A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3648  by markusg
 Mon Nov 22, 2010 8:19 pm
Attachments
Last edited by EP_X0FF on Thu Nov 01, 2012 3:00 am, edited 2 times in total. Reason: more descriptive name added
 #15452  by Peter Kleissner
 Fri Aug 31, 2012 4:13 pm
Let's create some awareness. Attached my sample collection, the latest one is version 761 and was compiled 10 days ago. MultiBanker (also called Patcher, BankPatch / BankPatcher) is still active (as fuck) and stealing people's money - I no like that. Older versions used to modify system DLLs but current versions all just write themselves into the Winlogon registry key. It drops itself to %AppData%\appconf32.exe (but also comes with specific BHOs) and can be removed easily. MultiBanker is a very targeted operation, hence you don't read anything on AV blogs. AVs obviously don't care for such small botnets where only a few thousand infected machines are involved while there are millions of infections on spam botnets and more noisy stuff like ZeuS/TDL4/etc. Here is an overview of the samples I've analyzed:
Version	Date compiled	Date domain registered	Command & Control server
335	01-26-2011	03-28-2011	aaaadminmont.com
358	03-01-2011	05-04-2011	okrpdminmont.com
381	03-29-2011	06-02-2011	ekmxefnomosk.com
663	04-15-2012	04-16-2012	uuqzggelds.com
688	05-21-2012	05-21-2012	kcknierihon.com
688	05-21-2012	05-20-2012	eifxednog.com
688	05-21-2012	05-20-2012	zhikedsafe.com
689	05-22-2012	05-22-2012	cccaedsafe.com
714	06-28-2012	06-28-2012	syskesroater.com
743	08-01-2012	07-31-2012	ucwbierihon.com
745	08-04-2012	08-04-2012	cwebierihon.com
761	08-21-2012	08-20-2012	kyyrierihon.com
Attachments
Pw: infected
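As an added example (not code from the post or from anyone in the thread), here is a small offline check for the two persistence artifacts the post describes: the dropper at %AppData%\appconf32.exe and a Winlogon registry value that launches it. It works on data you pass in (a dict of Winlogon value names to data, and a list of file paths), so the sample inputs below are constructed; feeding it the live registry via winreg is left to the caller. The post only says the malware writes itself into "the winlogon registry key" without naming the value, so treating any Winlogon value that references the dropper name or a user's AppData path as suspicious is an assumption of this example.

```python
"""Host check for MultiBanker-style Winlogon persistence (added example).

Inputs are plain Python objects so the logic can be exercised offline;
the constructed samples at the bottom stand in for real registry/file data.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Key named in the post; which value under it is modified is NOT stated there.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Drop location named in the post (%AppData%\appconf32.exe).
DROPPER_NAME = "appconf32.exe"
# Matches a path inside a user's roaming AppData folder (XP and Vista+ layouts,
# plus the unexpanded %AppData% form). Legit Winlogon values point at
# %SystemRoot%, never at a user profile, so this is a reasonable heuristic.
APPDATA_RE = re.compile(r"(\\AppData\\Roaming\\|\\Application Data\\|%AppData%\\)", re.I)


@dataclass
class Finding:
    kind: str       # "file" or "registry"
    location: str   # path or "<key>\<value name>"
    detail: str


def check_files(paths: list[str]) -> list[Finding]:
    """Flag any file whose basename equals the known dropper name."""
    findings = []
    for p in paths:
        if ntpath.basename(p).lower() == DROPPER_NAME:
            findings.append(Finding("file", p, "filename matches known dropper"))
    return findings


def check_winlogon(values: dict[str, str]) -> list[Finding]:
    """Flag Winlogon values that reference the dropper or a user AppData path.

    `values` maps value name (e.g. "Shell", "Userinit") to its string data.
    Which value MultiBanker actually modifies is an assumption here; checking
    every value avoids guessing.
    """
    findings = []
    for name, data in values.items():
        loc = f"{WINLOGON_KEY}\\{name}"
        if DROPPER_NAME in data.lower():
            findings.append(Finding("registry", loc, "value references known dropper"))
        elif APPDATA_RE.search(data):
            findings.append(Finding("registry", loc, "value points into a user AppData directory"))
    return findings


def run_checks(values: dict[str, str], paths: list[str]) -> list[Finding]:
    """Combine both checks; an empty list means nothing suspicious was found."""
    return check_winlogon(values) + check_files(paths)


# Constructed sample data (not real registry exports).
CLEAN_WINLOGON = {"Shell": "explorer.exe",
                  "Userinit": r"C:\Windows\system32\userinit.exe,"}
INFECTED_WINLOGON = {"Shell": "explorer.exe",
                     "Userinit": r"C:\Windows\system32\userinit.exe,"
                                 r"C:\Users\bob\AppData\Roaming\appconf32.exe"}
SAMPLE_FILES = [r"C:\Windows\explorer.exe",
                r"C:\Users\bob\AppData\Roaming\appconf32.exe"]

if __name__ == "__main__":
    for label, vals in (("clean", CLEAN_WINLOGON), ("infected", INFECTED_WINLOGON)):
        print(f"[{label}]")
        for f in run_checks(vals, SAMPLE_FILES if label == "infected" else []):
            print(f"  {f.kind:8} {f.location}: {f.detail}")
```

Because the Winlogon value name is unknown, the check deliberately scans every value under the key rather than only Shell or Userinit; the AppData heuristic will also surface other droppers that hijack Winlogon from a user profile, which is the generalization the lead-in mentions.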