[Xylitol]

SpyEye monitoring 5-25 Nov ~10Mb when unpack

• 05/11/2011 - build_cr.exe -> 7E736B70C974685E8378D97EB5A7A129 2/43 >> 4.7%
• 05/11/2011 - config.bin -> B35DDE3CB9F888B80B361BBEE47777AD 12/43 >> 27.9%
• 06/11/2011 - 16 (Grabbed from BH) -> 62D0915F2D31D0A060671D31419A0B80 27/42 >> 64.3%
• 08/11/2011 - build___6D397774.exe -> 4911590A2E81B66B3142F404CA83691E 3/41 >> 7.3%
• 08/11/2011 - info.exe -> 39F70B7D398098870C68962CF368BB03 28/42 >> 66.7%
• 09/11/2011 - build___6D397774.exe -> 96E8A34226EECF5F60F0C15BD60A2F55 2/41 >> 4.9%
• 09/11/2011 - build_cr.exe -> 8231F88EEEA4C60CBC7EFD0FB2C9D815 1/43 >> 2.3%
• 10/11/2011 - build_cr.exe -> 775487B2FF26C57EA683290CA3C7C8B7 1/42 >> 2.4%
• 11/11/2011 - build___6D397774.exe -> F7C77FB3764E95D6FA475ACBEC2B76D2 4/42 >> 9.5%
• 11/11/2011 - config.bin of F7C77FB3764E95D6FA475ACBEC2B76D2 -> DAD764C09751B3DA5EC058EB23108F4F 12/43 >> 27.9%
• 12/11/2011 - build_cr.exe -> CF929780DED27D9B78C294950847C225 3/41 >> 7.3%
• 12/11/2011 - build___6D397774_1(1).exe -> 31D4A32096C6F195E2FC77896CA1CEFB 1/41 >> 2.4%
• 13/11/2011 - build___6D397774(1).exe -> 28783E9E77C5155BBAC5C60EB6DE47F5 1/42 >> 2.4%
• 14/11/2011 - build___6D397774.exe -> E07E4BA98FF59FC76A5D6AD9487B4F29 2/42 >> 4.8%
• 14/11/2011 - config.bin of E07E4BA98FF59FC76A5D6AD9487B4F29 -> 4390851BBB71236F8D10E076FCFFCD35 12/42 >> 28.6%
• 15/11/2011 - build_cr.exe -> 02FE49A21F4EF7D33DE2DA5B46A5ABD0 1/42 >> 2.4%
• 15/11/2011 - build___6D397774.exe -> 03BB2BAACCABB8FFD6381D88AD2EEA21 3/42 >> 7.1%
• 15/11/2011 - 151111.exe -> 21A984F0C557F93C8C431D4A85396C1B 2/42 >> 4.8%
• 15/11/2011 - 151111.exe -> 4621C24F2FF3728706C21C594DE9260D 1/41 >> 2.4%
• 15/11/2011 - build_cr.exe -> 10C713428DEB243177371E6252F5C52A 1/42 >> 2.4%
• 16/11/2011 - 161111.exe -> 1BF65180FC15D9730D4D650802A2711F 2/41 >> 4.9%
• 17/11/2011 - 171111.exe -> E8A87C66A41EA37FEFA9DB05C5F5F14C 1/42 >> 2.4%
• 17/11/2011 - build___6D397774_cr.exe -> 68D838AE5C3D1DC66DA0763751B56415 1/42 >> 2.4%
• 17/11/2011 - de1.2.exe -> 5075ACB92CA86FAFF6DF59FB41B41C30 4/41 >> 9.8%
• 17/11/2011 - 18 (Grabbed from BH) -> BB462BEB8EB803063A240A4D0F38D555 10/42 >> 23.8%
• 17/11/2011 - build___6D397774_cr.exe -> 42960662408E6E221308EC9903C6AD69 1/42 >> 2.4%
• 17/11/2011 - 171111.exe -> F87D9E7DF82A9E1597CE38B5583C102E 8/41 >> 19.5%
• 17/11/2011 - config.bin of F87D9E7DF82A9E1597CE38B5583C102E -> F8A686EDBCD9896F1FE94848A430424E 12/42 >> 28.6%
• 18/11/2011 - 181111.exe -> B08A6DB88330CBB105CC7EC9D4A7579F 2/42 >> 4.8%
• 18/11/2011 - 181111.exe -> 628E78C35E0B25D7AB37943FA3CD4AB6 2/42 >> 4.8%
• 18/11/2011 - build___6D397774_cr.exe -> E8B66A32029BF3A99BD616EBD3898A43 7/42 >> 16.7%
• 19/11/2011 - 191111.exe -> 13DD2028348E75565C3F6888F79DC69A 3/42 >> 7.1%
• 19/11/2011 - build___6D397774_o_1.exe -> C73C8F91E7A314E204F85835BB93D352 2/42 >> 4.8%
• 20/11/2011 - 201111.exe -> 7592B213CEC0426D42CD3F38D353FFE6 1/42 >> 2.4%
• 20/11/2011 - build_cr.exe -> 558C19F23E7A2FD05B29F356345C5DB9 1/42 >> 2.4%
• 21/11/2011 - build___6D397774.exe -> 1235F1E9A97118D12190302A15B4C6BF 3/42 >> 7.1%
• 21/11/2011 - config file of 1235F1E9A97118D12190302A15B4C6BF -> D6014141716B0F3E10BA1CA03CEEA23E 12/42 >> 28.6%
• 21/11/2011 - info.exe (grabbed from BH) -> EA8E56CDBC2CACE9BF97357366A57AFA 23/42 >> 54.8%
• 21/11/2011 - 211111.exe -> 8D7EBDE4198888825EB2BC44D0911EDE 3/42 >> 7.1%
• 21/11/2011 - config.bin file of 8D7EBDE4198888825EB2BC44D0911EDE -> 1E9B01F95642427EE7ED5B90E11350A9 13/42 >> 31.0%
• 22/11/2011 - build___6D397774.exe -> 4988C0960EEA60EA33F8AD3CE52CB8B4 1/43 >> 2.3%
• 22/11/2011 - 221111.exe -> A7DD73EBED1857BCAAC54326EFBC9642 3/43 >> 7.0%
• 22/11/2011 - config.bin file of A7DD73EBED1857BCAAC54326EFBC9642 -> 6512E258B62E5E352E2A57016F8AEFCD13/43 >> 30.2%
• 23/11/2011 - 231111.exe -> D134DF160668A13F541E6B5E8F824845 2/43 >> 4.7%
• 23/11/2011 - config.bin of D134DF160668A13F541E6B5E8F824845 -> 032CD53991A33E68044ED0EC5E20675C 13/43 >> 30.2%
• 23/11/2011 - build___6D397774(3)(1).exe -> 2E118284D3E8365ADFC15DDAD85C0E7E 0/43 >> 0.0%
• 23/11/2011 - 231111.exe -> B3A83E18AB1A88A6BBC0AD011A7D25AB 3/43 >> 7.0%
• 23/11/2011 - config.bin of B3A83E18AB1A88A6BBC0AD011A7D25AB -> E38604757C92521D0D178FA2E27249CA 13/43 >> 30.2%
• 23/11/2011 - build___6D397774.exe -> B976134F55A3BBBC7E3A6EC7E944A2E3 3/42 >> 7.1%
• 23/11/2011 - 231111_2.exe -> FF8A1F6939B480E83779A6515E574B1F 3/43 7.0%
• 23/11/2011 - 38 (grabbed from BH) -> 0ADE213E3B5ED73DF71AC23E8BD07CE9 1/42 >> 2.4%
• 23/11/2011 - 231111.exe -> 171AF8D3430C78ED99A7507DFA525D18 1/43 >> 2.3%
• 24/11/2011 - 241111.exe -> 1AA40D10ACA3960B730DDB661673D74F 2/43 >> 4.7%
• 24/11/2011 - build___6D397774.exe -> BEE4FCB7BA99776858C0A9ADD7503F42 2/43 >> 4.7%
• 24/11/2011 - config.bin104 of BEE4FCB7BA99776858C0A9ADD7503F42 -> CF7054C15A6BF8772569E83FCD11E840 12/43 >> 27.9%
• 24/11/2011 - 241111.exe -> 96B6485FE1E4C633FA4B169DC9970794 1/43 >> 2.3%
• 25/11/2011 - 251111.exe -> 4AF35B5A11069DC778894173C4D1B3C4 1/43 >> 2.3%
• 25/11/2011 - build___6D397774.exe -> D5459418C93C411F4FD8783B6768E3AE 3/42 >> 7.1%

If you wonder how they can call the gate with a .pdf or .jpg that simple: with an .htaccess and:

Code: Select all

AddType application/x-httpd-php .php .phtml .jpg .pdf

Also one of the C&C monitored banned my IP if you read my comments on VT (403 Forbidden) it's due to script like that:

Code: Select all

<?php
$f = fopen(".htaccess", "a");
fputs($f, "Deny from ".$_SERVER["REMOTE_ADDR"].PHP_EOL);
fclose($f);
?>

A sort of anti-curious if someone try to brute force directories (:

[markusg]

873D3F8A24A.exe
MD5   : 4be7c443693bfc3a1f28193b52c78bf4
https://www.virustotal.com/file-scan/re ... 1322411692

[markusg]

CD165098A5F.exe
MD5   : 55127dcfbc5d0983c02ba8c09cebc807
https://www.virustotal.com/file-scan/re ... 1322414432

[EP_X0FF]

CD165098A5F.exe
MD5 : 55127dcfbc5d0983c02ba8c09cebc807

Pass for decrypted config: CFF435AE25709B701CDCB63A27BB2159

Gates:

hxxp://sex-anal-tits.com/te/pu.php;2000
hxxp://googlorama.com/te/pu.php;2000
hxxp://panerabreab.com/te/pu.php;2000
hxxp://mobilestaf.com/te/pu.php;2000
hxxp://paneradread.com/te/pu.php;2000
hxxp://panerabreab.com/te/pu.php;2000
hxxp://getnoregoole.com/te/pu.php;2000

Collectors:

91.196.216.130:8080
91.196.216.132:8080

873D3F8A24A.exe
MD5 : 4be7c443693bfc3a1f28193b52c78bf4

Pass for decrypted config: FCA737CDF22135424EACBC5EEA2D5B3B

Gates:

hxxp://minimart20.com/forum.php;90
hxxp://whatwasinyourheart.com/forum.php;90

Collector:

95.163.66.191:412

In attach.

[markusg]

CD16509844B.exe
MD5   : d430caeae2d973b2964649e37bdcf17a
https://www.virustotal.com/file-scan/re ... 1322498446

[EP_X0FF]

CD16509844B.exe
MD5   : d430caeae2d973b2964649e37bdcf17a
https://www.virustotal.com/file-scan/re ... 1322498446

Different recrypt of http://www.kernelmode.info/forum/viewto ... 9934#p9934
In attach decrypted.

[markusg]

873D3F8A1CB.exe
MD5   : fbfe9444d295a2b36bf14bf2e67d7184
https://www.virustotal.com/file-scan/re ... 1322682901

[STRELiTZIA]

873D3F8A1CB.exe
MD5   : fbfe9444d295a2b36bf14bf2e67d7184
https://www.virustotal.com/file-scan/re ... 1322682901

Hi, thanks for this sample.
The same config.bin above with FCA737CDF22135424EACBC5EEA2D5B3B zip password.

[Xylitol]

queued (#998)
https://www.virustotal.com/file-scan/re ... 1324511841

[EP_X0FF]

queued (#998)
https://www.virustotal.com/file-scan/re ... 1324511841

pass for config: D905F14AB2108E5F7B9AEAE7921741A0

decrypted config attached.