A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9857  by EP_X0FF
 Wed Nov 23, 2011 3:29 pm
ithurricane wrote: Hi everyone,

I am looking for the following samples:
Win32/TrojanDownloader.Carberp trojan

This month ESET Virus Researchers discovered new information on a new modification in the
Win32/TrojanDownloader.Carberp trojan family.

Evolution of Win32Carberp: going deeper
http://blog.eset.com/2011/11/21/evoluti ... ing-deeper

The new Carberp modification uses a VBR bootkit infector.
At the time, the only known malware utilizing the same bootkit component was the Rovnix bootkit.
Thanks
Rovnix is the Cidox/Mayachok.2, posted http://www.kernelmode.info/forum/viewto ... =16&p=7094
The overall engine does not seem to have changed; the VBR, for example, is the same and is detected as Cidox/Mayachok - http://www.virustotal.com/file-scan/rep ... 1322031891
I am sorry I don't have MD5 or SHA for them.
http://www.virustotal.com/file-scan/rep ... 1321988779
 #10207  by EP_X0FF
 Wed Dec 07, 2011 1:04 pm
Yes, it's Carberp with BKLOADER similar to the one used by Cidox/Mayachok.2
VBR
\??\PHYSICALDRIVE0
\??\PHYSICALDRIVE0
BKSETUP: Payload of %u bytes successfully written at sector %x.
\Device\Harddisk0\Partition%u
\Device\Harddisk0\Partition%u
NTFS
BKSETUP_%04x: BK setup dll version 2.1.
BKSETUP_%04x: Attached to a 32-bit process at 0x%x.
BKSETUP_%04x: Detached from a 32-bit process.
{%08X-%04X-%04X-%04X-%08X%04X} IsWow64Process KERNEL32.DLL open %lu.bat "%s" attrib -r -s -h%1
:klabel
del %1
if exist %1 goto klabel
del %0
Software\Classes\CLSID\ runas BKSETUP: Failed generating program key name.
BKSETUP: Already installed.
BKSETUP: OS not supported.
BKSETUP: Not enough privileges to complete installation.
BKSETUP: No joined payload found.
BKSETUP: Installation failed because of unknown reason.
BKSETUP: Successfully installed.
BKSETUP: Version: 1.0
BKSETUP: Started as win32 process 0x%x.
BKSETUP: Process 0x%x finished with status %u.
BKSETUP: Version: 1.0
BKSETUP: Started as win32 process 0x%x
BKSETUP: Process 0x%x finished with status %u

Just one note about the dropper: it is packed with Mystic Compressor and has a feature to restore possibly hooked ntdll.dll routines; this is a trick it uses to fool debugging with breakpoints.
 #11138  by Maxstar
 Thu Jan 19, 2012 10:55 am
Hi,

I'm looking for the Carberp trojan that attacks Facebook: http://www.trusteer.com/blog/carberp-st ... book-users
I don't know if this is the sample, but this was the only recent information I've found.

SHA256: af002908118a721cfc3fa83958ad9b9a1630d36dc9f7454db9079bfc97829f08
SHA1: e2357e7b369925910440a6a731d120a99f4db53e
MD5: 4b9f2dd6d5ff86a72bffbc5b861d75e5

Thanks in advance,

Maxstar
 #11141  by Xylitol
 Thu Jan 19, 2012 1:47 pm
Maxstar wrote: Hi,

I'm looking for the Carberp trojan that attacks Facebook: http://www.trusteer.com/blog/carberp-st ... book-users
I don't know if this is the sample, but this was the only recent information I've found.

SHA256: af002908118a721cfc3fa83958ad9b9a1630d36dc9f7454db9079bfc97829f08
SHA1: e2357e7b369925910440a6a731d120a99f4db53e
MD5: 4b9f2dd6d5ff86a72bffbc5b861d75e5

Thanks in advance,

Maxstar
Attachments
pw: infected
 #11453  by onthar
 Sun Feb 05, 2012 9:38 pm
Two fresh Carberp samples from the Blackhole kit (hxxp://dopefriends.doesntexist.org/main.php?page=e3784aae890797ae)
About.exe (13 / 43, b208bed5ecfc2f43260fa23abaa8eb76)
https://www.virustotal.com/file/9538f76 ... 328473568/

0.2648087536073538.exe (4 / 43, 007d1807415c41c132436dfe4eef8e86)
https://www.virustotal.com/file/23bd6ff ... 328473468/

Got them via ICQ spam.
Attachments
pass: infected