A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12508  by AaLl86
 Tue Apr 03, 2012 9:04 pm
EP_X0FF wrote:
Kafeine wrote: 59 items from naretkolas.in as domain (2012-03-28) for the Sinowal BHEK.
I plan to stop posting this (kind of Danaids feeling...) except if told it's of some use by someone.
We appreciate your sharing. Even if your messages are not getting replies, it does not mean that they are not interesting to anyone.
I agree with EP_X0FF, your samples are very useful for us, even if maybe we forget to reply and express gratitude...
Andrea
 #12524  by rkhunter
 Thu Apr 05, 2012 8:02 am
Kafeine wrote: 72 items. 2012-04-04_184.82.147.166.zip
ba64d3a3997fc942a1a9f681e4ed6b61->Reveton
d5d84fee739a9e40a3251ec2b9b746a6->Not a Sinowal I think (at least by behaviour and Kaspersky verdict - Trojan-Spy.Win32.Lurk.uu)
Others are Sinowal.
 #12528  by Kafeine
 Thu Apr 05, 2012 11:59 am
2012-04-05 -> http://minus.com/mbkiPTU7Bc/8f
Thread : http://min.us/mbkiPTU7Bc
Seems something moved in the nginx config of the BH EK. Had to slightly adapt scripts.

@rkhunter:
Strange ba64d3a3997fc942a1a9f681e4ed6b61 was also present on BH EK from a different group ( for instance : 195.26.18.15 - 195.26.18.127 )
The other file is steady over BHs. And it's not a PE file, right?... I guess, as others, around 68KB. Any idea, anyone?
 #12664  by Kafeine
 Fri Apr 13, 2012 7:21 am
6 items only.
http://minus.com/mbkiPTU7Bc/11f (attached too)

2 items... but strange BH EK... don't really understand why Sinowal was here with Reveton and other stuff... (one of the two items confirmed as Sinowal by rkhunter)
http://minus.com/mbkiPTU7Bc/12f

Thread: http://minus.com/mbkiPTU7Bc
Attachments
Pass: infected - 6 items
Pass: infected - 2 items