Win32/Spatet

Re: trojan

#4486 by EP_X0FF
Sun Jan 16, 2011 1:25 pm

It drops something winrar.exe which renames itself to logon.exe and runs through HKCU\....\Run registry key. Extracted from VBC.exe payload dll attached.

Attachments

extracted_from_vbc.rar

pass: malware
(248.74 KiB) Downloaded 38 times

winrar.rar

pass: malware
(414.23 KiB) Downloaded 38 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

#4543 by markusg
Tue Jan 18, 2011 8:04 pm

WinInstall.exe
http://www.virustotal.com/file-scan/rep ... 1295375352

Attachments

WinInstall.rar

(481.21 KiB) Downloaded 41 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Win32/Spatet

#4563 by EP_X0FF
Wed Jan 19, 2011 10:21 am

markusg wrote:WinInstall.exe
http://www.virustotal.com/file-scan/rep ... 1295375352

That's Spatet. Same winlogon.exe execution with payload PWS dll written on Delphi. Additionally works like Autorunner worm.

Posts moved.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Malware/MSIL-BA

#4640 by markusg
Sat Jan 22, 2011 5:07 pm

Photoshop.exe
http://www.virustotal.com/file-scan/rep ... 1295705389

Attachments

Photoshop.rar

(254.66 KiB) Downloaded 38 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Malware/MSIL-BA

#4642 by EP_X0FF
Sat Jan 22, 2011 5:21 pm

markusg wrote:Photoshop.exe
http://www.virustotal.com/file-scan/rep ... 1295705389

Thanks,

this is PWS.Spatet, payload dll runs through vbc.exe (Visual Basic Command Line Compiler)

posts moved

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Malware/MSIL-BA

#4764 by markusg
Thu Jan 27, 2011 3:33 pm

Norton360Keygen.exe
http://www.virustotal.com/file-scan/rep ... 1296141829

Attachments

Norton360Keygen.rar

(290.56 KiB) Downloaded 41 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Malware/MSIL-BA

#4766 by EP_X0FF
Thu Jan 27, 2011 4:26 pm

markusg wrote:Norton360Keygen.exe
http://www.virustotal.com/file-scan/rep ... 1296141829

Dot net container with UPX packed PWS Spatet inside.

unpacked VT results
http://www.virustotal.com/file-scan/rep ... 1296145687

Posts moved.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Malware/MSIL-BA

#4767 by markusg
Thu Jan 27, 2011 4:46 pm

keygen.exe
http://www.virustotal.com/file-scan/rep ... 1296146333

Attachments

keygen.rar

(566.05 KiB) Downloaded 37 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Malware/MSIL-BA

#4771 by markusg
Thu Jan 27, 2011 7:43 pm

Dead Space 2 Keygen.exe
http://www.virustotal.com/file-scan/rep ... 1296155901

Attachments

Dead Space 2 Keygen.rar

(638.67 KiB) Downloaded 42 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Malware/MSIL-BA

#4776 by EP_X0FF
Fri Jan 28, 2011 5:45 am

markusg wrote:Dead Space 2 Keygen.exe
http://www.virustotal.com/file-scan/rep ... 1296155901

Drops s#chost.exe, but due to incorrect decryption dropper crashes and dropped payload file is not a valid executable image.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact