A forum for reverse engineering, OS internals and malware analysis 

 #4231  by EP_X0FF
 Sun Jan 02, 2011 7:34 pm
Spawns a winlogon.exe process copy with an injected payload DLL. Winlogon dies at start without action.

It includes detection of several debuggers and sandboxes:
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
VBoxService.exe
SbieDll.dll
Autoruns through HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

edit:

Thread merged with thread about MSIL based malware samples.
Last edited by EP_X0FF on Sun Jan 02, 2011 7:38 pm, edited 1 time in total. Reason: edit
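As an added triage example (not code from the thread, the sample, or its author): the anti-debugger device names and sandbox artifacts listed in the post are plain string indicators, so a first-pass check on a dumped sample is to scan its bytes for them. The scanner below looks for each string in both ANSI and UTF-16LE form, since .NET and Delphi binaries commonly store literals as wide strings. The sample buffer is constructed here for illustration; all function names are this example's own.

```python
# Added example: scan a sample's raw bytes for the evasion indicators quoted in
# the post. Not code from the thread; SAMPLE is a constructed byte string.
import re

# Device names the post lists as anti-debugger checks (Syser, SoftICE, NTICE).
# Note that "\\.\Syser" is a prefix of the two other Syser names, so a single
# wide string may produce a hit for both.
ANTI_DEBUG_DEVICES = [
    r"\\.\Syser", r"\\.\SyserDbgMsg", r"\\.\SyserBoot", r"\\.\SICE", r"\\.\NTICE",
]
# Process/module names the post lists as sandbox and VM detection.
SANDBOX_ARTIFACTS = ["VBoxService.exe", "SbieDll.dll"]


def _encodings(s: str):
    """The two byte forms a string literal typically takes in a PE file."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def scan_indicators(blob: bytes) -> dict:
    """Return {indicator: [offsets]} for every indicator found in blob."""
    hits = {}
    for name in ANTI_DEBUG_DEVICES + SANDBOX_ARTIFACTS:
        for needle in _encodings(name):
            for m in re.finditer(re.escape(needle), blob):
                hits.setdefault(name, []).append(m.start())
    return hits


def triage_verdict(hits: dict) -> str:
    """Summarise which evasion families the hits belong to."""
    dbg = [n for n in hits if n in ANTI_DEBUG_DEVICES]
    sbx = [n for n in hits if n in SANDBOX_ARTIFACTS]
    parts = []
    if dbg:
        parts.append(f"anti-debugger device checks ({len(dbg)})")
    if sbx:
        parts.append(f"sandbox/VM artifact checks ({len(sbx)})")
    return "; ".join(parts) if parts else "no evasion indicators found"


# Constructed sample: padding, an ANSI SoftICE device name, then a wide
# VBoxService.exe string. A real run would read the dumped file instead.
SAMPLE = (b"\x00" * 8
          + b"\\\\.\\SICE\x00"
          + "VBoxService.exe".encode("utf-16-le")
          + b"junk")

if __name__ == "__main__":
    found = scan_indicators(SAMPLE)
    for name, offsets in found.items():
        print(f"{name!r} at {offsets}")
    print(triage_verdict(found))
```

Offsets are reported so the hits can be cross-checked against the string table or the code that references them; a hit alone only says the check is present, not that it is reached.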
 #4270  by xqrzd
 Tue Jan 04, 2011 10:56 pm
Same as the others: disables Task Manager, command prompt, etc., runs through HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run etc...
 #4296  by EP_X0FF
 Thu Jan 06, 2011 9:30 am
This is a container for .NET malware.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
DisableRegistryTools
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD
netsh.exe
firewall set opmode disable
Spawns a winlogon copy with injected code.

The injected code itself is a password-stealer trojan written in Delphi; see the attachment (MEMORY.rar).
https://www.virustotal.com/file-scan/re ... 1294306769

edit: more descriptive name added to thread
Attachments
pass: malware
(258.58 KiB) Downloaded 40 times
pass: malware
(395.37 KiB) Downloaded 41 times
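As an added detection example (not code from the thread or the sample's author): the registry policy values, the HKCU Run persistence and the netsh firewall command quoted in the post are all things a responder can check offline from a registry export and a process-creation log. The parser below handles the subset of .reg syntax needed for that ([key] headers, "name"=dword:/string values), flags the policy values the post names when they are set, lists every HKCU Run entry, and classifies a command line as the firewall-disable invocation described. The .reg text is constructed for illustration; the function names and the placeholder path are this example's own.

```python
# Added example: find the lockdown/persistence indicators described in the
# post in a .reg export and a process command line. Not code from the thread.
import re

# Policy values named in the post, keyed by the registry key holding them.
POLICY_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     ("DisableTaskMgr", "DisableRegistryTools")),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System",
     ("DisableCMD",)),
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and "name"=value lines into {key: {name: value}}.
    dword values become int; quoted strings are unescaped; others stay raw."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, val = m.group("name"), m.group("val")
            if val.lower().startswith("dword:"):
                result[current][name] = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                result[current][name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                result[current][name] = val  # hex:, @=..., etc. kept as-is
    return result


def find_lockdown_indicators(reg: dict) -> list:
    """Return (kind, name, value) for set policy values and HKCU Run entries."""
    lower = {k.lower(): v for k, v in reg.items()}
    findings = []
    for key, names in POLICY_VALUES:
        values = lower.get(key.lower(), {})
        for name in names:
            if values.get(name, 0) != 0:
                findings.append(("policy", name, values[name]))
    for name, target in lower.get(RUN_KEY.lower(), {}).items():
        findings.append(("run", name, target))
    return findings


def is_firewall_disable(cmdline: str) -> bool:
    """True for the 'netsh firewall set opmode disable' form the post quotes,
    as seen in a process-creation command-line field."""
    toks = cmdline.lower().split()
    if not toks:
        return False
    exe = toks[0].rsplit("\\", 1)[-1].strip('"')
    return (exe in ("netsh", "netsh.exe") and "firewall" in toks
            and "set" in toks and "opmode" in toks and "disable" in toks)


# Constructed .reg export; the Run target is a placeholder path, not from the sample.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\<user>\\AppData\\Roaming\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
"""

if __name__ == "__main__":
    for kind, name, value in find_lockdown_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"[{kind}] {name} = {value!r}")
    print(is_firewall_disable("netsh.exe firewall set opmode disable"))
```

Any non-zero policy value is reported without interpreting it further, since the point is that a user-level policy was written at all; on a machine that does not use these policies, a set value alongside a fresh HKCU Run entry is the pattern described in the thread.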