A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19682  by r3shl4k1sh
 Tue Jun 18, 2013 8:56 am
r3shl4k1sh wrote:Sample of Fareit downloaded by ransomeware

VT 8/41
https://www.virustotal.com/en/file/e1da ... 370942073/
Unpacked version.

Contact with:

hxxp://kaplq.ru
hxxp://ecrj.ru/f/sc.exe
hxxp://ecrj.ru/f/pkc.exe
hxxp://ecrj.ru/f/skc.exe
hxxp://fpku.ru/forum.php

IPs:
kaplq.ru --> 62.173.147.254
ecrj.ru --> 62.173.147.254


Admin panel, Pony (not TF):
hxxp://kaplq.ru/admin.php

In its strings we find a long list of general passwords phrases, Does Fareit try to brute force:
Code: Select all
hwemkpircuu54fc3c
http://kaplq.ru/
http://ecrj.ru/
http://ecrj.ru/f/sc.exe
http://ecrj.ru/f/pkc.exe
http://ecrj.ru/f/skc.exe
123456
password
qwerty
12345678
abc123
letmein
password1
monkey
dragon
trustno1
111111
iloveyou
1234567
shadow
123456789
christ
sunshine
master
computer
princess
tigger
football
jesus1
123123
whatever
freedom
killer
soccer
superman
michael
cheese
internet
joshua
fuckyou
blessed
baseball
starwars
000000
purple
jordan
summer
ashley
buster
heaven
pepper
7777777
hunter
lovely
andrew
thomas
angels
charlie
daniel
jennifer
single
hannah
qazwsx
matrix
aaaaaa
654321
amanda
nothing
ginger
mother
snoopy
jessica
welcome
pokemon
iloveyou1
mustang
helpme
justin
jasmine
orange
testing
michelle
secret
william
iloveyou2
nicole
666666
muffin
gateway
fuckyou1
asshole
hahaha
blessing
blahblah
myspace1
matthew
canada
silver
robert
forever
asdfgh
rachel
rainbow
guitar
peanut
batman
cookie
bailey
soccer1
mickey
biteme
hello1
eminem
dakota
samantha
compaq
diamond
taylor
john316
richard
blink182
peaches
flower
scooter
banana
asdfasdf
victory
london
123qwe
123321
startrek
george
winner
maggie
trinity
online
123abc
chicken
junior
passw0rd
austin
sparky
merlin
google
friends
shalom
nintendo
looking
harley
smokey
joseph
digital
thunder
spirit
bandit
anthony
corvette
hockey
benjamin
iloveyou!
1q2w3e
genesis
knight
qwerty1
creative
foobar
adidas
rotimi
slayer
wisdom
praise
zxcvbnm
samuel
dallas
testtest
maverick
onelove
mylove
church
friend
destiny
microsoft
222222
bubbles
11111111
cocacola
jordan23
ilovegod
football1
loving
nathan
emmanuel
scooby
fuckoff
maxwell
1q2w3e4r
red123
blabla
prince
chelsea
angel1
hardcore
dexter
112233
jasper
danielle
kitten
cassie
stella
prayer
hotdog
windows
mustdie
billgates
ghbdtn
gfhjkm
1234567890
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
Software\WinRAR
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
shell32.dll
SHGetFolderPathA
My Documents
AppData
Local AppData
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
S-1-5-18
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
GET %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
wcx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
WS_FTP
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
Software\FlashFXP\3
Software\FlashFXP
Software\FlashFXP\4
InstallerDathPath
Install Path
DataFolder
\Sites.dat
\Quick.dat
\History.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
FTP Navigator
FTP Commander
ftplist.txt
\BulletProof Software
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
LastSessionFile
SitesDir
InstallDir1
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
installpath
Software\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
Password
UserName
HostAdrs
RemoteDir
HostName
Username
Password
HostDirName
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Buttons
Software\FTP Explorer\Profiles
Password
PasswordType
InitialPath
FtpSite.xml
\Frigate3
_VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
UltraFXP
\sites.xml
\FTPRush
RushSite.xml
Server
Username
Password
FtpPort
Software\Cryer\WebSitePublisher
\BitKinex
bitkinex.ds
Hostname
Username
Password
Software\ExpanDrive\Sessions
\ExpanDrive
\drives.js
"password" : "
Software\ExpanDrive
ExpanDrive_Home
Server
UserName
Password
_Password
Directory
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
ftplast.osd
\GPSoftware\Directory Opus
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
\CoffeeCup Software
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
SOFTWARE\LeapWare
InstallPath
DataDir
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
\32BitFtp.ini
NDSites.ini
\NetDrive
PassWord
UserName
RootDirectory
Software\South River Technologies\WebDrive\Connections
ServerType
FTP CONTROL
FTPCON
\Profiles
http://
https://
ftp://
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
profiles.ini
Profile
IsRelative
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http://
https://
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
\Flock\Browser\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
AppDir
LocalDir
bookmark.dat
SiteInfo.QFP
Favorites.dat
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI:
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Microsoft_WinInet_*
ftp://
Software\Adobe\Common
SiteServers
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
CONSTRAINT
PRIMARY
UNIQUE
FOREIGN
logins
origin_url
password_value
username_value
ftp://
http://
https://
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
\Bromium
\Nichrome
\Comodo
\RockMelt
K-Meleon
\K-Meleon
\Profiles
\Epic\Epic
Staff-FTP
sites.ini
\Sites
\Visicom Media
\Global Downloader
SM.arch
FreshFTP
BlazeFtp
site.dat
LastPassword
LastAddress
LastUser
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
FTP++.Link\shell\open\command
Connections.txt
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
\NetSarang
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
FTP Now
FTPNow
sites.xml
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
Password
ServerName
UserID
InitialDirectory
PortNumber
ServerType
2.5.29.37
Software\LinasFTP\Site Manager
Remote Dir
\Cyberduck
user.config
<setting name="
value="
Software\SimonTatham\PuTTY\Sessions
HostName
UserName
Password
PortNumber
TerminalType
NppFTP.xml
\Notepad++
Software\CoffeeCup Software
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
DataDir
\FTPInfo
ServerList.xml
NexusFile
ftpsite.ini
FastStone Browser
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
UserID
xflags
Folder
winex="
\Yandex
My FTP
project.ini
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Default
Dir #%d
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
FastTrack
ftplist.txt
Client Hash
STATUS-IMPORT-OK
%d.exe
%d.bat
"%s"
ShellExecuteA
:ktk
del
exist
%1
goto
shell32.dll
;3+#>6.&
'2, /+0&7!4-)1#
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetWindowsDirectoryA
GetPrivateProfileStringA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
GetPrivateProfileIntA
GetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
GetModuleFileNameA
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
RegEnumValueA
GetUserNameA
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
CoTaskMemFree
CoCreateInstance
OleInitialize
ShellExecuteA
StrStrIA
StrRChrIA
StrToIntA
StrStrA
StrCmpNIA
StrStrIW
wsprintfA
LoadUserProfileA
UnloadUserProfile
InternetCrackUrlA
InternetCreateUrlA
inet_addr
gethostbyname
socket
connect
closesocket
select
setsockopt
WSAStartup
`.rdata
@.data
fM:2.5h9.:
1p-#c
V\o(kh
{74FF1730-
-4Dv926B568FAE61DBp
%Subsm
Rq-Ci]>0
JTATUS-h
RT-OKa
;3+#>6.&
'2, /+0&7!4-)1#
7Bn.{'
{wKO/Gg
#*os]S
ViewOfwU
X32SnTc;8,fP
&=Xo]Gu
=CmpNgW
XV>A%P
XPTPSW
KERNEL32.DLL
advapi32.dll
ole32.dll
shell32.dll
shlwapi.dll
user32.dll
userenv.dll
wininet.dll
wsock32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
CoCreateGuid
ShellExecuteA
StrStrA
wsprintfA
LoadUserProfileA
InternetCrackUrlA
kernel32.dll
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlen
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpy
lstrcat
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmp
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpi
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetWindowsDirectoryA
GetPrivateProfileStringA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
GetPrivateProfileIntA
GetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
GetModuleFileNameA
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
ole32.dll
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
CoTaskMemFree
CoCreateInstance
OleInitialize
user32.dll
wsprintfA
advapi32.dll
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
RegEnumValueA
GetUserNameA
shell32.dll
ShellExecuteA
wininet.dll
InternetCrackUrlA
InternetCreateUrlA
shlwapi.dll
StrStrIA
StrRChrIA
StrToIntA
StrStrA
StrCmpNIA
StrStrIW
wsock32.dll
inet_addr
gethostbyname
socket
connect
closesocket
select
setsockopt
WSAStartup
userenv.dll
LoadUserProfileA
UnloadUserProfile
You can see the analysis of this trojan at Malwr sandbox, here:
https://malwr.com/analysis/YWI1MTkyNGU3 ... ZlNWZiNjU/

VT 25/47
https://www.virustotal.com/en/file/912d ... /analysis/
Attachments
pass: infected
(42.41 KiB) Downloaded 73 times
 #19694  by Blaze
 Wed Jun 19, 2013 8:24 am
New WellsFargo spam runs.
Code: Select all
 hXXp://thinkgreensupply.com/ponyb/gate.php 
Attachments
(829.52 KiB) Downloaded 90 times
 #19711  by unixfreaxjp
 Fri Jun 21, 2013 10:27 am
Shortly, it's a new malvertisement campaign of Fareit variant, sending data to the Pony panel, downloading Medfos...
I have a problem to figure to where to post this info..ok, I dare to write it here,
So please kindly help me to put this post in the right place, thank you in advance.

It started in a rainy day with the below malvertisement:
Image
For the convenient, the spam header analysis is below:
Code: Select all
Received: from unknown (HELO my.firewall) (71.62.225.78)  // <==== IP with fake hostname...
  by x.x.x.x with SMTP; 20 Jun 2013 23:39:44 +0900
Received: from 71.62.225.78(helo=kpytyxyylz.znebfunknejafs.su) // <==== HELO w/fake randomize subdomain.domain.SU
	by my.firewall with esmtpa (Exim 4.69) // <==== A suspected compromised machin's MTA used, 
	(envelope-from )                       //       ..no client relay, is likely a #webshell #spambot
	id 1MMT5S-2939nx-Y6        // <=== grep this "1MMT5S-2939nx-Y6" in maillog & we'll have the compromised evidence!
	for xxx@xxx; Thu, 20 Jun 2013 09:39:49 -0500
Date:Thu, 20 Jun 2013 09:39:49 -0500
From:"QuickBooks Invoice" <auto-invoice@quickbooks.com>  // <=== Fake mail Addess
X-Mailer: The Bat! (v2.00) Business       // <=== Spammer uses this X-mailer a lot, good to block...
X-Priority: 3 (Normal)
Message-ID: <7807489026.QH861DV3448774@jegivhiq.zbdozt.org> // <==== Fake MessageID  w/another random SUBDOMAIN.DOMAIN
To: <xxx@xxx>
Subject: Please respond - overdue payment
MIME-Version: 1.0
Status: RO
X-UIDL: 1371739193.7918.xxx.xxx,S=142456
Content-Type: multipart/mixed;                   // The way they use this boundary for attachment -
  boundary="----------3572D0EB381D72"            // is significant, good point for the signature generation

------------3572D0EB381D72
Content-Type: text/plain; charset=windows-1250 // This charset Codepage is designed for Central Europe languages like: 
Content-Transfer-Encoding: 7bit                // Albanian, Croatian, Czech, Hungarian, Polish, Romanian, Serbian (Latin), Slovak, Slovenian. 
   [...]
------------3572D0EB381D72
Content-Type: application/zip; name="YOUR@MAIL.ADDRESS_Invoice.zip"  // <=== using your email prefix as zip-
Content-Transfer-Encoding: base64                                    // - filename.
Content-Disposition: attachment; filename="YOUR@MAIL.ADDRESS.zip"
The attachment is Fareit (eventhough some scanner judge it as zbot...)
It downloads medfos from the below url:
Code: Select all
h00p://backup.hellaswebnews.com/8P6j4.exe
h00p://www.powermusicstudio.it/Ckq.exe
h00p://gpbit.com/MACnU.exe
h00p://sedi.ch/XDHMsu.exe 
Sending the credentials taken to:
Code: Select all
h00p://checkpoint-friendly-bag.com/ponyb/gate.php
h00p://checkpoint-friendly-bags.com/ponyb/gate.php
h00p://checkpoint-friendly-laptopcases.com/ponyb/gate.php
h00p://checkpoint-friendly-luggage.com/ponyb/gate.php 
The credentials slurped I devided into:
[1] passwords
[2] Softwares by files
[3] Software by registry With some special notes:
Code: Select all
 //... aiming facebook data too...
2http://www.facebook.com/
//.. using a "saved password" in IE....
abe2869f-9b47-4cd9-a358-c22904dba7f7
Fareit as usual doing comm with HTTP/1.0, in this case to. PoC is , for POST:
Code: Select all
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HWID 
And for GET query:
Code: Select all
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s 
The trace of aPLib binary compressor also detected in fareit binary:
Code: Select all
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Trace of encryption key:
Code: Select all
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
Fareit was ended after the CMD command to self termination executed.

The Medfos - is sending a different HTTP query using HTTP/1.1 protocol, to IP: 78.140.131.151 for another downloading effort...
Code: Select all
GET /uploading/id=1083241521&u=4WSbvjA+sJYdYTrMmxr7tGGjKtAtmmBrQnuEwUHeacviRtjYIg2xcqQMAWYaZM4RqxalcusDRHEPXzzqdOryxg==
GET /uploading/id=1620113969&u=4WSbvjA+sJYdYTnFmxr7tGHwKNF/zWc6S3uEmRPaacviRtjYIg2xcqQMAWYaZM4RqxalcusDRHEPXzzhfun0xA==
GET /uploading/id=277935153&u=4WSbvjA+sJYdYTnFmxr7tGHwKNF/zWc6S3uEmRPaacviRtjYIg2xcqQMAWYaZM4RqxalcusDRHEPXzzhfun0xA== 
And inject the process to run the msiexec.exe with the malicious config as:
Code: Select all
C:\WINDOWS\system32\msiexec.exe.Manifest
C:\WINDOWS\system32\msiexec.exe.Config
As per shown in pic, I made sure to download every Medfos implanted in many hacked servers, so we have enough sample of it, it self renamed to:
Code: Select all
C:\DOCUME~1\USERNAME\LOCALS~1\Temp\4159875(this is gonnabe RANDOM).exe
and try to execute which one available in your system:
Code: Select all
\system32\msiexec.exe
\SysWOW64\msiexec.exe
The autostart of msiexec was also found:
Code: Select all
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
Found the trace of Dinkumware, Ltd. / premier supplier of Standard C and Standard C++ libraries, inside too (interesting!).
Interesting changes in registry by Medfos is always attempt to seek these keys:
Code: Select all
"HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\[RANDOM-NUMBER]\Paths"
"HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\[RANDOM-NUMBER]\Hashes"
"HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\[RANDOM-NUMBER]\UrlZones"
I hope the above simple explanation useful, I attached here the spam, the sample attachment PE , the medfos downloaded and PCAP data.
The VirusTotal for the PE Fareit is here
And the Medfos is:
here , here , here and here (etc)
---
#MalwareMustDie!
Attachments
is in 7z archibe w/pwd:infected
(839.07 KiB) Downloaded 91 times
 #19847  by Maijin
 Fri Jun 28, 2013 9:32 am
Code: Select all
Callback
hxxp://ammscanada.com/ponyb/gate.php
hxxp://ammschicago.com/ponyb/gate.php
hxxp://ammsdallas.com/ponyb/gate.php
hxxp://ammsdirectors.com/ponyb/gate.php
hxxp://www.casailtiglio.com/NY19N.exe
hxxp://ftp.vickibettger.com/oEoASW64.exe
hxxp://72.52.164.246/FDKwgvdt.exe
hxxp://www.scenografiesacs.com/mvNaxR.exe
all dumped strings here :
Code: Select all
MDMP
GenuineIntel
RSDS2
ntdll.pdb
RSDS
kernel32.pdb
RSDS
msi.pdb
RSDS
advapi32.pdb
RSDS
rpcrt4.pdb
RSDStx
secur32.pdb
RSDS
gdi32.pdb
RSDS
user32.pdb
RSDS
msvcrt.pdb
RSDS
wldap32.pdb
RSDS
ole32.pdb
RSDS
shell32.pdb
RSDS@
shlwapi.pdb
RSDS
WPP@
MicrosoftWindowsCommon-Controls-6.0.2600.5512-comctl32.pdb
RSDS
comctl32.pdb
RSDS
wininet.pdb
RSDS
crypt32.pdb
RSDS
msasn1.pdb
RSDS
oleaut32.pdb
RSDS
urlmon.pdb
RSDS
version.pdb
RSDS
wsock32.pdb
RSDS
ws2_32.pdb
RSDSX
ws2help.pdb
RSDSNw
sTyG
userenv.pdb
B,Ph
B,Ph
R,RP
SVW+
= EA
SVWhSIA
t>h?IA
h`IA
hSIA
h?IA
hmJA
hVJA
h_JA
hhJA
hoIA
h&JA
B,Ph
B,Ph
R,RP
Ph+KA
B,Ph
B,Ph
=uAA
t;h#KA
h5KA
hcKA
h+LA
haLA
hLMA
hWMA
hbMA
hoMA
h{MA
hLMA
hWMA
hbMA
h/MA
h4MA
hAMA
h	MA
h/MA
h	MA
h4MA
h	MA
hAMA
h	MA
h/MA
h4MA
hAMA
h	MA
h/MA
h	MA
h4MA
h	MA
hAMA
h	MA
h^NA
hYNA
hMNA
h5NA
h)NA
hANA
hzNA
hiNA
5uAA
=yAA
h<OA
hvOA
PPPh
h,PA
hiPA
hWPA
hiPA
hWPA
hMPA
h8PA
hCPA
huPA
huPA
hvQA
hgQA
hlQA
hyQA
PhqQA
Ph~QA
hHQA
h&RA
Ph!RA
Ph	RA
h2RA
h>RA
hHRA
hMRA
hpRA
t$hfRA
hHRA
5uAA
=yAA
Ph)SA
h SA
Ph2SA
IhkSA
hkSA
hzSA
h7SA
h}SA
h`SA
t%hTSA
h`SA
t%hTSA
h`SA
t%hTSA
h`SA
h*TA
h7TA
h7TA
h\TA
h\TA
huTA
huTA
PPPh
h+UA
h+UA
h+UA
hRUA
h\UA
hRUA
h\UA
t9hfUA
hRUA
h\UA
5uAA
=yAA
hGUA
tBPhGUA
hRUA
h\UA
Ch?UA
hRUA
h\UA
hxUA
hxUA
h$VA
h(VA
h1VA
h?VA
h{VA
hDVA
hDVA
5uAA
=yAA
t)PP
B,Ph
B,Ph
R,RP
B,Ph
B,Ph
t$PP
h[WA
h3WA
h3WA
hCWA
hKWA
hKWA
h_WA
:\\u
h'XA
8~u>
hEYA
hOZA
hCZA
hGZA
hKZA
B,Ph
B,Ph
R,RP
:.su
Ph)ZA
Ph6ZA
tAPP
h.[A
h&[A
h.[A
h&[A
hS[A
hA[A
hc[A
hZ[A
hA[A
hc[A
hp[A
5uAA
=yAA
tEh}[A
hp[A
5uAA
=yAA
h)\A
hA\A
hU\A
= EA
= EA
Phm\A
h]\A
= EA
hQ]A
=8EA
= EA
hl]A
5uAA
=yAA
h'^A
h_^A
VWh[^A
h]^A
?'u+
= EA
hU^A
hE^A
h1^A
h:^A
h1^A
h:^A
h1^A
h:^A
h1^A
h:^A
h _A
h*_A
h2_A
hE_A
=uAA
t|h<_A
hO_A
h^_A
=uAA
tYhY_A
=uAA
t@hi_A
hs_A
t)h}_A
=uAA
=uAA
h5`A
hD`A
h?`A
=uAA
t@hb`A
hh`A
=uAA
t@hx`A
8,"u
h=aA
ueh?aA
h?aA
= EA
t5PP
= EA
h!aA
h-aA
=uAA
tQhPaA
hHaA
hWaA
haaA
PhaaA
=$EA
=(EA
=0EA
=,EA
hHbA
hMbA
hRbA
hWbA
h\bA
h)bA
t)hgbA
hxbA
hrbA
hgbA
h'cA
h>cA
hScA
PhlcA
5uAA
=yAA
5uAA
=yAA
5uAA
=yAA
h$dA
h/dA
hGdA
hGdA
hndA
hndA
5uAA
=yAA
=4EA
hHeA
hJeA
5@eA
5DeA
h0eA
h0eA
h0eA
hDeA
h;eA
5@eA
h)fA
h<fA
h)fA
h<fA
h1fA
h<fA
h1fA
h<fA
hbfA
tShgfA
hwfA
hHfA
hHfA
h	gA
h"gA
h.gA
h"gA
h.gA
hMgA
hMgA
hcgA
hcgA
PhcgA
h"gA
h:gA
h.gA
h:gA
h"gA
hCgA
h.gA
hCgA
WVS+
7hQkA
h$kA
hFkA
=8EA
hbiA
hbiA
hWjA
5uAA
=yAA
?}H@
5;mA
5?mA
=?mA
5;mA
5?mA
hDAA
heAA
@tkh
hUuA
h 	A
hI	A
hCmA
=	GA
UVW3
}	trS
!_^]
_^][
tJO@
_^][
_^][
_^][
ri)D$
_^][
_^][
l$ V3
9T$,v
T$,;
;L$,
T$0;
+l$(
l$(;
vGSQ
uFSQ
\$X;
+L$PR
+T$PQ
L$\RQ
T$4R
9D$(ub
9D$8
L$8WQ
D$8=
D$ HP
D$LP
L$(9L$@
D$DPQ
L$$+
L$,Q
D$@RP
D$D;
v89l$D|0
L$(UQ
D$@RP
\$X}
uM9l$D}G
D$@RP
L$(UQ
\$X~
L$<Q
D$0;D$(
T$4R
D$(UP
D$(UP
T$0PR
D$(UP
L$<Q
\$(;
L$$+
D$$+
T$0PR
D$(UP
L$<Q
9|$4r4
T$0WR
D$8WP
L$8WQ
\$(;
L$(R
D$8WP
D$$;
\$X~I
D$8;
L$8WQ
L$(UQ
D$(;
D$(UP
;|$<
L$<Q
9|$4r4
T$0WR
D$8WP
L$8WQ
D$8;
D$TCH
\$X;
T$8WR
D$8;
6][_
+T$PQ
+L$PRQW
+D$P][_^
?	3I
hduA
PPSVW
33331
33331
hdvA
hduA
hdvA
hduA
hduA
hdvA
hdvA
hdvA
=dvA
=dvA
hduA
hduA
hduA
hdvA
hdvA
hdvA
PPVW
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
et{rvkornwu
http://ammscanada.com/ponyb/gate.php
http://ammschicago.com/ponyb/gate.php
http://ammsdallas.com/ponyb/gate.php
http://ammsdirectors.com/ponyb/gate.php
http://www.casailtiglio.com/NY19N.exe
http://ftp.vickibettger.com/oEoASW64.exe
http://72.52.164.246/FDKwgvdt.exe
http://www.scenografiesacs.com/mvNaxR.exe
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
MODU
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
.exe
Software\WinRAR
open
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
shell32.dll
SHGetFolderPathA
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
S-1-5-18
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
\*.*
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
Line
_cx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\_hisler\Windows Commander
Software\_hisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
.ini
WS_FTP
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 9\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
_oftware\FlashFXP\3
_oftware\FlashFXP
_oftware\FlashFXP\4
InstallerDathPath
path
Install Path
DataFolder
\Sites.dat
\Quick.dat
\_istory.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Host
User
Pass
Port
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
Path
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
FTP Navigator
FTP Commander
ftplist.txt
\BulletProof Software
.dat
.bps
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
LastSessionFile
SitesDir
InstallDir1
.xml
\SmartFTP
Favorites.dat
_istory.dat
_ddrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
installpath
Software\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
Password
UserName
HostAdrs
RemoteDir
Port
HostName
Port
Username
Password
HostDirName
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
Host
User
Port
PthR
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Buttons
Software\FTP Explorer\Profiles
Password
PasswordType
Host
Login
Port
InitialPath
FtpSite.xml
\Frigate3
.ini
_VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
UltraFXP
\sites.xml
\FTPRush
RushSite.xml
Server
Username
Password
FtpPort
Software\Cryer\WebSitePublisher
\BitKinex
bitkinex.ds
Hostname
Username
Password
Port
Software\ExpanDrive\Sessions
\ExpanDrive
\drives.js
"password" : "
Software\ExpanDrive
ExpanDrive_Home
Server
UserName
Password
_Password
Directory
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
.oxc
.oll
ftplast.osd
\GPSoftware\Directory Opus
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
\CoffeeCup Software
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
SOFTWARE\LeapWare
InstallPath
DataDir
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
\32BitFtp.ini
NDSites.ini
\NetDrive
PassWord
UserName
RootDirectory
Port
Software\South River Technologies\WebDrive\Connections
ServerType
FTP CONTROL
FTPCON
.prf
\Profiles
http://
https://
ftp://
opera
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
profiles.ini
Profile
IsRelative
Path
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http://
https://
ftp.
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
AppDir
LocalDir
bookmark.dat
SiteInfo.QFP
Odin
Favorites.dat
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI: 
@J7<
AJ7<
BJ7<
%02X
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Microsoft_WinInet_*
ftp://
Software\Adobe\Common
SiteServers
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
table
CONSTRAINT
PRIMARY
UNIQUE
CHECK
FOREIGN
logins
origin_url
password_value
username_value
ftp://
http://
https://
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
\Bromium
\Nichrome
\Comodo
\RockMelt
K-Meleon
\K-Meleon
\Profiles
Epic
\Epic\Epic
Staff-FTP
sites.ini
\Sites
\Visicom Media
.ftp
\Global Downloader
SM.arch
FreshFTP
.SMF
BlazeFtp
site.dat
LastPassword
LastAddress
LastUser
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
.fpl
FTP++.Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
\NetSarang
.xfp
.rdp
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
FTP Now
FTPNow
sites.xml
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
Password
ServerName
UserID
InitialDirectory
PortNumber
ServerType
2.5.29.37
Software\LinasFTP\Site Manager
Host
User
Pass
Port
Remote Dir
\Cyberduck
.duck
user.config
<setting name="
value="
Software\SimonTatham\PuTTY\Sessions
HostName
UserName
Password
PortNumber
TerminalType
NppFTP.xml
\Notepad++
Software\CoffeeCup Software
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
DataDir
\FTPInfo
ServerList.xml
NexusFile
ftpsite.ini
FastStone Browser
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
Site
UserID
xflags
Port
Folder
.wjf
winex="
\Yandex
My FTP
project.ini
.xml
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
Salt
<_OP3_Password2
<_MTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
Path
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
_mtpServer
_mtpPort
_mtpAccount
_mtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Count
Default
Dir #%d
RLUQ!Dl`hm!@eesdrr
RLUQ!Rdswds
QNQ2!Rdswds
QNQ2!Trds!O`ld
RLUQ!Trds!O`ld
OOUQ!Dl`hm!@eesdrr
OOUQ!Trds!O`ld
OOUQ!Rdswds
HL@Q!Rdswds
HL@Q!Trds!O`ld
Dl`hm
IUUQ!Trds
IUUQ!Rdswds!TSM
QNQ2!Trds
HL@Q!Trds
IUUQL`hm!Trds!O`ld
IUUQL`hm!Rdswds
RLUQ!Trds
QNQ2!Qnsu
RLUQ!Qnsu
HL@Q!Qnsu
QNQ2!Q`rrvnse3
HL@Q!Q`rrvnse3
OOUQ!Q`rrvnse3
IUUQL`hm!Q`rrvnse3
RLUQ!Q`rrvnse3
QNQ2!Q`rrvnse
HL@Q!Q`rrvnse
OOUQ!Q`rrvnse
IUUQ!Q`rrvnse
RLUQ!Q`rrvnse
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
FastTrack
ftplist.txt
eh`lnoe
inqd
l`ffhd
l`wdshbj
nomhod
rqhshu
fdnsfd
gshdoer
e`mm`r
`ehe`r
0p3v2d
6666
ns`ofd
udruudru
`rrinmd
`qqmd
chudld
777777
vhmmh`l
lhbjdx
`regfi
vhrenl
c`ul`o
lhbidmmd
e`whe
dlhodl
rbnnuds
`reg`reg
r`llx
c`cx
r`l`oui`
l`yvdmm
44444
ktruho
k`ldr
bihbjdo
e`ohdmmd
hmnwdxnt3
gtbjngg
qshobd
ktohns
s`hocnv
003322
gtbjxnt0
ohoudoen
qd`otu
onod
bitsbi
ctccmdr
sncdsu
333333
edruhox
mnwhof
fgikjl
lxmnwd
k`rqds
i`mmn
032230
bnb`bnm`
idmqld
ohbnmd
fthu`s
chmmf`udr
mnnjhof
rbnncx
knrdqi
fdodrhr
gnstl
dll`otdm
b`rrhd
whbunsx
q`rrv1se
gnnc`s
hmnwdfne
o`ui`o
cm`cm`
ehfhu`m
qd`bidr
gnnuc`mm0
00000000
qnvds
uitoeds
f`udv`x
hmnwdxnt 
gnnuc`mm
uhffds
bnswduud
`ofdm
jhmmds
bsd`uhwd
032547698
fnnfmd
{ybwcol
ru`susdj
`rimdx
biddrd
rtorihod
bishru
111111
rnbbds
pvdsux0
gshdoe
rtllds
0325476
ldsmho
qiqcc
03254769
knse`o
r`wde
edyuds
whqds
vhoods
rq`sjx
vhoenvr
032`cb
mtbjx
`ouinox
kdrtr
ficeuo
`elho
inuenf
c`rdc`mm
q`rrvnse0
es`fno
ustruon0
k`rno
houdsodu
ltruehd
knio
mduldho
lhjd
johfiu
knse`o32
`cb032
sde032
qs`hrd
gsddenl
kdrtr0
03254
mnoeno
bnlqtuds
lhbsnrngu
ltggho
pvdsu
lnuids
l`ruds
000000
p`{vry
r`ltdm
b`o`e`
rm`xds
s`bidm
nodmnwd
pvdsux
qs`xds
hmnwdxnt0
vi`udwds
q`rrvnse
cmdrrhof
ronnqx
0p3v2d5s
bnnjhd
00000
bidmrd`
qnjdlno
i`i`i`
``````
i`sebnsd
ri`env
vdmbnld
ltru`of
745230
c`hmdx
cm`icm`i
l`ushy
kdrrhb`
rudmm`
cdok`lho
udruhof
rdbsdu
ushohux
shbi`se
qd`bd
ri`mnl
lnojdx
hmnwdxnt
uinl`r
cmhoj093
k`rlhod
qtsqmd
udru
`ofdmr
fs`bd
idmmn
qnnq
cmdrrde
0325476981
id`wdo
itouds
qdqqds
knio207
bnnm
ctruds
`oesdv
g`hui
fhofds
6666666
inbjdx
idmmn0
`ofdm0
rtqdsl`o
douds
e`ohdm
032032
gnsdwds
onuihof
e`jnu`
jhuudo
`reg
0000
c`o`o`
f`udr
gmnvds
u`xmns
mnwdmx
i`oo`i
qshobdrr
bnlq`p
kdoohgds
lxrq`bd0
rlnjdx
l`uuidv
i`smdx
snuhlh
gtbjxnt
rnbbds0
032547
rhofmd
knrit`
fsddo
032pvd
ru`sv`sr
mnwd
rhmwds
`truho
lhbi`dm
`l`oe`
0325
bi`smhd
c`oehu
bishr
i`qqx
q`rr
Client Hash
STATUS-IMPORT-OK
%d.exe
%02X
true
%d.bat
      "%s"   
ShellExecuteA
	   :ktk   
     del    	 %1  
	if  		 exist 	   %1  	  goto 	
 ktk
 del 	  %0 
shell32.dll
80( 
91)!
:2*"
;3+#>6.&
=5-%
<4,$
'2, /+0&7!4-)1#
MUw1
wI!~
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetWindowsDirectoryA
GetPrivateProfileStringA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
GetPrivateProfileIntA
GetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
Sleep
GetModuleFileNameA
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
kernel32.dll
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
CoTaskMemFree
CoCreateInstance
OleInitialize
ole32.dll
wsprintfA
user32.dll
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
RegEnumValueA
GetUserNameA
advapi32.dll
ShellExecuteA
shell32.dll
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
StrStrIA
StrRChrIA
StrToIntA
StrStrA
StrCmpNIA
StrStrIW
shlwapi.dll
ObtainUserAgentString
urlmon.dll
inet_addr
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
WSAStartup
wsock32.dll
LoadUserProfileA
UnloadUserProfile
userenv.dll
G0RP
k?`9
W	}9SUEU
^K/$
UoUV
98|!
yjpo
)QY"l
[8Rt
?P[/
(9xDgF
x)KV
M_{x
u!^ [
(ZHq&
6XYq
Fh3J
OgRt
r>t]
!"~_r*;k
!N8T
VHH{
~j7Y
XDGi
Wyh0Suzf
'Ib*#Et`
3UM9
!xV[R
	jdlOl 1K
2|3uZ
o^;|
Cm@{
1P kn[a0|
|{x.gQHCqG
s}ReN^7
-f7j
h( p
DB(iVU
C!Bdk,K
 Stn-]0
^\ FU6
`}:w
~=HW
b)0]
s/dK
e3?pv3hT
p$8Z
lyt(dj2#h
z;)`e9SZ
Dm`^
G%ml
$dNp
"Gil
zA&dIGU^
rY_O4
iIm%v
n"H0
n1'Lj'i%
lHFf
E5=,N
_.s2
F,HK
1oi[
v(33
|0F 
tikj
xg%a
YCd,l
3,b`
6kUCRW
(o5e
fBNM
lo	]
 )=Z6$8P}
&:e,
/j/atJ\?
CuN%
QJ=}o
fMF3_Z
;|g7]MsIU
@VB<
@]Ly
ZRtr
uu^s
3U0j
NW	xN
Ev'v
k)=M
YlZd
{D)}^YKZ
-A[KjX
B_Nq
nsEy
xwzk+`
v&B=
~msQ
\FKR
zr2_
{klaQ
R3>1pX
gZHX
IbNQp9v9
D/}w
Ip>o
I;QK_9sQ
	6[C
;,:j
sJUHiQ
m-KW4
J8ld
s(~`
GC$J
J'V'Q*FS
9;9g
z53v
;g%_
_hZUW
^&pg
yG/ EN
ot=q
?<>s
cc,O
^9~v
jZ$4
z%y_
.`V2
g=|X
ps)[
FL(Z
 {	[0S
-P4t
|!ug
@VZsM$h
5}Ea]
q[)^
_*h<
q*qQ
oH9T
1e,5sE
Fp}5O'
pIIM
P3!`
c&bV
	l%Gij
YIHQq.J7i,
_`8i
tx"[
UYR[z
i0ke
HQDw
RD>sz/
hs#W
l+dh
1-(R
+f`6_Cpry1
uRQO/~/
n5:wG
@k0z
1OZ{
B^#[
,z84
85+f
*IT5`
/1Sy
J:\ni|7O
v'pd
i+	Ib
HLZk
qxIB^
w/eh
ncn-[
on-e
g[D_
Vk&e
4V$>QM
Ro~q^
IVv#H:
Sz0q`4
Os^9
0d+l?sOz
UxzPKK/
~,g_
n vR
v<,p
)[Vs
3Uan
owl%],
}_N]x
B`|+
]ZDU=w`
{3}V}
r*fg^A
dhy,
H^Uqv
'A4S
\@CZ
L6yJ
]CHW
CXSY
sT)bj
ah]_h
u2<M
nJFL
+%|1
])gz
OP7i
,j09
yVFf
WX]|
#kP;	
ao(w
@G(r`#l&
J=zr`(m_
9m6A
)K$W?m
:wVCMZ
vMDi
	yGB`c
,9Ac
& kN@
rPiT
`<Ra
lR^O
l9nh
CL>aODc
@,@P
kO()
[* HXQ
#C2m
K-0RwI
n`(F
 _((
xnTg
y)lZ@
qw%Z
7Y5.CQ
p/:y
WX,P6
Mk1s
x9#71e
wTBd
DO]s
wy1Kgh
]Q[S
c3@^
!$YM
tWRd
l"Dbo8{S
(|kM
n]'O
l0t|
v~i/V Y.
mCAFz
r\PJ
qk*z
Y79Z
s>	8
.mB	VF
8a_M^uGNd/
u0*FV
R}+q
t<j[
|03J_M
o&ec
35:m
u&c2
J[%N(:
F%	]_a
j`$b
x@1GFQu?
I..]x
tVUd
A))Hs
J24q|
UaEB
`+oP
.%NL
K	8y
DL9+
Kt2x
G;k"
tZVi
-kVt
&@Ep
`0<H
Bj>vx
OR_y
]7yr
dGXW
[i3~
Jw8Zd%c3
0f*S
z42PE
n6tT
.s]Ni>
2k/X
K|<qb:
lj=L
WV7y
?s<B<z~:
;t,M
O2k%
%w&o
!gE49{
"hH{|
.y<x
nX^R
&H8W"9
DQBj
p?:l
ybk"
"3&`-
,Qsc
n(3{
W*~S
?a?Ud
!bv$F
1;O4V
)Dfs
*/Qt
?aNbd
Oq(;t
1J\4V
A#6Df
]	+PNF
~31H
(Uwr
lj_P
*J?0
k18R}gx
@jUD
*}bHb
2X:Pz
O.(JvM
8RK-
"C'x
0Y{z
!8Zk<
X&Qspv
>`x`
+]?m
"^_?
I-9d
-xzw
`1(H
p(*z
.(JX
Fh[q
Fh9Zx
.7Yt
]xDf
-f.P
{jY{
7YX*
f0\~{
TvKA
**Lu}
)Ikrj<^
1QszO~
)X/l
Fhg4q
:\J:g
$S,N
"D%#
%1Sn#~
O27X
MUYl
bz=K
&jiJcA
\\o#c6CN
UD%yQS
D:Rr3Cm.x[
G95U'
M{1x
Lo5?
TRg*P/NM
FTSRxYR
7YAJs8W>
}JF\
[9ri
x!qa
bF5~~04s
y0g~
Eb0v
HF'N
pE;.
Rb$8
}5&^
pH*p
wTQVPt
o<(w
\Ego
hk*S
\3iY
b^/Zf
d5to
dyC 
)	5'I
#Gim
WyGsw
'IAnGi
1Gi{
!hSg
uY}Yy
;)R)
]f,^yZ
>-*+
%K	2U
k#3G
e.Y0N
u<^K
 vSt
Jjy^
/q#r
n,h|a
z=4a/
pA=C/
)Bf 
)=c4
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="author.Program_Code" type="win32"></assemblyIdentity><description>Program Description</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
?pow
sqrt
atan
uaUyA
Dt0B
:	:*$
6\@,
'97q
VBx.
{s4h
5Ua]
2"&v
)#_ck
	:*$
'97|
;$^i
2?ly
zZ3 
*MdI.
0123456789ABCDEF
 !"#$%&'x
456789:;<=>?x
lmno
4G9}
TP9}
hR9}
|T9}
LB!}
_ }l` }
xl9}
Dq9}
tx9}
`. },. }
x- }H
}pf#}
8, }
+ }l+ }T+ }<+ }
l+ }
 + } + }
* }t* }L* }
y#}4
X,}i
w(} ) }
H, }
, }d, }
( }h( }D( }(( }
- } - }
' }p' }D( }`' }P' }
Q5}@' },+5}
}"}0' }
& }(
}`& }
.}(& }
p3 }
%}|_ }
%}d_ }
yF%}X_ }
p~%}
%}x^ }
%} ^ }
)K%}
] }	
K%}T;
%}x] }
$%}<] }
BX%}
t\%}
TL%}T\ }
\ }5
[ }8
%}([ }
J %}8Z }3
"%}DY }
b"%}
`P%}
f#%} X }
P%}PW }
LR%}
W } 
nS%}
V }!
T%}HV }"
V%} V }#
@V%}
U }7
U }$
cV%}\U }%
V%}(U }'
U }(
CW%}
T })
T }*
N%}`T }+
%}$T },
S }-
S }.
%}xS }/
%}DS }0
R }1
	,%}xR }9
8$%}<R }
7_%}$R }
--%}
-%}hQ }
V_%}HQ }
/%},Q }
2%}xP }
`%}TP }
0%},P }
X0%}
O }	
A1%}`O }
G2%}
	3%}
qa%}
N3%}
b%}pM }
c%}TM }
7f%}8M }
I4%}(M }
Ih%}
5%}|L }	
6%}TL }
7%}XK }
l%} K }
#9%}
9%}XJ }
":%},J }
q:%}
#m%}
%}pI }
:%}dI }
:%}LI }
o%}4I }
:%}$/ }
>;%}$I }
{p%}
a;%}
<%}PH }	
!=%}
=%}@G }
 >%}
%}HF }
:%}4F }
p>%}$/ }
>%}$I }
{p%}
>%}PH }
=?%}
G }	
9@%}@G }
%}HF }
AA%}
xE }
9}@D }
x- }
C }@D }
- }x
D }X
x- }
D }xD }
- }X
9}xD }
PE }X
l- }`- }T- }H- }4- })
@@@@
A%}oI)}
)}wJ)}4
*}Vd*}
e*}uh*}O
|+}I
*}7M)}V
A+}q
)}^Y)}
])}wb)}
e)}?
w)}6w)}
-+}{.+}
.+}C.+}
.+}#/+}I-+}e-+}
8} 0*}
F*}LB)}
g)}?E*})}+}
d*}}-+}
-+}].+}
-+}).+}
.+}	/+}
j*}e
*}%<*}gW/}
h*}>?*}
r }0r }
$r }
x- }xq }
\q }
$!}5
H$!}6
$!}7
#!}8
`#!}9
#!}:
"!};
P"!}<
!!}=
!!}>
|!!}?
 !}@
 !}A
`	!}
 }!	
 }"	
 }#	
 }$	
 }%	
 }&	
 }'	
 }(	
 })	
 }*	
 }+	
 },	
 }-	
 }.	
 }0	
 }1	
 }2	
 }4	
 }5	
 }6	
 }7	
 }8	
 }9	
 }:	
 };	
 }<	
 }=	
 }>	
 }?	
 }@	
 }B	
 }H	
 }K	
 }L	
 }M	
 }N	
 }a	
 }b	
~ }u
X~ }v
~ }w
} }x
d} }y
| }z
{ }{
z }|
hz }}
z }~
 w }
r }0r }p-!}
2!}d2!}@2!}02!}
tp9}-
-}xp9}d
p9}b
p9}9
p9}`
D@!}
 9!}
?!} 
?!}@
,. }
`?!}
,?!}
L>!}
`. }
l=!}
<=!}
P<!}
 <!}
9}`B!}
K!}|K!}8:5}
; }hK!}<K!}
J!}`T2}
u }lJ!}XJ!}DJ!}4J!}
}@I!}TI!}
}XI!}dI!}
; }hI!}
(H!}
TH!}
<H!}
 - }
, }d, }H, }(
PC!}dC!}pC!}
C!}0D!}LD!}dD!}
D!} E!}
E!}hF!}
F!}lG!}|G!}
H!}$I!}4I!}
O!}8O!}
O!}#
Pq!}<q!}Lt }
m!}`l!}
h!} g!}
_!}hq!}xs!}
y!}xz!}
}!}@~!}
4}@~!}
4y&}4y&}
@y&}@y&}
!}@y&}
4J!}lJ!}
% }m
SystemLibraryDTC
SOFTWARE\Microsoft\Cryptography\Defaults\Provider\
0m'1
rWxz
G8xCS
FIyvY
&9XA
Vdt|Do6
%W:"
SOFTWARE\Microsoft\Cryptography\Providers\Type 
SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 
SOFTWARE\Microsoft\Cryptography\Defaults\Provider
SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types
wTP 3
.<(+|&
!$*);^-/
,%_>?
`:#@'="
abcdefghi
jklmnopqr
~stuvwxyz
{ABCDEFGHI
}JKLMNOPQR
STUVWXYZ
0123456789
OPENGL32
FNOT 
C~ofF~
7C~L
7C~L
7C~L
7C~L
7C~/
7C~/
7C~L
bE~'
@)A~
T!A~
@1C~
0C~J8C~t
windows.hlp
2A~h2A~
TF~DUF~SVF~fUF~~VF~
VF~P
.?AVexception@@
.?AVbad_cast@@
.?AVbad_typeid@@
.?AV__non_rtti_object@@
.?AVtype_info@@
.?AVDNameNode@@
.?AVcharNode@@
.?AVpDNameNode@@
.?AVDNameStatusNode@@
.?AVpcharNode@@
Assertion failed: %s, file %s, line %d
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
acos
asin
atan
fmod
wlog
log10
?pow
sqrt
FlR!<B
I:!A9
FlR!<B
Y_,0
ub8c@
)3M3
@hcjz
@~dV=x
?X(X
{bi@
{DA5
kNB'
?JIE]0\
8+ D
/&A2/
atan2
sinh
cosh
tanh
Cp/n/P+
Gp/nY
Ep/n7P+
Op/n1P+
Ip/n5P+
Mp/n
Cp'n/P%
Gp'nY
Ep'n7P%
Op'n1P%
Ip'n5P%
Mp'n
Qpon
Qpgn
/h<P+
'h<P
*Tp3.;P
*Sp3.
'vi;
                          
                        
        
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789ABCDEF
0XwA
1Xw.1Xw4``w
0XwA
5Xw+6Xw
xd`wh``w
Ou[w
u[w+v[w
GH_wGH_w
Nw+/
0g`w0g`w8g`w8g`w@g`w@g`wHg`wHg`wPg`wPg`wXg`wXg`w`g`w`g`whg`whg`wpg`wpg`wxg`wxg`w
|q`w
q`w@l
t`w\t`w
p[Nw
`Nw4
(`Nw
`Nw4
aNw4
(aNw
aNw4
Pw=^`w
@v`w v`w
v`wdy`w
y`w8}`w4w`w4y`w
x`w x`w
w`w`x`w|
`wdv`w
z`w`w`w
v`wx{`w
y`w`~`w
~`wT
`w0~`w 
~`w(
`w(z`w`|`w
}`wd
`w@|`w
x`wH
{`w<
`w`{`w
y`wXz`wl}`w
z`w<{`w
{`w |`w
w`w 
`wx|`w
`wT}`w
bNwp
$Nw4
7T`w
$Nw4
Nw\$Nw4
Nwl$Nw4
!Y`wtY`w
Nw|$Nw4
#`wH[`w
#Nw4
#`wH[`wh#`w
PwyW`w
#Nw4
]Z`w
#Nw4
Pw5W`w
Pwg3`w
Q`wt4`wi5`w
$Nw4
PwvQ`w
Q`wjR`wzR`w
S`wPS`w`S`w(
Pwg3`w
Q`wt4`wi5`w
4`woP`w
$Nw4
PwvQ`w
Q`wjR`wzR`w
S`wPS`w`S`w!Q`w1Q`wP
!`w/6`w
Pw?V`w
#Nw4
WNw4
WNw4
Nw WNw4
NwL$Nw4
Nw,$Nw4
Pw1\`w|]`w
9]`w
Pw1\`w|]`w
9]`w
PwEX`w
#Nw4
Nw<$Nw4
#Nw4
0WNw
`NwH`NwxaNw
WNw(NNw
 WNwhNNw
 WNw
0GOw8DOw4
Je[w
[Ow0\Ow4
@\Ow
\Ow4
\OwT]Ow4
Pw`p[w
d]OwP^Ow4
\w"j[w/j[w
i[w`^Ow
_Ow4
\w"j[w/j[w
^k[w
_Owd`Ow4
0l[wAn[w
o[wx`Ow@aOw4
0l[wAn[w
l[w,m[w
PaOw
aOw4
aOw bOw4
0bOw
bOw4
bOw4
TP 3
pOOw
^Ow,`Ow
aOwp_OwtaOw
aOwLbOw
<$Nw 
<[Nw<[Nw<[Nw\[Nw\[Nw\[Nw\[Nw\[Nw\[Nw\[Nw
oaVT
daVT
eaVT
lOwtlOwb
`lOwPlOwA
DXw<EXwnEXw
EXwSGXw
HXwSHXw
IXw+FXwcFXw
GXw+GXw
$pOw
MARB
MARB
MARB@
MARB
MARB@
MARB
pOwTP 3
luOwPuOw4uOw
 uOw
tOw$
ptOw
\tOw
DtOw
 	\/!:
OLE: Icon source next (Unicode)
OLE: Icon label next (Unicode)
IconOnly
Service Pack 3
DOSIME
|MICROSOFT PIFEX
WINDOWS 386 3.0
WINDOWS VMM 4.0
WINDOWS NT  3.1
WINDOWS NT  4.0
CONFIG  SYS 4.0
AUTOEXECBAT 4.0
Terminal
Lucida Console
Courier New
AppWizard
Service Pack 3
Service Pack 3
dDwx
PiEw\
1$Bw
q:Aw
`q@w|
	>w\
O@w8
YE@w
_k?w0
$L?w$
l@=w
=wd$=w8$=w
#=wt#=wL#=w$#=w
"=wg
Service Pack 3
]x*	]
]|+	]
]\+	]
]@+	]
],.	]
*	] 
]p,	]@
jE	]
jE	]
]x1	]
Q.	]0/	]
S/	]00	]
]F:\malekal\itrust\27062013\Case_06272013.exe
                          
                        
        
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
query 
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
user@domain
0123456789ABCDEF
wSqYiwjcQCgQxrEgOT
.?AW4P3PStatus@@
.ShellClassInfo
CLSID
{FF393560-C2A7-11CF-BFF4-444553540000}
UICLSID
{7BD29E00-76C1-11CF-9DD0-00A0C9034933}
zedv5
C:\WINDOWS\system32\
.?AVSafeIntException@@
comctl32.dll
vH7B
W4vC
s$~i
s$~r
t$~&t$~5t$~Dt$~St$~bt$~qt$~
s$~E
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
                        
        
text/scriptlet
 i3%
 f%~
0f%~
<f%~
Hf%~
Tf%~
`f%~
lf%~
xf%~
0g%~
lg%~
Pg%~
(d%~
@d%~
Xd%~
pd%~
~`O%~
`O%~
;$~j<$~
UA-CPU: x86
F:\malekal\itrust\27062013\Case_06272013.exe
=w8'
text/plain
text/richtext
image/x-xbitmap
application/postscript
application/base64
application/macbinhex40
application/pdf
audio/x-aiff
audio/basic
audio/wav
image/gif
image/pjpeg
image/jpeg
image/tiff
image/x-png
image/png
image/bmp
image/x-jg
image/x-art
image/x-emf
image/x-wmf
video/avi
video/x-msvideo
video/mpeg
application/x-compressed
application/x-zip-compressed
application/x-gzip-compressed
application/x-msdownload
application/java
application/octet-stream
text/html
application/x-cdf
application/x-netcdf
{\rtf
begin
GIF87
GIF89
%PDF
MThd
Content Type
~MIME\Database\Content Type\
Software\Microsoft\Internet Explorer\ActiveX Compatibility
~Accept-Encoding: gzip, deflate
onverted with BinHex
Location: 
Compatibility Flags
MiscStatus Flags
($A1
y@MH
bqpT
/m,&
%E'u
Accept-Encoding: gzip, deflate
 ~CLSID
Flags
Extension
define
width
bits
0123456789ABCDEF
POST
attachment
filename
s%~Du%~
s%~dt%~
u%~0t%~Ht%~du%~
 ~lU
 ~\U
 ~\|
 ~H;
~Content-Disposition: attachment; filename=
 ~Extension
MIME\Database\Content Type\
 ~Pt ~
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
 (8PX
800WP
``````
ppxxxx
FE2X}
75?h
PolicyHandler
p)A~
Attachments
(288.2 KiB) Downloaded 72 times
 #20157  by unixfreaxjp
 Thu Jul 18, 2013 11:52 am
Starting from a spam relayed from IP registered to the US's Department of Defense:
Image
Noted: Cyrillyc character set was used.

Below is the PoC of the US's DOD Network:
Image

Has this attachment, which is a Win32/Fareit:
Image
VT: https://www.virustotal.com/en/file/2c59 ... /analysis/
Still using this compressor:
Code: Select all
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Btw, detected this crypter signature too:
Code: Select all
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
I run it & make this video of this mess: http://youtu.be/_q8f7kc7nxI < VIDEO! :-)

It calls these gates:
Code: Select all
h00p://nursenextdoor.com:443/ponyb/gate.php
h00p://dreamonseniorswish.org:443/ponyb/gate.php
h00p://prospexleads.com:8080/ponyb/gate.php
h00p://phonebillssuck.com:8080/ponyb/gate.php
Downloaded these two files:
Code: Select all
h00p://www.lavetrinadeidesideri.it/Twe.exe
h00p://ftp.aquasarnami.com/zKo.exe
Template of the downloads/GET used:
Code: Select all
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
While POST'ing using the below template:
Code: Select all
 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 
POST session captured:
Image

Downloaded malwares stored them in these locations, PWS ZBots
Image
VT of these files:
https://www.virustotal.com/en/file/0dfc ... 374146394/
https://www.virustotal.com/en/file/213e ... 374146373/

Back to the original sample, it licks these credentials:
Code: Select all
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
Line
wcx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
.ini
WS_FTP
DIR
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 9\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
Software\FlashFXP\3
Software\FlashFXP
Software\FlashFXP\4
InstallerDathPath
path
Install Path
DataFolder
\Sites.dat
\Quick.dat
\History.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Host
User
Pass
Port
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
Path
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
FTP Navigator
FTP Commander
ftplist.txt
\BulletProof Software
.dat
.bps
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
LastSessionFile
SitesDir
InstallDir1
.xml
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
installpath
Software\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
Password
UserName
HostAdrs
RemoteDir
Port
HostName
Port
Username
Password
HostDirName
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
Host
User
Port
PthR
SSH
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Buttons
Software\FTP Explorer\Profiles
Password
PasswordType
Host
Login
Port
InitialPath
FtpSite.xml
\Frigate3
.ini
\VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
UltraFXP
\sites.xml
\FTPRush
RushSite.xml
Server
Username
Password
FtpPort
Software\Cryer\WebSitePublisher
\BitKinex
bitkinex.ds
Hostname
Username
Password
Port
Software\ExpanDrive\Sessions
\ExpanDrive
\drives.js
"password" : "
Software\ExpanDrive
ExpanDrive_Home
Server
UserName
Password
_Password
Directory
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
.oxc
.oll
ftplast.osd
\GPSoftware\Directory Opus
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
\CoffeeCup Software
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
SOFTWARE\LeapWare
InstallPath
DataDir
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
\32BitFtp.ini
NDSites.ini
\NetDrive
PassWord
Url
UserName
RootDirectory
Port
Software\South River Technologies\WebDrive\Connections
ServerType
FTP CONTROL
FTPCON
.prf
\Profiles
http://
https://
ftp://
opera
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
MRU
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
profiles.ini
Profile
IsRelative
Path
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http://
https://
ftp.
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
AppDir
LocalDir
bookmark.dat
SiteInfo.QFP
Odin
Favorites.dat
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI: 
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Microsoft_WinInet_*
ftp://
Software\Adobe\Common
SiteServers
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
table
CONSTRAINT
PRIMARY
UNIQUE
CHECK
FOREIGN
logins
origin_url
password_value
username_value
ftp://
http://
https://
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
\Bromium
\Nichrome
\Comodo
\RockMelt
K-Meleon
\K-Meleon
\Profiles
Epic
\Epic\Epic
Staff-FTP
sites.ini
\Sites
\Visicom Media
.ftp
\Global Downloader
SM.arch
FreshFTP
.SMF
BlazeFtp
site.dat
LastPassword
LastAddress
LastUser
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
.fpl
FTP++.Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
\NetSarang
.xfp
.rdp
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
FTP Now
FTPNow
sites.xml
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
Password
ServerName
UserID
InitialDirectory
PortNumber
ServerType
fMY
Software\LinasFTP\Site Manager
Host
User
Pass
Port
Remote Dir
\Cyberduck
.duck
user.config
<setting name="
value="
Software\SimonTatham\PuTTY\Sessions
HostName
UserName
Password
PortNumber
TerminalType
NppFTP.xml
\Notepad++
Software\CoffeeCup Software
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
DataDir
\FTPInfo
ServerList.xml
NexusFile
ftpsite.ini
FastStone Browser
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
Site
UserID
xflags
Port
Folder
.wjf
winex="
\Yandex
My FTP
project.ini
.xml
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
Salt
<_OP3_Password2
<_MTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
Path
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Count
Default
Dir #%d
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
FastTrack
ftplist.txt
As usual, these strings:
Code: Select all
diamond
hope
maggie
maverick
online
spirit
george
friends
dallas
adidas
1q2w3e
orange
testtest
asshole
apple
biteme
william
mickey
asdfgh
wisdom
batman
michelle
david
eminem
scooter
asdfasdf
sammy
baby
samantha
maxwell
justin
james
chicken
danielle
iloveyou2
fuckoff
prince
junior
rainbow
fuckyou1
nintendo
peanut
none
church
bubbles
robert
destiny
loving
gfhjkm
mylove
jasper
hallo
cocacola
helpme
nicole
guitar
billgates
looking
scooby
joseph
genesis
forum
emmanuel
cassie
victory
passw0rd
foobar
ilovegod
nathan
blabla
digital
peaches
football1
power
thunder
gateway
iloveyou!
football
tigger
corvette
angel
killer
creative
google
zxcvbnm
startrek
ashley
cheese
sunshine
christ
soccer
qwerty1
friend
summer
merlin
phpbb
jordan
saved
dexter
viper
winner
sparky
windows
123abc
lucky
anthony
jesus
ghbdtn
admin
hotdog
baseball
password1
dragon
trustno1
jason
internet
mustdie
john
letmein
mike
knight
jordan23
abc123
red123
praise
freedom
jesus1
london
computer
microsoft
muffin
qwert
mother
master
qazwsx
samuel
canada
slayer
rachel
onelove
qwerty
prayer
iloveyou1
whatever
god
password
blessing
snoopy
1q2w3e4r
cookie
chelsea
pokemon
hahaha
aaaaaa
hardcore
shadow
welcome
mustang
bailey
blahblah
matrix
jessica
stella
benjamin
testing
secret
trinity
richard
peace
shalom
monkey
iloveyou
thomas
blink182
jasmine
purple
test
angels
grace
hello
poop
blessed
heaven
hunter
pepper
john316
cool
buster
andrew
faith
ginger
hockey
hello1
angel1
superman
enter
daniel
forever
nothing
dakota
kitten
asdf
banana
gates
flower
taylor
lovely
hannah
princess
compaq
jennifer
myspace1
smokey
matthew
harley
rotimi
fuckyou
soccer1
single
joshua
green
123qwe
starwars
love
silver
austin
michael
amanda
charlie
bandit
chris
happy
pass
By the way, the facebook:
Code: Select all
2http://www.facebook.com/
pSettings
jwN
xthpt/:w/wwf.cabeoo.koc/m
Bots:
Code: Select all
inet_addr
gethostbyname
socket
connect
closesocket
send
select
recv
After infection of the two downloaded etc malwares detected these:
They tried hard to ping me! :-D
Image
Huge DNS requests (spambot? No! No smtp detected, FakeAV network? NO! Too many hosts, false alarm. is a Zeus BotNet communication!)
Image
Image
and (BINGO!) amalform UDP traffic:
Image

Be free to detail analyze the downloaded malware (attached too), enjoy!
*) thank's to @Xylit0l % @Win32:Virut for quick mentioning this wasn't FakeAV, three sh*ts was running in the same time was confusing me so much, next time I will surely breakdown sample per sample in separate post to avoid confusion in my analysis.
*) @XYlit0l is posting the unpacked binary here: https://www.virustotal.com/en/file/a5e1 ... 374153204/

#MalwareMustDie!
Attachments
password: infected
(451.34 KiB) Downloaded 87 times
 #20163  by unixfreaxjp
 Thu Jul 18, 2013 7:20 pm
I just bumped into a bitter fact a couple of minutes ago.. that I can not let this without clarification as follows:
what "looks like" the US's DOD email routing header information was actually a spoofed information made by a spambot via spam-config template.
We had received the related template generated from decoded spambot config (cutwail) with the below format:
Code: Select all
Received: from [{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}] (port={NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]} helo=[192.168.{DIGIT[1]}.{DIGIT[1]}{DIGIT[1]}]) by {BOT_IP} with asmtp id 1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for {MAILTO_USERNAME}@{MAILTO_DOMAIN}; {DATE}
Which perfectly match to the spam mail header below:
Code: Select all
Received: from [143.214.203.103] (port=30877 helo=[192.168.8.11]) by 69.199.182.82 with
  asmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500
So we know that the below template is for the IP address:
Code: Select all
{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}
Port number template:
Code: Select all
{NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]
This is the template of two digit REGEX of [0-9A-Z]{2} to fake a counter of MTA log ID.
Code: Select all
{SYMBOL[1]}{SYMBOL[1]}
That means that the DoD IP Address was spoofed, by digit per digit printed into the above template of the spambot.
Hope this explanation will be a good knowledge for the further analysis against these evil malware spambot threat we fight,
we are dealing with the moral sick individuals who know well how to fake a SMTP header here.

credit goes to: @snxperxero @xylit0l for the heads-up.
 #20191  by Win32:Virut
 Mon Jul 22, 2013 1:27 pm
Fareit - E-mail attachment.

Transfer Swift.scr
MD5: 8323c3f56b6777a3cf7d2bb886ac70c2
SHA1: df5c97c674f0fed5adef7424f1ac3f877fcb1b92
SHA256: 3fe613793f827039e62d48b62449938027e58e39bac3d3ba0bcfea75dd719e6a
https://malwr.com/analysis/ODVjOWQwNjQw ... EwZGU4OWE/
https://www.virustotal.com/file/3fe6137 ... /analysis/

MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
https://malwr.com/analysis/YWRjNTg1YmZl ... AxY2MxOTM/
https://www.virustotal.com/en/file/936d ... /analysis/
Attachments
(92.15 KiB) Downloaded 67 times
 #20285  by unixfreaxjp
 Tue Jul 30, 2013 4:59 pm
Spam campaign attachment:
Image
Download header used:
Code: Select all
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
Credential posted to gates with below header format:
Code: Select all
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0))
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Access to facebook to the setting bars..
Code: Select all
http://www.facebook.com/
abe2869f-9b47-4cd9-a358-c22904dba7f7
Settings
aPlib cmpressor's trace:
Code: Select all
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Pony gates:
Code: Select all
http://webmail.alsultantravel.com:8080/ponyb/gate.php
hxxp://alsultantravel.com:8080/ponyb/gate.php
hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php
hxxp://198.57.130.35:8080/ponyb/gate.php
Download Zbots:
Code: Select all
hxxp://www.giftedintuitive.com/kQYjoPqY.exe
hxxp://198.61.134.93/MM75.exe
hxxp://ftp.jason-tooling.com/nhdx.exe
hxxp://paulalfrey.com/guBwFA.exe
Assembly trace:
Code: Select all
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity><description>Program Description</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
VT:
https://www.virustotal.com/en/file/8342 ... /analysis/
Note:
credential list slurped is unchanged.
Attachments
pwd: infected
(98.9 KiB) Downloaded 63 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7