A forum for reverse engineering, OS internals and malware analysis 

Trojan SpyEye (alias Pincav)

Forum for analysis and discussion about malware.

Re: Trojan SpyEye (alias Pincav)

 #10651  by EP_X0FF
 Wed Dec 28, 2011 3:34 pm
markusg wrote:2608DF019D1.exe
MD5   : 56a4404eec7596331da8edecde300797
https://www.virustotal.com/file-scan/re ... 1325081087
SpyEye v1.3x

pass for decrypted config: 5AA8ED297193F51DA1B893F23D6B574E

gate from customconnector cfg
hxxp://89.248.162.170/updates.php;180
In attach unpacked dropper and decrypted config.
Attachments
pass: malware
(764.22 KiB) Downloaded 74 times

Re: Trojan SpyEye (alias Pincav)

 #10730  by STRELiTZIA
 Sun Jan 01, 2012 8:54 am
Thanks for this sample: 8DF6283CC0E974663781F8EF8EF1236D.rar

Password for decrypted config: 1005D104CDAD1BFA5688FC3DF48BFF37

Collectors:
193.39.78.119:8081
193.39.78.175:8081
Gates
hxxp://193.39.78.175/gate.php;60
hxxp://193.39.78.119/gate.php;60
Attachments
(8.23 KiB) Downloaded 62 times

Re: Trojan SpyEye (alias Pincav)

 #10861  by EP_X0FF
 Fri Jan 06, 2012 8:29 am
rkhunter wrote:5/43 >> 11.6%

MD5: ab6cf6dd2a92b42d1ded0149e4999d30
That is the old sample, VT scan is outdated.

Pass for decrypted config: D905F14AB2108E5F7B9AEAE7921741A0

Gates:
hxxp://weddingbee.com/gate.php;180
hxxp://swistertwister.ru/_cp/gate.php;180
hxxp://listriskevish.ru/_cp/gate.php;180
hxxp://kaleidosskop.ru/_cp/gate.php;180
hxxp://goreeotuma.ru/_cp/gate.php;180
hxxp://stervyatniks.ru/_cp/gate.php;180
hxxp://plan2000putina.ru/_cp/gate.php;180
hxxp://optimizzzm.ru/_cp/gate.php;180
hxxp://pereostanovka.ru/_cp/gate.php;180
hxxp://pravilozhizzzni.ru/_cp/gate.php;180
hxxp://kommunizzzm.ru/_cp/gate.php;180
hxxp://sheregessh.ru/_cp/gate.php;180
hxxp://gannoover.ru/_cp/gate.php;180
Attached unpacked + decrypted config
Attachments
pass: malware
(241.83 KiB) Downloaded 68 times

Re: Trojan SpyEye (alias Pincav)

 #10949  by STRELiTZIA
 Tue Jan 10, 2012 7:16 pm
Thanks for these samples.

Sample by EX!:
Pass for decrypted config: 183520415D74F0E831DB4D79D3C7A339

Gates:
hxxp://www.johnsonforums3.com/login.php;580
hxxp://www.donttouchme739.com/login.php;580
hxxp://readmedocument83.com/admin.php;580
hxxp://iamnothere823.com/admin.php;320
hxxp://hellofromhere98213.com/backup.php;120
Collectors:
hbasdauadhg.com:995
jahsdiuasbdiaa.com:995
backupdomainmuie1245.com:995
930nbsdaiodsa.com:995
Sample by rkhunter:
Pass for decrypted config: D905F14AB2108E5F7B9AEAE7921741A0 already posted
http://www.kernelmode.info/forum/viewto ... 1A0#p10861

Gates:
hxxp://weddingbee.com/gate.php;180
hxxp://swistertwister.ru/_cp/gate.php;180
hxxp://listriskevish.ru/_cp/gate.php;180
hxxp://kaleidosskop.ru/_cp/gate.php;180
hxxp://goreeotuma.ru/_cp/gate.php;180
hxxp://stervyatniks.ru/_cp/gate.php;180
hxxp://plan2000putina.ru/_cp/gate.php;180
hxxp://optimizzzm.ru/_cp/gate.php;180
hxxp://pereostanovka.ru/_cp/gate.php;180
hxxp://pravilozhizzzni.ru/_cp/gate.php;180
hxxp://kommunizzzm.ru/_cp/gate.php;180
hxxp://sheregessh.ru/_cp/gate.php;180
hxxp://gannoover.ru/_cp/gate.php;180
Collectors:
weddingbee.com:444
swistertwister.ru:444
listriskevish.ru:444
kaleidosskop.ru
goreeotuma.ru
stervyatniks.ru
plan2000putina.ru
optimizzzm.ru
pereostanovka.ru
pravilozhizzzni.ru
kommunizzzm.ru
sheregessh.ru
gannoover.ru
Attachments
(388.92 KiB) Downloaded 74 times
  • 1
  • 32
  • 33
  • 34
  • 35
  • 36
  • 42
 Return to “Malware”