A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21408  by unixfreaxjp
 Sat Nov 16, 2013 2:07 pm
Mostly alive:

h00p://picklingtank.com/images/slade1.exe
h00p://molipack.it/kNbC8q4.exe
h00p://christianos.com/images/stories/banner.exe
h00p://ting-spa.com/img/logo.exe
h00p://edupoint.co.in/images/logo.exe
h00p://nkatoz.com/images/slide.exe
h00p://ciistudies.com/templates/themza_j25_13/images/green/logo.exe
h00p://activateyourcareerlife.com/images/img_05.exe
h00p://saniteq.com/wp-content/uploads/2013/08/saniteq-jet-hand-dryer-thumb-1.exe
h00p://thebaymanbook.com/wp-content/uploads/2012/07/Joeys-Story-200x300.exe
h00p://ballfriend.org/images/stories/index.exe
h00p://main-point.com/flash/main.exe
h00p://asfitness.com/wp-content/uploads/2013/04/ourgoals.exe
h00p://bookmarkingbeast.com/wp-content/uploads/2012/05/logo.exe
h00p://wealthitself.com/wp-content/uploads/2013/07/ID-100105794-150x150.exe
h00p://nzmalinois.com/PhotoBorderAboutUs.exe
h00p://poweruphosting.com/images/slides/server2.exe
h00p://nasap.net/config/8mo.exe
h00p://ttms.org/config/UKo8.exe
h00p://hot-buys.org/error/9mor.exe
h00p://alloccasionslimousines.net/wp-content/uploads/2013/05/footer.exe
h00p://ax100.net/images/firefox.exe
h00p://infoplusplus.com/config/joomla.exe
h00p://robotvacuumhut.com/wp-content/uploads/2013/01/profile_main.exe
h00p://ayurvedharsh.com/images/img1.exe
h00p://nishantmultistate.com/images/service.exe
h00p://pdmmc.com/image/pdmmc.exe
h00p://mycitypa.co.uk/wp-content/uploads/2012/09/news.exe
h00p://vxatape.com/wp-content/uploads/2012/09/adobe.exe
h00p://kyron.co.uk/wp-content/uploads/2012/09/banner.exe
h00p://marutistore.com/images/logo.exe
h00p://andrology-urology.com/images/hpimg3.exe
h00p://disenart.info/wp-content/uploads/2013/07/wordpress.exe
h00p://dchamt.com/images/i_box.exe
h00p://www.c3dsolutions.com/set/do6.exe
h00p://bwcaffebar.com/images/logo.exe
h00p://alibra.co.uk/images/config.exe
h00p://santanvalleynow.com/wp-content/uploads/2013/05/conf.exe
h00p://howtopaintaroomnow.com/wp-content/uploads/2013/07/conf.exe
h00p://excitingdealstown.com/wp-content/uploads/conf.exe
h00p://icamschat.com/images/index_right_panel.exe
h00p://trc-sd.com/index_files/config.exe
h00p://superpress.net/web/install.exe
h00p://iddak.com/images/slide5.exe
h00p://slowdating.ca/images/image1.exe
h00p://homevisitor.co.uk/images/apply_f2.exe
h00p://thisisyourwife.co.uk/images/cancel.exe
h00p://saferankbacklinks.com/wp-content/uploads/2011/06/fbbl-logo.exe
h00p://twitterbacklinks.com/wp-content/uploads/2011/01/ml06USA-dt.exe
h00p://hortonnovak.com/wp-content/uploads/2011/02/2011-01-26-Australia-Day-2011.exe
h00p://ramasports.com/products/large_153.exe
h00p://delanecanada.ca/images/014-600.exe
h00p://alohadental.sg/Home/AboutUs.exe
h00p://getappsforpc.com/wp-content/uploads/2013/10/Andriod-Apps_32.exe
h00p://andydan.com/images/andydan_logo.exe
h00p://groupesorepco.com/commercial/mrx30d.exe
h00p://amazingfloorrestoration.com/source/logo.exe
h00p://glynwedasia.com/logos/astore.exe

Credit: markussg
 #21424  by teddybear
 Wed Nov 20, 2013 2:26 pm
Is this Zbot or what? Came in through spam attachment (.SCR inside .RAR):
Code: Select all
X-Envelope-From: <mike@mitechps.com>
Received: from melevois.org (melevois.org [141.255.161.18]) by
 mail3.simpledot.net (Horde Framework) with HTTP; Wed, 20 Nov 2013 12:52:08
 +0100
Date: Wed, 20 Nov 2013 12:52:08 +0100
From: CHPS <mike@mitechps.com>
To: undisclosed-recipients:;
Subject: CHPS Purchase Reminder
User-Agent: Internet Messaging Program (IMP) H3 (4.3.7)

...

Content-Type: application/x-rar;
 name="Repeat Order.rar"
Content-Disposition: attachment;
 filename="Repeat Order.rar"
Content-Transfer-Encoding: base64
https://www.virustotal.com/en/file/8af0 ... /analysis/
https://www.virustotal.com/en/file/96b6 ... /analysis/

http://www.file-analyzer.net/analysis/75/111/0/html
http://www.file-analyzer.net/analysis/75/111/1/html
Code: Select all
http://46,183,219,136/team-lekki/server/format.bin
http://46,183,219,136/team-lekki/server/root.php
Seems to be targeting Colpatria bank.
Does anybody have more information?
Attachments
 #21510  by Xylitol
 Sun Dec 01, 2013 11:14 am
IceIX v1.1.0.0 and config in attach, sample courtesy of Kafeine (that this one who's also analysed by Kimberly)
https://www.virustotal.com/en/file/b5f5 ... 385896695/
In the wild:
Code: Select all
hxtps://anlogtewron.ru/nmap/aqwea.exe
RC4 key:
Code: Select all
62 21 3F 0F 3E 2F 57 1C 53 30 96 BC A7 B9 4F 3B E0 33 1F 9F FF A0 F3 05 B8 1E 49 8E B3 9A 40 C9 CA 7F C8 5D 47 39 5A 09 E5 C7 C5 45 A6 74 DA 6E 0B D1 2D 31 42 B5 10 AC B4 95 98 9E 4E 91 C6 6F BA 0C 7B 2B 07 23 41 76 9D 11 46 4A E6 97 08 CB 0D A2 85 A5 12 59 B7 86 2A 8D 6B 44 20 8A 7C 61 34 F7 BF 84 00 DC 75 77 48 7E 36 EC EF D6 03 F0 C4 8B 1A CF 69 9B D7 28 38 8C 6D CC F8 81 24 E7 5C 7D BD 1D E1 F1 AA 71 D2 8F 58 1B C2 FB A9 89 D0 D3 AE 68 F6 D4 13 BB 78 88 22 EA E9 01 A3 B2 67 E8 5E 9C 99 E2 E3 4C 82 51 72 EB 7A CE 15 BE 37 18 29 B1 94 5F DE C1 50 4D B0 26 43 14 87 C0 70 4B 2E FE 35 F2 6C 04 6A 3C 32 06 AD ED DF 66 DB D5 FA A1 FD 0E 27 5B 0A 80 C3 D9 65 73 B6 E4 AF D8 63 F4 AB A8 3D 25 16 DD CD 19 92 55 54 52 83 F9 FC A4 F5 17 93 60 2C 64 56 90 EE 02 3A 79
Code: Select all
hxtps://anlogtewron.ru/nmap/config.php
hxtps://anlogtewron.ru/nmap/redir.php
Webinject:
Code: Select all
hxtps://megasrc.com/users/sign_in
Image
Attachments
infected
(190.58 KiB) Downloaded 73 times
infected
(21.4 KiB) Downloaded 62 times
 #21559  by Xylitol
 Wed Dec 04, 2013 1:08 pm
ZeuS – now packed as an antivirus update ~ http://www.securelist.com/en/blog/8143/ ... rus_update
Multiple Antivirus Vendors - ... Important System Update - requires immediate action - Virus ~ http://techhelplist.com/index.php/spam- ... tion-virus
https://www.virustotal.com/en/file/244e ... 386162554/
Weird broken jpeg in ressource:
Image
And no communication for me, maybe p2p node is down, run under cuckoo, just some ICMP traffic and HTTP on google.com.
Image
Attachments
infected
(320.88 KiB) Downloaded 57 times
 #21607  by Xylitol
 Sat Dec 07, 2013 3:14 pm
https://www.virustotal.com/en/file/75d1 ... 386428912/
https://zeustracker.abuse.ch/monitor.ph ... owners.com
Code: Select all
Version: 2.1.0.1
RC4 Keystream: 6ee9675f1d15aab0ae05104539f9c86338acf3348ebf06d257fe2602c66cd02d9beff65e71c1af94f820f01c69fa7675d8ffca1b1f2b73c9eb2fe23ee89f4bb46652920f009a4e0784fcb8722144e76f09e00b1495555161ec2731044acfe4ee9389cc6be5124d9e968c647e1ac4681862878849a1b95d7c5cdd8586bd99472e32a5980880c3edcb3516b359df7a7fd63090293b709c9d43a6c78382f5a0bcc5d4b7a9b1ada297fdd56d41337bba1ebbe3d1b619c08a0d1722d7c22a53db91de2558a88dabb211748fe6236a4cd94677780ccde154be3a013ca4daa70350eaf4ce0e795b36d33f40376524568142f18b5a4f280aa3fb3d13f2dcb57d48602cf7
gate.php URLs: http://udmowners.com/web/server/gate.php
URLs: http://udmowners.com/web/server/config.bin
Webinjects:
    https://www.ccm.es/cgi-bin/INclient_6105
    https://www.caja-granada.es/cgi-bin/INclient_2031
    https://home.ybonline.co.uk/login.html*
    https://www.nwolb.com/Login.aspx*
    https://online-business.lloydstsb.co.uk/customer.ibc
    https://online-offshore.lloydstsb.com/customer.ibc
    http://www.hsbc.co.uk/1/2/personal/internet-banking*
    https://www.dab-bank.com*
    https://probanking.procreditbank.bg/main/main.asp*
    https://www.citibank.de*
    https://ibank.barclays.co.uk/olb/x/LoginMember.do
    https://ibank.internationalbanking.barclays.com/logon/icebapplication*
    http://caixasabadell.net/banca2/tx0011/0011.jsp
    http://*.osmp.ru/
    https://www.sabadellatlantico.com/es/*
    https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
    https://www.caixagirona.es/cgi-bin/INclient_2030*
    https://www.unicaja.es/PortalServlet*
    https://areasegura.banif.es/bog/bogbsn*
    https://www.bgnetplus.com/niloinet/login.jsp
    https://www.caixalaietana.es/cgi-bin/INclient_2042
    https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
    https://www.cajabadajoz.es/cgi-bin/INclient_6010*
    https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
    https://www.e-gold.com/acct/li.asp
    https://www.fibancmediolanum.es/BasePage.aspx*
    https://online.wellsfargo.com/das/cgi-bin/session.cgi*
    https://www.wellsfargo.com/*
    */my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
    *.ebay.com/*eBayISAPI.dll?*
    https://www.us.hsbc.com/*
    https://home.cbonline.co.uk/login.html*
    https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
    https://welcome23.smile.co.uk/SmileWeb/start.do
    https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
    https://online.wellsfargo.com/login*
    https://online.wellsfargo.com/signon*
    https://www.e-gold.com/acct/balance.asp*
    https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
    https://banca.cajaen.es/Jaen/INclient.jsp
    https://www.cajavital.es/Appserver/vitalnet*
    https://www.caixaontinyent.es/cgi-bin/INclient_2045
    https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*
    https://www.cajacanarias.es/cgi-bin/INclient_6065
    https://montevia.elmonte.es/cgi-bin/INclient_2098*
    https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
    https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
    https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
    https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
    https://www.iwbank.it/private/index_pub.jhtml*
    https://hb.quiubi.it/newSSO/x11logon.htm
    https://www.isideonline.it/relaxbanking/sso.Login*
    https://web.secservizi.it/siteminderagent/forms/login.fcc
    https://rupay.com/index.php
    https://www.53.com/servlet/efsonline/index.html*
    https://www.suntrust.com/portal/server.pt*parentname=Login*
    https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
    https://www#.citizensbankonline.com/*/index-wait.jsp
    https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
    https://www#.usbank.com/internetBanking/LoginRouter
    https://www.paypal.com/*/webscr?cmd=_login-done*
    https://www.paypal.com/*/webscr?cmd=_account
    https://www.clavenet.net/cgi-bin/INclient_7054
    https://www.cajasoldirecto.es/2106/*
    https://www.cajalaboral.com/home/acceso.asp
    https://carnet.cajarioja.es/banca3/tx0011/0011.jsp
    https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
    https://www.cajadeavila.es/cgi-bin/INclient_6094
    https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
    https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
    *banquepopulaire.fr/*
    https://light.webmoney.ru/default.aspx
    https://www.isbank.com.tr/Internet/ControlLoader.aspx*
    https://light.webmoney.ru/default.aspx
    *wellsfargo.com/*
    https://online*.lloydstsb.co.uk/logon.ibc
    https://home.ybonline.co.uk/ral/loginmgr/*
    https://www.mybank.alliance-leicester.co.uk/login/*
    https://www.ebank.hsbc.co.uk/main/IBLogon.jsp
    https://scrigno.popso.it*
    https://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
    https://ibank.barclays.co.uk/olb/x/LoginMember.do
    https://www.halifax-online.co.uk/_mem_bin/*
    https://resources.chase.com/MyAccounts.aspx
    https://bancaonline.openbank.es/servlet/PProxy?*
    https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
    https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
    https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
    https://www.gruposantander.es/bog/sbi*?ptns=acceso*
    https://extranet.banesto.es/*/loginParticulares.htm
    https://banesnet.banesto.es/*/loginEmpresas.htm
    https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/l.do
    https://www2.bancopopular.es/AppBPE/servlet/servin*
    https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
    https://www.bancajaproximaempresas.com/ControlEmpresas*
    https://home2ae.cd.citibank.ae/CappWebAppAE/producttwo/capp/action/signoncq.do
    https://www.nwolb.com/Login.asp*
    https://lot-port.bcs.ru/names.nsf?#ogin*
    https://www.bancoherrero.com/es/*
    https://pastornetparticulares.bancopastor.es/SrPd*
    https://internetbanking.aib.ie/hb1/roi/signon
    https://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html
    https://olb2.nationet.com/signon/signon*
    https://banking*.anz.com/*
    https://www.rbsdigital.com/Login.asp*
    *//mail.yandex.ru/
    *//mail.yandex.ru/index.xml
    *//money.yandex.ru/
    *//money.yandex.ru/index.xml
    https://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do
    https://www*.banking.first-direct.com/1/2/*
    https://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*
Attachments
 #21617  by Xylitol
 Sun Dec 08, 2013 11:21 am
ice9 targeting france and germany
Code: Select all
37 28 10 C8 98 4B 50 E3 FD 5F 7C AD FA B4 82 42 A1 09 41 40 17 52 8A 00 95 8D 65 A3 76 21 A8 23 06 CD 15 CC 25 16 53 34 B3 1F 7B AA B8 AE D0 74 85 EB 4E B7 90 AF 22 F5 88 F6 72 D5 45 2B 13 89 B2 F4 08 E0 8C 1D ED A7 83 9E 64 6B 3B 7D 67 62 C7 EF D3 5B D7 5E 3A 14 6D 81 3F 8E 9F BB 69 D8 73 2E 92 E6 35 DE B1 C1 BF 1C 59 6A 02 BE EA 63 57 30 7F 19 E2 29 0A 3C 87 F0 C4 BD 9C C6 96 B5 20 D9 79 6F 5A 93 BC C5 56 CA 1A 44 12 49 9B 48 36 77 7E 26 58 B0 43 E7 E1 D2 9D D6 A4 38 97 70 80 78 A5 2F F3 CE 91 0C FF DC 84 DF B9 2C EE B6 33 F7 55 2A 3E 0F 4C 0D 71 BA 7A 6C E9 46 66 DD 99 A0 F2 E4 A9 07 39 1E D4 24 04 05 1B 47 4D FC F8 4F AB C3 C9 32 A6 51 DB 31 4A FB E5 E8 AC 18 6E 11 2D C2 CF C0 8B 60 D1 54 68 F9 EC A2 5C 03 DA 9A 01 F1 86 75 CB 0B 5D 94 8F 3D 27 FE 61 0E
https://zeustracker.abuse.ch/monitor.ph ... ernews.net
Attachments
infected
(13.42 KiB) Downloaded 58 times
 #21649  by Xylitol
 Wed Dec 11, 2013 3:55 pm
The inevitable move - 64-bit ZeuS has come enhanced with Tor ~ http://www.securelist.com/en/blog/20821 ... d_with_Tor

Trojan.Win32.Scarsi.uhm >> 39/49
Trojan-Spy.Win64.Zbot.a >> 10/49
Attachments
infected
(1.26 MiB) Downloaded 82 times
  • 1
  • 19
  • 20
  • 21
  • 22
  • 23
  • 29