Trojan SpyEye (alias Pincav) - Page 23

Re: Trojan SpyEye (alias Pincav)

#7811 by EP_X0FF
Mon Aug 01, 2011 12:37 pm

Buckrogers wrote:Initially I thought it was the dropper, but apparently this dir is created and deleted on every boot.

It is hidden by NtQueryDirectoryFile hook in Explorer.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#7877 by gritland
Sat Aug 06, 2011 1:16 pm

http://www.virustotal.com/file-scan/rep ... 1312635892

Attachments

calc.rar

pwd: malware
(395.17 KiB) Downloaded 47 times

Username

gritland

Posts

31

Joined

Tue May 11, 2010 10:57 am

Re: Trojan SpyEye (alias Pincav)

#7878 by EP_X0FF
Sat Aug 06, 2011 1:26 pm

gritland wrote:http://www.virustotal.com/file-scan/rep ... 1312635892

Equal to this, multipacked recrypt.

In attach unpacked.

Attachments

Malware.rar

pass: malware
(308.03 KiB) Downloaded 54 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#7879 by gritland
Sat Aug 06, 2011 1:53 pm

some av detect this as dropper of tdl :D

Username

gritland

Posts

31

Joined

Tue May 11, 2010 10:57 am

Re: Trojan SpyEye (alias Pincav)

#7883 by gritland
Sun Aug 07, 2011 12:38 pm

http://www.virustotal.com/file-scan/rep ... 1312720402

Attachments

log.rar

pwd: malware
(152.2 KiB) Downloaded 48 times

Username

gritland

Posts

31

Joined

Tue May 11, 2010 10:57 am

Re: Trojan SpyEye (alias Pincav)

#7884 by EP_X0FF
Sun Aug 07, 2011 1:45 pm

gritland wrote:http://www.virustotal.com/file-scan/report.html?id=c37427fb19d01c8b3eb657cd7e322c272772506545f87733ea0230cb9c67d292-1312720402

Equal to this and this.

Updated gates list.

hxxp://www.solodiyi.com/main/gate.php;100
hxxp://www.verdumnn.com/main/gate.php;100
hxxp://www.aaggrreesssor.com/main/gate.php;100
hxxp://www.trressuryy.com/main/gate.php;100

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#7974 by EP_X0FF
Sat Aug 13, 2011 3:00 am

SpyEye 1.3.x

Base path x:\Romano.Bin, file and config file names are hexadecimal random.
Crap is failed to hide itself after installation

Pass for decrypted config: FD9EBD0F32D1D60DB9E58344C38FABEF

Gates:

hxxp://banistabank.ru/ko.php;300
hxxp://eewtoopqq.ru/www5.php;300

Plugins: customconnector, ccgrabber.

Original 0/ 43 (0.0%)
http://www.virustotal.com/file-scan/rep ... 1313203186

Unpacked 17/ 42 (40.5%)
http://www.virustotal.com/file-scan/rep ... 1313203802

Attachments

Malware.rar

pass: malware
(172.95 KiB) Downloaded 58 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#7989 by gritland
Sat Aug 13, 2011 11:15 pm

http://www.virustotal.com/file-scan/rep ... 1313272926

Attachments

info.rar

pass: malware
(166.17 KiB) Downloaded 48 times

Username

gritland

Posts

31

Joined

Tue May 11, 2010 10:57 am

Re: Trojan SpyEye (alias Pincav)

#7994 by EP_X0FF
Sun Aug 14, 2011 4:34 am

gritland wrote:http://www.virustotal.com/file-scan/rep ... 1313272926

The same as http://www.kernelmode.info/forum/viewto ... 6382#p6382, re-crypt with new servers list.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan SpyEye (alias Pincav)

#7997 by Brookit
Sun Aug 14, 2011 12:33 pm

Article about Spyeye Builder patch from Xyliton (

) : http://blog.damballa.com/?p=1357

I do not understand why they say it was leaked? Xylitol have you hacked yourself? :)

Username

Brookit

Posts

119

Joined

Wed Mar 10, 2010 8:01 pm