[EP_X0FF]

Hello EP_XOFF, according to your response (page 24), I ´ve checked it and the spyeye version (.exe) is the same. But, I ´ve re-analyzed the sample and it seems the webinject is not the same. Could it be possible?
The C&C to where the malware connects is "263rdasd.com/hfgf/gate.php". Could give me a hand in order to get the webinject? Thanks!

Yes it is possible, servers list and other stuff of the same botmaster can be updated since they moving from server to server periodically after getting into trackers.
Pass for decrypted config of your sample B8861AB9ED87B79CC01DA26263373342

Both from binary and from archive configs attached

[pigindrin]

I supposed that. The webinjects could be updated by the botmaster. Thanks for your help. If u could share o give me a couple of tips, url, docs to follow in order to decrypt the spyeye v1.3x, it would be great. :)

[gritland]

decrypt: bpm ZwAllocaVirtualMemory+tracing

[EP_X0FF]

SpyEye v1.3.45

pass for decrypted config: 6CB5879FB91A3B0175742B5FEC117205

Gates:

hxxp://www.eharmony.co.uk/indexx.php;300
hxxp://www.classicandsportscar.com/seo/tran.php;300
hxxp://magicmartini4en1.com/g/login.php;200
hxxp://magicmartini4en10.com/g/login.php;200
hxxp://magicmartini4en117.com/g/login.php;200

Plugins: customconnector

Original, unpacked and decrypted config in attach.

Payload of the Blackhole exploit kit (gera5man5rire.cz.cc/forum.php?post=a728a0e7c4bbccfd)

Original 17/ 43 (39.5%)
http://www.virustotal.com/file-scan/rep ... 1314404611

Unpacked 28/ 44 (63.6%)
http://www.virustotal.com/file-scan/rep ... 1314405589

[EP_X0FF]

SpyEye v1.3.4x

Extracted as payload of downloader from Blackhole exploit kit.

Pass for decrypted config: 860E922737828539017E64299FB028D6

Gates:

hxxp://hydracock.ru/hydra/sneak.php;90
hxxp://womenlovetdqs.ru/women/calendar.php;90

Plugins: customconnector, ffcertgrabber, ftpbackconnect, rdp, socks5.

Original, unpacked and decrypted config in attach.

http://www.virustotal.com/file-scan/rep ... 1314630931

[EP_X0FF]

SpyEye v1.3.4x

Extracted as payload of Blackhole exploit kit (kapihuta.co.tv/x11/index.php?tp=b9d37c27031fd84e)

Pass for decrypted config: 9F6EBAF3531712646467F0C54E0D7D24

Gates:

hxxp://frandiss.ru/network/user.php;300
hxxp://gallopusik.ru/phpinfo.php;300

Plugins: customconnect, ccgrabber.

Original, unpacked and decrypted config in attach.

VT 1/ 44 (2.3%)
http://www.virustotal.com/file-scan/rep ... 1314716572

[Xylitol]

Review of the SpyEye Toolkit v1.3.45

[EP_X0FF]

SpyEye v1.3.4x

Payload of the Blackhole Exploit kit (erdgxrhtyjuyukopgf.cx.cc/main.php?page=c9d2deef18f3c158)

Pass for decrypted config: FD9EBD0F32D1D60DB9E58344C38FABEF

Gates:

hxxp://hoploit888.ru/dns.php;300
hxxp://karmemberitcnoit.ru/awstats.php;300
hxxp://babargeya789.ru/www-secure.php;300

Plugins: customconnect, ccgrabber.

Original, unpacked and decrypted config in attach.

308 Kb of webinjects

VT 1 /44 (2.3%)
http://www.virustotal.com/file-scan/rep ... 1314847523

[Xylitol]

remember of this ? http://www.kernelmode.info/forum/viewto ... =170#p6939
Solutions released ~ https://www.honeynet.org/node/766

[EP_X0FF]

SpyEye v1.3.4x

Payload of the Blackhole Exploit kit (samirko.in/main.php?page=a580bb1f867050f5)

Pass for decrypted config: F2F9A724A66B581CEB0065DC9DEEEA15

Gates:

hxxp://chesterfield.net.in/default.php;300
hxxp://helterhealh.net/twitted.php;350
hxxp://nofrostengland.com/pics4upload.php;500

Plugins: customconnect, ActiveAZ.

Original, unpacked and decrypted config in attach.

VT 2/ 44 (4.5%)
http://www.virustotal.com/file-scan/rep ... 1314888801