SpyEye monitoring 5-25 Nov, ~10 MB when unpacked
- 05/11/2011 - build_cr.exe -> 7E736B70C974685E8378D97EB5A7A129 2/43 >> 4.7%
- 05/11/2011 - config.bin -> B35DDE3CB9F888B80B361BBEE47777AD 12/43 >> 27.9%
- 06/11/2011 - 16 (Grabbed from BH) -> 62D0915F2D31D0A060671D31419A0B80 27/42 >> 64.3%
- 08/11/2011 - build___6D397774.exe -> 4911590A2E81B66B3142F404CA83691E 3/41 >> 7.3%
- 08/11/2011 - info.exe -> 39F70B7D398098870C68962CF368BB03 28/42 >> 66.7%
- 09/11/2011 - build___6D397774.exe -> 96E8A34226EECF5F60F0C15BD60A2F55 2/41 >> 4.9%
- 09/11/2011 - build_cr.exe -> 8231F88EEEA4C60CBC7EFD0FB2C9D815 1/43 >> 2.3%
- 10/11/2011 - build_cr.exe -> 775487B2FF26C57EA683290CA3C7C8B7 1/42 >> 2.4%
- 11/11/2011 - build___6D397774.exe -> F7C77FB3764E95D6FA475ACBEC2B76D2 4/42 >> 9.5%
- 11/11/2011 - config.bin of F7C77FB3764E95D6FA475ACBEC2B76D2 -> DAD764C09751B3DA5EC058EB23108F4F 12/43 >> 27.9%
- 12/11/2011 - build_cr.exe -> CF929780DED27D9B78C294950847C225 3/41 >> 7.3%
- 12/11/2011 - build___6D397774_1(1).exe -> 31D4A32096C6F195E2FC77896CA1CEFB 1/41 >> 2.4%
- 13/11/2011 - build___6D397774(1).exe -> 28783E9E77C5155BBAC5C60EB6DE47F5 1/42 >> 2.4%
- 14/11/2011 - build___6D397774.exe -> E07E4BA98FF59FC76A5D6AD9487B4F29 2/42 >> 4.8%
- 14/11/2011 - config.bin of E07E4BA98FF59FC76A5D6AD9487B4F29 -> 4390851BBB71236F8D10E076FCFFCD35 12/42 >> 28.6%
- 15/11/2011 - build_cr.exe -> 02FE49A21F4EF7D33DE2DA5B46A5ABD0 1/42 >> 2.4%
- 15/11/2011 - build___6D397774.exe -> 03BB2BAACCABB8FFD6381D88AD2EEA21 3/42 >> 7.1%
- 15/11/2011 - 151111.exe -> 21A984F0C557F93C8C431D4A85396C1B 2/42 >> 4.8%
- 15/11/2011 - 151111.exe -> 4621C24F2FF3728706C21C594DE9260D 1/41 >> 2.4%
- 15/11/2011 - build_cr.exe -> 10C713428DEB243177371E6252F5C52A 1/42 >> 2.4%
- 16/11/2011 - 161111.exe -> 1BF65180FC15D9730D4D650802A2711F 2/41 >> 4.9%
- 17/11/2011 - 171111.exe -> E8A87C66A41EA37FEFA9DB05C5F5F14C 1/42 >> 2.4%
- 17/11/2011 - build___6D397774_cr.exe -> 68D838AE5C3D1DC66DA0763751B56415 1/42 >> 2.4%
- 17/11/2011 - de1.2.exe -> 5075ACB92CA86FAFF6DF59FB41B41C30 4/41 >> 9.8%
- 17/11/2011 - 18 (Grabbed from BH) -> BB462BEB8EB803063A240A4D0F38D555 10/42 >> 23.8%
- 17/11/2011 - build___6D397774_cr.exe -> 42960662408E6E221308EC9903C6AD69 1/42 >> 2.4%
- 17/11/2011 - 171111.exe -> F87D9E7DF82A9E1597CE38B5583C102E 8/41 >> 19.5%
- 17/11/2011 - config.bin of F87D9E7DF82A9E1597CE38B5583C102E -> F8A686EDBCD9896F1FE94848A430424E 12/42 >> 28.6%
- 18/11/2011 - 181111.exe -> B08A6DB88330CBB105CC7EC9D4A7579F 2/42 >> 4.8%
- 18/11/2011 - 181111.exe -> 628E78C35E0B25D7AB37943FA3CD4AB6 2/42 >> 4.8%
- 18/11/2011 - build___6D397774_cr.exe -> E8B66A32029BF3A99BD616EBD3898A43 7/42 >> 16.7%
- 19/11/2011 - 191111.exe -> 13DD2028348E75565C3F6888F79DC69A 3/42 >> 7.1%
- 19/11/2011 - build___6D397774_o_1.exe -> C73C8F91E7A314E204F85835BB93D352 2/42 >> 4.8%
- 20/11/2011 - 201111.exe -> 7592B213CEC0426D42CD3F38D353FFE6 1/42 >> 2.4%
- 20/11/2011 - build_cr.exe -> 558C19F23E7A2FD05B29F356345C5DB9 1/42 >> 2.4%
- 21/11/2011 - build___6D397774.exe -> 1235F1E9A97118D12190302A15B4C6BF 3/42 >> 7.1%
- 21/11/2011 - config file of 1235F1E9A97118D12190302A15B4C6BF -> D6014141716B0F3E10BA1CA03CEEA23E 12/42 >> 28.6%
- 21/11/2011 - info.exe (grabbed from BH) -> EA8E56CDBC2CACE9BF97357366A57AFA 23/42 >> 54.8%
- 21/11/2011 - 211111.exe -> 8D7EBDE4198888825EB2BC44D0911EDE 3/42 >> 7.1%
- 21/11/2011 - config.bin file of 8D7EBDE4198888825EB2BC44D0911EDE -> 1E9B01F95642427EE7ED5B90E11350A9 13/42 >> 31.0%
- 22/11/2011 - build___6D397774.exe -> 4988C0960EEA60EA33F8AD3CE52CB8B4 1/43 >> 2.3%
- 22/11/2011 - 221111.exe -> A7DD73EBED1857BCAAC54326EFBC9642 3/43 >> 7.0%
- 22/11/2011 - config.bin file of A7DD73EBED1857BCAAC54326EFBC9642 -> 6512E258B62E5E352E2A57016F8AEFCD 13/43 >> 30.2%
- 23/11/2011 - 231111.exe -> D134DF160668A13F541E6B5E8F824845 2/43 >> 4.7%
- 23/11/2011 - config.bin of D134DF160668A13F541E6B5E8F824845 -> 032CD53991A33E68044ED0EC5E20675C 13/43 >> 30.2%
- 23/11/2011 - build___6D397774(3)(1).exe -> 2E118284D3E8365ADFC15DDAD85C0E7E 0/43 >> 0.0%
- 23/11/2011 - 231111.exe -> B3A83E18AB1A88A6BBC0AD011A7D25AB 3/43 >> 7.0%
- 23/11/2011 - config.bin of B3A83E18AB1A88A6BBC0AD011A7D25AB -> E38604757C92521D0D178FA2E27249CA 13/43 >> 30.2%
- 23/11/2011 - build___6D397774.exe -> B976134F55A3BBBC7E3A6EC7E944A2E3 3/42 >> 7.1%
- 23/11/2011 - 231111_2.exe -> FF8A1F6939B480E83779A6515E574B1F 3/43 >> 7.0%
- 23/11/2011 - 38 (grabbed from BH) -> 0ADE213E3B5ED73DF71AC23E8BD07CE9 1/42 >> 2.4%
- 23/11/2011 - 231111.exe -> 171AF8D3430C78ED99A7507DFA525D18 1/43 >> 2.3%
- 24/11/2011 - 241111.exe -> 1AA40D10ACA3960B730DDB661673D74F 2/43 >> 4.7%
- 24/11/2011 - build___6D397774.exe -> BEE4FCB7BA99776858C0A9ADD7503F42 2/43 >> 4.7%
- 24/11/2011 - config.bin104 of BEE4FCB7BA99776858C0A9ADD7503F42 -> CF7054C15A6BF8772569E83FCD11E840 12/43 >> 27.9%
- 24/11/2011 - 241111.exe -> 96B6485FE1E4C633FA4B169DC9970794 1/43 >> 2.3%
- 25/11/2011 - 251111.exe -> 4AF35B5A11069DC778894173C4D1B3C4 1/43 >> 2.3%
- 25/11/2011 - build___6D397774.exe -> D5459418C93C411F4FD8783B6768E3AE 3/42 >> 7.1%
Also, one of the monitored C&Cs banned my IP (if you read my comments on VT: 403 Forbidden); it's due to a script like this:

AddType application/x-httpd-php .php .phtml .jpg .pdf

A sort of anti-curious measure if someone tries to brute-force directories (:

<?php
// Appends the requesting IP to .htaccess as a Deny rule, so every later request from it gets 403
$f = fopen(".htaccess", "a");
fputs($f, "Deny from ".$_SERVER["REMOTE_ADDR"].PHP_EOL);
fclose($f);
?>
Attachments
infected (4.95 MiB)
infected (4.65 MiB)
infected (389.9 KiB)
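The monitoring list above follows one fixed line format (date, artefact name, MD5, VT hits/engines, percentage), so here is an added Python example, not part of the original post, that parses it into records, tolerates the two malformed lines in the list (the missing space before "13/43" and the missing ">>"), recomputes the detection ratio from hits/engines to check the stated percentage, buckets samples by artefact kind and pulls every MD5 (including droppers referenced only as a config.bin's parent) into an IOC list. The sample input is seven lines copied from the list; the kind labels (build, config, bh-grabbed, daily, other) are my own and not something the post defines.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample input: seven lines copied from the monitoring list in the post,
# deliberately including the two malformed ones (no space before "13/43", no ">>").
SAMPLE_LOG = """\
- 05/11/2011 - build_cr.exe -> 7E736B70C974685E8378D97EB5A7A129 2/43 >> 4.7%
- 05/11/2011 - config.bin -> B35DDE3CB9F888B80B361BBEE47777AD 12/43 >> 27.9%
- 06/11/2011 - 16 (Grabbed from BH) -> 62D0915F2D31D0A060671D31419A0B80 27/42 >> 64.3%
- 11/11/2011 - config.bin of F7C77FB3764E95D6FA475ACBEC2B76D2 -> DAD764C09751B3DA5EC058EB23108F4F 12/43 >> 27.9%
- 22/11/2011 - config.bin file of A7DD73EBED1857BCAAC54326EFBC9642 -> 6512E258B62E5E352E2A57016F8AEFCD13/43 >> 30.2%
- 23/11/2011 - 231111_2.exe -> FF8A1F6939B480E83779A6515E574B1F 3/43 7.0%
- 23/11/2011 - build___6D397774(3)(1).exe -> 2E118284D3E8365ADFC15DDAD85C0E7E 0/43 >> 0.0%
"""

LINE_RE = re.compile(
    r"^-\s*(?P<d>\d{2})/(?P<m>\d{2})/(?P<y>\d{4})\s*-\s*"   # day first, as in the post
    r"(?P<name>.+?)\s*->\s*"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*"                          # \s* tolerates the missing space
    r"(?P<hits>\d+)/(?P<engines>\d+)\s*"
    r"(?:>>\s*)?(?P<pct>\d+(?:\.\d+)?)%\s*$"                # ">>" optional: one line lacks it
)


@dataclass(frozen=True)
class Sample:
    seen: date
    name: str
    md5: str
    hits: int
    engines: int
    stated_pct: float
    parent: Optional[str]  # MD5 of the dropper a config.bin was taken from, when stated

    @property
    def ratio(self) -> float:
        """Detection ratio recomputed from hits/engines instead of trusting the text."""
        return self.hits / self.engines

    @property
    def pct_consistent(self) -> bool:
        """True when the percentage written in the log matches hits/engines to one decimal."""
        return abs(self.stated_pct - 100.0 * self.ratio) <= 0.05 + 1e-9

    @property
    def kind(self) -> str:
        """Coarse artefact class (hypothetical labels chosen for this example)."""
        n = self.name.lower()
        if "config" in n:
            return "config"
        if "grabbed from bh" in n:
            return "bh-grabbed"
        if n.startswith("build"):
            return "build"
        if re.fullmatch(r"\d{6}(?:_\d+)?\.exe", n):
            return "daily"
        return "other"


def parse_log(text: str) -> List[Sample]:
    """Parse every non-empty line; raise on anything the format does not cover."""
    samples: List[Sample] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        parent = re.search(r"\bof\s+([0-9A-Fa-f]{32})\b", m["name"])
        samples.append(Sample(
            seen=date(int(m["y"]), int(m["m"]), int(m["d"])),
            name=m["name"],
            md5=m["md5"].upper(),
            hits=int(m["hits"]),
            engines=int(m["engines"]),
            stated_pct=float(m["pct"]),
            parent=parent.group(1).upper() if parent else None,
        ))
    return samples


def detection_by_kind(samples: List[Sample]) -> Dict[str, float]:
    """Mean detection ratio per artefact kind."""
    buckets = defaultdict(list)
    for s in samples:
        buckets[s.kind].append(s.ratio)
    return {k: statistics.mean(v) for k, v in buckets.items()}


def iocs(samples: List[Sample]) -> List[str]:
    """Every MD5 mentioned, including droppers referenced only as a config's parent."""
    hashes = {s.md5 for s in samples} | {s.parent for s in samples if s.parent}
    return sorted(hashes)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for kind, mean_ratio in sorted(detection_by_kind(recs).items()):
        print(f"{kind:<11} mean detection {100 * mean_ratio:5.1f}%")
    bad = [s.md5 for s in recs if not s.pct_consistent]
    print("percentages inconsistent with hits/engines:", bad or "none")
    print(len(iocs(recs)), "MD5 IOCs")
```

On the seven sample lines the crypted builds average well under 5% detection while the config.bin files sit near 29%, which is the pattern the full list shows: the packed dropper changes daily, the configuration it carries does not.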