[Pave]

Hi guys!
I am kind of new in the field of reverse engineering, so sorry if it is a silly question.

I am currently analyzing a trojan for a school thesis that has similarities with the trojans Fareit and Tepfer.
I already know that the main purpose of the malware is to steal user credentials and to send them then to a c & c server via HTTP.

But there are two functionalities that I stillt don't understand:
- How is the malware encrypting the sent payload?
- Why is the malware creating a new CMD process? Does the malware maybe also function as an reverse shell?

Virustotal link: https://www.virustotal.com/de/file/8dc6 ... /analysis/
The malware sample is attached

[Xylitol]

related to this sample i've seen it the 14 Dec 2016 23:15:30 according to my system.
this one is also know as 'pony 3 gates' usually delivered by hancitor, here is a screenshot of one of their pony panel https://twitter.com/CyberCrimeWHQ/statu ... 0349409280
related to your questions i don't remember how pony encryption work etc but there is literally tons of white papers about pony and you can even find the code, so it shouldn't be hard to find your answers.
and nope, Fareit/Tepfer don't do a reverse shell.

[Antelox]

The encryption used is RC4. For the sample you linked the key is: 1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes

And yes, this has been spread by Hancitor (AKA Chanitor) by the following URLs:

hxxp://angatutiradentes.com/wp-includes/pm2.dll
hxxp://bargainshop.councilofcoders.com/wp-includes/pm2.dll
hxxp://guusmeuwissen.nl/wp-admin/includes/pm2.dll
hxxp://www.butterfly.idv.tw/wp-content/themes/dust-317/pm2.dll
hxxp://www.machankin.ru/wp-includes/pomo/pm2.dll
hxxp://www.marcinkwasny.com/wp-admin/includes/pm2.dll

The campaign/build number for this is: 1412b

BR,

Antelox