A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6380  by EP_X0FF
 Wed May 18, 2011 5:38 am
markusg wrote:performsizm.exe
http://www.virustotal.com/file-scan/report.html?id=2a01c8cdea1150ef81f460da174fa724bfa6e1e5c1cab8d975384b7b886e70ba-1305564580
SpyEye v1.3

pass for decrypted config.bin: 9F6EBAF3531712646467F0C54E0D7D24

Gates:
hxxp://gameopiloris.com/svf/ksk.php;300
hxxp://ogmetakeloris.com/svf/ksk.php;300
Attachments
performsizm decrypted config
(75.17 KiB) Downloaded 56 times
 #6382  by EP_X0FF
 Wed May 18, 2011 6:09 am
markusg wrote:winxnet.bin.exe
http://www.virustotal.com/file-scan/report.html?id=321f75d35930d32e5f5300efb500f6ad1337f0cbffd39b633c8a977aedb7ab44-1305560314
This SpyEye v1.3 more interesting. It has antivm on board (probably part of skiddie crypter). Actually it looks for VmWare/VirtualPC/Sandbox/QEMU by checking specific registry keys, volume serial numbers and user names. If you interested have a look here @004415A7 (remove UPX first), if something is detected it will exit. Right after VM check located decryption procedures and main payload.

In attach decrypted SpyEye config, pass: 92E06E57C74BE0C0079606B99D9B5291

Gates:
hxxps://mishurka.ru/mail/form.php;3600
hxxps://hireiar.ru/web/trope.php;3600
hxxps://interwirez.ru/ale/one.php;3600
hxxps://sepostin.ru/update/womt.php;3600
hxxps://100wiles.ru/ars/being.php;3600
hxxps://krifis.ru/da/net.php;3600
hxxps://poleposx.ru/nit/big.php;3600
hxxps://jivat.ru/lo/bus.php;3600
Hehe, SpyEye likes Kaspersky Lab :) see certificates grabber plugin
sww wire cvv2 gostev bmw bugatti stock porche mustang satan 666 z0mbie
Attachments
(28.98 KiB) Downloaded 64 times
 #6488  by EP_X0FF
 Mon May 23, 2011 12:47 pm
Public directory

cnc0098510m.cz.cc/mmmmmmaaaaaa/bin

SpyEye v1.2x

Gate:
hxxp://cnc0098510m.cz.cc/mmmmmmaaaaaa/gate.php
Pass to decrypted config: A32A0302C2BA8C87B59553525929553F
Attachments
dropper, pass: malware
(112.29 KiB) Downloaded 53 times
(1.73 KiB) Downloaded 56 times
 #6489  by EP_X0FF
 Mon May 23, 2011 12:53 pm
markusg wrote:Washer2.rar.exe
http://www.virustotal.com/file-scan/report.html?id=6b9284c3732fae2ccc12673f4702c889e3e68cbb6667a3c5bf2882f199b1645a-1306153577
SpyEye v1.3
Find attached fully unpacked executable and decrypted config data (plugins: ccgrabber, customconnector, activeaz)
Pass for decrypted config.bin: 9B24636E1BB55960CF9B8F04A905FE96

Gates:
hxxp://host-checkker.net/ASdhgas6d/sdhgas/yrgdate13.php;350
hxxp://befirstchild.net/bFeIN_L/50x.html.php;350
hxxp://nofrostengland.com/hYtgfE/dgTrfdbbbf.php;350
http://www.virustotal.com/file-scan/rep ... 1306154511
Attachments
pass: malware
(258.3 KiB) Downloaded 70 times
  • 1
  • 10
  • 11
  • 12
  • 13
  • 14
  • 42