A forum for reverse engineering, OS internals and malware analysis 

Backdoor Bot (including unnamed IRC bots)

Forum for analysis and discussion about malware.

Re: Bot sample for unknown

 #13461  by EP_X0FF
 Mon May 28, 2012 2:08 am
According to preliminary results this is trojan with keylogger and backdoor functionality. It uses dll injection (target svchost.exe, explorer.exe) using FDM 2.x (Free Download Manager) as user agent for requests. Connect with 176.9.150.53
POST /Bild/abs.php HTTP/1.1
User-Agent: FDM 2.x
Host: hpmarquardt.de
Content-Length: 254
Cache-Control: no-cache
Project file
X:\release\file.pdb
not meaningful.

Contains following strings
RSHELL Could not resolve backconnect hostname %d
RSHELL reconnecting %d
RSHELL Connected succesfully , will fork a shell now
Additionally perform API hooking (FindFirstFileW) to hide dropper in X:\Documents and Settings\UserName\Application Data\[randomchars]
Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Log from keylogger is near the dropper. To removal - terminate zombie svchost (it is simple to find it - it parent will be explorer) and explorer in same time. Cleanup registry entry + delete dropper with folder.

Posts moved.

Re: Trojan Ransom / Pliqpay_monexy

 #15594  by thisisu
 Sun Sep 16, 2012 7:54 am
Not sure of the name of this one. Could someone take deeper look and provide details?

MD5: 5a9a1f683e08d5b3e134ef673ec8aa3a
https://www.virustotal.com/file/0b8da18 ... /analysis/
Code: Select all
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "AudioDriver"
File Path: c:\windows\system32\windtr32.exe
Attachments
pass: infected
(186.86 KiB) Downloaded 48 times

Re: Trojan Ransom / Pliqpay_monexy

 #15603  by EP_X0FF
 Sun Sep 16, 2012 10:04 am
thisisu wrote:Not sure of the name of this one. Could someone take deeper look and provide details?

MD5: 5a9a1f683e08d5b3e134ef673ec8aa3a
https://www.virustotal.com/file/0b8da18e204d45e064782a3d5cf35370fe11391feed6ec73efcbf8c04233f945/analysis/
Code: Select all
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "AudioDriver"
File Path: c:\windows\system32\windtr32.exe
It doesn't looks like ransom. Yes it's Delphi origin, but there a lot of network related code inside, so likely this is just a backdoor.
hxxp://lenatab.com/
hxxp://mixgolos.ru/
hxxp://jmu-klass.ru/
Posts moved.

Re: Trojan Ransom / Pliqpay_monexy

 #15604  by tachion
 Sun Sep 16, 2012 10:06 am
Hi thisisu

log
Code: Select all
[ Changes to filesystem ]
   * Creates file C:\Windows\System32\windtr32.exe

[ Changes to registry ]
* Creates value "AudioDriver=C:\Windows\system32\windtr32.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{07d4dec5-fcee-11e1-bab1-806e6f6e6963}
old value empty

[ Network services ]
* Queries DNS
jmu-klass.ru
* C:\Users\xx\Desktop\5a9a1f683e08d5b3e134ef673ec8aa3a\5a9a1f683e08d5b3e134ef673ec8aa3a.exe Connects to "37.9.53.68" on port 80 (TCP - HTTP).
   * C:\Users\xx\Desktop\5a9a1f683e08d5b3e134ef673ec8aa3a\5a9a1f683e08d5b3e134ef673ec8aa3a.exe Connects to "193.150.0.180" on port 80 (TCP - HTTP).
   * C:\Users\xx\Desktop\5a9a1f683e08d5b3e134ef673ec8aa3a\5a9a1f683e08d5b3e134ef673ec8aa3a.exe Connects to "217.112.35.78" on port 80 (TCP - HTTP).

Process/window/string information
 * Keylogger functionality.]
The world's largest Armenian singles and dating community with video chat.Browse the profiles and photos of armenian men and women for free

look

Image

Image

TrafficLight or address blocks
 Return to “Malware”