A forum for reverse engineering, OS internals and malware analysis 

Win32/Kegotip (PWS)

Forum for analysis and discussion about malware.

Win32/Kegotip (PWS)

 #26253  by sysopfb
 Wed Jul 08, 2015 7:45 pm
Downloaded by a Dyre sample

packed and unpacked in attachment
Attachments
infected
(270.42 KiB) Downloaded 100 times

Win32/Kegotip (PWS)

 #28081  by EP_X0FF
 Mon Mar 21, 2016 3:52 pm
Generic password stealer.

Some strings
Code: Select all
 software\microsoft\windows\currentversion   VendorId    rpcrt4.dll  UuidCreate  software\microsoft\windows\currentversion   VendorId    LoadLibraryExA  GetProcAddress      Mozilla 4.0 X-Real-IP:  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
  gzip        5629186B-0207-4659-AE5D-B09282932A86    Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)    http://%s   Software\Microsoft\Windows\CurrentVersion\Run   regedit32   SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List    %s:*:Enabled:Microsoft Office   5629186B-0207-4659-AE5D-B09282932A86    %s_%d   %s_%d   \..\Local\VirtualStore  \*.*    g z i p     t e x t     Transfer-Encoding: chunked  Content-Length: Content-Encoding: gzip  

HTTP/1.1        Local\{FE1088A9-634A-48c0-8320-7F9EEF7CACBE}    Mozilla/5.0 (Windows; U; Windows NT 5.1)    GET index_get.php?key=YRHDXCF&action=ADD_FTP&id=%s&ftp_host=%s&ftp_login=%s&ftp_pass=%s SUCCESS _DEFAULT_   
  %08X-%04X-%04X-%02X%02X%02X%02X%02X%02X%02X%02X     ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/    ====    *:\ *:\ *   .   ..  \   MSWQ*.tmp   MSWQ*.tmp   .rar    .zip    .cab    .avi    .mp3    .jpg    .gif    name    biz info    org net edu com %s:%s:%s:%s 1   2   3   4   5   6   7   8   9   10  11  12  13  14  \*.ini  \   \*.*    \   Config Path Software\VanDyke\SecureFX   \Sessions   DataFolder  Software\FTPRush    RushSite.xml    Software\UltraFXP   Sites.xml   Estsoft\ALFTP\ESTdb2.dat    
d Software\Microsoft\Windows\CurrentVersion\Uninstall FTP Commander   FTP Navigator   InstallLocation UninstallString %s\TurboFTP\addrbk.dat  8   %s:%s:%s:%s 8   %s:%s:%s:%s:%d  %s\SmartFTP\Client 2.0\Favorites    %s\*.xml    %s\%s   %s\*.*  .   ..  %s\%s   <Host>  <Host>  </Host> <Port>  <Port>  </Port> <User>  <User>  </User> <Password>  <Password>  </Password> 7   %s:%s:%s:%s 7   %s:%s:%s:%s:%s  host    uid pwd software\ipswitch\ws_ftp    DataDir %s\sites\ws_ftp.ini %d  connections host    username    password    anonymous   e-mail  general GHISLER FtpIniName  Install_Dir InstallDir  :// :   @   pstorec.dll crypt32.dll PStoreCreateInstance    CryptUnprotectData  FileZilla\FileZilla.xml FileZilla\RecentServers.xml FileZilla\SiteManager.xml   Server  Site    Install_Dir FileZilla.xml   Last Server Pass    Last Server User    Last Server Host    8.  \QCToolbar  QCHistory   \GlobalSCAPE    sm.*    HostName    User    Password    %s\%s   software\far\plugins\ftp\hosts  software\far2\plugins\ftp\hosts
VT
https://www.virustotal.com/en/file/4cd5 ... /analysis/

unpacked
https://www.virustotal.com/en/file/1dd0 ... /analysis/
Attachments
pass: malware
(213.67 KiB) Downloaded 59 times

Re: Win32/Kegotip (PWS)

 #28130  by patriq
 Fri Mar 25, 2016 5:55 pm
sysopfb wrote:Downloaded by a Dyre sample

packed and unpacked in attachment
Do you have the Dyre sample or hash?

Also, C&C for sample:
195.154.126.159
Code: Select all
Host is up (0.12s latency).
Not shown: 96 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
c2.png
c2.png (6.74 KiB) Viewed 446 times
 Return to “Malware”