A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6946  by EP_X0FF
 Sun Jun 26, 2011 3:09 am
SpyEye v1.3

Pass for decrypted config: 267DF570EEC20209E3CAACFD79B6B0F9

Gates:
hxxp://koburana.ru/m9-main/gate.php;90
hxxp://russiantraff.ru/m9-main/gate.php;90
http://www.virustotal.com/file-scan/report.html?id=b83d7489f573678478a936b9d8a827275fc0887e3be4e2f13f4b9e08630bc766-1309055060

Comes with WebFakes plugin.

Dropper and config attached as 025d07f4610605031e501e6745d663aa_Malware.rar

http://www.virustotal.com/file-scan/rep ... 1309055060


SpyEye v1.3 (recrypt of http://www.virustotal.com/file-scan/rep ... 1309008935)

Pass for decrypted config: AB39D0B8B0C6CFAD363E328D66C8ACB3

Gates:
hxxp://koburana.ru/m9-main/gate.php;90
hxxp://hhasdalkjjfasd.ru/m9-main/gate.php;90
hxxp://hdkajhslalskjd.ru/m9-main/gate.php;90
hxxp://iieiwuorwfssf.ru/m9-main/gate.php;90
hxxp://oasffjapsifenjk.ru/m9-main/gate.php;90
hxxp://igsfsdufiwpper.ru/m9-main/gate.php;90
hxxp://xjbchslkjdfpa.ru/m9-main/gate.php;90
hxxp://ieiapppppsfhpa.ru/m9-main/gate.php;90
hxxp://bdfsfowerpasf.ru/m9-main/gate.php;90
hxxp://osdhfsndmllllahdi.ru/m9-main/gate.php;90
Dropper and config attached as df04c2cd2b5f7e471cb0435fdb9b3014_Malware.rar

http://www.virustotal.com/file-scan/rep ... 1309058399
Attachments
pass: malware
(115.27 KiB) Downloaded 53 times
pass: malware
(114.11 KiB) Downloaded 51 times
 #6951  by EP_X0FF
 Sun Jun 26, 2011 11:26 am
SpyEye v1.3

Pass for decrypted config: 82D08B4D0BFA7404843CCA2C3EEE32B0

Gates:
hxxp://allin2right4you.com/web_u/gate.php;30
hxxp://fireterrynetsell.net/web-u/gate.php;30
hxxp://firrero00foru.com/web_u/gate.php;30
hxxp://zihermantopse.net/web_u/gate.php;30
hxxp://pleresttonin4u.com/web-u/gate.php;30
hxxp://gl2telgrepping.net/web-u/gate.php;30
hxxp://triomatrixfaq1.com/web_u/gate.php;30
Dropper and config in attach.

http://www.virustotal.com/file-scan/rep ... 1309084042
Attachments
pass: malware
(180.51 KiB) Downloaded 61 times
 #6976  by EP_X0FF
 Wed Jun 29, 2011 9:57 am
SpyEye v1.3

Pass for decrypted config: 1AF762F88CB02F1774FF636D0B0412CF

Gates (there also few fakes like google.com, microsoft.com, yahoo.com):
hxxp://ziabslikino47.in/pictures/may/gate.php;90
hxxp://halkozukin33.in/pictures/may/gate.php;90
hxxp://burunral233.in/pics/iqy/news.php;90
hxxp://mqferrirum5.in/hooks/cache/mail.php;90
hxxp://hunweibean83.in/hooks/cache/mail.php;90
Dropper, unpacked dropper and config in attach.

http://www.virustotal.com/file-scan/rep ... 1309338079
Attachments
pass: malware
(252.51 KiB) Downloaded 58 times
 #6987  by EP_X0FF
 Thu Jun 30, 2011 2:58 am
SpyEye v1.2.x

Pass for decrypted config: 8609217780153E481BD40CCA73FCAC5A

Gate
hxxp://theimageshare.com/kurac/gate.php
Dropper, decrypted dropper and config in attach.

dropper 7 /42 (16.7%)
http://www.virustotal.com/file-scan/rep ... 1309402494

decrypted 32 /42 (76.2%)
http://www.virustotal.com/file-scan/rep ... 1309402270

Source hxxp://89.207.135.198/pas.exe
Attachments
pass: malware
(324.7 KiB) Downloaded 50 times
 #6997  by EP_X0FF
 Thu Jun 30, 2011 4:20 pm
markusg wrote:http://www.virustotal.com/file-scan/rep ... 1309445334
Fake gate entry used in attempt to discredit trackers.

Decrypted config pass: F318E70D252C8067D286E75113D95679

Fully unpacked dropper and config in attach.
Attachments
pass: malware
(151.24 KiB) Downloaded 54 times
 #7011  by EP_X0FF
 Fri Jul 01, 2011 4:59 pm
markusg wrote:491B57F0621.exe
http://www.virustotal.com/file-scan/rep ... 1309536025
SpyEye v1.3.4.x

Pass for decrypted config: CCBE31E415444CB5128C53A7CC894674

Gate:
hxxp://92.241.164.226/cp/gate.php;90
In attach unpacked dropper and decrypted config.

Plugins:

webfakes (C:\Data\Documents\My Projects\CC\CardNet\Progs\Client\SpyEye\plugins\webfakes\Release\webfakes.pdb)
firefox cert grabber
rdp (downloads portable TC http://92.241.164.226/ptcmd.exe)
socks5
jabber notifier (C:\Data\Documents\My Projects\CC\CardNet\Progs\Client\SpyEye\plugins\jabbernotifier\Release\jabbernotifier.pdb)
custom connector
Attachments
pass: malware
(575.41 KiB) Downloaded 61 times
 #7015  by EP_X0FF
 Sat Jul 02, 2011 1:54 am
Pass for decrypted config: 92E06E57C74BE0C0079606B99D9B5291

Gates:
hxxps://hireiar.ru/web/trope.php;3600
hxxps://interwirez.ru/ale/one.php;3600
hxxps://sepostin.ru/update/womt.php;3600
hxxps://100wiles.ru/ars/being.php;3600
hxxps://krifis.ru/da/net.php;3600
hxxps://poleposx.ru/nit/big.php;3600
hxxps://jivat.ru/lo/bus.php;3600
hxxps://kresheb.ru/images/fill.php;3600
Dropper, unpacked dropper, decrypted config in attach.

dropper 3 /42 (7.1%)
http://www.virustotal.com/file-scan/rep ... 1309566790

decrypted 22/ 42 (52.4%)
http://www.virustotal.com/file-scan/rep ... 1309570637
Attachments
pass: malware
(281.62 KiB) Downloaded 59 times
 #7029  by EP_X0FF
 Sat Jul 02, 2011 10:31 am
SpyEye v1.3

Pass for decrypted config: 9E0E0743B96B02B13D49924E914ECA36

Gates:
hxxp://210.211.108.213/~ishigo/sp/main/gate.php;30
hxxp://210.211.108.215/~ishigo/sp/main/gate.php;30
Plugins:

Firefox cert grabber
Jabber Notifier (zeus alike feature)
RDP (portable TC, http://210.211.108.213/~ishigo/ptcmd.exe)
Custom Connector
Web Fakes
spySpread (target hxxp://www.myp2pnet.net/forum.php?tp=b99b0b89734e000d)
Socks5

Dropper 7 /42 (16.7%)
http://www.virustotal.com/file-scan/rep ... 1309599284

Unpacked 24/ 42 (57.1%)
http://www.virustotal.com/file-scan/rep ... 1309601940
Attachments
pass: malware
(1.27 MiB) Downloaded 72 times
  • 1
  • 17
  • 18
  • 19
  • 20
  • 21
  • 42