A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6530  by EP_X0FF
 Wed May 25, 2011 11:22 am
The only thing that is completely strange in this article is the set of totally outdated software they used to detect SpyEye, including the BSOD generator SVV. I lol'd.
 #6569  by EP_X0FF
 Sat May 28, 2011 2:03 pm
SpyEye v1.3

pass for decrypted config: 3D35AA71720D6920FCCE1AB4E417B81C

Gate:
hxxp://globallaty.ru/bambo/gzm.php;90
Dropper and decrypted config attached.
Attachments
pass: malware
 #6574  by EP_X0FF
 Sun May 29, 2011 12:44 pm
Some old SpyEye v1.09

pass for config.bin ('P' and 'K' signature overwritten with 0xFF): 2ED94EA60D42405F20F76A74D00F57DB
Config used to build this crap:
[settings]
Plugin3Config=
Plugin3=
Plugin2Config=
Plugin2=
Plugin1Config=
Plugin1=
WebInjectsPath=
ClearCookies=1
KillZeus=1
UpxCompress=1
ConnectorInterval=300
EncKey=azerty321
SpyEyeCollectorPath=78.47.59.236:53
MainCpPathBack=hxxp://kerneldz.dyndns.org/main/gate.php
MainCpPath=hxxp://kerneldz.dyndns.org/main/gate.php
comes from hxxp://kerneldz.dyndns.org/main/bin/
Attachments
pass: malware
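The "'P' and 'K' signature overwritten with 0xFF" trick mentioned above is a cheap way to keep a ZIP-based config.bin from being recognised as an archive. The following is an added example, not the poster's code: it builds a constructed stand-in archive with every PK signature masked the same way, restores them and lists the entries. The entry names and contents are assumptions; the real config.bin is additionally password-protected (password given above), which does not affect the header bytes being repaired.

```python
import io
import re
import zipfile

# ZIP record signatures that begin with b"PK": local file header,
# central directory entry, end of central directory.
_PK_TAILS = (b"\x03\x04", b"\x01\x02", b"\x05\x06")


def mask_pk_signatures(data: bytes) -> bytes:
    """Overwrite the 'PK' of every known ZIP record signature with 0xFF 0xFF."""
    out = bytearray(data)
    for tail in _PK_TAILS:
        for m in re.finditer(re.escape(b"PK" + tail), data):
            out[m.start():m.start() + 2] = b"\xff\xff"
    return bytes(out)


def build_masked_sample() -> bytes:
    """Constructed stand-in for a masked config.bin (entry names are assumptions)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("config.dat", b"[settings]\r\nConnectorInterval=300\r\n")
        z.writestr("webinjects.txt", b"set_url * G\r\n")
    return mask_pk_signatures(buf.getvalue())


def restore_pk_signatures(data: bytes) -> tuple[bytes, int]:
    """Put 'PK' back wherever 0xFF 0xFF precedes a known ZIP record tail.

    Pattern scanning is good enough for a small config archive; a rigorous
    repair would walk the records from the end-of-central-directory instead,
    so that 0xFF 0xFF 0x03 0x04 occurring inside compressed data is not touched.
    Returns (repaired bytes, number of signatures repaired).
    """
    out = bytearray(data)
    fixed = 0
    for tail in _PK_TAILS:
        for m in re.finditer(re.escape(b"\xff\xff" + tail), data):
            out[m.start():m.start() + 2] = b"PK"
            fixed += 1
    return bytes(out), fixed


def list_config_entries(data: bytes) -> list[str]:
    """Repair the signatures, verify the archive's CRCs and return its entry names."""
    repaired, _ = restore_pk_signatures(data)
    with zipfile.ZipFile(io.BytesIO(repaired)) as z:
        if z.testzip() is not None:
            raise ValueError("archive still corrupt after signature repair")
        return z.namelist()
```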
 #6586  by gritland
 Tue May 31, 2011 10:59 am
v 1.3
md5: DAF6AF245F7B1BB4A02706EB124D2B3E
Attachments
pass: infected
Last edited by Alex on Wed Jun 01, 2011 6:26 am, edited 1 time in total. Reason: added password
 #6610  by EP_X0FF
 Wed Jun 01, 2011 3:23 pm
They even don't know how to properly configure the webshit, pathetic.
It's a common plague for SpyEye skiddie users :D

pass for decrypted config: 07B13B6B3BABA9A156D20C7DDED40639

v1.3

Gates:
Bot and decrypted config in attachment.
Attachments
pass: malware
 #6613  by EP_X0FF
 Wed Jun 01, 2011 4:21 pm
This is a big one, also v1.3.

In attachment: dropper original binary, dropper unpacked binary, decrypted config.
pass for decrypted config: 38E3CED8A9B5B60A1774E1F2C14A79F1

http://www.virustotal.com/file-scan/rep ... 1305495656

Gate:
hxxp://addleslawcenter.com/9999/gate.php;60
Plugins:

customconnector
socks5
ftp backconnect
C:\Data\Documents\My Projects\CC\CardNet\Progs\Client\SpyEye\plugins\BC\Client\Release\ftpbc.pdb
Attachments
pass: malware