A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27499  by sysopfb
 Thu Dec 31, 2015 11:11 pm
nullptr wrote:
ikolor wrote:next

https://www.virustotal.com/en/file/6fe5 ... 449939246/
Yet another Muldrop, with Nitol.B + Waledac. Waledac downloads a Muldrop with Nitol.B + Kelihos.F.
The waledac you had in VT had the following ips, interesting little 'randomish' lookup table of obfuscated ips

  • 213.111.223.250
    89.69.185.137
    81.198.217.4
    46.219.55.66
    95.180.59.157
    14.54.155.141
    221.157.206.164
    114.42.115.63
    121.3.78.194
    36.227.73.97
    78.96.39.133
    77.109.23.44
    178.137.223.135
    158.181.250.212
    176.38.154.246
    176.126.184.173
    67.242.15.169
    46.108.231.46
    210.182.94.1
    220.77.106.216
    121.137.58.132
    31.43.101.178
    220.22.48.45
    36.238.98.105
    89.144.2.115
    46.240.225.204
    37.115.93.122
    61.15.182.14
    176.103.55.73
    37.190.200.6
    46.40.8.23
    168.70.88.108
    46.240.227.132
    89.148.110.129
    36.231.228.1
    219.124.22.175
    188.240.5.147
    62.182.64.159
    178.137.223.135
    181.31.34.216
    85.187.221.201
    94.254.80.10
    186.115.146.228
    176.103.54.73
    109.160.8.163
    221.133.86.220
    210.221.244.162
    80.252.255.84
    150.165.146.225
    77.122.184.24
    202.125.52.146
    49.206.247.59
    175.120.135.105
    118.130.23.45
    114.49.0.67
    46.164.181.223
    89.47.95.70
    219.121.137.3
    85.222.24.126
    77.108.238.169
    85.204.40.122
    77.36.73.36
    143.107.136.137
    125.134.98.46
    194.146.199.200
    77.65.126.173
    128.68.11.188
    220.122.4.169
    176.111.185.174
    221.127.92.132
    62.176.86.241
    120.50.66.106
    176.227.162.66
    94.176.116.43
    210.178.61.251
    31.131.123.143
    118.86.7.4
    221.132.105.181
    145.249.176.4
    178.137.223.135
    178.252.39.139
    113.253.147.162
    218.233.170.66
    116.74.152.24
    175.204.39.139
    178.252.39.139
    92.52.158.28
    78.137.35.170
    191.253.213.58
    46.185.107.99
    14.198.75.93
    94.53.101.55
    188.241.138.158
    89.144.2.119
    195.140.163.27
    190.188.139.184
    89.35.38.37
    178.235.177.176
    190.142.38.130
    144.122.111.239
    210.181.48.67
    113.253.254.182
    93.77.221.142
    87.120.178.57
    109.104.219.132
    49.101.245.248
    179.84.58.91
    60.246.50.53
    94.52.93.20
    79.121.114.150
    178.252.39.139
    5.58.67.110
    89.185.30.21
    69.55.249.136
    49.204.84.104
    222.119.213.18
    87.97.227.30
    178.165.122.186
    89.37.68.13
    95.76.50.230
    46.233.7.73
    5.105.34.220
    122.100.158.147
    105.153.206.110
    79.176.200.210
    89.35.206.85
    89.132.79.146
    42.127.223.62
    93.113.98.70
    121.154.175.87
    181.16.41.199
    178.136.213.198
    78.129.245.146
    165.166.167.168
The original payload isn't there it seems but you can now download /obsorbu.exe instead :)
 #28699  by rootjacker
 Fri Jun 17, 2016 1:49 pm
hxxp://marketingmas.in.net/00/b.exe

I see a lot of distribution point in a format of [domain]/00]/b.exe lately for this malware. The dropper decrypt and inject Nitol malware. The malware startup via Startup\x.vbs.

Anyone know why the malware set this string "19Y4NSiG8kkzwWjMD17euEaQ5PErpwxWkPu39GwAQ7PeH7fJTFa4DXguurfn7GULq2pTsu" into the Clipboard?
Attachments
(759.3 KiB) Downloaded 57 times