A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17032  by EX!
 Wed Dec 05, 2012 2:33 pm
#Zbot

SHA256: ff6949caabf682b6f38df69613dad4f195e2b7c5dfe689f7f7dc9961b84b7067
SHA1: 45b80e5b19fca1a971b66d3a8fa421ffa1312ddc
MD5: 7ee9fb68bb80d25148a2e1543e62cd9f
Size: 305.0 KB ( 312320 bytes )
Name: dhxs.exe
Type: Win32 EXE
Tags: peexe
Detections: 7 / 46


:mrgreen:
Attachments: sample archive (296.11 KiB), password = infected
 #17037  by AaLl86
 Wed Dec 05, 2012 6:26 pm
Hi All Kernelmode folks!! :-)
I found this sample on a PC here in Italy. I've just scanned it with some AVs but none of them reveals what it is.
I've started to disassemble it; I found no especially interesting features... A lot of ntdll, wininet, wsock4 functions hooked and a pair of encryption layers + 1 watchdog thread. It installs itself in the classic HKLM\Microsoft\Windows\CurrentVersion\Run key.
Unfortunately I don't have much spare time to deeply analyze it.
I report here a picture representing the hooked procedures....
[Image: HookedAPI.jpg, "Hooked API picture"]
I hope that this could be interesting... I apologize if this trojan is already present in the KM database.... I searched and didn't find anything similar...
Regards,
Andrea
Attachments: Dropper (507.69 KiB)
 #17039  by markusg
 Wed Dec 05, 2012 7:23 pm
Zeus Gameover I think, sends data to /Pony
89.166.50.40
Comes often via spam, and is often active in Italy.
 #17049  by AaLl86
 Thu Dec 06, 2012 10:39 am
Buster_BSA wrote:
http://www.symantec.com/connect/blogs/b ... euszbot-20

None of the attached files seem to be the dropper. I was unable to get any of the files registering itself at AutoStart registry key (HKLM\Microsoft\Windows\CurrentVersion\Run).
Hi Buster_BSA!
I personally used the "FAX_281290192982.pdf.exe" file and it infected my Windows XP SP3 machine.... You just have to rename it. For me it worked.... Btw thanks for the signalization....

Andrea
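The posts above describe persistence through the HKLM\...\CurrentVersion\Run key and the difficulty of telling which attached file actually registers itself there. The following is an added triage helper, not code from the thread or from any of its authors: it parses `reg query`-style output of the Run key and flags entries that point into user-writable directories, use a double extension such as `.pdf.exe`, or carry a short vowel-less name. The registry export embedded below is constructed for the example; only the file names `dhxs.exe` and `FAX_281290192982.pdf.exe` come from the thread, the paths around them and the other entries are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# style output. Only the two malicious file names appear in the thread; the
# directories and the two benign entries are invented for this example.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    dhxs    REG_SZ    C:\Documents and Settings\user\Application Data\Dhxs\dhxs.exe
    Updater    REG_SZ    "C:\Users\user\AppData\Local\Temp\FAX_281290192982.pdf.exe"
"""

# Path fragments (lower-cased) that a normal user account can write to.
# An autostart entry pointing here is not proof of malware, but it deserves a look.
USER_WRITABLE_MARKERS = (
    "\\application data\\", "\\appdata\\", "\\temp\\",
    "\\local settings\\", "\\documents and settings\\", "\\users\\",
)

# One "name    REG_TYPE    data" value line as printed by reg query.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def executable_path(data: str) -> str:
    """Pull the executable path out of a Run value (quoted, or ending in a known extension)."""
    data = data.strip()
    quoted = re.match(r'^"([^"]+)"', data)
    if quoted:
        return quoted.group(1)
    ext = re.match(r"^(.+?\.(?:exe|scr|bat|cmd|vbs|js|dll))(?:\s|$)", data, re.IGNORECASE)
    if ext:
        return ext.group(1)
    return data.split(" ", 1)[0]


def assess(path: str) -> list:
    """Return the list of heuristic reasons an autostart path looks suspicious."""
    reasons = []
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable location")
    base = low.rsplit("\\", 1)[-1]
    if re.search(r"\.(pdf|doc|docx|jpg|txt|xls)\.(exe|scr)$", base):
        reasons.append("double extension masquerading as a document")
    stem = base.rsplit(".", 1)[0]
    if len(stem) >= 4 and stem.isalpha() and not any(v in stem for v in "aeiou"):
        reasons.append("short vowel-less name (heuristic, often generated)")
    return reasons


def triage_run_key(export_text: str) -> list:
    """Parse reg query output and return one Finding per autostart value."""
    findings = []
    for line in export_text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header, blank line, or anything that is not a value line
        name, _reg_type, data = m.groups()
        path = executable_path(data)
        findings.append(Finding(name=name, path=path, reasons=assess(path)))
    return findings


if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_REG_EXPORT):
        status = "SUSPICIOUS" if f.reasons else "ok"
        print(f"{status:10} {f.name!r:24} {f.path}")
        for r in f.reasons:
            print(f"{'':10}   - {r}")
```

Run it against a real export (`reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" > run.txt` on the suspect machine, then feed the file's text to `triage_run_key`) and compare against the HKCU hive and the Wow6432Node key as well, since the heuristics only see what you export. The flags are triage hints: a path in `%AppData%` is common for legitimate per-user installers too, so the output is a list to verify by hash, not a verdict.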
 #17051  by markusg
 Thu Dec 06, 2012 1:49 pm
Yes, this fax... exe works.
This is why I think the malware comes from a spam campaign, because I see such in some spams.