SkyTraF executable

#22485 by Artilllerie
Wed Mar 19, 2014 3:33 pm

Hello,

Here a quick look about a strange malware hosted on some HTTP servers with the name "SkyTraF" :

Included the exe (pass : infected).

Here the VT link :
https://www.virustotal.com/fr/file/f9fb ... 395239864/

I don't think It's an interesting malware, this post is just for sharing infos ;).

Take Care

Attachments

SkyTraF.zip

(848.2 KiB) Downloaded 63 times

Username

Artilllerie

Posts

25

Joined

Thu Dec 13, 2012 11:32 am

Re: SkyTraF executable

#22491 by Xylitol
Thu Mar 20, 2014 2:54 am

SkyTraF is the executable downloaded by http://www.kernelmode.info/forum/viewto ... =50#p22475
each time it will download the payload from new ips (tested on cuckoo)

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: SkyTraF executable

#22493 by Artilllerie
Thu Mar 20, 2014 10:12 am

Dedicated to Kelihos & Waledac, thank for this information Xylitol.

Username

Artilllerie

Posts

25

Joined

Thu Dec 13, 2012 11:32 am

Re: SkyTraF executable

#22607 by colbyiscute4e
Wed Apr 02, 2014 5:46 pm

You know what i dont get?
why some programs dont stop it like Rkill or RougeKiller :|
please correct me if im wrong

Username

colbyiscute4e

Posts

11

Joined

Mon Dec 16, 2013 4:29 pm

Re: SkyTraF executable

#22610 by TETYYSs
Wed Apr 02, 2014 6:42 pm

colbyiscute4e wrote:You know what i dont get?
why some programs dont stop it like Rkill or RougeKiller :|
please correct me if im wrong

Because these programs are not perfect.

Username

TETYYSs

Posts

98

Joined

Fri Jun 28, 2013 6:51 pm

Re: SkyTraF executable

#22611 by r3shl4k1sh
Wed Apr 02, 2014 8:22 pm

Artilllerie wrote:Dedicated to Kelihos & Waledac, thank for this information Xylitol.

Nope it doesn't looks like Kelihos!
From the images you provided in your first post it seems more like Simda -> viewtopic.php?f=16&t=2157&start=20#p22592

Username

r3shl4k1sh

Posts

119

Joined

Tue Feb 05, 2013 10:26 pm

Location

Israel

Contact

Re: SkyTraF executable

#22612 by Xylitol
Wed Apr 02, 2014 11:05 pm

r3shl4k1sh wrote:
Artilllerie wrote:Dedicated to Kelihos & Waledac, thank for this information Xylitol.
Nope it doesn't looks like Kelihos!
From the images you provided in your first post it seems more like Simda -> viewtopic.php?f=16&t=2157&start=20#p22592

Kelihos and Simda are downloaded in bundle by the dropper normally, those files are related to Severa and i suspect a black affiliate system where 'SkyTraF' is the name of the partner.

Code: Select all

194.44.49.96/mod2/zlubob1.exe
123.240.9.110/mod1/zlubob1.exe
37.57.40.36/mod1/azaza01.exe
95.68.95.23/mod1/sheler1.exe
188.237.206.58/mod1/mangust.exe
103.31.186.20/mod1/sheler1.exe
37.57.40.36/mod1/sheler1.exe
77.122.234.46/mod1/sheler1.exe
5.53.242.175/mod2/sheler1.exe
37.233.39.74/mod2/dun0101.exe
95.42.124.199/mod2/dun0101.exe
185.39.74.52/mod1/dun0101.exe
37.229.154.184/mod1/zlubob1.exe
83.99.183.42/mod2/zlubob1.exe
95.158.28.126/mod2/zlubob1.exe
109.251.126.26/mod1/zlubob1.exe
188.190.42.32/mod1/apostol.exe
31.11.76.112/mod2/apostol.exe
194.44.49.96/mod2/5minut1.exe
130.255.135.171/mod2/5minut1.exe
78.90.227.80/mod1/sheler1.exe
103.31.186.20/mod1/kecik01.exe
109.72.58.181/mod1/kecik01.exe
91.250.6.15/mod2/kecik01.exe
37.139.108.182/mod1/zlubob1.exe
91.244.234.65/mod1/dun0101.exe
109.185.118.66/mod2/apostol.exe
194.44.49.98/mod2/apostol.exe
109.251.217.207/mod1/mangust.exe

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact