A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20684  by kloent
 Mon Sep 02, 2013 8:07 am
It's a banking malware, the authors' internal name is "EQ" ("EQFramework", "X32 EQ PID", "T:\Develop\EQ2\bin\tmp\client_32.pdb").
Extracted x32 and x64 inject modules (DLLs) are attached. The x32 module contains the code of the Pony password stealer.
Attachments (pwd: infected)
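The three strings quoted above ("EQFramework", "X32 EQ PID" and the PDB path) are the kind of indicator a triage script can key on. The following is an added example, not code from the post or from the sample: it pulls ASCII and UTF-16LE string runs out of a binary, reports where each EQ indicator appears, and extracts any `*.pdb` path. It assumes the markers appear as plain ASCII or UTF-16LE text; the buffer it scans is constructed here and is not the real DLL.

```python
import re

# Indicator strings quoted in the post. Assumed (not verified against the
# sample) to appear as plain ASCII or UTF-16LE text in the injected module.
EQ_INDICATORS = [
    "EQFramework",
    "X32 EQ PID",
    r"T:\Develop\EQ2\bin\tmp\client_32.pdb",
]


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return found


def match_eq_indicators(data: bytes):
    """Map each indicator to the list of (offset, encoding) places it was seen."""
    hits = {ind: [] for ind in EQ_INDICATORS}
    for off, enc, text in extract_strings(data):
        for ind in EQ_INDICATORS:
            if ind in text:
                hits[ind].append((off, enc))
    return hits


def pdb_paths(data: bytes):
    """Pull any drive-letter *.pdb path out of the string runs (ASCII or UTF-16LE)."""
    paths = []
    for _, _, text in extract_strings(data):
        for m in re.finditer(r"[A-Za-z]:\\[^\x00\"']*?\.pdb", text):
            paths.append(m.group())
    return paths


# Constructed sample buffer (not the real DLL): filler bytes around the three
# indicators, one of them UTF-16LE-encoded, and a fake "RSDS" CodeView record
# in front of the PDB path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"EQFramework\x00"
    + b"\x00" * 8
    + "X32 EQ PID".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 8
    + b"RSDS" + b"\x00" * 20 + b"T:\\Develop\\EQ2\\bin\\tmp\\client_32.pdb\x00"
)

if __name__ == "__main__":
    for ind, where in match_eq_indicators(SAMPLE).items():
        print(f"{ind!r}: {where}")
    print("PDB paths:", pdb_paths(SAMPLE))
```

Run it against a real module by replacing `SAMPLE` with the file's bytes; the offsets returned are raw file offsets, so a hit inside the `.rdata` section or right after an `RSDS` signature is a quick sanity check that the string is a genuine artefact rather than a coincidence in packed data.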
 #21223  by SomeUnusedName
 Tue Oct 22, 2013 2:31 pm
kloent wrote: It's a banking malware
I didn't see anything banking related though. Looks like Pony password stealing + formgrabbing + VNC/SOCKS backconnect or something.
 #21233  by SomeUnusedName
 Wed Oct 23, 2013 11:55 am
Care to enlighten me? I've checked the client_32 file and all I see is password stealing. What do you see that I don't?
 #21461  by teddybear
 Tue Nov 26, 2013 8:33 pm
http://www.securelist.com/en/analysis/2 ... new_threat

Has anybody heard of this banking malware before? I don't know any aliases for that.
Of all the hashes listed in the article, I've found only the following on VT:

https://www.virustotal.com/en/file/0b27 ... /analysis/
https://www.virustotal.com/en/file/70d5 ... /analysis/
https://www.virustotal.com/en/file/06b8 ... /analysis/

They are detected by the AVs with the following names:
  • Tepfer (forum search: Kelihos?)
  • Sinowal (Torpig)
  • Reveton?
I'm really confused... Any help appreciated.