unixfreaxjp wrote:Few hours ago this campaign via spam was spotted:You work on linux too much lately. :D This is "dridex" variant of Feodo.
The attachment (downloader part): https://www.virustotal.com/en/file/595b ... /analysis/
It downloads the set: https://www.virustotal.com/en/file/d45e ... 410358503/
Details distribution and CNC information I wrote in VT & the pictures, pls bear the hurry pace...
A forum for reverse engineering, OS internals and malware analysis
[REVOKED BY THE WRITER]Wow, hold on, the attachment is Zbot yes? You mean the downloaded one? [/REVOKED]
I made a mistake! I am sorry. This is not a Zeus at all. Please kindly move the previous post to the proper malware threat.
I know is a pws (the downloaded one) , poc: https://twitter.com/MalwareMustDie/stat ... 1030629378 but first time seeing this type..
Well..That explains the 8080 gates called. How old this "D"ridex variant started?
I made a mistake! I am sorry. This is not a Zeus at all. Please kindly move the previous post to the proper malware threat.
forty-six wrote:You work on linux too much lately. :D This is "dridex" variant of Feodo.Haha, Ouch! yes, :) too much ELF recently. But I think I'll focus on this platform for the future.
I know is a pws (the downloaded one) , poc: https://twitter.com/MalwareMustDie/stat ... 1030629378 but first time seeing this type..
Well..That explains the 8080 gates called. How old this "D"ridex variant started?
from http://malware.dontneedcoffee.com/2014/ ... -0569.html
sample: 831098a9d8db43bebf3d6ee67914888d
it looks like strange/old kins - with out aes and other stuff...
any way:
sample: 831098a9d8db43bebf3d6ee67914888d
it looks like strange/old kins - with out aes and other stuff...
any way:
Code: Select all
version: 02.00.04.00
botnet: fruit
cc:
http://chmaghotpipe.com/www/
http://micagentudate14.com/www/
http://reportcollecsysdump.com/www/
rc4key: 4032af8d61035123906e58e067140cc5 - md5(0123456789abcdef)
UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2)
Attachments
pw: infected
(36.7 KiB) Downloaded 101 times
(36.7 KiB) Downloaded 101 times
mak - @maciekkotowicz
Can someone help me to find the active C&C of the following Zeus botnet used to launch paid DDoS attacks?
http://www.nuccioirc.altervista.org/
http://www.nuccioirc.altervista.org/
Attachments
password: infected
(104.14 KiB) Downloaded 81 times
(104.14 KiB) Downloaded 81 times
Does not look like Zeus:
..:: TierBlackout IRC Bot v2.7 {Registered To:****Anonymous-IT****} ::..This could be the CnC:
nucciowebseason.pw
Lame zeus 2.1.0.1 with cowboy theme targeting germany, italia, spain, usa...
https://zeustracker.abuse.ch/monitor.ph ... smalta.com
https://zeustracker.abuse.ch/monitor.ph ... smalta.com
Code: Select all
http://kihsmalta.com/secure.php
http://kihsmalta.com/ppptp.jpg
21 DB 88 B0 13 FF 66 61 79 97 A9 90 F0 83 DF 91 AC 73 27 B6 42 87 56 9A 37 6A 5A 63 EE 4A BF 23 4D A4 3D 2E 75 86 44 C9 19 78 8B C0 92 00 95 7D 7B 04 08 4F A6 DC 15 03 E7 53 F5 02 57 F1 0B 12 1C AE A2 54 C5 BE 6D 55 FB AA 07 D2 1B 77 7E 2A 67 10 0F F2 7C 60 72 D3 43 CA 9D BC 80 EB 2F 2C CD 52 93 71 1A E6 D9 C3 65 B5 F8 F3 DD D8 35 50 18 9C 3A 41 8A 8C 94 06 B9 6B CE 25 CB 38 D4 D0 69 5F 89 99 E8 D7 FA 0C 01 3C 28 33 E5 A5 CF CC 5E 14 C6 1E 81 6C A0 4B B2 C1 BA C7 76 17 0A DA F4 51 32 2D 40 E9 E2 EF 3E A3 BB 11 45 6F E1 D5 29 4E 0E EA 1D FC 85 B3 8D F9 D6 59 39 31 74 26 34 47 B4 EC 5B 84 F7 0D 58 DE B8 5C A7 98 C8 48 C2 8E 05 F6 7A E3 9B ED 9F 64 70 62 E4 7F 68 2B 20 96 09 C4 FE 6E B1 1F 4C AF 8F 22 D1 A1 82 A8 AB B7 3F 3B 16 24 FD 36 46 5D BD AD 30 9E E0 49Attachments
infected
(162.93 KiB) Downloaded 93 times
(162.93 KiB) Downloaded 93 times
Can any person stop it?
Code: Select all
http://www.learninginstitute.co.uk/rewind/cp.php?m=login
http://menumaterno.com.br/skins/tango/_labe/cp.php?m=login
http://ansfitness.com/system/engine/paypal/cp.php?m=login
http://nk-slaven-belupo.hr/images/jss/cp.php?m=login
http://motoecarro.com.br/images/cp.php?m=login
http://sonbachtuyet.net/htc/cp.php?m=login
http://agrupacionestrella.net/plugins/system/php/cp.php?m=login
http://www.onenewmanthailand.com/wp-blog/cp.php?letter=login
http://arabiaholding.com/bin/adm/index.php?m=login
http://www.impm.upel.edu.ve/Imagenes/cp.php?letter=login
http://www.jeanbas.com/fonts/cp.php?letter=login
http://www.ipb.upel.edu.ve/personal/cp.php?letter=login
http://puresoccer.com/info/adm/index.php?m=login
http://guruofnew.com/images/adm/index.php?m=logini got kins in memory thats looks like a version i dumped before
Code: Select all
version: 02.00.07.00
urls:
['http://bruonlinearchive.com/',
'http://mostusefullthingsvoting.com/',
'http://hoplessmaincatalogue.com/',
'http://herbonlineshop.com/']
botname: fish
rc4key: 8733af628b9b2f189bec5c67ce615312 -- md5(MicroProductions)
UserAgent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.2; SV1)
mak - @maciekkotowicz
Split. New Zeus with Andromeda code moved to separate thread.
Ring0 - the source of inspiration
kins
both exe and jpg are in attached
certomenom.ru/BRaxz7sN92BjcNzK/jason.exe
config
certomenom.ru/BRaxz7sN92BjcNzK/jason.jpg
adenosdere.ru/BRaxz7sN92BjcNzK/jason.jpg
Post config taffic
yandex.ru
certomenom.ru/invests.php -- was down for me
other domains/urls in memory
evennoterom.ru/BRaxz7sN92BjcNzK/jason.exe
brokelowi.com/flashplayer/mod_vnc.bin
heromeftet.ru/BRaxz7sN92BjcNzK/jason.jpg
Ip at the time is 188.127.249.224
both exe and jpg are in attached
certomenom.ru/BRaxz7sN92BjcNzK/jason.exe
config
certomenom.ru/BRaxz7sN92BjcNzK/jason.jpg
adenosdere.ru/BRaxz7sN92BjcNzK/jason.jpg
Post config taffic
yandex.ru
certomenom.ru/invests.php -- was down for me
other domains/urls in memory
evennoterom.ru/BRaxz7sN92BjcNzK/jason.exe
brokelowi.com/flashplayer/mod_vnc.bin
heromeftet.ru/BRaxz7sN92BjcNzK/jason.jpg
Ip at the time is 188.127.249.224
Attachments
infected
(475.89 KiB) Downloaded 95 times
(475.89 KiB) Downloaded 95 times