A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6882  by Xylitol
 Mon Jun 20, 2011 10:30 am
markusg wrote:info[1].exe
http://www.virustotal.com/file-scan/rep ... 1308559296
Hello, in attach unpacked sample

Image

20/41 >> 48.8%
http://www.virustotal.com/file-scan/rep ... 1308565159
Attachments
pwd: xylibox
(70.39 KiB) Downloaded 160 times
 #9317  by EP_X0FF
 Thu Oct 20, 2011 2:53 pm
markusg wrote:explorer.exe
MD5   : 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/report.html?id=73f1f147380c03dad7fccfb5639e9d784d53f6a971821a772908d7aeb7f600f0-1319118846
Calls home hxxp://91.228.160.157/de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2

Replaces explorer.exe with malware copy.

Terminates taskmanager and process explorer.

In attach decrypted.
W:\locker\locker\Release\locker.pdb
Attachments
pass: malware
(72.36 KiB) Downloaded 85 times
 #9747  by EP_X0FF
 Fri Nov 18, 2011 2:29 pm
Interesting. Internally this sample looks equal to those posted by markusg earlier.
y:\src\_cpp\bwin_nl\Release\bwin3.pdb
Take a look on debug path string, bwin_nl.

Also the same call home address hxxp://89.248.165.131

The only difference is in resources part. Different HTML and images.

Fully decrypted workable sample in attach.
Attachments
pass: malware
(84.72 KiB) Downloaded 77 times
 #9833  by Xylitol
 Tue Nov 22, 2011 6:06 pm
Image

Switzerland version
it do a GET req and call tools.ip2location.com as usual later
Code: Select all
GET /i.php?a=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible;)
Host: 89.248.165.131
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 22 Nov 2011 17:22:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Following url was found on the server:
Code: Select all
http://89.248.165.131:80/cgi-bin/
http://89.248.165.131:80/icons/
http://89.248.165.131:80/webmail/
http://89.248.165.131:80/error/
http://89.248.165.131:80/manager/
http://89.248.165.131:80/disabled/
Attachments
infected
(119.67 KiB) Downloaded 96 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 14