A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27030  by benkow_
 Wed Oct 21, 2015 9:55 pm
Hum I don't know the name for these:

2 samples of the same family:
a077a9dc0c191621b1b4ca3e9801da2a https://www.virustotal.com/fr/file/a253 ... 445461460/
16e0879b63ffd98ab5adfca27e78a7aa https://www.virustotal.com/fr/file/cf06 ... 445461458/
Code:
Fuck OFF
Hello AV
GetProcAddress
CreateProcessW
SetThreadContext
VirtualAllocEx
WriteProcessMemory
NtUnmapViewOfSection
CreateProcessW
VirtualFree
ReadProcessMemory
NtUnmapViewOfSection
ntdll.dll
0xDEADBEEF
FindResource
Kernel32.dll
GetWindowsDirectoryW
Kernel32.dll
SYSTEMROOT
\system32\drivers\avc3.sys
\system32\drivers\aswSP.sys
\system32\drivers\aswFsBlk.sys
\system32\drivers\pavproc.sys
\system32\drivers\pavboot64.sys
\system32\drivers\cmdhlp.sys
\system32\drivers\inspect.sys
\system32\drivers\cmdmon.sys
\system32\drivers\AVGIDSErHr.sys
\system32\drivers\avgdiskx.sys
\system32\drivers\avgidsdriverlx.sys
\system32\drivers\mbam.sys
\system32\drivers\mbamchameleon.sys
\system32\drivers\kl1.sys
\system32\drivers\klif.sys
ExitProcess
CreateMutexW
VirtualFree
GetConsoleWindow
GetLastError
VirtualAlloc
GetEnvironmentVariableA
FindFirstFileA
Sleep
GetModuleFileNameW
GetProcAddress
GetModuleHandleA
GetFileSize
CreateProcessW
WriteFile
ReadFile
CreateFileW
CloseHandle
FindResourceW
LoadResource
SizeofResource
LockResource
VirtualProtect
GetThreadContext
GetCurrentProcess
GetModuleHandleW
ReadProcessMemory
TerminateProcess
ResumeThread
KERNEL32.dll
ShowWindow
USER32.dll
SHGetFolderPathW
SHELL32.dll
RtlUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ping -n 1 127.0.0.1 > nul
start /b "" "%AppData%\EEbeFAMMrx.exe"
ping -n 3 127.0.0.1 > nul
del "%AppData%\EEbeFAMMrx.exe"
(goto) 2>nul & del "%~f0"
BM60
fa1e987e4290da75f3bdb661f51f8e2b - https://www.virustotal.com/fr/file/52b6 ... 445461458/
Code:
MSVBVM60.DLL
ance  
0g62l
Form1
Stpe
POS_TIME
RCount
Arial
LCount
Arial
S_USB
GHOST
VB5!
INSTALL_B
UNISTALL_B
UPDATE_B
DW_EXEC
N_CONNECT
F_UAC
F_EXIST
S_EXEC
MELT
MY_PATH
G_OS
FTPUPLOAD
A_ANUBIS
D_REG
D_TASK
A_OLLY
A_SAND
A_SYS
A_BOX
A_VM
D_API
DropBox
S_PROTECT
C_DATA
R_DATA
A_MALWR
A_NORMAN
A_WINE
A_FIREWALL
M_BYTES
E_286
G_ARC
D_PROTECT
S_XOR
G_RAM
G_CPU
G_GPU
G_HD
B_64
G_BETWEEN
A_RES
P_PWD
P_FTP
P_MAIL
P_UDP
P_HTTP
P_SCREEN
P_WALLET
P_SPAM
P_KEYLOGGER
C_EOF
P_DSPREAD
N_COMMANDS
PING_SITE
GR_COMMAND
0g62l
LCount
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
POS_TIME
S_USB
GHOST
Stpe
Form
RCount
wininet.dll
DeleteUrlCacheEntryA
SHELL32
IsUserAnAdmin
hhO@
KERNEL32
Sleep
LoadLibraryA
FindExecutableA
hXP@
ShellExecuteA
GetModuleFileNameA
GetStartupInfoW
h4Q@
CreateToolhelp32Snapshot
Process32First
Process32Next
h$U@
CloseHandle
hhU@
GetCurrentProcessId
NTDLL
NtUnmapViewOfSection
h8X@
NtWriteVirtualMemory
NtSetContextThread
NtResumeThread
h$Y@
NtGetContextThread
hpY@
NtAllocateVirtualMemory
CreateProcessW
VBA6.DLL
:u9k
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
+ VB stuff inside this one.

All attached
 #27093  by p1nk
 Thu Oct 29, 2015 1:24 am
First two have some references to KeepFUD.PW in them.

Does a nice little AV check also at the start [Attached screenshot], looks to be based on known A/V drivers.
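A static triage pass over a strings dump for the three behaviours visible in the first two samples: the process-hollowing API cluster, the AV-driver existence check under %SYSTEMROOT%\system32\drivers, and the self-deleting batch dropper. This is an added example, not code from the thread; the dump below is a constructed subset of the strings quoted above, and the thresholds are assumptions.

```python
"""Triage a strings dump for the hollowing / AV-driver-check / self-delete
indicators seen in this thread. Added example; the sample dump is a
constructed subset of the posted strings, not a real tool's output."""
import re

# Constructed excerpt of a strings dump (subset of what the post lists).
SAMPLE_STRINGS = r"""
CreateProcessW
NtUnmapViewOfSection
VirtualAllocEx
WriteProcessMemory
GetThreadContext
SetThreadContext
ResumeThread
SYSTEMROOT
\system32\drivers\aswSP.sys
\system32\drivers\klif.sys
\system32\drivers\mbam.sys
start /b "" "%AppData%\EEbeFAMMrx.exe"
del "%AppData%\EEbeFAMMrx.exe"
(goto) 2>nul & del "%~f0"
IsDebuggerPresent
""".strip().splitlines()

# APIs that together make up the classic hollowing sequence.
HOLLOWING_APIS = {
    "CreateProcessW", "NtUnmapViewOfSection", "VirtualAllocEx",
    "WriteProcessMemory", "GetThreadContext", "SetThreadContext",
    "ResumeThread",
}
DRIVER_RE = re.compile(r"\\system32\\drivers\\([\w.-]+\.sys)", re.I)
SELF_DELETE_RE = re.compile(r'del\s+"%~f0"', re.I)  # batch deleting itself

def triage(lines):
    """Return a dict of findings; list values hold what was matched."""
    strings = {l.strip() for l in lines}
    apis = sorted(HOLLOWING_APIS & strings)
    drivers = sorted(m.group(1) for l in lines for m in DRIVER_RE.finditer(l))
    return {
        # Require most of the cluster, not a single API (assumed threshold).
        "process_hollowing": len(apis) >= 5,
        "hollowing_apis": apis,
        "av_driver_check": len(drivers) >= 3,
        "av_drivers": drivers,
        "self_deleting_dropper": any(SELF_DELETE_RE.search(l) for l in lines),
        "anti_debug": "IsDebuggerPresent" in strings,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```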
 #27219  by Blaze
 Fri Nov 13, 2015 9:13 am
AbaddonPOS.

https://www.proofpoint.com/us/threat-in ... To-Vawtrak
AbaddonPOS Exfiltration C2 IP addresses:
Attached.
 #28139  by Xylitol
 Mon Mar 28, 2016 1:50 pm
TreasureHunt / TreasureHunter
https://www.fireeye.com/blog/threat-res ... _cust.html

v0.1.1:
https://www.virustotal.com/en/file/e706 ... 459182718/
must be run with an argument to go on the interesting stuff; initialization starts at 0x405B84

v0.1:
Code:
• dns: 10 ›› ip: 109.87.81.22 - adress: FRILTOPYES.COM
• dns: 1 ›› ip: 209.99.16.57 - adress: LOGMEINRESCUE.US.COM
• dns: 1 ›› ip: 72.52.4.91 - adress: CORTYKOPL.COM
• dns: 0 ›› ip: - adress: MILLIONJAM.EU
• dns: 0 ›› ip: - adress: 3SIPIOJT.COM
• dns: 0 ›› ip: - adress: SEATRIP888.EU
 #28255  by benkow_
 Sat Apr 09, 2016 6:53 pm
Another Alina spotted today.
Code:
SHELLCODE_MUTEX
7YhngylKo09H
explorer.exe
Windows Host Process
appdata
%s\drv.sys
C:\drv.sys
chrome.exe
firefox.exe
iexplore.exe
svchost.exe
smss.exe
csrss.exe
wininit.exe
steam.exe
devenv.exe
thunderbird.exe
skype.exe
pidgin.exe
services.exe
dllhost.exe
lsass.exe
winlogon.exe
alg.exe
wscntfy.exe
taskmgr.exe
spoolsv.exe
QML.exe
AKW.exe
{[!11!]}{[!4!]}
{[!12!]}{[!10!]}http://%s:%d{[!4!]}
HTTP/1.1
POST
{[!13!]}{[!4!]}
Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: close
{[!14!]}{[!4!]}
{[!15!]}{[!4!]}
%%%02x
vector<T> too long
map/set<T> too long
{[!16!]}{[!46!]}%s (%d)
{[!46!]}%d{[!1!]}
Unknown::
cards
card
~eventual/wplog/push.php
181.224.137.233
~eventual/wplog/loading.php
update
diag
updateinterval=
cardinterval=
log=1
{[!17!]}{[!18!]}
log=0
{[!17!]}{[!19!]}
chk=
update=
{[!23!]}{[!22!]}, {[!24!]}{[!4!]}%d{[!25!]}
dlex=
{[!22!]}%s{[!5!]}
\\.\pipe\spark
{[!16!]}{[!20!]}{[!26!]}%s
{[!27!]}{[!30!]}{[!4!]}%s.{[!2!]}
{[!28!]}%d.%d, {[!29!]}%d.%d.{[!1!]}
{[!30!]}{[!31!]}{[!4!]}
{[!29!]}{[!32!]}%s
http://
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22
{[!22!]}{[!18!]}{[!33!]}{[!4!]}{[!34!]}= %d, {[!35!]}= 0x%x.{[!36!]}
{[!37!]}{[!35!]}{[!4!]}{[!38!]}0x%x,{[!39!]}0x%x.{[!36!]}
{[!40!]}{[!4!]}{[!36!]}
{[!41!]}{[!4!]}{[!42!]}= 0x%x, {[!34!]}= 0x%x.{[!36!]}
{[!22!]}{[!5!]}%s -> %s [%d]{[!35!]}= 0x%x (== 0x%x)
{[!43!]}{[!4!]}
{[!4!]}{[!10!]}{[!44!]}{[!43!]}{[!21!]}
{[!4!]}{[!45!]}{[!21!]}
{[!37!]}{[!35!]}{[!4!]}{[!38!]}0x%x,{[!39!]}0x%x.
C:\Users\Own\Desktop\sursa alina\sursa v2\Source\Debug\Spark.pdb
6f9O
PWVS
PWVS
0@;E
[^_]
Password7YhngylKo09H
\ntkrnl
\Installed\windefender.exe
shell32.dll
SHGetSpecialFolderPathA
ShellExecuteA
open
SHELLCODE_MUTEX
!This program cannot be run in DOS mode.
c:\drivers\test\objchk_win7_x86\i386\ssdthook.pdb
RtlEqualUnicodeString
ZwEnumerateValueKey
ZwQueryDirectoryFile
ZwQuerySystemInformation
RtlInitUnicodeString
MmMapLockedPages
MmBuildMdlForNonPagedPool
MmCreateMdl
KeServiceDescriptorTable
IoFreeMdl
MmUnmapLockedPages
KeTickCount
ntoskrnl.exe
panel: http://181.224.137\.233/~eventual/wplog/adm.php
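A proxy-log check built from the beacon strings in this Alina/Spark dump: a POST to ~eventual/wplog/push.php or loading.php, the application/octet-stream headers, and the fixed Chrome/25 User-Agent. Added example, not code from the post; the tab-separated log lines and their field layout are constructed for the demo.

```python
"""Flag Alina/Spark-style beacons in web-proxy logs using the strings from
this post. Added example; log lines below are constructed, not real traffic."""
import re
from collections import namedtuple

# Hard-coded User-Agent found in the strings dump.
UA = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 "
      "(KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22")
# Panel endpoints the sample posts card data and check-ins to.
PATH_RE = re.compile(r"/~eventual/wplog/(push|loading)\.php$")

Hit = namedtuple("Hit", "host path reason")

# Constructed log lines: method, host, path, content-type, user-agent (tab-separated).
LOGS = [
    "POST\t181.224.137.233\t/~eventual/wplog/push.php\tapplication/octet-stream\t" + UA,
    "GET\twww.example.com\t/index.html\ttext/html\t" + UA,
    "POST\t203.0.113.5\t/~eventual/wplog/loading.php\tapplication/octet-stream\tcurl/7.0",
    "POST\t198.51.100.9\t/upload\tapplication/octet-stream\t" + UA,
]

def detect(lines):
    """Return a Hit per suspicious line, with the reasons joined by '+'."""
    hits = []
    for line in lines:
        method, host, path, ctype, ua = line.rstrip("\n").split("\t", 4)
        reasons = []
        if method == "POST" and PATH_RE.search(path):
            reasons.append("alina_panel_path")
        # Octet-stream POST with this exact UA matches the sample's request template.
        if method == "POST" and ctype == "application/octet-stream" and ua == UA:
            reasons.append("alina_post_template")
        if reasons:
            hits.append(Hit(host, path, "+".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in detect(LOGS):
        print(hit)
```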