A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21269  by forty-six
 Tue Oct 29, 2013 3:09 pm
Here are some strings:
Code:
ASWgf02
user32
ntdll
shell32
explorer.exe
Shell_TrayWnd
\Windows NT\
shlwapi
ole32
Global\
Software\Microsoft\WAB\WAB4\Wab File Name
Software\Microsoft\WAB\DLLPath
version
 -update
-autorun
&ipcnf=
&sckport=
&cc=
&hh=
&pros=
/gate_urlzone/
&snh=
&gct=
%REQUNBR%
&email=
crypt32
gdi32
S:(ML;;NRNWNX;;;LW)
Global\Uz318E959A
.dll
\Internet Explorer\iexplore.exe
advapi32
ProductID
ProductName
CurrentVersion
InstallDate
video
setup
user
logon
mixer
pack
exec
play
Software\Microsoft\Windows\CurrentVersion\Run
|End
0#15^
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 
UPD_ERR_TS
UPD_ERR_OPEN
 
£
−
share
\prefs.js
proxy.type", 
proxy.http", "
proxy.http_port", 
\Mozilla\Firefox\Profiles\*
INJECTFILE
*EXEUPDATE 
form-urlencoded
www.google.com
gzip
deflate
%AMOUNT%
%ITENABLED%
%ITSUCCESSHOST%
%BOTID%
%BOTSHID%
html
text
javascript
json
?tver=
&vcmd=
&shy;<wbr/>
<cite></cite>
<samp></samp>
<var></var>
<code></code>
<dfn></dfn>
<kbd></kbd>
<em></em>
ITOK 
ITERR 
IT_STOP
DIS1
Referer:
%ITSTATUS%
Location: 
https;
http;
mail;
ftp;
URL: 
CMD0
nspr4
nss3
chrome.dll
thebat.exe
msimn
.exe
iexplore.exe
explorer.exe
myie.exe
firefox.exe
mozilla.exe
avant.exe
maxthon.exe
OUTLOOK.EXE
ftpte.exe
coreftp.exe
filezilla.exe
TOTALCMD.EXE
cftp.exe
FTPVoyager.exe
SmartFTP.exe
WinSCP.exe
chrome.exe
opera.exe
<BEGIN>
<END>
%MG%
POST
.exe
USER 
PASS 
wsock32
%LOCKDOMAIN%
%LOCKMESSAGE%
&C4I89Op=
?C4I89Op=
https://
http://
FTP 
MAIL 
wininet
oleaut32
&keret=
Microsoft-CryptoAPI/6.1
HTTP/1.1
GET / HTTP/1.1
#EndSecGValue#
GET 
Host: 
 HTTP/1.
Transfer-Encoding: 
CHUNKED
Content-Length: 
Software\Microsoft\Windows\CurrentVersion\Internet Settings
User Agent
Win32
Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
&AUML;
&UUML;
&OUML;
Referer: 
value="&Uuml;berweisung"
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\8DF2968C\
Windows NT 
CurrentVersion
Content-Encoding: 
Content-Type: 
qwertyuiopasdfghjklzxcvbnm123945678
@v:k
0X1=
j78N#
"@-ANSTBrntlsmgpeoui .f
1.2.4
incorrect header check
unknown compression method
invalid window size
unknown header flags set
header crc mismatch
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid code lengths set
invalid bit length repeat
invalid code -- missing end-of-block
invalid literal/lengths set
invalid distances set
invalid literal/length code
invalid distance code
invalid distance too far back
incorrect data check
incorrect length check
 inflate 1.2.4 Copyright 1995-2010 Mark Adler 
invalid distance too far back
invalid distance code
invalid literal/length code
takebook.net/forum/
cqshdbuidy
Z110000111