A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#29449 by EP_X0FF
Tue Oct 18, 2016 7:34 am
ikolor wrote:
next..

https://www.virustotal.com/en/file/b59a ... 471635778/

https://www.virustotal.com/en/file/4dc1 ... 471635105/
Skype.rar - damaged archive, removed.
kc.exe/trust.exe - NetWiredRC backdoor.
Code:
NetWire
Nh22=
b6 .
M/S#
DLujlrSb
Profile (EDYKO)
Password
+Ro 
_@"d
&o'2
a?4#b
$H]H
AM!9
Z%v:
l[m7
ceonoip.gotdns.ch:20194;
WH`d
oe%}
"@dc
@echo off
ping 192.0.2.2 -n 1 -w %d >nul 2>&1
DEL /s "%s" >nul 2>&1
call :deleteSelf&exit /b
:deleteSelf
start /b "" cmd /c del "%%~f0"&exit /b
%c%.8x%s
%s @ %s
TEMP
%s\%s.exe
%s\%s.%s
%s\%s
%s*.*
!&.37<
"%/28;=#$019:>?
FCONNECT %s:%d HTTP/1.0
Host: %s:%d
200 OK
%.2d/%.2d/%d %.2d:%.2d:%.2d
%I64u
%s%s\
%I64u
%s%s
shell32.dll
SHFileOperationA
%.4d-%.2d-%.2d %.2d:%.2d:%.2d
Time: %d
Time: +%d
http://%s%s
GET %s HTTP/1.1
Host: %s 
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Connection: close
200 OK
psapi.dll
GetModuleFileNameExA
kernel32.dll
%.2d/%.2d/%d %.2d:%.2d:%.2d
ComSpec
WINDIR
%s\system32\cmd.exe
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
softokn3.dll
Path=
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
%s\%s
%s\msvcr100.dll
%s\msvcp100.dll
%s\msvcr120.dll
%s\msvcp120.dll
mozutils.dll
mozglue.dll
mozsqlite3.dll
%s\nss3.dll
Mozilla Firefox
APPDATA
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
Mozilla Thunderbird
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\signons.sqlite
%s\logins.json
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
NSSBase64_DecodeBuffer
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select *  from moz_logins
%c%s
hostname
encryptedUsername
encryptedPassword
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat
%s\.purple\accounts.xml
<protocol>
%d%s
<name>
<password>
advapi32.dll
CredEnumerateA
CredFree
WindowsLive:name=*
%d%s
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
%.2X
%c%S
%S:%S
abe2869f-9b47-4cd9-a358-c22904dba7f7
%c%s
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
%s\*.*
index.dat
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItem
VaultFree
%c%s
%s:%s
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
%s\Opera Software\Opera Stable\Login Data
localhost
USERNAME
Unknown
kernel32.dll
GetNativeSystemInfo
SYSTEM\CurrentControlSet\Control\ProductOptions
ProductType
WINNT
LANMANNT
SERVERNT
Version
GlobalMemoryStatusEx
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
PATH
WINDIR
%I64u
%I64u
%I64u
winhttp.dll
WinHttpOpen
WinHttpGetProxyForUrl
http=
socks=
WinHttpGetIEProxyConfigForCurrentUser
TEMP
%s\%s.bat
ComSpec
%s /c "%s"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
.Identifier
%s%s
%Rand%
-m "%s"
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
"%s"
StubPath
{%s*
%d:%s%s;
%s%s\
%d:%I64u:%s%s;
%c%llu
%llu
6%s%.2d-%.2d-%.4d
[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
[Backspace]
[Enter]
[Tab]
[Arrow Left]
[Arrow Up]
[Arrow Right]
[Arrow Down]
[Home]
[Page Up]
[Page Down]
[End]
[Break]
[Delete]
[Insert]
[Print Screen]
[Scroll Lock]
[Caps Lock]
[Esc]
[Ctrl+%c]
[%s]
user32.dll
RegisterRawInputDevices
GetRawInputData
wcnwClass
%s%s
%.2d-%.2d-%.4d
Secur32.dll
LsaGetLogonSessionData
LsaFreeReturnBuffer
LsaEnumerateLogonSessions
%.2d/%.2d/%d %.2d:%.2d:%.2d
%s\%s
0x%.8X (%d)
0x%.16llX (%I64d)
%c%.8x%s
%c%.8x%s%s
%c%.8x%s\%s
%c%.8x%s\%s
iphlpapi.dll
GetExtendedTcpTable
GetExtendedUdpTable
psapi.dll
GetProcessImageFileNameA
kernel32.dll
%s:%u
%s:%d
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB
Local Disk
%s (%s)
%I64d
%I64d
Posts moved.
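As an added triage example (not part of the original post): a small Python script that tags a strings dump like the one above with capability labels and pulls out the bare host:port line that looks like the configured C2. The indicator grouping and the sample excerpt are my own construction from the strings shown in the post.

```python
import re

# Indicator substrings from the NetWiredRC strings dump above, grouped by the
# capability they point to (my grouping, not the author's).
CAPABILITIES = {
    "firefox_thunderbird_credentials": ["PK11SDR_Decrypt", "moz_logins"],
    "chromium_credentials": ["User Data\\Default\\Login Data"],
    "outlook_profile_secrets": ["9375CFF0413111d3B88A00104B2A6676"],
    "windows_vault_credentials": ["VaultEnumerateItems", "VaultGetItem"],
    "raw_input_keylogger": ["RegisterRawInputDevices", "GetRawInputData"],
    "run_key_persistence": ["CurrentVersion\\Run\\"],
    "active_setup_persistence": ["Active Setup\\Installed Components", "StubPath"],
    "self_delete_batch": [":deleteSelf", "%%~f0"],
    "connection_enumeration": ["GetExtendedTcpTable", "GetExtendedUdpTable"],
    "logon_session_enumeration": ["LsaEnumerateLogonSessions"],
}

# A bare "host:port" line (optionally ';'-terminated) is the config C2 entry;
# format strings such as "%s:%d" cannot match because '%' is not allowed.
C2_LINE = re.compile(r"^([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+):(\d{1,5});?$")

def triage_strings(dump):
    """Return ({capability: [matched indicators]}, [(host, port), ...])."""
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    found = {}
    for cap, needles in CAPABILITIES.items():
        hits = sorted({n for n in needles if any(n in ln for ln in lines)})
        if hits:
            found[cap] = hits
    c2 = []
    for ln in lines:
        m = C2_LINE.match(ln)
        if m:
            c2.append((m.group(1), int(m.group(2))))
    return found, c2

# Constructed excerpt: a handful of lines copied from the dump above, not the full output.
SAMPLE_DUMP = r"""
ceonoip.gotdns.ch:20194;
start /b "" cmd /c del "%%~f0"&exit /b
%s\signons.sqlite
PK11SDR_Decrypt
select *  from moz_logins
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
%s\Google\Chrome\User Data\Default\Login Data
RegisterRawInputDevices
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
GetExtendedTcpTable
"""
```

Run `triage_strings(open("strings.txt").read())` on a real `strings` output to get the capability tags and C2 candidates for a sample.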