEE PUSH 0A3B18 UNICODE "%s\Apple Computer\Preferences\keychain.plist"
00099F14 PUSH 0A3B78 UNICODE "%s\Apple Application Support\plutil.exe"
00099F40 PUSH 0A3BC8 UNICODE ".xml"
00099F59 PUSH 0A3BD4 UNICODE "-convert xml1 -s -o %s "%s""
0009A020 PUSH 0A3A84 ASCII "array"
0009A03B PUSH 0A3A8C ASCII "dict"
0009A058 PUSH 0A3A8C ASCII "dict"
0009A067 PUSH 0A3A94 ASCII "data"
0009A095 PUSH 0A3A9C ASCII "string"
0009A0A4 PUSH 0A3AA4 ASCII "Server"
0009A0B9 PUSH 0A3A9C ASCII "string"
0009A135 MOV DWORD PTR SS:[ESP],0A3A8C ASCII "dict"
0009A170 PUSH 0A3C0C UNICODE "*Mailbox.ini"
0009A186 PUSH 0A3C28 UNICODE "%s\DeskSoft\CheckMail"
0009A18D PUSH 0A3C54 UNICODE "Account*.dcf"
0009A1A5 PUSH 0A3C70 UNICODE "%s\Data\AccCfg\Accounts.tdat"
0009A1D3 PUSH 0A3CAC UNICODE "%s\Storage"
0009A1FB PUSH 0A3CC4 UNICODE "Account.rec0"
0009A23A PUSH 0A3CE0 UNICODE "%s\Foxmail\mail"
0009A263 PUSH 0A3D00 UNICODE "*.stg"
0009A283 PUSH 0A3D0C UNICODE "%SYSTEMDRIVE%"
0009A29D PUSH 0A3D28 UNICODE "Foxmail*"
0009A2C6 PUSH 0A3D40 UNICODE "%s\GmailNotifierPro\ConfigData.xml"
0009A2E9 MOV ESI,0A3E70 UNICODE "Software\IncrediMail\Identities"
0009A350 PUSH 0A3D88 UNICODE "EmailAddress"
0009A369 PUSH 0A3DA4 UNICODE "Technology"
0009A375 PUSH 0A3DBC UNICODE "PopServer"
0009A383 PUSH 0A3DD0 UNICODE "PopPort"
0009A392 PUSH 0A3DE0 UNICODE "PopAccount"
0009A3AC PUSH 0A3DF8 UNICODE "PopPassword"
0009A3B8 PUSH 0A3E10 UNICODE "SmtpServer"
0009A3C7 PUSH 0A3E28 UNICODE "SmtpPort"
0009A3D6 PUSH 0A3E3C UNICODE "SmtpAccount"
0009A3F3 PUSH 0A3E54 UNICODE "SmtpPassword"
0009A50E PUSH 0A3D0C UNICODE "%SYSTEMDRIVE%"
0009A521 PUSH 0A3EB0 UNICODE "%s\Softwarenetz\Mailing\Daten\mailing.vdt"
0009A568 MOV ESI,0A3F54 UNICODE "Software\WinChips\UserAccounts"
0009A5BE PUSH 0A3F04 UNICODE "UserName"
0009A5E7 PUSH 0A3F18 UNICODE "Passwd"
0009A5F3 PUSH 0A3F28 UNICODE "POP3Server"
0009A601 PUSH 0A3F40 UNICODE "POP3Port"
0009A69E PUSH 0A3F98 UNICODE "%s\Opera Mail\Opera Mail\wand.dat"
0009A6CB PUSH 0A4340 UNICODE "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
0009A6D9 PUSH 0A43F8 UNICODE "Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"
0009A6E7 PUSH 0A4468 UNICODE "Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
0009A722 PUSH 0A3FDC UNICODE "Email"
0009A759 MOV ESI,0A3FE8 UNICODE "SMTP Email Address"
0009A76C MOV ESI,0A4010 UNICODE "SMTP Server"
0009A77F MOV ESI,0A4028 UNICODE "SMTP User Name"
0009A7AF MOV ESI,0A4048 UNICODE "SMTP User"
0009A7BF MOV ESI,0A405C UNICODE "POP3 Server"
0009A7D9 MOV ESI,0A4074 UNICODE "POP3 User Name"
0009A807 MOV ESI,0A4094 UNICODE "POP3 User"
0009A814 MOV ESI,0A40A8 UNICODE "NNTP Email Address"
0009A82F MOV ESI,0A40D0 UNICODE "NNTP User Name"
0009A854 MOV ESI,0A40F0 UNICODE "NNTP Server"
0009A864 MOV ESI,0A4108 UNICODE "IMAP Server"
0009A87F MOV ESI,0A4120 UNICODE "IMAP User Name"
0009A8AD MOV ESI,0A4140 UNICODE "IMAP User"
0009A8BA MOV ESI,0A4154 UNICODE "HTTP User"
0009A8D8 MOV ESI,0A4168 UNICODE "HTTP Server URL"
0009A902 MOV ESI,0A4188 UNICODE "HTTPMail User Name"
0009A90E MOV ESI,0A41B0 UNICODE "HTTPMail Server"
0009A965 MOV ESI,0A41D0 UNICODE "POP3 Port"
0009A970 MOV ESI,0A41E4 UNICODE "SMTP Port"
0009A97D MOV ESI,0A41F8 UNICODE "IMAP Port"
0009A9B5 MOV ESI,0A420C UNICODE "POP3 Password2"
0009A9D6 MOV ESI,0A422C UNICODE "IMAP Password2"
0009A9F3 MOV ESI,0A424C UNICODE "NNTP Password2"
0009AA11 MOV ESI,0A426C UNICODE "HTTPMail Password2"
0009AA1C MOV ESI,0A4294 UNICODE "SMTP Password2"
0009AA41 MOV ESI,0A42B4 UNICODE "POP3 Password"
0009AA4E MOV ESI,0A42D0 UNICODE "IMAP Password"
0009AA6A MOV ESI,0A42EC UNICODE "NNTP Password"
0009AA86 MOV ESI,0A4308 UNICODE "HTTP Password"
0009AA9F MOV ESI,0A4324 UNICODE "SMTP Password"
0009AB6B PUSH 0A44D8 UNICODE "%s\.purple\accounts.xml"
0009AB7E MOV ESI,0A4508 UNICODE "%s\Pocomail\accounts.ini"
0009ABBA PUSH 0A454C UNICODE "imap.auth.pass"
0009ABBF MOV EBX,0A456C UNICODE "SOFTWARE\flaska.net\trojita"
0009ABD9 PUSH 0A45A4 UNICODE "imap.host"
0009ABEC PUSH 0A45B8 UNICODE "imap.auth.user"
0009ABF1 MOV ESI,0A456C UNICODE "SOFTWARE\flaska.net\trojita"
0009AC03 PUSH 0A45D8 UNICODE "imap.port"
0009AC89 MOV EBX,0A456C UNICODE "SOFTWARE\flaska.net\trojita"
0009AC8F PUSH 0A45EC UNICODE "msa.smtp.auth.pass"
0009ACA9 PUSH 0A4614 UNICODE "msa.smtp.host"
0009ACBC PUSH 0A4630 UNICODE "msa.smtp.auth.user"
0009ACC1 MOV ESI,0A456C UNICODE "SOFTWARE\flaska.net\trojita"
0009ACD3 PUSH 0A4658 UNICODE "msa.smtp.port"
0009AD68 PUSH 0A4678 UNICODE "SOFTWARE\flaska.net\trojita\identities"
0009ADA3 PUSH 0A453C UNICODE "address"
0009ADE7 PUSH 0A46C8 UNICODE "%s\TrulyMail\Data\Settings\user.config"
0009ADFC PUSH 0A4718 UNICODE "%s\yMail2\POP3.xml"
0009AE09 PUSH 0A4740 UNICODE "%s\yMail2\SMTP.xml"
0009AE15 PUSH 0A4768 UNICODE "%s\yMail2\Accounts.xml"
0009AE22 PUSH 0A4798 UNICODE "%s\yMail\ymail.ini"
0009AE38 PUSH 0A47C0 UNICODE "%s\32BitFtp.TMP"
0009AE46 PUSH 0A47E0 UNICODE "%s\32BitFtp.ini"
0009AE5B PUSH 0A4800 UNICODE "%s\Estsoft\ALFTP\ESTdb2.dat"
0009AE70 PUSH 0A4838 UNICODE "%s\site.xml"
0009AE82 PUSH 0A4850 UNICODE "%s\BitKinex\bitkinex.ds"
0009AEA2 PUSH 0A4880 UNICODE "*.tlp"
0009AEB2 PUSH 0A488C UNICODE "*.bscp"
0009AEC1 PUSH 0A489C UNICODE "LastUsedProfile"
0009AEC6 PUSH 0A48BC UNICODE "Software\Bitvise\BvSshClient"
0009AF3D PUSH 0A48F8 UNICODE "%s\BlazeFtp\site.dat"
0009AF4A MOV ESI,0A4928 UNICODE "Software\FlashPeak\BlazeFtp\Settings"
0009AF5F PUSH 0A4974 UNICODE "LastPassword"
0009AF7B PUSH 0A4990 UNICODE "LastUser"
0009AF8C PUSH 0A49A4 UNICODE "LastAddress"
0009AF9E PUSH 0A49BC UNICODE "LastPort"
0009B036 PUSH 0A49D0 UNICODE "Server"
0009B04F PUSH 0A3F04 UNICODE "UserName"
0009B05B PUSH 0A49E0 UNICODE "Password"
0009B074 PUSH 0A49F4 UNICODE "_Password"
0009B11C MOV ESI,0A4A08 UNICODE "Software\NCH Software\ClassicFTP\FTPAccounts"
0009B1A1 PUSH 0A4A64 ASCII "settings"
0009B1E6 PUSH 0A4A74 ASCII "name"
0009B1F1 PUSH 0A4A7C ASCII "value"
0009B29F PUSH 0A4A84 UNICODE "%s\Cyberduck"
0009B2A6 MOV ESI,0A4AA0 UNICODE "user.config"
0009B2B4 PUSH 0A4AB8 UNICODE "%s\iterate_GmbH"
0009B2D1 PUSH 0A4AD8 UNICODE "%s\EasyFTP\data"
0009B303 MOV ESI,0A4B20 UNICODE "%s\ExpanDrive"
0009B30D PUSH 0A4B3C UNICODE "*favorites.js"
0009B31D PUSH 0A4B58 UNICODE "drives.js"
0009B3B8 PUSH 0A4AFC ASCII "%s"
0009B3CA PUSH 0A4B00 ASCII "server"
0009B407 PUSH 0A4AFC ASCII "%s"
0009B419 PUSH 0A4B08 ASCII "username"
0009B434 PUSH 0A4AFC ASCII "%s"
0009B448 PUSH 0A2BCC ASCII "encryptedPassword"
0009B4DE PUSH 0A4B14 ASCII "protocol"
0009B55E PUSH 0A49E0 UNICODE "Password"
0009B57E MOV DWORD PTR SS:[ESP],0A4B78 UNICODE "User"
0009B58E PUSH 0A4B84 UNICODE "HostName"
0009B656 PUSH 0A4B6C UNICODE "%s%c"
0009B697 PUSH 0A4B98 UNICODE "Software\Far\Plugins\FTP\Hosts"
0009B6A5 PUSH 0A4BD8 UNICODE "Software\Far2\Plugins\FTP\Hosts"
0009B6D2 PUSH 0A4C18 UNICODE "%s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
0009B6E9 PUSH 0A4CB0 UNICODE "%s\FileZilla\Filezilla.xml"
0009B6F6 PUSH 0A4CE8 UNICODE "%s\FileZilla\filezilla.xml"
0009B703 PUSH 0A4D20 UNICODE "%s\FileZilla\recentservers.xml"
0009B710 PUSH 0A4D60 UNICODE "%s\FileZilla\sitemanager.xml"
0009B736 MOV ESI,0A4D9C UNICODE "%s\FlashFXP"
0009B742 MOV EBX,0A4DB4 UNICODE "*Sites.dat"
0009B75F MOV ESI,0A4DCC UNICODE "*quick.dat"
0009B773 PUSH 0A4D9C UNICODE "%s\FlashFXP"
0009B789 PUSH 0A4D9C UNICODE "%s\FlashFXP"
0009B811 PUSH 0A4DE4 UNICODE "FtpServer"
0009B82A PUSH 0A4DF8 UNICODE "FtpUserName"
0009B836 PUSH 0A4E10 UNICODE "FtpPassword"
0009B84F PUSH 0A4E28 UNICODE "_FtpPassword"
0009B8F7 MOV ESI,0A4E48 UNICODE "Software\NCH Software\Fling\Accounts"
0009B959 PUSH 0A4E98 UNICODE "%s\FreshWebmaster\FreshFTP\FtpSites.SMF"
0009B96B PUSH 0A4EE8 UNICODE "%s\FTPBox\profiles.conf"
0009B97D PUSH 0A4F18 UNICODE "%s\FTPGetter\Profile\servers.xml"
0009B98B PUSH 0A4F5C UNICODE "%s\FTPGetter\servers.xml"
0009B9A0 PUSH 0A4F90 UNICODE "%s\FTPInfo\ServerList.xml"
0009B9AE PUSH 0A4FC4 UNICODE "%s\FTPInfo\ServerList.cfg"
0009B9C3 PUSH 0A4FF8 UNICODE "%s\FTP Navigator\Ftplist.txt"
0009B9D8 PUSH 0A5034 UNICODE "%s\FTP Now\sites.xml"
0009B9ED PUSH 0A5034 UNICODE "%s\FTP Now\sites.xml"
0009BA02 PUSH 0A5060 UNICODE "%s\FTPShell\ftpshell.fsi"
0009BA17 PUSH 0A5098 UNICODE "%s\.config\fullsync\profiles.xml"
0009BA2C PUSH 0A50DC UNICODE "%s\DeluxeFTP\sites.xml"
0009BA41 PUSH 0A5110 UNICODE "%s\GoFTP\settings\Connections.txt"
0009BA52 PUSH 0A5164 UNICODE "AbleFTP"
0009BA5E PUSH 0A5174 UNICODE "Automize"
0009BA87 PUSH 0A5188 UNICODE "%s\%s%i\encPwd.jsd"
0009BAB2 PUSH 0A51B0 UNICODE "%s\%s%i\data\settings\sshProfiles-j.jsd"
0009BADD PUSH 0A5200 UNICODE "%s\%s%i\data\settings\ftpProfiles-j.jsd"
0009BB15 PUSH 0A5154 UNICODE "JaSFtp"
0009BB36 MOV ESI,0A5274 UNICODE "Software\LinasFTP\Site Manager"
0009BB8C PUSH 0A5250 UNICODE "Pass"
0009BBA5 PUSH 0A4B78 UNICODE "User"
0009BBB1 PUSH 0A525C UNICODE "Host"
0009BBBF PUSH 0A5268 UNICODE "Port"
0009BC5B PUSH 0A52B4 UNICODE "%s\oZone3D\MyFTP\myftp.ini"
0009BC71 PUSH 0A52EC UNICODE "%s\NetDrive\NDSites.ini"
0009BC7E MOV ESI,0A531C UNICODE "%s\NetDrive2\drives.dat"
0009BCA1 PUSH 0A5350 UNICODE "%s\Fastream NETFile\My FTP Links"
0009BCBD PUSH 0A5398 UNICODE "%s\NexusFile\userdata\ftpsite.ini"
0009BCCB PUSH 0A53DC UNICODE "%s\NexusFile\ftpsite.ini"
0009BCE0 PUSH 0A5410 UNICODE "%s\INSoftware\NovaFTP\NovaFTP.db"
0009BCF5 PUSH 0A5458 UNICODE "%s\Notepad++\plugins\config\NppFTP\NppFTP.xml"
0009BD0A PUSH 0A54B8 UNICODE "%s\Odin Secure FTP Expert\QFDefault.QFQ"
0009BD18 PUSH 0A5508 UNICODE "%s\Odin Secure FTP Expert\SiteInfo.QFP"
0009BD42 MOV ESI,0A55A8 UNICODE "Software\9bis.com\KiTTY\Sessions"
0009BD5C MOV ESI,0A55F0 UNICODE "Software\SimonTatham\PuTTY\Sessions"
0009BDDB PUSH 0A4B84 UNICODE "HostName"
0009BE04 PUSH 0A49E0 UNICODE "Password"
0009BE10 PUSH 0A3F04 UNICODE "UserName"
0009BE1F PUSH 0A5558 UNICODE "PublicKeyFile"
0009BE2E PUSH 0A5574 UNICODE "TerminalType"
0009BE3C PUSH 0A5590 UNICODE "PortNumber"
0009BF55 PUSH 0A56F8 UNICODE "lck"
0009BFAB MOV EBX,0A5700 UNICODE "%s\Microsoft\Credentials"
0009BFF4 PUSH 0A5638 UNICODE "_dec"
0009C335 PUSH 0A5644 UNICODE "%s_dec"
0009C624 PUSH 0A5654 UNICODE "lsasrv.dll"
0009C641 PUSH 0A566C ASCII "LsaICryptUnprotectData"
0009C65E PUSH 0A5684 UNICODE "kernel32.dll"
0009C678 PUSH 0A56A0 ASCII "CloseHandle"
0009C695 PUSH 0A56AC ASCII "CreateFileW"
0009C6B2 PUSH 0A56B8 ASCII "WriteFile"
0009C70F PUSH 0A56C4 UNICODE "lsass.exe"
0009C730 PUSH 0A56D8 ASCII "GetProcAddress"
0009C735 PUSH 0A5684 UNICODE "kernel32.dll"
0009C740 PUSH 0A56E8 ASCII "LoadLibraryW"
0009C745 PUSH 0A5684 UNICODE "kernel32.dll"
0009C767 PUSH 0A5684 UNICODE "kernel32.dll"
0009C783 PUSH 0A56D8 ASCII "GetProcAddress"
0009C78C PUSH 0A5684 UNICODE "kernel32.dll"
0009C7AE PUSH 0A56E8 ASCII "LoadLibraryW"
0009C7E6 PUSH 0A56C4 UNICODE "lsass.exe"
0009C80D PUSH 0A56C4 UNICODE "lsass.exe"
0009C959 PUSH 0A5734 UNICODE "Config Path"
0009C95E PUSH 0A574C UNICODE "Software\VanDyke\SecureFX"
0009C973 PUSH 0A5780 UNICODE "%s\Sessions"
0009C9A6 PUSH 0A5798 UNICODE "*.ini"
0009C9E9 PUSH 0A57C8 UNICODE "%s\SftpNetDrive"
0009C9F0 PUSH 0A57E8 UNICODE "*.cfg"
0009CA47 PUSH 0A3AA4 ASCII "Server"
0009CA61 PUSH 0A57A4 ASCII "Port"
0009CA6C PUSH 0A57AC ASCII "<>"
0009CAB1 PUSH 0A4AFC ASCII "%s"
0009CAC1 PUSH 0A57B0 ASCII "UserName"
0009CAE7 PUSH 0A4AFC ASCII "%s"
0009CAFA PUSH 0A57BC ASCII "Password"
0009CB14 PUSH 0A57AC ASCII "<>"
0009CBDA PUSH 0A57F8 UNICODE "%s\Sherrod Computers\sherrod FTP\favorites"
0009CBE1 PUSH 0A5850 UNICODE "#document.favoriteManager*"
0009CBF7 PUSH 0A5888 UNICODE "%s\SmartFTP"
0009CBFE PUSH 0A58A0 UNICODE "{*.xml"
0009CC13 PUSH 0A58B0 UNICODE "%s\Staff-FTP\sites.ini"
0009CC28 PUSH 0A58E0 UNICODE "%s\Steed\bookmarks.txt"
0009CC3F PUSH 0A5910 UNICODE "%s\SuperPutty"
0009CC46 PUSH 0A592C UNICODE "Sessions*"
0009CCAC PUSH 0A59E4 UNICODE "%s\Syncovery"
0009CCB3 PUSH 0A5A00 UNICODE "Syncovery.ini"
0009CDD9 PUSH 0A5940 UNICODE "sftp://"
0009CDEC PUSH 0A5950 UNICODE "ftp://"
0009CDFF PUSH 0A5960 UNICODE "ftps://"
0009CE12 PUSH 0A5970 UNICODE "http://"
0009CE25 PUSH 0A5980 UNICODE "https://"
0009CE48 MOV EBX,0A5998 UNICODE "{.:CRED:.}"
0009CE61 PUSH 0A59B0 UNICODE "{CREN}"
0009CE78 PUSH 0A59C0 UNICODE "{CRDB}"
0009CE86 PUSH 0A59C0 UNICODE "{CRDB}"
0009CEF3 PUSH 0A59D0 UNICODE "Profiles"
0009CF1D PUSH 0A59D0 UNICODE "Profiles"
0009CF75 MOV ESI,0A5A1C UNICODE "*.vnc"
0009CF9F MOV ESI,0A5A28 UNICODE "%s\wcx_ftp.ini"
0009CFC0 PUSH 0A5A48 UNICODE "%s\GHISLER\wcx_ftp.ini"
0009CFCF PUSH 0A5A78 UNICODE "FtpIniName"
0009CFD4 PUSH 0A5A90 UNICODE "Software\Ghisler\Total Commander"
0009D018 PUSH 0A5AD4 UNICODE "%s\UltraFXP\sites.xml"
0009D02D PUSH 0A5B00 UNICODE "%s\WinFtp Client\Favorites.dat"
0009D050 MOV ESI,0A5B58 UNICODE "Software\Martin Prikryl"
0009D0B7 PUSH 0A4B84 UNICODE "HostName"
0009D0E0 PUSH 0A49E0 UNICODE "Password"
0009D0EC PUSH 0A3F04 UNICODE "UserName"
0009D0FB PUSH 0A5558 UNICODE "PublicKeyFile"
0009D10A PUSH 0A5B40 UNICODE "FSProtocol"
0009D118 PUSH 0A5590 UNICODE "PortNumber"
0009D230 PUSH 0A5B88 UNICODE "%s\WS_FTP\WS_FTP.INI"
0009D23D PUSH 0A5BB4 UNICODE "%s\WS_FTP.INI"
0009D24A PUSH 0A5BD0 UNICODE "%s\Ipswitch"
0009D251 PUSH 0A5BE8 UNICODE "ws_ftp.ini"
0009D26B MOV EDI,0A5C00 UNICODE "%s\NetSarang\Xftp\Sessions"
0009D278 MOV ESI,0A5C38 UNICODE "*xfp"
0009D31E PUSH 0A5C44 UNICODE "%s\NoteFly\notes"
0009D324 PUSH 0A5C68 UNICODE "*.nfn"
0009D37E PUSH 0A5C78 UNICODE "%s\Conceptworld\Notezilla\Notes8.db"
0009D3A2 PUSH 0A5CC0 UNICODE "%s\stickies\images"
0009D3A8 PUSH 0A5CE8 UNICODE "*.png"
0009D3BE PUSH 0A5CF4 UNICODE "%s\stickies\rtf"
0009D3C4 PUSH 0A5D14 UNICODE "*.rtf"
0009D440 PUSH 0A5D20 UNICODE "%s\Microsoft\Sticky Notes\StickyNotes.snt"
0009D46B MOV ESI,0A5D74 UNICODE "*.spn"
0009D4D5 PUSH 0A5D80 UNICODE "%s\To-Do DeskList\tasks.db"
0009D4E6 PUSH 0A5DD4 UNICODE "Full Tilt Poker"
0009D4FD PUSH 0A7010 UNICODE "Software"
0009D502 PUSH 0A224C UNICODE "%s\%s"
0009D549 PUSH 0A49E0 UNICODE "Password"
0009D56B PUSH 0A5DC0 UNICODE "Username"
0009D628 PUSH 0A7010 UNICODE "Software"
0009D66C PUSH 0A5DB8 UNICODE "c:\"
0009D729 PUSH 0A5DF4 UNICODE "InstanceA"
0009D72E MOV EBX,0A5E08 UNICODE "Software\VB and VBA Program Settings\Plugin"
0009D741 PUSH 0A5E60 UNICODE "InstanceB"
0009D763 PUSH 0A5E74 ASCII "INSTALL=%08X%08X;"
0009D88A PUSH 0A5E88 ASCII "MAC=%02X%02X%02X%02X%02X%02X;"
0009D8F7 PUSH 0A5EA8 ASCII "SYSVOL=%08X;"
0009D93C PUSH 0A5ED0 UNICODE "PokerStars*"
0009D968 PUSH 0A5EB8 UNICODE "%s\user.ini"
0009DA63 PUSH 0A3D0C UNICODE "%SYSTEMDRIVE%"
0009DB73 PUSH 0A3D0C UNICODE "%SYSTEMDRIVE%"
0009DC0A PUSH 0A5EE8 UNICODE "%s\mSecure"
0009DC11 PUSH 0A5F00 UNICODE "*.mscw"
0009DDCC SUB EAX,10000 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
0009DDE9 MOV ESI,0A5F10 UNICODE "-k netsvcs"
0009DE5C PUSH 0A5F38 UNICODE "explorer.exe"
0009DE9B PUSH 0A5F54 UNICODE "svchost.exe"
0009DEBC PUSH 0A21FC UNICODE "open"
0009DEC1 PUSH 0A5F28 UNICODE "http"
0009E01B MOV DWORD PTR SS:[EBP-28],10004 UNICODE "LUSERSPROFILE=C:\Documents and Settings\All Users"
0009E63F PUSH 0A5FA0 UNICODE "CB: %s"
0009E709 PUSH 0A5F80 UNICODE "Window: %s"
0009E7BC PUSH 0A5FE4 UNICODE "[DEL]"
0009E7CA PUSH 0A5FB8 UNICODE ""
0009E7D1 PUSH 0A5FD8 UNICODE "[TAB]"
0009E7D8 PUSH 0A5FC0 UNICODE "[BACKSPACE]"
0009E9AD PUSH 0A5F78 UNICODE "kdb"
0009E9D4 PUSH 0A5F78 UNICODE "kdb"
0009EA86 PUSH 0A5F6C UNICODE "KL-%s"
0009EE36 PUSH 0A61E4 ASCII ""
0009EF52 PUSH 0A6208 UNICODE "hdb"
0009EFAA PUSH 0A61EC UNICODE ".exe"
0009EFE6 PUSH 0A61FC UNICODE ".dll"
0009F004 PUSH 0A61EC UNICODE ".exe"
0009F08E PUSH 0A6210 UNICODE "-u"
0009F098 PUSH 0A61EC UNICODE ".exe"
0009F1D1 PUSH 0A6164 UNICODE "%s\%s\%s.exe"
0009F204 PUSH 0A224C UNICODE "%s\%s"
0009F379 PUSH 0A6218 ASCII "XXXXX11111"
0009F67E PUSH 0A3D0C UNICODE "%SYSTEMDRIVE%"
0009F6E0 PUSH 0A6224 UNICODE "%c:\"
0009F986 PUSH 0A6250 UNICODE "img"
0009FE0E PUSH 9BA52 ASCII "hdQ"
0009FE1A PUSH 9BB15 ASCII "hTQ"
0009FE26 PUSH 9BA5E ASCII "htQ"
0009FF17 PUSH 9B722 ASCII "SVWh"
000A000F PUSH 9AB79 ASCII "Vj"
000A00C3 PUSH 9ADF5 ASCII "Vj"
000A0234 PUSH 0A6210 UNICODE "-u"
000A02DD MOV ESI,0A6258 ASCII "KOSFKF"
000A06EF PUSH 0A224C UNICODE "%s\%s"
000A0719 PUSH 0A62E8 UNICODE "%s\%s.%s"
000A0B1A PUSH 0A6218 ASCII "XXXXX11111"
000A0EB0 PUSH 0A6208 UNICODE "hdb"
405642, 403240 for the crypto part and 41061E for CryptDecrypt
Gates:
Code:
trafcounters.com/webstatBETA/ight.php
mompelie.ru/webstatBETA/ight.php
Files from VT positively reacting to "/ight.php":
Code:
092f07af0b41409b1295947b56af2e0187cad4de
778e238c33426b7ec5dea807f6896899ce4ed8ea
4b350e37bb9a4b2a33162a46c34565f5010e8457
61a2114b55090144c3ef2eb5d788d163ff5444c2
a4d0d0694f271f42381ba5a2cc08c88659dd7ba1
60260e08b290cb6747b9b92a20b194daa577bda3
9fbc50624ad1e47b75ae053f05a6caa9bd422d7c
7fcdb17391c0e47afbb9d04c8f69f112d9d538ed
Attachments
infected (143.38 KiB)
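Added example (my own Python, not code from the post or from the sample): a small parser for the OllyDbg "Text strings referenced" listing above. It drops OllyDbg's false positives by the address they reference, dedupes the repeated path joins and buckets what is left into what a triage analyst wants out of such a dump: the API names resolved by hand (the injection primitives, the NSS/sqlite3/vaultcli/lsasrv imports), registry keys and path templates of the targeted applications, the SQL, the keylogger tokens, and the hard-coded markers and shuffled alphabets that are distinctive enough for a family-specific rule. Assumptions: the data window 0A2000-0A8000 is read off the listing header and operands, the API prefix list and the category heuristics are mine, and SAMPLE is a constructed subset of the listing rather than a new dump.

```python
import re

# One line of OllyDbg's "Text strings referenced" output:
#   <code addr> <instruction> <UNICODE|ASCII> "<string>"
LINE_RE = re.compile(r'^([0-9A-F]{8})\s+(.+?)\s+(UNICODE|ASCII)\s+"(.*)"\s*$')
ADDR_RE = re.compile(r'([0-9A-F]{5,8})\s*$')  # immediate the instruction carries

# Assumption read off the listing (module mapped at 00090000, literals referenced
# at 0A2xxx-0A7xxx): references outside this window are OllyDbg false positives
# (code bytes, stack, environment block), not strings the stealer actually uses.
DATA_RANGE = (0x0A2000, 0x0A8000)

# Prefixes of the API names the sample resolves by hand (assumption: built from
# this listing; extend it for other samples).
API_PREFIXES = ('Zw', 'Nt', 'Rtl', 'Ldr', 'Vault', 'PK11', 'NSS_', 'SECITEM_', 'sqlite3_',
                'Lsa', 'CloseHandle', 'CreateFile', 'WriteFile', 'GetProcAddress', 'LoadLibrary')

# Constructed subset of the listing above, used as the sample input.
SAMPLE = r'''
00092750 PUSH EBP (Initial CPU selection)
000928FB MOV ESI,0A2090 UNICODE "Kernel32.dll"
00093598 PUSH 0A224C UNICODE "%s\%s"
000936EE PUSH 0A224C UNICODE "%s\%s"
00095642 MOV ESI,0A22A4 ASCII "DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW"
00095F35 PUSH 0A23A4 ASCII "SOFTWARE\Microsoft\Cryptography"
00096965 PUSH 0A2494 ASCII "ZwAllocateVirtualMemory"
00096AA6 PUSH 0A24C0 ASCII "NtWriteVirtualMemory"
000972B4 PUSH 0A2558 UNICODE "%s\%s\User Data\Default\Login Data"
000977BA PUSH 0A2524 ASCII "password_value"
000981A0 PUSH 80800 UNICODE "="6595b64144ccf1df",type="win32",version="5.2.2.3"C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows."
00098CF9 PUSH 0A2B48 ASCII "SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins"
0009958E PUSH 0A3394 ASCII "PK11SDR_Decrypt"
0009BD5C MOV ESI,0A55F0 UNICODE "Software\SimonTatham\PuTTY\Sessions"
0009C641 PUSH 0A566C ASCII "LsaICryptUnprotectData"
0009CE48 MOV EBX,0A5998 UNICODE "{.:CRED:.}"
0009D763 PUSH 0A5E74 ASCII "INSTALL=%08X%08X;"
0009E7D8 PUSH 0A5FC0 UNICODE "[BACKSPACE]"
0009EA86 PUSH 0A5F6C UNICODE "KL-%s"
0009FE0E PUSH 9BA52 ASCII "hdQ"
000A02DD MOV ESI,0A6258 ASCII "KOSFKF"
'''


def parse_listing(text):
    """Return (code_addr, referenced_addr or None, kind, string) per annotated line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. the "PUSH EBP (Initial CPU selection)" header line
        code, operand, kind, s = m.groups()
        a = ADDR_RE.search(operand)
        out.append((int(code, 16), int(a.group(1), 16) if a else None, kind, s))
    return out


def classify(ref, kind, s, data_range=DATA_RANGE):
    """Bucket one string; the order matters (registry keys also contain backslashes)."""
    if ref is not None and not data_range[0] <= ref < data_range[1]:
        return 'noise'
    if s.lower().startswith('software\\'):
        return 'registry'
    if '\\' in s:
        return 'path'
    if s.lower().endswith('.dll'):
        return 'dll'
    if kind == 'ASCII' and s.startswith(API_PREFIXES):
        return 'api'
    if s.startswith('SELECT ') or s == 'SQLite format 3':
        return 'sql'
    if re.fullmatch(r'\[[A-Z]+\]', s):
        return 'keylog'
    if '%' in s:
        return 'format'
    if len(s) == 62 and s.isalnum() and len(set(s)) == 62:
        return 'alphabet'  # shuffled [A-Za-z0-9]: custom encoding table
    if re.fullmatch(r'[a-z][a-z0-9_]*', s):
        return 'field'     # column / config field names the stealer reads
    if len(s) >= 6 and ' ' not in s:
        return 'marker'    # hard-coded tokens such as {.:CRED:.} or KOSFKF
    return 'other'


def inventory(entries):
    """Unique strings per category, in first-seen order."""
    inv, seen = {}, set()
    for _, ref, kind, s in entries:
        if (kind, s) not in seen:
            seen.add((kind, s))
            inv.setdefault(classify(ref, kind, s), []).append(s)
    return inv


def signature_candidates(inv, min_len=6):
    """Markers, shuffled alphabets and non-trivial format strings: the material
    a family-specific rule should be built from instead of generic API names."""
    return (inv.get('marker', []) + inv.get('alphabet', [])
            + [s for s in inv.get('format', []) if len(s) >= min_len])


if __name__ == '__main__':
    inv = inventory(parse_listing(SAMPLE))
    for cat, strings in inv.items():
        print(cat + ':', *strings, sep='\n    ')
    print('signature candidates:', signature_candidates(inv))
```

To run it on the full dump, replace SAMPLE with the contents of the listing; the `noise` bucket is worth a glance each time, since the address window is an assumption and a sample with a different layout needs a different DATA_RANGE.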