A forum for reverse engineering, OS internals and malware analysis 
 #19264  by ISergey256
 Mon May 13, 2013 1:39 pm
Internet Security
original https://www.virustotal.com/ru/file/c6c0 ... /analysis/
unpacked https://www.virustotal.com/ru/file/93ac ... /analysis/
Strings:
Houdsodu!Rdbtshux
X79SDV,U67GE0,T2WBG4@
iuuq;..rdbtshuxidmqrtqqnsu/bnl.nqdo/qiq
iuuq;..`tunhourdbtshux/bnl.ctxonv/qiq>che<$`ewhe$
iuuq;..`tunhourdbtshux/bnl.rtqqnsu/iulm
iuuq;..rnguqnsu`m271/bnl.515/qiq>he<$`ewhe$
iuuq;..mhbdobdbidbj35/bnl.`buhw`ud.`buhw`ud/qiq>he<$the$'l`hm<$dl`hm$'nseds^he<$nseds$
iuuq;..mhbdobdbidbj35/bnl.`buhw`ud.`buhw`ud/qiq>he<$the$'
iuuq;..2erdbtsdhoudso`uhno`m/bnl.rtqqnsu/qiq
ogdbude;!Usnk`o,Envomn`eds/Vho23/@fdou
Decrypted:
Internet Security
Y68REW-T76FD1-U3VCF5A
hxxp://securityhelpsupport.com/open.php
hxxp://autointsecurity.com/buynow.php?bid=%advid%
hxxp://autointsecurity.com/support.html
hxxp://softportal360.com/404.php?id=%advid%
hxxp://licencecheck24.com/activate/activate.php?id=%uid%&mail=%email%&order_id=%order%
hxxp://licencecheck24.com/activate/activate.php?id=%uid%&
hxxp://3dsecureinternational.com/support.php
nfected: Trojan-Downloader.Win32.Agent!
Attachments
pass: infected
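Added example, not part of ISergey256's post: every character in the "Strings" block differs from the decrypted block by exactly one bit, so the sample stores its strings XORed with 0x01. This Python snippet decodes the quoted strings, defangs the URLs the way the post does, and recovers the key by a crib search; the function names and the crib-based key recovery are my additions, and the input is the obfuscated text as quoted above.

```python
from typing import List, Optional

# Constructed sample: the obfuscated strings exactly as quoted in the post.
OBFUSCATED: List[str] = [
    "Houdsodu!Rdbtshux",
    "X79SDV,U67GE0,T2WBG4@",
    "iuuq;..rdbtshuxidmqrtqqnsu/bnl.nqdo/qiq",
    "iuuq;..`tunhourdbtshux/bnl.ctxonv/qiq>che<$`ewhe$",
    "ogdbude;!Usnk`o,Envomn`eds/Vho23/@fdou",
]


def xor_decode(s: str, key: int = 0x01) -> str:
    """Undo the obfuscation: XOR every byte with the key (0x01 for this sample).
    XOR is its own inverse, so the same call re-encodes a plain string."""
    return bytes(b ^ key for b in s.encode("latin-1")).decode("latin-1")


def defang(s: str) -> str:
    """Render URLs non-clickable in analyst output, matching the post's hxxp convention."""
    return s.replace("http://", "hxxp://").replace("https://", "hxxps://")


def decode_all(strings: List[str], key: int = 0x01) -> List[str]:
    """Decode and defang a whole string dump."""
    return [defang(xor_decode(s, key)) for s in strings]


def recover_xor_key(blob: bytes, crib: bytes = b"http://") -> Optional[int]:
    """Brute-force a single-byte XOR key: the right key is the one under which a
    known plaintext fragment (here the URL scheme) appears in the decoded blob."""
    for key in range(256):
        if crib in bytes(b ^ key for b in blob):
            return key
    return None


if __name__ == "__main__":
    dump = "\n".join(OBFUSCATED).encode("latin-1")
    key = recover_xor_key(dump)
    print(f"recovered key: {key:#04x}")
    for line in decode_all(OBFUSCATED, key):
        print(line)
```

The last quoted string has no trailing character after "@fdou", so the decoder yields "...Win32.Agent" without the "!" shown in the post's decrypted block.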
 #19468  by Xylitol
 Thu May 30, 2013 1:29 am
http://malware.dontneedcoffee.com/2013/ ... rausy.html
http://vxvault.siri-urz.net/ViriList.ph ... 211.98.159
193 System Care Antivirus in attach
grabbed directly from the affiliate (BestAV distribution filters are broken)
if you want to do it yourself, just install wget and save this as a batch file:
Code:
@echo off
color 17
cls
REM distribution URL; the affiliate id is appended in the loop below
set target=test.bestavsoft2.com/soft/download/?affid=
set droppath=BestAVsoft1
set start=1
set affiday=00
set end=999
set step=1
if not exist %droppath% (
mkdir %droppath% )
REM one request per affiliate id, old MSIE user agent, up to 100 retries, saved under the id
FOR /L %%G IN (%start%, %step%, %end%) DO wget -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -S -t 100 -P / "%target%%%G%affiday%" -O "%droppath%/%%G"
REM delete empty or failed downloads (2 bytes or less)
FOR %%i IN (%droppath%\*) do if %%~zi LEQ 2 DEL %%i
echo Done.
pause
urls:
domain starts to be burned by AVs :D https://www.virustotal.com/en/domain/te ... formation/
 #19522  by EP_X0FF
 Sun Jun 02, 2013 11:06 am
System Doctor 2014

Sample courtesy of markusg.

Fresh and aggressive FakeAV. Script-kiddie crypter over a Visual C++ 2010 application, packed with UPX to reduce size.

Loading screen [screenshot]

Main screen [screenshot]

Detected items [screenshot]

original
https://www.virustotal.com/en/file/e072 ... /analysis/

unpacked
https://www.virustotal.com/en/file/aec9 ... 370170170/

Possible author profile at the script-kiddie wasm.ru forum; the author's post history speaks for itself:
hxxp://wasm.ru/forum/profile.php?id=11196

The following code snippet is almost directly used in this malware (primitive VM detection using Setup API):
hxxp://wasm.ru/forum/viewtopic.php?pid=465992

The VM detection procedure is located in the unpacked binary at @00413EDB.

Malware runs via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. It scans the list of processes with a short delay and terminates any new one with a fake warning box.

List of available "detections"
Code:
Random access memory
Virus
Malware
Trojan

%WINDIR%\System32\mdm.exe
%WINDIR%\System32\smss.exe
%WINDIR%\System32\rundll.exe
%WINDIR%\System32\pp.exe
%WINDIR%\System32\drivers\hide2.sys
%WINDIR%\System32\drivers\spy.sys
%WINDIR%\System32\constrols.ocx
%WINDIR%\System32\audio.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

taskeng.exe
nvvsvc.exe
lsass.exe
wininit.exe
spoolsv.exe
smss.exe
services.exe
dwm.exe
csrss.exe
explorer.exe
svchost.exe
winlogon.exe

Low
Medium
High

Win32/Ciucio is a family of trojans that connect to certain websites in order to download arbitrary files.
PWS:Win32/Chedap.A is a password stealer that targets SSH user accounts.
This threat is classified as a backdoor trojan. A backdoor trojan provides remote, usually surreptitious, access to affected systems.
This is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Win32/Zafi is a family of mass-mailing worms. The worm sends itself to e-mail addresses that it finds on the infected computer.
This threat is classified as a trojan that steals data. A data theft trojan gathers personal data, often of a financial nature, from affected systems.
This threat is classified as a worm that spreads over the network. A pure network worm propagates without any user interaction.
Virus:Win32/Quervar is a virus that infects specific Microsoft Office document files and executable files.
Win32/Malword is a detection used to identify maliciously formed Word documents that contain code that attempts to exploit a vulnerability in Wordpad.
Worm:Win32/Mabezat.A is a worm that attempts to spread by copying itself to newly attached media devices, such as USB drives or USB media cards.
Worm:Win32/Hary.A is a worm that poses as a copy of J K Rowling's book "Harry Potter and the Deathly Hallows". The worm spreads between USB drives.
This threat is classified as a password-stealing troian. This trojan installs a keystroke logger which records keystrokes and sends it to remote attackers.
This is a trojan that is contained within websites that are malicious. It may redirect your browser to a website other than the one you expect.
Win32/Dorkbot.A is a worm that spreads via instant messaging and removable drives. Also it allows control of the affected computer.
Win32/Ramnit is a trojan that allows limited remote access and control to an affected computer.
BrowserModifier:Win32/Zwangi is a program that runs as a service in the background and modifies Internet browser search functionality.
Win32/Ifnapod.X contains malicious software which it drops and installs on the affected system. Also it allows remote access to infected systems.
Win32/Sinowal is a family of password-stealing and backdoor programs. It may capture banking credentials and send the data to the attacker.
Win32/Tracur is a malware that redirects Internet search queries to a malicious URL and allows backdoor access and control.
Win32/Nitol.A is a malware that performs DDOS (Distributed Denial of Service) attacks against a target system, which is usually a website.
Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs.
Win32/Pramro.F is a trojan that creates a proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity.
JS/Seedabutor.B is a JavaScript trojan that attempts to redirect your browser to another website.
Win32/Sality.AT is a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives.
Win32/Conficker.X is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE).
JS/Medfos.B is a malicious JavaScript file that redirects search queries when using websites such as AOL, Ask, Bing, Google and Yahoo.
PriceGong is an adware program that displays certain deals related to search terms you enter in any webpage's search field.
Win32/Pameseg.XX is the detection for a fake installer that asks users to send SMS messages to a premium number.
Win32/Kelihos is a trojan family that distributes spam email messages. The spam messages could contain hyperlinks to installers of Win32/Kelihos malware.
Win32/Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer.

Win32/Ciucio
Win32/Chedap.A
Win32/Casus.2_0
Win32/Cameobe.X
Win32/Zafi
Win32/Xinkey
Win32/Usen
Win32/Quervar.X
Win32/Malword.X
Win32/Mabezat.A
Win32/Hary.A
Win32/Daurso
JS/Redirector.XX
Win32/Dorkbot.A
Win32/Ramnit.X
Win32/Zwangi
Win32/Ifnapod.X
In attach: original dropper and unpacked, patched (AntiVM removed) version.
Attachments
pass: infected
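Added example, not from EP_X0FF's post or the sample: a small Python triage helper that pulls ASCII and UTF-16LE strings out of a file (a Visual C++ GUI application usually keeps its UI text as wide strings) and matches them against a few of the decoy "detection" strings listed above. The marker strings are taken from the post; the scanned bytes are a constructed stand-in, and the function names and the two-marker threshold are my choices.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Decoy strings taken from the list in the post. Fake file names, a misspelled
# component and encyclopedia-style descriptions only make sense inside a FakeAV,
# so several of them together are a useful triage signal.
DECOY_MARKERS: List[str] = [
    r"%WINDIR%\System32\constrols.ocx",
    r"%WINDIR%\System32\drivers\hide2.sys",
    r"%WINDIR%\System32\drivers\spy.sys",
    "PWS:Win32/Chedap.A is a password stealer that targets SSH user accounts.",
    "Win32/Ciucio is a family of trojans that connect to certain websites",
]

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text) for printable runs, in ASCII and then in UTF-16LE,
    roughly what `strings` and `strings -e l` would print."""
    for m in ASCII_RE.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in WIDE_RE.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")


def find_markers(data: bytes, markers: List[str] = DECOY_MARKERS) -> Dict[str, List[str]]:
    """Map each decoy marker found in data to the encodings it was seen in."""
    hits: Dict[str, List[str]] = {}
    for enc, text in extract_strings(data):
        for marker in markers:
            if marker in text:
                hits.setdefault(marker, []).append(enc)
    return hits


def verdict(data: bytes, threshold: int = 2) -> str:
    """Two or more independent decoy markers (assumed threshold) -> flag for review."""
    return "fakeav-decoy-strings" if len(find_markers(data)) >= threshold else "no-match"


# Constructed stand-in for a sample (not the real dropper): junk plus two markers,
# one stored as a wide string and one as plain ASCII.
SAMPLE: bytes = (
    b"MZ\x90\x00" + b"\x00" * 32
    + r"%WINDIR%\System32\constrols.ocx".encode("utf-16-le")
    + b"\x00" * 16
    + b"PWS:Win32/Chedap.A is a password stealer that targets SSH user accounts."
    + b"\x00" * 8
)

if __name__ == "__main__":
    for marker, encodings in find_markers(SAMPLE).items():
        print(f"{marker}: {', '.join(encodings)}")
    print(verdict(SAMPLE))
```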
 #19631  by EX!
 Thu Jun 13, 2013 11:11 pm
Internet Security

https://www.virustotal.com/es-ar/file/2 ... 371150073/

hxxp://globalofficesolution.net/tmp/file1.exe (fakeAV downloaded by 1eETvOm.exe )
hxxp://globalofficesolution.net/tmp/file2.exe (zbot type downloaded by 1eETvOm.exe )


Files in attach

(fakeAv)file1.exe ----> FakeAV
(pwd.stealer).1eETvOm.exe ----> [downloader]
file2(1).exe ----> zbot (?)
Attachments
password = infected
 #19632  by EP_X0FF
 Fri Jun 14, 2013 1:56 am
EX! wrote: hxxp://globalofficesolution.net/tmp/file2.exe (zbot type downloaded by 1eETvOm.exe )
It is Sirefef.

cfg 32
cfg 64
Code: Select all
[000] 2013.6.12 20:19:45	222.254.253.254
[001] 2013.6.12 20:19:45	206.254.253.254
[002] 2013.6.12 20:19:45	197.254.253.254
[003] 2013.6.12 20:19:45	190.254.253.254
[004] 2013.6.12 20:19:45	184.254.253.254
[005] 2013.6.12 20:19:45	183.254.253.254
[006] 2013.6.12 20:19:45	182.254.253.254
[007] 2013.6.12 20:19:45	180.254.253.254
[008] 2013.6.12 20:19:45	166.254.253.254
[009] 2013.6.12 20:19:45	158.254.253.254
[010] 2013.6.12 20:19:45	135.254.253.254
[011] 2013.6.12 20:19:45	134.254.253.254
[012] 2013.6.12 20:19:45	119.254.253.254
[013] 2013.6.12 20:19:45	117.254.253.254
[014] 2013.6.12 20:19:45	115.254.253.254
[015] 2013.6.12 20:19:45	113.254.253.254
[016] 2013.6.12 20:19:45	188.2.179.145
[017] 2013.6.12 20:19:45	78.96.236.123
[018] 2013.6.12 20:19:45	75.134.127.155
[019] 2013.6.12 20:19:45	5.248.135.157
[020] 2013.6.12 20:19:45	68.173.189.9
[021] 2013.6.12 20:19:45	69.41.149.251
[022] 2013.6.12 20:19:45	82.225.96.112
[023] 2013.6.12 20:19:45	68.36.242.9
[024] 2013.6.12 20:19:45	68.112.138.163
[025] 2013.6.12 20:19:45	178.155.241.103
[026] 2013.6.12 20:19:45	67.242.140.169
[027] 2013.6.12 20:19:45	76.107.65.244
[028] 2013.6.12 20:19:45	70.115.201.243
[029] 2013.6.12 20:19:45	24.23.224.97
[030] 2013.6.12 20:19:45	178.148.215.14
[031] 2013.6.12 20:19:45	75.132.39.97
[032] 2013.6.12 20:19:45	178.206.115.81
[033] 2013.6.12 20:19:45	76.109.152.78
[034] 2013.6.12 20:19:45	69.210.242.74
[035] 2013.6.12 20:19:45	174.50.62.213
[036] 2013.6.12 20:19:45	117.201.116.57
[037] 2013.6.12 20:19:45	109.235.54.216
[038] 2013.6.12 20:19:45	78.20.16.219
[039] 2013.6.12 20:19:45	31.147.112.54
[040] 2013.6.12 20:19:45	69.31.207.228
[041] 2013.6.12 20:19:45	84.113.225.229
[042] 2013.6.12 20:19:45	69.132.137.141
[043] 2013.6.12 20:19:44	184.162.64.42
[044] 2013.6.12 20:19:44	109.254.11.43
[045] 2013.6.12 20:19:44	173.48.11.48
[046] 2013.6.12 20:19:44	188.25.22.49
[047] 2013.6.12 20:19:44	24.231.150.35
[048] 2013.6.12 20:19:44	95.68.40.49
[049] 2013.6.12 20:19:44	78.78.18.35
[050] 2013.6.12 20:19:44	24.253.78.226
[051] 2013.6.12 20:19:44	96.42.85.50
[052] 2013.6.12 20:19:44	78.106.29.51
[053] 2013.6.12 20:19:44	2.195.176.52
[054] 2013.6.12 20:19:44	91.214.46.223
[055] 2013.6.12 20:19:44	69.246.246.52
[056] 2013.6.12 20:19:44	27.0.57.33
[057] 2013.6.12 20:19:44	125.196.155.54
[058] 2013.6.12 20:19:44	72.48.251.31
[059] 2013.6.12 20:19:44	105.225.187.56
[060] 2013.6.12 20:19:44	68.34.84.22
[061] 2013.6.12 20:19:44	24.190.37.236
[062] 2013.6.12 20:19:44	188.26.179.58
[063] 2013.6.12 20:19:44	98.249.188.21
[064] 2013.6.12 20:19:44	177.82.182.211
[065] 2013.6.12 20:19:44	87.99.109.59
[066] 2013.6.12 20:19:44	203.237.214.61
[067] 2013.6.12 20:19:44	130.43.145.62
[068] 2013.6.12 20:19:44	67.173.14.210
[069] 2013.6.12 20:19:44	98.220.42.67
[070] 2013.6.12 20:19:44	75.76.216.72
[071] 2013.6.12 20:19:44	78.232.205.73
[072] 2013.6.12 20:19:44	170.224.169.74
[073] 2013.6.12 20:19:44	85.238.222.200
[074] 2013.6.12 20:19:44	173.30.9.196
[075] 2013.6.12 20:19:44	67.164.202.20
[076] 2013.6.12 20:19:44	5.165.139.75
[077] 2013.6.12 20:19:44	189.61.165.190
[078] 2013.6.12 20:19:44	94.191.197.188
[079] 2013.6.12 20:19:44	68.189.185.188
[080] 2013.6.12 20:19:44	108.171.20.239
[081] 2013.6.12 20:19:44	74.197.105.18
[082] 2013.6.12 20:19:44	77.95.50.89
[083] 2013.6.12 20:19:44	50.90.8.184
[084] 2013.6.12 20:19:44	186.94.173.183
[085] 2013.6.12 20:19:44	98.184.94.182
[086] 2013.6.12 20:19:44	24.214.165.92
[087] 2013.6.12 20:19:44	82.38.86.94
[088] 2013.6.12 20:19:44	212.5.130.94
[089] 2013.6.12 20:19:44	72.199.118.180
[090] 2013.6.12 20:19:44	50.138.9.176
[091] 2013.6.12 20:19:44	174.102.50.96
[092] 2013.6.12 20:19:44	89.176.152.17
[093] 2013.6.12 20:19:44	24.108.61.97
[094] 2013.6.12 20:19:44	71.45.52.243
[095] 2013.6.12 20:19:44	173.23.208.100
[096] 2013.6.12 20:19:44	69.127.74.14
[097] 2013.6.12 20:19:44	46.105.52.168
[098] 2013.6.12 20:19:44	96.27.250.246
[099] 2013.6.12 20:19:44	72.209.19.110
[100] 2013.6.12 20:19:44	24.153.162.111
[101] 2013.6.12 20:19:44	71.45.155.10
[102] 2013.6.12 20:19:44	166.142.0.251
[103] 2013.6.12 20:19:44	83.157.33.162
[104] 2013.6.12 20:19:44	69.119.122.160
[105] 2013.6.12 20:19:44	74.122.94.160
[106] 2013.6.12 20:19:44	74.58.58.113
[107] 2013.6.12 20:19:44	110.47.155.9
[108] 2013.6.12 20:19:44	98.164.156.5
[109] 2013.6.12 20:19:44	184.78.181.116
[110] 2013.6.12 20:19:44	88.206.133.154
[111] 2013.6.12 20:19:44	118.86.37.121
[112] 2013.6.12 20:19:44	216.158.252.152
[113] 2013.6.12 20:19:44	76.112.173.151
[114] 2013.6.12 20:19:44	50.154.150.123
[115] 2013.6.12 20:19:44	109.87.128.2
[116] 2013.6.12 20:19:44	1.114.119.129
[117] 2013.6.12 20:19:44	74.210.225.129
[118] 2013.6.12 20:19:44	97.81.249.254
[119] 2013.6.12 20:19:44	201.51.86.145
[120] 2013.6.12 20:19:44	120.29.95.130
[121] 2013.6.12 20:19:44	69.125.192.144
[122] 2013.6.12 20:19:44	78.251.191.134
[123] 2013.6.12 20:19:44	91.136.168.142
[124] 2013.6.12 20:19:44	109.175.142.137
[125] 2013.6.12 20:19:44	178.116.137.36
[126] 2013.6.12 20:19:43	96.27.213.140
[127] 2013.6.12 20:19:43	190.54.94.139
[128] 2013.6.12 20:19:43	98.237.138.142
[129] 2013.6.12 20:19:43	75.141.249.7
[130] 2013.6.12 20:19:43	75.183.103.253
[131] 2013.6.12 20:19:43	94.253.69.247
[132] 2013.6.12 20:19:43	125.197.83.2
[133] 2013.6.12 20:19:43	70.62.132.11
[134] 2013.6.12 20:19:43	50.146.104.130
[135] 2013.6.12 20:19:43	24.1.73.145
[136] 2013.6.12 20:19:43	76.169.194.146
[137] 2013.6.12 20:19:43	186.147.7.3
[138] 2013.6.12 20:19:43	1.22.157.127
[139] 2013.6.12 20:19:43	213.150.36.148
[140] 2013.6.12 20:19:43	71.76.196.11
[141] 2013.6.12 20:19:43	24.211.27.3
[142] 2013.6.12 20:19:43	109.190.113.119
[143] 2013.6.12 20:19:43	50.88.103.155
[144] 2013.6.12 20:19:43	65.191.189.113
[145] 2013.6.12 20:19:43	114.134.139.3
[146] 2013.6.12 20:19:43	185.4.8.163
[147] 2013.6.12 20:19:43	24.167.4.245
[148] 2013.6.12 20:19:43	68.35.227.242
[149] 2013.6.12 20:19:43	77.78.217.107
[150] 2013.6.12 20:19:43	24.51.147.239
[151] 2013.6.12 20:19:43	79.177.106.7
[152] 2013.6.12 20:19:43	193.126.157.102
[153] 2013.6.12 20:19:43	69.139.126.170
[154] 2013.6.12 20:19:43	203.136.99.173
[155] 2013.6.12 20:19:43	69.250.41.4
[156] 2013.6.12 20:19:43	188.29.149.173
[157] 2013.6.12 20:19:43	142.217.249.173
[158] 2013.6.12 20:19:43	67.149.51.96
[159] 2013.6.12 20:19:43	71.74.3.176
[160] 2013.6.12 20:19:43	31.46.189.22
[161] 2013.6.12 20:19:43	50.80.104.95
[162] 2013.6.12 20:19:43	123.202.201.23
[163] 2013.6.12 20:19:43	71.77.57.26
[164] 2013.6.12 20:19:43	188.29.92.182
[165] 2013.6.12 20:19:43	70.124.27.184
[166] 2013.6.12 20:19:43	70.172.227.26
[167] 2013.6.12 20:19:43	84.238.55.185
[168] 2013.6.12 20:19:43	68.1.42.81
[169] 2013.6.12 20:19:43	90.56.111.80
[170] 2013.6.12 20:19:43	72.135.244.187
[171] 2013.6.12 20:19:43	178.141.136.192
[172] 2013.6.12 20:19:43	116.75.7.75
[173] 2013.6.12 20:19:43	93.78.176.193
[174] 2013.6.12 20:19:43	50.130.39.4
[175] 2013.6.12 20:19:43	46.98.130.74
[176] 2013.6.12 20:19:43	83.33.163.234
[177] 2013.6.12 20:19:43	62.65.54.206
[178] 2013.6.12 20:19:43	79.118.37.232
[179] 2013.6.12 20:19:43	67.84.21.37
[180] 2013.6.12 20:19:43	82.121.84.64
[181] 2013.6.12 20:19:43	77.53.70.37
[182] 2013.6.12 20:19:43	98.193.197.210
[183] 2013.6.12 20:19:43	198.72.210.210
[184] 2013.6.12 20:19:43	119.241.33.60
[185] 2013.6.12 20:19:43	94.23.152.59
[186] 2013.6.12 20:19:43	68.60.137.211
[187] 2013.6.12 20:19:43	75.252.83.214
[188] 2013.6.12 20:19:43	89.184.141.40
[189] 2013.6.12 20:19:43	188.112.128.216
[190] 2013.6.12 20:19:43	173.182.134.43
[191] 2013.6.12 20:19:43	75.141.135.44
[192] 2013.6.12 20:19:43	176.36.74.45
[193] 2013.6.12 20:19:43	75.136.134.54
[194] 2013.6.12 20:19:43	84.228.169.220
[195] 2013.6.12 20:19:43	188.26.146.45
[196] 2013.6.12 20:19:43	50.81.223.223
[197] 2013.6.12 20:19:43	77.122.62.224
[198] 2013.6.12 20:19:43	184.189.88.47
[199] 2013.6.12 20:19:43	91.231.82.229
[200] 2013.6.12 20:19:43	76.29.164.230
[201] 2013.6.12 20:19:43	65.254.160.7
[202] 2013.6.12 20:19:42	177.179.228.225
[203] 2013.6.12 20:19:42	24.72.78.221
[204] 2013.6.12 20:19:42	142.129.106.220
[205] 2013.6.12 20:19:42	71.56.10.56
[206] 2013.6.12 20:19:42	74.192.221.43
[207] 2013.6.12 20:19:42	124.125.46.56
[208] 2013.6.12 20:19:42	72.23.152.231
[209] 2013.6.12 20:19:42	173.21.182.231
[210] 2013.6.12 20:19:42	151.29.157.215
[211] 2013.6.12 20:19:42	208.123.42.63
[212] 2013.6.12 20:19:42	83.233.163.66
[213] 2013.6.12 20:19:42	109.55.254.231
[214] 2013.6.12 20:19:42	78.20.68.36
[215] 2013.6.12 20:19:42	114.148.97.208
[216] 2013.6.12 20:19:42	2.192.110.232
[217] 2013.6.12 20:19:42	134.130.183.204
[218] 2013.6.12 20:19:42	212.251.147.201
[219] 2013.6.12 20:19:42	24.8.196.31
[220] 2013.6.12 20:19:42	68.148.175.29
[221] 2013.6.12 20:19:42	184.162.228.81
[222] 2013.6.12 20:19:42	218.250.5.182
[223] 2013.6.12 20:19:42	176.41.244.181
[224] 2013.6.12 20:19:42	174.19.202.95
[225] 2013.6.12 20:19:42	173.32.208.235
[226] 2013.6.12 20:19:42	84.176.129.97
[227] 2013.6.12 20:19:42	95.235.178.166
[228] 2013.6.12 20:19:42	130.43.148.19
[229] 2013.6.12 20:19:42	65.4.128.106
[230] 2013.6.12 20:19:42	71.201.235.239
[231] 2013.6.12 20:19:42	70.176.4.16
[232] 2013.6.12 20:19:42	78.239.20.4
[233] 2013.6.12 20:19:42	177.131.164.164
[234] 2013.6.12 20:19:42	65.31.235.148
[235] 2013.6.12 20:19:42	68.49.224.254
[236] 2013.6.12 20:19:42	85.65.206.0
[237] 2013.6.12 20:19:42	24.167.215.249
[238] 2013.6.12 20:19:42	68.56.226.252
[239] 2013.6.12 20:19:42	99.47.72.143
[240] 2013.6.12 20:19:42	93.100.167.136
[241] 2013.6.12 20:19:42	82.235.17.230
[242] 2013.6.12 20:19:42	178.218.42.0
[243] 2013.6.12 20:19:41	72.213.190.6
[244] 2013.6.12 20:19:41	2.68.203.254
[245] 2013.6.12 20:19:41	173.240.39.5
[246] 2013.6.12 20:19:41	91.148.21.5
[247] 2013.6.12 20:19:41	24.129.69.236
[248] 2013.6.12 20:19:41	178.123.222.234
[249] 2013.6.12 20:19:41	178.126.200.165
[250] 2013.6.12 20:19:41	98.215.70.160
[251] 2013.6.12 20:19:41	66.169.40.153
[252] 2013.6.12 20:19:41	115.241.230.147
[253] 2013.6.12 20:19:41	82.147.170.131
[254] 2013.6.12 20:19:41	24.101.137.132
[255] 2013.6.12 20:19:41	89.173.166.134
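The cfg dumps above are peer lists in a fixed shape (index, timestamp, peer IP), and the first entries of cfg 64 are obviously padding (every one ends in .254.253.254). For anyone who wants to turn such a dump into something usable for blocking or detection, here is an added example parser; it is not code from the thread or from the sample, and the sample input mixes a few lines copied from the cfg 64 dump above with constructed lines (a private address, a duplicate, a malformed address, a stray line) to show the edge cases being handled. The padding heuristic (a trailing-three-octet pattern shared by at least three entries) is an assumption for this example, not something the sample's config format defines.

```python
import ipaddress
import re
from collections import Counter

# Sample input: lines [000]-[002], [016], [017] are copied from the cfg 64 dump
# above; the rest are constructed for this example (private address, duplicate,
# out-of-range octet, stray non-entry line).
SAMPLE_CFG_A = """\
[000] 2013.6.12 20:19:45\t222.254.253.254
[001] 2013.6.12 20:19:45\t206.254.253.254
[002] 2013.6.12 20:19:45\t197.254.253.254
[016] 2013.6.12 20:19:45\t188.2.179.145
[017] 2013.6.12 20:19:45\t78.96.236.123
[018] 2013.6.12 20:19:45\t10.0.0.5
[019] 2013.6.12 20:19:44\t188.2.179.145
[020] 2013.6.12 20:19:44\t300.1.1.1
this line is not a peer entry and must be skipped
"""

# A second constructed dump, to show how a later config differs from an earlier one.
SAMPLE_CFG_B = """\
[000] 2013.6.13 09:00:00\t78.96.236.123
[001] 2013.6.13 09:00:00\t5.248.135.157
[002] 2013.6.13 09:00:00\t222.254.253.254
[003] 2013.6.13 09:00:00\t206.254.253.254
[004] 2013.6.13 09:00:00\t197.254.253.254
"""

# [index] <space> YYYY.M.D HH:MM:SS <whitespace> dotted-quad
LINE_RE = re.compile(
    r"^\[(\d+)\]\s+(\d{4}\.\d{1,2}\.\d{1,2} \d{1,2}:\d{2}:\d{2})\s+(\S+)\s*$"
)


def parse_dump(text):
    """Return (index, timestamp, IPv4Address) for each well-formed line.

    Lines that do not match the layout, or whose address does not parse
    (e.g. an octet above 255), are skipped rather than raising.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx, ts, ip_text = m.groups()
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ipaddress.AddressValueError:
            continue
        entries.append((int(idx), ts, ip))
    return entries


def _suffix(ip):
    """Last three octets of an address, e.g. '254.253.254'."""
    return ".".join(str(ip).split(".")[1:])


def filler_suffixes(entries, min_count=3):
    """Trailing-octet patterns shared by min_count or more entries.

    Assumed heuristic for padding entries such as x.254.253.254 in the
    dump above; a real peer list rarely repeats the same three octets.
    """
    counts = Counter(_suffix(ip) for _, _, ip in entries)
    return {s for s, n in counts.items() if n >= min_count}


def routable_peers(entries):
    """Unique, globally routable peer addresses with filler entries removed.

    is_global drops RFC 1918 space, loopback, link-local and the
    documentation ranges, so a local test VM never ends up on a blocklist.
    """
    fillers = filler_suffixes(entries)
    keep = {ip for _, _, ip in entries
            if ip.is_global and _suffix(ip) not in fillers}
    return sorted(keep)


def diff_dumps(old_text, new_text):
    """Peers added and removed between two dumps, as sorted lists."""
    old = set(routable_peers(parse_dump(old_text)))
    new = set(routable_peers(parse_dump(new_text)))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for ip in routable_peers(parse_dump(SAMPLE_CFG_A)):
        print(ip)
    added, removed = diff_dumps(SAMPLE_CFG_A, SAMPLE_CFG_B)
    print("added:", [str(i) for i in added], "removed:", [str(i) for i in removed])
```

Feed it the raw text of the "Code:" blocks above; the index and timestamp are kept in the parsed tuples so you can still tell which config generation a peer first appeared in, while the blocklist output itself is just the deduplicated routable addresses.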
 #19649  by thisisu
 Fri Jun 14, 2013 11:06 pm
EX! wrote: Internet Security

(fakeAv)file1.exe ----> FakeAV
OEP @ 00401414? Is that correct?
Code: Select all
00401414  |> /55            PUSH EBP

Is this the custom encryption part?
Code: Select all
0040144D  |.  68 513A0100   PUSH 13A51                               ; /MaximumSize = 13A51 (80465.)
00401452  |.  68 6E6F0000   PUSH 6F6E                                ; |InitialSize = 6F6E (28526.)
00401457  |.  56            PUSH ESI                                 ; |Flags
00401458  |.  FF15 30024700 CALL DWORD PTR DS:[<&kernel32.HeapCreate>; \HeapCreate


Trying to learn how to unpack this.

Attached what I THINK is the proper dump + IAT fix (dumped_.exe). Where do I go from here (if even on the right track) to view interesting/decrypted strings? Thank you :)

EDIT: Added dumped2_.exe. SEEMS a bit more complete and reveals program written in Delphi v2.25. Please correct if wrong.
Attachments
pass: infected
(1.27 MiB) Downloaded 69 times
pass: infected
(808.12 KiB) Downloaded 65 times