A forum for reverse engineering, OS internals and malware analysis 

Trojan.Advload

Forum for analysis and discussion about malware.

Re: Malware/Not classified

 #5427  by EP_X0FF
 Fri Mar 11, 2011 12:31 pm
markusg wrote:keygen.exe http://www.virustotal.com/file-scan/rep ... 1299844937
Trojan AdvLoad.

hxxp://bcrocket.com/ghquuyypdd/
hxxp://acgoblin.com/ghquuyypdd/
ver69%shhuuypqu.php?adv
%sqliqtbd.exe
%swwnoefww.php?adv=adv528&id=%d&c=%d
%spuoyd.exe
%sjjwnnerv.php?adv=adv528&id=%d&c=%d
%sibbt.exe
%sefiwwna.php?adv=adv528&id=%d&c=%d
%stwokpah.exe
%snnaeivmzd.php?adv=adv528&id=%d&c=%d
%svgwog.exe
%sivvzmdqhiy.php?adv=adv528&id=%d&c=%d
%shsjbu.exe
%sjwnoesww.php?adv=adv528&id=%d&c=%d
%seqma.exe
%sfsfwxar.php?adv=adv528&id=%d&c=%d
%safdtujja.exe
%sfssswaa.php?adv=adv528&id=%d&c=%d
%serlqd.exe
%skdhhu.php?adv=adv528&id=%d&c=%d
%shnbwjvoi.exe
%sylzzdhhll.php?adv=adv528&id=%d&c=%d
%sfhvgcdw.exe
%sbbopsj.php?adv=adv528&id=%d&c=%d
%srtdhhly.php?adv=adv528&id=%d&c=%d
Posts moved

Re: Trojan.Advload

 #5524  by EP_X0FF
 Thu Mar 17, 2011 1:02 pm
markusg wrote:your_exe.exe
http://www.virustotal.com/file-scan/report.html?id=36727e4b7b8566fd98ff35b4b2c86ca61af06111b1d72eac01b028eff0484d9b-1300359021
AdvLoad with refreshed cryptor.
hxxp://besenate.com/pdzqq/
hxxp://aemodern.com/pdzqq/

ver70
%sgnen.exe
%sdreiizm.php?adv=adv612&id=%d&c=%d
%sfabtdxsv.exe
%sererijznnr.php?adv=adv612&id=%d&c=%d
%syfcndrh.exe
%sxklypptgx.php?adv=adv612&id=%d&c=%d
%shyhmtwoo.exe
%szmmmdq.php?adv=adv612&id=%d&c=%d
%smuwk.exe
%ssfsswwaoef.php?adv=adv612&id=%d&c=%d
%stjqi.exe
%soxybcg.php?adv=adv612&id=%d&c=%d
%srqjiw.exe
%sveivm.php?adv=adv612&id=%d&c=%d
%sjxsbiui.exe
%snabfswwnn.php?adv=adv612&id=%d&c=%d
%sosegfte.exe
%sciivvmnd.php?adv=adv612&id=%d&c=%d
%scmmj.exe
%sqanarmz.php?adv=adv612&id=%d&c=%d
%sbyrjao.exe
%sfsggtxx.php?adv=adv612&id=%d&c=%d
%scpdqhuu.php?adv=adv612&id=%d&c=%d

Re: Trojan.Advload

 #5546  by PX5
 Fri Mar 18, 2011 4:11 pm
Looks like they are logging IPs and leaving mutex to ID machines already installed on before, doesnt seem to want to install more than once per machine/IP Address, this is a newish feature for these jokers, atleast for me it is.
 Return to “Malware”