A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4298  by EP_X0FF
 Thu Jan 06, 2011 11:30 am
This is Backdoor Fynloski.

Keeps connection with 89.242.128.36:1337

Here is decrypted.

https://www.virustotal.com/file-scan/re ... 1294312860
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!
Written on Delphi. Below is a detailed list of units used.
server
EditServer
UntMain
uFZ
ShlObj
UrlMon
ActiveX
Windows
Types
SysInit
System
Messages
WinInet
RegStr
ShellAPI
CommCtrl
UntServices
Registry
RTLConsts
IniFiles
Classes
SysConst
TypInfo
SysUtils
ImageHlp
Variants
VarUtils
WinSvc
UntShell
UntSendStream
MD5Api
MD5Core
UntControlKey
UntRC4
UntGFXResize
Graphics
Consts
UntWebCam
jpeg
JConsts
MMSystem
untFunctions
PsAPI
TlHelp32
UntProcess
UntResizePic
GDIPUTIL
GDIPOBJ
GDIPAPI
Math
DirectDraw
UntCore
UntFWB
untMainFunctions
untBypass
PELoad
ComObj
ComConst
UntSinInfo
Nb30
CryptApi
WinSock
UntIE7
Pstoreclib
PSTORECLib_TLB
UntKeylogger
UntFTP
Clipbrd
Forms
UxTheme
SyncObjs
DwmApi
Themes
Controls
ActnList
Menus
ImgList
Contnrs
Imm
MultiMon
StdActns
StrUtils
Dialogs
HelpIntfs
WideStrUtils
Dlgs
ExtCtrls
GraphUtil
StdCtrls
Printers
WinSpool
CommDlg
FlatSB
UntUDPFlood
UntSynFlood
UntScanPorts
UntSound
ACMConvertor
MSAcm
ACMIn
ListUnit
UntActivePorts
USock
UntRPCScan
UntInfections
untstartup
UntFireFox
SHFolder
UntFun
UntPasswordAndData
UntMClipboard
UntDesktopCapture
UntBot
UntMSN
MessengerAPI_TLB
StdVCL
OleServer
OleConst
UntMsConfig
UntWindowManager
UntRegEdit
UntNetShareLister
UntHTTPFlood
UntCPU
UntMiscFunc
UntIP
Sockets
uMir
uTrill
RASReader
UntRootKit
UntServerReader
uRes
UntAntiSB
Attachments
pass: malware
(284.16 KiB) Downloaded 120 times
 #5383  by EP_X0FF
 Wed Mar 09, 2011 1:19 pm
markusg wrote:LESSOL~1.EXE
http://www.virustotal.com/file-scan/rep ... 1299667963
Password protected SFX archive with Backdoor:Win32/Fynloski.A inside.

http://www.virustotal.com/file-scan/rep ... 1299676442

Posts moved.
Attachments
pass: malware
(296.08 KiB) Downloaded 101 times
 #5812  by Xylitol
 Mon Apr 04, 2011 4:54 pm
markusg wrote:http://www.virustotal.com/file-scan/rep ... 1301928073
Keylogger/stealer/trojan
Real 'crack' dropped in \%temp%\ and the malicious exe binded is sent into \%systemroot%\system32 with the name 'explorer.exe' and system/hidden attributs
Code: Select all
attrib -s -h C:\WINDOWS\system32\explorer.exe
Keylogged datas are stored in \%Temp%\ file named 'dclogs.sys'
Code: Select all
------------------------------------------
@ Caption : [Process Explorer]
@ at 18:46:19 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:46:22 the 04/04/2011

------------------------------------------

------------------------------------------
@ Clipboard Change : size = 0 Bytes
@ at 18:46:22 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [Poste de travail]
@ at 18:46:26 the 04/04/2011


------------------------------------------

------------------------------------------
@ Caption : [C:\WINDOWS\system32]
@ at 18:46:59 the 04/04/2011
.txt
------------------------------------------

------------------------------------------
@ Clipboard Change : size = 20 Bytes
@ at 18:46:59 the 04/04/2011
C:\WINDOWS\system32\
------------------------------------------

------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:48:08 the 04/04/2011

------------------------------------------

------------------------------------------
@ Caption : [Exécuter]
@ at 18:48:53 the 04/04/2011
%temp%

------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:49:07 the 04/04/2011
testtestesttesttesttesttest
------------------------------------------

------------------------------------------
@ Caption : [Exécuter]
@ at 18:49:10 the 04/04/2011
lol[<-][<-][<-]

------------------------------------------

------------------------------------------
@ Caption : [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp]
@ at 18:49:26 the 04/04/2011
*
------------------------------------------

------------------------------------------
@ Caption : [Program Manager]
@ at 18:50:17 the 04/04/2011
.y[<-]txt
------------------------------------------

------------------------------------------
@ Caption : [Process Explorer - Sysinternals: www.sysinternals.com [XYLITOL-28E1A19\Administrateur]]
@ at 18:54:31 the 04/04/2011

------------------------------------------
Memory strings: http://pastebin.com/t3DccT3a
ThreatExpert: http://www.threatexpert.com/report.aspx ... 4b9325a28c