Win32/Fareit - Page 2 - KernelMode.info

Re: Fareit - BlackHole loader of ZBot

#12413 by rkhunter
Fri Mar 30, 2012 4:40 pm

http://blog.webroot.com/2012/03/29/spam ... crimeware/
https://twitter.com/#!/msftmmpc/status/ ... 3912094720

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Fareit - BlackHole loader of ZBot

#12496 by thisisu
Tue Apr 03, 2012 5:10 am

Is this Fareit?
MD5: eb3ef30274d4c79a70262596525c31be

Code: Select all

G Data	Trojan.ZBot.HUJ (Engine A)
DrWeb	 Trojan.PWS.Siggen.35074
Ikarus	Trojan.Crypt!IK

https://www.virustotal.com/file/264fc19 ... /analysis/

Attachments

eb3ef30274d4c79a70262596525c31be.zip

pass: infected
(83.23 KiB) Downloaded 70 times

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Fareit - BlackHole loader of ZBot

#12497 by rkhunter
Tue Apr 03, 2012 5:43 am

thisisu wrote:Is this Fareit?
MD5: eb3ef30274d4c79a70262596525c31be

Yep.

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Trojan Ransom / FakePoliceAlert

#14586 by dumb110
Wed Jul 11, 2012 2:45 pm

http://www3.malekal.com/malwares/index. ... 6da4490289
anybody??

also does anybody have the new files for the police themed and UKASH ransom??

Username

dumb110

Posts

111

Joined

Tue Jun 05, 2012 1:29 pm

Re: Trojan Ransom / FakePoliceAlert

#14589 by Win32:Virut
Wed Jul 11, 2012 3:28 pm

dumb110 wrote:http://www3.malekal.com/malwares/index. ... 6da4490289
anybody??

Attachments

20120711_122413_de56d065b92c19183aac896da4490289.exe.7z

Password: infected
(72.1 KiB) Downloaded 78 times

Username

Win32:Virut

Posts

324

Joined

Sat Jun 02, 2012 2:22 pm

Re: Fareit - BlackHole loader of ZBot

#14669 by Xylitol
Sun Jul 15, 2012 9:19 pm

From bh 108.178.59.25/a.php?e=5&f=0e44a
Just got interested into this threat
exploits -> payloads -> zeusV3 -> pwd stealer and/or rogue/fake soft
https://www.virustotal.com/file/bfd5046 ... 342385814/
https://www.virustotal.com/file/a1b36aa ... 342385371/
Microsoft don't detect it :mrgreen:

Code: Select all

hxxp://sam-latrilogie.com:8080/pony/gate.php
hxxp://loceanic.fr:8080/pony/gate.php
hxxp://viveroparadiso.com.ar/NSyf.exe
hxxp://uppalneurohospital.com/x7nx.exe
hxxp://greatroastcoffee.com/w1HjW1.exe

gate.php <- If gate/pony so Blackhole and the rest
.exe files -> zeus & cie.

Pony C&C:

Code: Select all

hxxp://80.248.208.162:8080/pony/admin.php (sam-latrilogie.com)
hxxp://194.146.227.48:8080/pony/admin.php (loceanic.fr)
hxxp://176.31.255.41:81/pony/admin.php (etsiunjour.fr)

Abuse already sent to OVH but no reaction.
Look's like they use pony to get accounts/credentials and use them for bh/pony/etc or to host pe on compromised machines

Also have a look here, kafeine have do an awesome work:
http://malware.dontneedcoffee.com/2012/ ... ny-17.html

Attachments

pony.zip

infected
(158.92 KiB) Downloaded 77 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Fareit - BlackHole loader of ZBot

#14763 by Xylitol
Fri Jul 20, 2012 6:36 am

Just got my virtual machine infected with blackhole at 80.248.208.162:8080/view.php
Pony c&c: akamaifilms.com:81/pony/admin.php
• dns: 1 ›› ip: 69.175.8.106 - adresse: AKAMAIFILMS.COM
https://www.virustotal.com/file/c1399c5 ... 342765865/

Attachments

toip0_tmp.exe.zip

infected
(94.03 KiB) Downloaded 84 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Fareit - BlackHole loader of ZBot

#15229 by Xylitol
Thu Aug 16, 2012 11:18 am

https://www.virustotal.com/file/167e561 ... 345115834/

Attachments

167e561cda0731765d3316a8cd27808995d18fe30404ec936d936d8bf3175070.zip

infected
(53.48 KiB) Downloaded 81 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Trojan SpyEye (alias Pincav)

#15324 by resercher
Thu Aug 23, 2012 10:09 am

EP_X0FF wrote: TModule_CuteFTP
TModule_FlashFXP
TModule_FileZilla
TModule_FTPCommander
TModule_BProofFTP
TModule_SmartFTP
TModule_TurboFTP
TModule_FFFTP
TModule_CoreFTP
...

These strings are from PWS:Win32/LdPinch family

Username

resercher

Posts

2

Joined

Thu Aug 23, 2012 9:49 am

Location

München, Deutschland

Re: Fareit - BlackHole loader of ZBot

#17120 by kloent
Tue Dec 11, 2012 11:21 am

https://www.virustotal.com/file/6c5c151 ... 355224213/
SHA1: 99285fb02077d1b794fa2bfc71d8137ad19c47e7
MD5: 736fd0887eabaffcfefbf7dfa47cac0a

Attachments

Fareit.zip

pass: infected
(66.61 KiB) Downloaded 73 times

Username

kloent

Posts

10

Joined

Sat Nov 10, 2012 9:00 am