A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21416  by Xylitol
 Mon Nov 18, 2013 12:18 pm
leeno wrote:Hi Guys ,

I have been looking for samples PWS:Win32/Dexter.B . the samples which we have in forum are of PWS:Win32/Dexter.A , may be new variation has been noticed by the Microsoft team ,
http://www.microsoft.com/security/porta ... er.B#tab=2

Any one with PWS:Win32/Dexter.B samples !

Warm Regards

Leeno
http://www.kernelmode.info/forum/viewto ... 756#p17147
70feec581cd97454a74a0d7c1d3183d1 please search before asking
 #21534  by bsteo
 Mon Dec 02, 2013 7:28 pm
Xylitol wrote:latest, there is no build version in this one, the source was probably sold to someone
So it should be 7.* Just found out from the bad guys that the latest Alina version is v7
 #21549  by bsteo
 Wed Dec 04, 2013 9:30 am
Some new POS malware I found on a compromised Backoffice server.

MD5 hash: a5a89dc69c4d3fa47a88b379179626c7
SHA1 hash: d2b1dccbb3a3a6e0ed5d55a89b4c04af192b414a

- crypted/packed with a VB crypter
- drops itself to %APPDATA\NET Framework\msdll32.exe, creates also two files in the same location: nt01.dat, nthome.dat
- tries to communicate with two HTTP panels, at least to fetch some configs:
Code: Select all
www.localhost0x2.net/config/config_01.bin
lucky-dumps.biz/config/config_01.bin
from the first one gets the file with the following encrypted and base64 encoded data:
Code: Select all
gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
gJycmNLHx4Sdi4ORxYydhZibxoqBkg==
- creates a MUTEX "_NEW_HOOK10"
- adds itself to autorun

http://camas.comodo.com/cgi-bin/submit? ... ec498571a6

I didn't try to decrypt/unpack it because I'm not home and no tools here.
https://www.virustotal.com/en/file/639a ... 386174185/
Attachments
password: infected
(700.33 KiB) Downloaded 93 times
 #21551  by Xylitol
 Wed Dec 04, 2013 10:30 am
http://www.kernelmode.info/forum/viewto ... 140#p21549
This is projecthook (or the mod), haven't looked the rest.
Also in attachement a pos malware that i received in august from an infected retailer, no idea if i should do a post about this.
https://www.virustotal.com/en/file/746c ... 376958328/
decebal: https://www.virustotal.com/en/file/af72 ... 386206269/ doen't look a pos malware too me another pe embedded in ressource, again vb6
Attachments
infected
(16.4 KiB) Downloaded 87 times
 #21583  by Xylitol
 Thu Dec 05, 2013 3:13 pm
checked your second file and this is darkomet not a pos malware
Code: Select all
#BEGIN DARKCOMET DATA --
PWD={xaxa23}
MUTEX={xaxa23}
SID={Jiji}
FWB={0}
NETDATA={davincii.no-ip.biz:1604}
GENCODE={VinoFfiKathi}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC32\msdcsc32.exe}
KEYNAME={MicroUpdate32}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={1}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
OFFLINEK={1}
#EOF DARKCOMET DATA --
  • 1
  • 13
  • 14
  • 15
  • 16
  • 17
  • 25