A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15096  by 360Tencent
 Fri Aug 10, 2012 1:52 pm
Hi, looking for this

http://www.trusteer.com/blog/tilon-son-of-silon
The net result is very low AV detection of the Tilon dropper (4 out of 41 AV engines, results obtained on August 8th for sample MD5 92613662ac735c91e7e25b16237c3ac5)
http://www.malware.com.br/cgi/search.pl ... VmLmJtbw==

https://www.virustotal.com/file/04a0479 ... /analysis/

and a dead link :?:

http://sdohnigad.com/fas.exe

...
 #15097  by rkhunter
 Fri Aug 10, 2012 2:00 pm
360Tencent wrote: Hi, looking for this

http://www.trusteer.com/blog/tilon-son-of-silon
SHA256: 04a04790e08da925ae0bd93a051139477cfb4e87b778b3170a614652c026cc95
SHA1: 2e31e94ac29f8d002149fa4d1af9b0901d01e42d
MD5: 92613662ac735c91e7e25b16237c3ac5
Attachments
pass:infected
(322.31 KiB) Downloaded 137 times
 #20782  by EP_X0FF
 Thu Sep 12, 2013 5:11 am
This dropper has the same MD5 as in the Trusteer article. In the attachment are all the FakeAVs extracted. I have no idea where Tilon is here, but maybe I missed something.
Attachments
pass: infected
(464.2 KiB) Downloaded 69 times
 #20791  by R136a1
 Thu Sep 12, 2013 1:18 pm
Hi there,

today I release my samples of Tilon, one of the most complex banking trojans out there. What many do not know is that Tilon is cross-platform malware, although the x64 versions look like test versions.

Some info about Tilon:

Silon/Tilon (Trusteer)
http://www.trusteer.com/news/press-rele ... line-banks
http://www.trusteer.com/blog/tilon-son-of-silon

Magic (Seculert)
http://www.seculert.com/blog/2013/04/ma ... hreat.html
http://www.seculert.com/blog/2013/04/ma ... -iocs.html

Asetus (Sophos)
http://www.sophos.com/en-us/threat-cent ... lysis.aspx

Yebot (ESET)
http://www.virusradar.com/en/Win32_Yebot/detail

News about a Tilon suspect: http://news.softpedia.com/news/Man-Alle ... 8770.shtml

Despite the news, Seculert's statement is that Magic aka Tilon is still alive (see dates). Maybe the source was sold after this arrest, but that's just speculation. :-)

Also take a look at ESET Virusradar for x86 version: http://www.virusradar.com/en/Win32_Yebot/chart/history

Sample info (download: see attachment)

Timestamp 2012-12-07: https://www.virustotal.com/en/file/5e07 ... /analysis/ 2.0.3 (internal version)
Timestamp 2012-10-24: https://www.virustotal.com/en/file/e78e ... /analysis/ 2.0.3 (internal version) x64 dump
Timestamp 2012-08-11: https://www.virustotal.com/en/file/ef37 ... /analysis/ 2.0.3 (internal version)
Timestamp 2012-07-22: https://www.virustotal.com/en/file/610a ... /analysis/ 2.0.3 (internal version)
Timestamp 2012-07-22: https://www.virustotal.com/en/file/5d98 ... /analysis/ 2.0.3 (internal version) x64
Timestamp 2012-01-10: https://www.virustotal.com/en/file/7a70 ... /analysis/ 2.0.1 (internal version)

Leaked internal source code structure (from strings inside the x64 dump - e78e75c70911781cafeea5c439995aa18fedd16114e8ed17e31a7d4598bf3d8e):
..\..\Common\Dll\Source\ArchiveWorker\ArchiveWorker.cpp
..\..\Common\Dll\Source\Config\Config.cpp
..\..\Common\Dll\Source\Etc\DnsQuery.cpp
..\..\Common\Dll\Source\Etc\etc.cpp
..\..\Common\Dll\Source\Etc\GetBotGUID.cpp
..\..\Common\Dll\Source\Etc\http.cpp
..\..\Common\Dll\Source\Etc\MapFile.cpp
..\..\Common\Dll\Source\Etc\Screenshot.cpp
..\..\Common\Dll\Source\Hooks\Hook.cpp
..\..\Common\Dll\Source\Inet\DownloadFile.cpp
..\..\Common\Dll\Source\Inet\GetPage3.cpp
..\..\Common\Dll\Source\Inet\NetUtils.cpp
..\..\Common\Dll\Source\MemoryLoadLibrary.cpp
..\..\Common\Dll\Source\Modules\AntiRapport.cpp
..\..\Common\Dll\Source\Modules\Autorun\Autorun.cpp
..\..\Common\Dll\Source\Modules\AvExclusionList.cpp
..\..\Common\Dll\Source\Modules\BotInfo\BotInfo.cpp
..\..\Common\Dll\Source\Modules\Browsers\Common.cpp
..\..\Common\Dll\Source\Modules\Browsers\Firefox\FirefoxCookies.cpp
..\..\Common\Dll\Source\Modules\Browsers\IE\Hook_IE.cpp
..\..\Common\Dll\Source\Modules\Browsers\IE\IE.cpp
..\..\Common\Dll\Source\Modules\Certgrabber.cpp
..\..\Common\Dll\Source\Modules\Daemon\Daemon.cpp
..\..\Common\Dll\Source\Modules\Ftp\Ftp.cpp
..\..\Common\Dll\Source\Modules\FtpEmailHttp_Grabber.cpp
..\..\Common\Dll\Source\Modules\Ftp\FtpServer.cpp
..\..\Common\Dll\Source\Modules\Keylogger.cpp
..\..\Common\Dll\Source\Modules\Log\Veh.cpp
..\..\Common\Dll\Source\Modules\ModuleControl.cpp
..\..\Common\Dll\Source\Modules\Rdp\DisableCsrssMessageBox.cpp
..\..\Common\Dll\Source\Modules\Rdp\GuiTool.cpp
..\..\Common\Dll\Source\Modules\Rdp\Rdp.cpp
..\..\Common\Dll\Source\Modules\ScreenModule.cpp
..\..\Common\Dll\Source\Modules\Tasks\Internal\Internal.cpp
..\..\Common\Dll\Source\Modules\ProactiveEngine.cpp
..\..\Common\Dll\Source\Modules\UnSpyEyeModule.cpp
..\..\Common\Dll\Source\Modules\UpdateModule.cpp
..\..\Common\Dll\Source\Modules\Socks\ProxyServer.cpp
..\..\Common\Dll\Source\Modules\Socks\Socks.cpp
..\..\Common\Dll\Source\Modules\Socks\SockServer.cpp
..\..\Common\Dll\Source\Modules\Tasks\ProcessTasks.cpp
..\..\Common\Dll\Source\Modules\Tasks\Tasks.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Buffer.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Webinjects_IE.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Injector.cpp
..\..\Common\Dll\Source\Modules\Webinjects\InjectRule.cpp
..\..\Common\Dll\Source\Modules\Webinjects\RequestContext.cpp
..\..\Common\Dll\Source\Modules\Webinjects\Webinjects.cpp
..\..\Common\Dll\Source\PeMemoryFuncs.cpp
..\..\Common\Dll\Source\PipeServer.cpp
..\..\Common\Dll\Source\PluginSystem.cpp
..\..\Common\Dll\Source\Processes\GetCurrentRunningExecutables.cpp
..\..\Common\Dll\Source\Processes\HookNewProcesses.cpp
..\..\Common\Dll\Source\Processes\ProcessFunctions.cpp
..\..\Common\Dll\Source\Processes\ProcessInject.cpp
..\..\Common\Dll\Source\Processes\UacBypass.cpp
..\..\Common\Dll\Source\RegistryStorage.cpp

Also attached is a list of process name hashes, because Tilon uses hashes instead of plain text strings for process detection.


Regards
Attachments
PW: infected
(731.56 KiB) Downloaded 89 times
PW: infected
(433.12 KiB) Downloaded 77 times
(43.65 KiB) Downloaded 55 times
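The post above mentions that Tilon matches process names by hash rather than by plain string, and attaches a list of such hashes. The usual analyst's move with a list like that is to hash a candidate wordlist of process names and look for collisions with the list, which recovers the names the malware is looking for. The following is an added example of that resolution step and is not part of the thread, of Tilon, or of the attached list. The page does not state which hash function Tilon uses, so `zlib.crc32` over the lower-cased name is an assumed stand-in; the candidate names and the sample hash list are constructed here for illustration.

```python
"""Resolve a list of process-name hashes back to names by hashing a candidate
wordlist. Added example for this thread; it is not Tilon's code and the hash
function is an assumed stand-in, not the algorithm the sample actually uses."""
import re
import zlib


def name_hash(name: str) -> int:
    # ASSUMPTION: CRC32 over the lower-cased ASCII name. The real algorithm
    # and its case handling have to be recovered from the sample itself.
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF


def parse_hash_list(text: str) -> list:
    """Parse one hash per line; accepts '0x..' hex, bare hex, or decimal.
    Blank lines and '#' comments are ignored."""
    hashes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", line):
            hashes.append(int(line, 16))
        elif re.fullmatch(r"[0-9a-fA-F]{8}", line):
            hashes.append(int(line, 16))
        else:
            hashes.append(int(line, 10))
    return hashes


def resolve_hashes(hashes, candidates, hash_fn=name_hash) -> dict:
    """Return {hash: name} for every hash that some candidate name produces."""
    table = {hash_fn(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


def unresolved(hashes, candidates, hash_fn=name_hash) -> list:
    """Hashes that no candidate explains; these need a bigger wordlist or
    a corrected hash function."""
    known = resolve_hashes(hashes, candidates, hash_fn)
    return [h for h in hashes if h not in known]


# Constructed candidate wordlist: process names an analyst might try first
# (security tools, system utilities, analysis tools).
CANDIDATES = [
    "avp.exe", "msmpeng.exe", "rapportmgmtservice.exe",
    "taskmgr.exe", "procmon.exe", "notepad.exe",
]

# Constructed hash list standing in for the attached one: two hashes are
# produced from the candidates above, the third is deliberately unknown.
SAMPLE_LIST = "\n".join([
    "# constructed sample list",
    "0x%08x" % name_hash("avp.exe"),
    "%08x" % name_hash("taskmgr.exe"),
    "0xDEADBEEF",
])


def resolve_sample() -> dict:
    """Run the resolution over the constructed list."""
    return resolve_hashes(parse_hash_list(SAMPLE_LIST), CANDIDATES)


if __name__ == "__main__":
    hashes = parse_hash_list(SAMPLE_LIST)
    for h, name in resolve_sample().items():
        print("0x%08x -> %s" % (h, name))
    for h in unresolved(hashes, CANDIDATES):
        print("0x%08x -> (unresolved)" % h)
```

In practice the wordlist is the interesting part: names of AV and anti-fraud products, sandbox and analysis tools, and browsers are the usual first guesses, and every hash that stays unresolved is either a name not yet in the list or a sign that the assumed hash function or case normalization is wrong.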
 #22309  by EP_X0FF
 Wed Feb 26, 2014 8:05 am
SpyEye was a complex malware with multiple additions (plugins) created by other people. Having found some pieces of code elsewhere does not automatically mean SpyEye 2.0, 3.0 etc.