A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17905  by Xylitol
 Sun Jan 27, 2013 7:09 pm
I don't think we will break it; for sure the pw used isn't in a dir brute list
for /if_Career/:
-l admin -P pwd.lst -s 80 -w 64 -f -V 62.76.177.123 http-post-form "/if_Career/admin.php:pass=^PASS^:Log in"
but I'm sure this is a waste of time
 #17906  by unixfreaxjp
 Sun Jan 27, 2013 7:19 pm
Xylitol wrote: I don't think we will break it; for sure the pw used isn't in a dir brute list
Roger. Thank you very much.
 #17918  by unixfreaxjp
 Tue Jan 29, 2013 7:51 am
Xylitol wrote: I don't think we will break it; for sure the pw used isn't in a dir brute list
Fortunately, I broke, whacked, and flushed all of this evil moronz service. All of it is evidence and it's sent to the FBI now.
These moronz' lifetime is going to come... If they think their evil service can fool us forever, they'd better start to pray...

Friends, please look well at the data pasted below, learn it, and spread it to your colleagues so people can be MORE aware of this threat in real life, and the court can be faster to issue the arrest warrant for my captured ID sooner.
I always thank Xylit0l, who invited me here & guided me from day zero.

PoC:

login panel: [screenshot]
this is for xylit0l w/thx! :-) [screenshot]
the first layer of the DB: [screenshot]
second layer of the DB: [screenshot]
(all of the private IDs ARE NOT EXPOSED; the IDs exposed above are malware-related IDs for evidence)
Whacked, PoC↓ [screenshot]
This time I am sorry I cannot share the database; I have even erased it already from my PC.

God loves the braves! Slain Malware! Made them go to Jail! #MalwareMustDie!
 #17933  by unixfreaxjp
 Wed Jan 30, 2013 9:36 pm
Xylitol wrote: yup webinject panel, btw 62.76 is a nginx proxy
Xylit0l! Congrats friend. It's down DOWNNNNNNNN!! :D
No more Spam to Redirector Injector to BHEK to Cridex / Fareit no more!!!
yesss!! I'll drink for this, hahaha!
I am sorry, I'm so happy! Forgive my language! )))
 #18258  by d.l.
 Tue Feb 19, 2013 7:12 am
http://37.139.47.124/if_Career/admin.php
http://37.139.47.124/mx/4A/in/cp.php

Other encoded IPs:
http://188.117.44.241:8080
http://88.119.156.20:8080
http://217.65.100.41:8080
http://46.175.224.21:8080
http://203.114.112.156:8080

sample: 5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e
 #18749  by EP_X0FF
 Fri Mar 29, 2013 2:22 am
Cridex, payload of BH EK + deobfuscated dropper in attach.

SHA256: 875b0dd79d8bf426963a6de4b7ff83aea602a576e32d92b739d48e81bd5c6c41
SHA1: 0662abda182c3ac34adbefdd91d098994e917d79
MD5: f5955fbaeb424a7021e2f6fb5ece05b9

https://www.virustotal.com/en/file/875b ... /analysis/
Attachments (103.63 KiB)
pass: malware