A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9537  by EP_X0FF
 Fri Nov 04, 2011 3:00 pm
Trojan Muldrop crypted by iCrypt Classic v4.4 with AntiVM
AntiVM wrote:GetModuleHandleW
sbiedll.dll
VIRTUAL HD
Sleep
GetVolumeInformationW
QEMU HARDDISK
VMWARE VIRTUAL IDE HARD DRIVE
CreateFileW
\\.\PhysicalDrive0
and then packed with UPX, internally something called bsstealer_loader. Inside contains encrypted modules used for sensitive information stealing (for example first it launch NirSoft.MessenPass).

Unpacked dropper result
http://www.virustotal.com/file-scan/rep ... 1320417791

You may play with unpacked dropper to extract all modules it contains - this malware restarts itself with each module set as payload. Nothing impressive, usual junk.
Attachments
pass: malware
(551.88 KiB) Downloaded 43 times
 #9543  by EP_X0FF
 Sat Nov 05, 2011 1:56 pm
Xylitol wrote:the crypter has also reference to ngrbot apparently but for some reason i need to download files manualy
Yes also from what I have, it used by some SpyEye's.