A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11814  by rkhunter
 Sun Feb 26, 2012 8:47 am
Maybe some will be interesting, there are 7 droppers that I captured in Feb.

MD5:
CF96443E09E2DEC5CC6A692CBCCF5451
6ED1CCC1A647905A6A8BDAEA186CAD45
5E28FE70C2BC119D31F8555C46AE7D1E
0530A823FC719F495DF66DCC2652E900
235A2733ABC701F9AD0E153FE3210798
796F68D8C78E2D9D395E17750BB0D633
77BA6C4C7585620A64DE9BB0E50AE3D1
Attachments
pass:infected
 #11819  by Albus
 Sun Feb 26, 2012 1:07 pm
rkhunter wrote: Maybe some will be interesting, there are 7 droppers that I captured in Feb.
The following samples have the same config:
5E28FE70C2BC119D31F8555C46AE7D1E
6ED1CCC1A647905A6A8BDAEA186CAD45
77BA6C4C7585620A64DE9BB0E50AE3D1
235A2733ABC701F9AD0E153FE3210798
CF96443E09E2DEC5CC6A692CBCCF5451

The rest is unique. I attached the unpacked configs with their decryption keys.
Attachments
pw: infected
 #11942  by EP_X0FF
 Fri Mar 02, 2012 10:48 pm
markusg wrote: SHA256:
21b4ba046de2e8d772701a19cf77ea4b4d0edcdd3897032b01a69970fe28a61a 
File name:
56B02FD41A0.exe 
Detection ratio:
7 / 43 
https://www.virustotal.com/file/21b4ba0 ... 330713963/
v1.3.48 similar to http://www.kernelmode.info/forum/viewto ... 025#p11025
Attachments
pass: malware
 #12145  by Pandas
 Thu Mar 15, 2012 6:02 pm
Avira on SpyEye:

http://techblog.avira.com/wp-content/up ... SpyEye.pdf

SpyEye/ZeuS interactions (also contains a fairly comprehensive analysis of SpyEye):

http://www.sans.org/reading_room/whitep ... yeye_33393

Not much to see, pretty classic five-byte splice to trampoline code for forming the usermode rootkit. I guess the NtCreateFile/NtCreateSection/NtMapViewOfSection sequence to obfuscate API calls in r3 is somewhat unique.
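A defender's check for the five-byte splice described above, added here as an example (not code from this thread or from any of the samples): it decodes an x86 `JMP rel32` at a function's entry and flags the entry as hooked only when the jump target lies outside the module that exports the function. The module base, size, entry address and prologue bytes are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data (placeholders, not values from the thread):
 * a module mapped at MOD_BASE with MOD_SIZE bytes, one export at FUNC_VA. */
#define MOD_BASE 0x7C800000u
#define MOD_SIZE 0x00100000u
#define FUNC_VA  0x7C801D7Bu

/* Standard hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp */
const uint8_t CLEAN_PROLOGUE[5]     = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
/* Spliced prologue: JMP rel32 to 0x00401000, i.e. into foreign memory */
const uint8_t HOOKED_PROLOGUE[5]    = {0xE9, 0x80, 0xF2, 0xBF, 0x83};
/* JMP rel32 to 0x7C8A0000, still inside the module (a thunk, not a hook) */
const uint8_t LOCAL_JMP_PROLOGUE[5] = {0xE9, 0x80, 0xE2, 0x09, 0x00};

/* Decode a five-byte x86 "E9 rel32" at func_va; returns the absolute target,
 * or 0 when the first byte is not a JMP rel32. 32-bit addressing assumed. */
uint32_t decode_jmp_rel32(const uint8_t *code, uint32_t func_va) {
    int32_t rel;
    if (code[0] != 0xE9) return 0;
    memcpy(&rel, code + 1, sizeof rel);      /* little-endian displacement */
    return func_va + 5u + (uint32_t)rel;     /* target = next insn + rel32 */
}

/* 1 if the entry point was spliced with a JMP whose target is outside the
 * exporting module (the user-mode rootkit pattern), 0 otherwise. */
int is_inline_hooked(const uint8_t *code, uint32_t func_va,
                     uint32_t mod_base, uint32_t mod_size) {
    uint32_t target = decode_jmp_rel32(code, func_va);
    if (target == 0) return 0;               /* not a JMP rel32 at all */
    /* Jumps that stay inside the module are compiler/hot-patch thunks; a
       jump into foreign memory is the indicator worth alerting on. */
    return target < mod_base || target - mod_base >= mod_size;
}

int main(void) {
    const uint8_t *cases[3] = {CLEAN_PROLOGUE, HOOKED_PROLOGUE, LOCAL_JMP_PROLOGUE};
    const char *names[3] = {"clean", "spliced-out-of-module", "in-module jmp"};
    for (int i = 0; i < 3; i++)
        printf("%-22s -> hooked=%d target=0x%08X\n", names[i],
               is_inline_hooked(cases[i], FUNC_VA, MOD_BASE, MOD_SIZE),
               decode_jmp_rel32(cases[i], FUNC_VA));
    return 0;
}
```

In a live scan the prologue bytes would be read from each export of a loaded module and compared the same way; the in-module case shows why a bare "first byte is E9" rule produces false positives.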
 #12146  by rkhunter
 Thu Mar 15, 2012 6:08 pm
Pandas wrote: Not much to see, pretty classic five-byte splice to trampoline code for forming the usermode rootkit.
Common practice for a rootkit that is fully user mode.
 #12178  by STRELiTZIA
 Fri Mar 16, 2012 5:55 pm
Thanks for the sample.

The same password for the decrypted config: 130CBE0950491F6148A65482B9B50CC4
http://www.kernelmode.info/forum/viewto ... CC4#p11171
http://www.kernelmode.info/forum/viewto ... 0CC4#p8398

But a different gate:
hxxp://bys1nessbank1ng.info:8080/im3g9ios.php;150
Collector:
93.186.104.43:80
Attachments
 #12188  by kmd
 Sat Mar 17, 2012 8:30 am
SpyEye kit died, gribo disappeared and Citadel is the next-gen banking trojan now.