A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6773  by EP_X0FF
 Sat Jun 11, 2011 3:10 pm
rgotgktjgbt.exe
http://www.virustotal.com/file-scan/report.html?id=9041e0c723d4bc4a81634f835e4d389f86e4c428ba1368a80c10be8f39086920-1307803833
Ah, new crypter? Crashed at start, so it was unpacked manually. Unpacked dropper attached.

pass for decrypted config: 2FDA8FD09FD68A3C57AF34FA7AB83B21

Gates:
hxxp://analservice.eu/fuckthespain/kysokgovna.php;300
hxxp://pelletsn.com/generic/imap.php;300
hxxp://willdpelletsn.com/fixed/fxcs.php;300
Attachments
pass: malware
 #6775  by EP_X0FF
 Sat Jun 11, 2011 3:25 pm
markusg wrote:
cjbi wrote: Interesting blog post from Trend Micro.

SpyEye 1.3.4.x Comes with Noteworthy Modifications http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications
some droppers, hope it's of interest
Cool.

spyeye-binary-e11f467859d55c2c0d63f3592f662139.exe

Is this one http://www.kernelmode.info/forum/viewto ... 6758#p6758?
 #6777  by EP_X0FF
 Sat Jun 11, 2011 3:34 pm
It's Ok.

spyeye-binary-4079b6a89a65e0b130ee3425dadc7c22.exe

Gates:
hxxp://ohbl.in/guest.php;180
hxxp://yamarsian.in/guest.php;180
hxxp://worldns.info/guest.php;180
Fully unpacked dropper and decrypted config attached.


spyeye-binary-8918df86014d88eb742f4668529bda7b.exe

Gates:
Fully unpacked dropper and decrypted config attached.
Attachments
pass: malware
pass: DC170F331378C7242C1213717EE584ED
pass: CBE55B9FED19DAC289B2E42A6D62BDA7
pass: malware
 #6786  by EP_X0FF
 Sun Jun 12, 2011 11:36 pm
markusg wrote: Recycle.Bin.exe
http://www.virustotal.com/file-scan/rep ... 1307905702
Mark Zbikowski (MZ) and Portable Executable (PE) signatures corrupted.

Attached fixed image.

http://www.virustotal.com/file-scan/rep ... 1306055610
Attachments
pass: malware
pass: E32E1781E60A9570894685D30000006D
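Added example, not EP_X0FF's tool or anything from the post: a Python check for the two signatures the post says were corrupted, the `MZ` at offset 0 and `PE\0\0` at `e_lfanew` (the DWORD at offset 0x3C), plus a repair that rewrites only those bytes. The sample image is constructed inline; `build_sample`, `check_signatures` and `fix_signatures` are names chosen here.

```python
import struct

MZ_SIG = b"MZ"        # IMAGE_DOS_HEADER.e_magic
PE_SIG = b"PE\0\0"    # IMAGE_NT_HEADERS.Signature


def build_sample(corrupt: bool) -> bytes:
    """Constructed minimal image: DOS header, e_lfanew=0x80, PE signature,
    empty FILE_HEADER. With corrupt=True both signatures are zeroed, which
    is the damage described in the post (e_lfanew itself stays intact)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ_SIG
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    nt = bytearray(PE_SIG + b"\0" * 20)
    img = bytes(dos + nt)
    if corrupt:
        img = b"\0\0" + img[2:e_lfanew] + b"\0\0\0\0" + img[e_lfanew + 4:]
    return img


def check_signatures(img: bytes) -> dict:
    """Report whether the DOS and PE signatures are intact, without
    trusting either: e_lfanew is bounds-checked before it is followed."""
    if len(img) < 0x40:
        raise ValueError("too short for an IMAGE_DOS_HEADER")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if e_lfanew + 4 > len(img):
        # A corrupted e_lfanew needs a different repair (locate the
        # FILE_HEADER by its Machine/SizeOfOptionalHeader fields); not done here.
        raise ValueError("e_lfanew points outside the file")
    return {
        "e_lfanew": e_lfanew,
        "mz_ok": img[:2] == MZ_SIG,
        "pe_ok": img[e_lfanew:e_lfanew + 4] == PE_SIG,
    }


def fix_signatures(img: bytes) -> bytes:
    """Restore both signatures; every other byte is left as found."""
    st = check_signatures(img)
    buf = bytearray(img)
    buf[0:2] = MZ_SIG
    buf[st["e_lfanew"]:st["e_lfanew"] + 4] = PE_SIG
    return bytes(buf)
```

Loaders reject an image with either signature wrong, so this is the minimum repair before the file can be parsed or executed in a sandbox; a scanner that only keys on `MZ` will also miss the corrupted form.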
 #6787  by EP_X0FF
 Sun Jun 12, 2011 11:48 pm
markusg wrote: 1.3.4.x
B6232F3AB5F.exe
http://www.virustotal.com/file-scan/report.html?id=052db52ad26e7ae6c0b744f66f872f2d337d6ad35fea0d07feece1e105ec6f49-1307915000
Gates:
Unpacked binary attached.
Attachments
pass: malware
pass: DC170F331378C7242C1213717EE584ED
 #6788  by EP_X0FF
 Mon Jun 13, 2011 3:57 am
Gates:
http://www.virustotal.com/file-scan/rep ... 1307770486
Attachments
pass: malware
pass: B0381DD7D6CD7D76C4B71CA75D79C761