A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9219  by rough_spear
 Mon Oct 17, 2011 7:06 pm
Hi All, :D
W32.Jorik/ngrbot sample. 8-)

Web link - hxxp://wiztechautomationsolutions.com/tols.exe
File Size - 158KB
VT Link - http://www.virustotal.com/file-scan/rep ... 1318862114
MD5 : d1876eea2443db6a8ed44bebff7081fa
SHA1 : 55fb9d1ff9e825a162f8d4f1b319453b4790aac5
SHA256: 3efd740fc805fe0e697b39cb153099def0187c5a5fb67ec7efcb52876df097ed
ssdeep: 3072:W3zyLTvBYetasoHQXyuxl4jzn9nJaHV/fizz6hl6p/DaZhuid0g9TrQLaN4:W3zeTlW4Dz
4VnJa1HizhDEuimgZUuN

Regards,

rough_spear. ;)
Attachments
password - malware.
(130.36 KiB) Downloaded 60 times
 #9225  by EP_X0FF
 Tue Oct 18, 2011 6:11 am
rough_spear wrote:Hi All, :D
W32.Jorik/ngrbot sample. 8-)
Attempt to read hxxp://www.hastyrefills.com/url.txt which is C&C data. Not available, only in search cache.
YwKCxcStcfSFAHXHVqVQ
12| Combien de bonnes photos!!#! :O hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
20|hoh. interessante bilder?!!:) hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
6|om det var dig??#= hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
29| Vad ar det foto?#??# ? :) hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
19| of je het leuk??!= :D hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
21|Smieszne zdjecia?#?!:P hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
16|hhhh,Dato di riconoscere una fotografia??!= hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
5|Wow,To je neverjetno,,= photos - hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
7| Sie in das Bild??#. _ hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
39|L0l!!**, kuris t??? nuotrauk?#?!!* hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
9| Who the F.#K is that?!#- hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
10|,jaja mira esta foto?!!#_ es tu cabron?!#! hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
24| haha, care este c?#! fotografie!# = hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
22|si usted estaba en la imagen??!# :) hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
26|hihihe ,to si ti na fotki?_ :) hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
25|???!!!! :) hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
0|Wow,! is this is you fotoo??#!= ;) hxxp://cudear.com/view.php?=Facebook-pic####-JPEG
downloads hxxp://cudear.com/view.php?=Facebook-pic####-JPEG which is trojan downloader which downloads ngrBot from hxxp://solarpanelscleveland.com/bbb.exe
Attachments
pass: malware
(125.76 KiB) Downloaded 60 times
 #9553  by rough_spear
 Sat Nov 05, 2011 8:19 pm
Hello All, :D
one more sample of Dorkbot. 8-)

Web link - hxxp://hotfile.com/dl/134029104/66497b1/FACEBOOK-DSC0000897643223311011.jpg.exe

VT link - http://www.virustotal.com/file-scan/rep ... 1320502037
MD5 : d4bd4e85105b81459a42b11a3303b526
SHA1 : a747f224ef864b66af440ed976e49fe8fad88419
SHA256: bf823e69b582262317857d26520ffac551ae2ff8c0b17a5c6cbd92175a2b9304
ssdeep: 6144:cnoK+2p8PW+MioJzQuZMi5ui6EgDlwJrf:woT++qJ0uZj5RE65
File size : 208896 bytes

Regards,


rough_spear. ;)
Attachments
password - malware.
(147.09 KiB) Downloaded 60 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 8