[EP_X0FF]

Cross platform trojan downloader.

Payload

hxxp://dgfvv.mydad.info/778/bod86.dat
hxxp://dgfvv.mydad.info/778/kres64.dat

both unavailable, if you have them - please attach.

Dropper

SHA256: cd9d72325d1a7cf55835f2e12f3dcba8c7d141e8b308ceb39c9e5f601522d06f
SHA1: 50b48d17912a40758031182c6e0a47ea293047e8
MD5: 04936bc5e3024826616afdf00a18ee51

https://www.virustotal.com/en/file/cd9d ... /analysis/

Extracted x86-32 stub

SHA256: 633ad444ce553c443cdf1eab5628e4d097a03e754f83062e5349cb3af83d5e42
SHA1: aebec6ebb9fe95198527b173a4a40a7fe304a684
MD5: 67e8ce50883e0416c1e879471065ab2c

https://www.virustotal.com/en/file/633a ... 366600343/

Extracted x64 stub

SHA256: 76a0842cf7547f0863863cbfafb6b9f3b338e22c5921708edaef09e9ac1d4269
SHA1: a8399951345d135e7d2ce102b40eec7d82e95e83
MD5: 686e90202180df9062897e609b74ff67

https://www.virustotal.com/en/file/76a0 ... 366600343/

[EP_X0FF]

Payload located. Seems they use Dynamic DNS and modules name partial randomization (leaving platform id untouched).

C&C IP 46.166.177.114

kres64.dat is a sort of shellcode.

SHA256: 3e631003106e7273d52d393bedaba6d100e9663b11a75ef7fcbd9a2c40f82dcd
SHA1: 9b3a47062c743d74e0ab63642d309e92c5c6eeb3
MD5: 0a78932485a9136ae9dbf4f98d6bfa3b

https://www.virustotal.com/en/file/3e63 ... 366601278/

Browser injects, banking, info stealing, av blacklist.

bik86.dat is x86-32 version of it.

SHA256: 473beb88a5b812ff7e5099aa74e4e3fc2a02ea47627c9d13a662badcab77b663
SHA1: 4b9ef8ed13285ec7b334916106ce8c174c127138
MD5: c217232df3ad8fafba6adb27415c5e89

https://www.virustotal.com/en/file/473b ... 366601854/

hxxp://noikiv.mydad.info/778/ is open directory, facepalm.

[Xylitol]

• dns: 1 ›› ip: 46.166.177.114 - adresse: NOIKIV.MYDAD.INFO
Additional hxxp://46.166.177.114/220/ Last modified: 21-Apr-2013, fresh.

bokv4.dat > https://www.virustotal.com/fr/file/b876 ... 366623570/
nor86.dat > https://www.virustotal.com/fr/file/9dc7 ... 366623572/

[R136a1]

Another x64 stub

SHA256: d9539a4b2400f56311c3fcc80d161d41b68ffe8edc11948864c923e92a78d246
SHA1: d911d4da8c8ba3a72ba381f814984b00c034959c
MD5: 8e13aadce747afb6c53810cea8ecaee9

https://www.virustotal.com/en/file/d953 ... /analysis/

[EP_X0FF]

SHA1, 25 samples

Code: Select all

0045b26f91e65258a5b7ddab5e3180c29dc222d3
066ed88b9c36a28c7693ba23eaf05381cab650f4
09b12fffc75b96828ec15eea057df45f47d706f7
1b99888caefaca395362771b531cc9acd896435e
210065d351faa1f46ba59c405dc3a8700a851042
55d5d20a5a028ac8e93db6cd8b47732b99eae318
5a3e9ac40093ee03397dc7931acc73bcf5eac28d
69ce8d7c1c33d7caaf7097929b66e8e089c6bfa8
6c22da8bcbe63174fb15582c54520f42dbac911f
6c46c37173a16f8a763120ea4c02f6407127b2ee
976683192f013e1b06c780345b960ae70fec0c48
9bdbe454d10f59b0034df3eeed5dc4452559d9c9
9e2e25f64a21c00b8298bb6c0e77fccad8def518
a93231c9f4c6e2f64bc523c0a752fd7a51ea03b2
b715f514840fa0d11ccb8a92b3756c51cb4397e2
b9c7d906ca9abaa6fe5e174dfe18e6262011fd85
bb6b0f51aa8f641116c85fc8b60a7cf82c270efa
bec2e892048caf4ec027c781ccb92afbc5605afd
c500523edb83767a0f4f37756c09cdd6937bae6e
d8c246f199fc58960de3aed2f703e75354edcd39
e982e7c60de315fb0268f05722c4f072e85475ad
ec7dde6eb4449e6255794716fc9340fe880d250b
f516bb5cf230d14c128aa772be090099a6375e13
fabae7de8e608d66190e89559416adfa2f2cad3a
feb1dfb28ac1a1ef99908b29e2ac1e295aeae5f7

[bao]

https://www.virustotal.com/ru/file/b0fe ... 372506454/
https://www.virustotal.com/ru/file/b65b ... 372506456/
http://anubis.iseclab.org/?action=resul ... ormat=html
http://anubis.iseclab.org/?action=resul ... ormat=html

[bao]

pass: infected

[rkhunter]

http://www.cnews.ru/news/2013/06/11/tro ... kte_531796
http://translate.google.ru/translate?hl ... 796#submit

[rkhunter]

http://www.symantec.com/connect/blogs/s ... r-scammers

[ikolor]

hello I'm back ..


https://www.virustotal.com/en/file/a42c ... 476902171/