A forum for reverse engineering, OS internals and malware analysis 

Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Forum for analysis and discussion about malware.

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

 #8489  by EP_X0FF
 Fri Sep 09, 2011 12:54 am
markusg wrote:crack.exe
MD5   : 0b30dc110e2805f8344d6187ec21f674
http://www.virustotal.com/file-scan/rep ... 1315508774
TDL4 with updated cmd.dll
[main]
version=0.03
aid=30041
sid=0
builddate=351
installdate=9.9.2011 0:50:35
rnd=1002318735
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31
Attachments
pass: malware
(98.6 KiB) Downloaded 91 times

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

 #8577  by rough_spear
 Thu Sep 15, 2011 5:50 pm
Hi All, ;)
Dropped file of TDL4.Interesting files are

kwrd

MD5 : 313d6a1344a4a0c030ed49e26cf0686c
SHA1 : 27ec15f53cab7cb273a8314cae591f67a5fbef90
SHA256: 29a59acf8cb23ae01864ba53964ae8c2c995ae1842aeff2fe7fbfbf101317c05
ssdeep: 6144:MQ++akGurNwL1WC0laYDyfvhD7xrKeNaHUsxp0TAwn:J++akGy/laTX5xHNaLp0TAwn

VT Link - http://www.virustotal.com/file-scan/rep ... 1315902925

kwrd.dll

MD5 : 8ea57e8b69f25aed867066ee413d77ca
SHA1 : f7ecceb9b8b36d91660c387176b0be1242fe69d6
SHA256: 385411db62796f6df02a95c10e6f85d8a21567bd2592709bc44c020d4478bbe4
ssdeep: 6144:qJVRAjyPbvmR0cL+o8kMiX9lHkC5+F83oS:IRKR0cyomitlE9F83oS

VT Link - http://www.virustotal.com/file-scan/rep ... 1316082063

Regards,


rough_spear. :D
Attachments
File Name - TDL4-14-09-2011.zip
Password - malware.
(548.59 KiB) Downloaded 95 times

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

 #8619  by rough_spear
 Sun Sep 18, 2011 2:55 pm
HI,
This is fresh sample of TDSS/TDL4 dropper as well as dropped files. :D

File name - TDL-Dropper.7z -- Dropper file.
TDLFS.7z -- Dropped files.
password - malware.


web link - hxxp://122.224.4.134/1.exe?affid=21702

VT Link - http://www.virustotal.com/file-scan/rep ... 1316354594

MD5 : cb91b8695d3990b5b5eae8a714bd357e
SHA1 : 3cd6ef10dd6cbe6f158a360cf5b112cef2e18304
SHA256: eec6bfe112155ab94029f0f8f27a484edf35b5d743503e0199637084d9520ebc
ssdeep: 3072:ipuDQLxtghZzm3mbQjgunPKxZg1JMzPndqAVseXNujBMn1OpgwzAaXA2HhcRlg64:pQz2a
gArbHsT6u1SPAaQ2HhcRqut


config.ini-
Code: Select all
[main]
version=0.03
aid=66671
sid=0
builddate=351
installdate=18.9.2011 14:33:4
rnd=979243912
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://lo4undreyk.com/;https://sh01cilewk.com/;https://cap01tchaa.com/;https://kur1k0nona.com/;https://u101mnay2k.com/
wsrv=http://gnarenyawr.com/;http://rinderwayr.com/;http://jukdoout0.com/;http://swltcho0.com/;http://ranmjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.31
Regards,

rough_spear. ;)
Attachments
TDLFS.7z
password - malware.
(96.09 KiB) Downloaded 76 times
TDL-Dropper.7z
password - malware.
(164.23 KiB) Downloaded 101 times
Last edited by EP_X0FF on Fri Sep 30, 2011 7:35 am, edited 1 time in total. Reason: code tags added

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

 #8732  by EP_X0FF
 Sun Sep 25, 2011 1:57 am
TDL4 0.03/0.31 sample which was causing some problems for our automatic analysis system.

all in attach
Attachments
pass: malware
(411.6 KiB) Downloaded 75 times

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

 #8780  by markusg
 Tue Sep 27, 2011 3:54 pm
dll.exe
MD5   : 9ce020a0719921748b41fa76df876283
https://www.virustotal.com/file-scan/re ... 1317137762

file.exe
https://www.virustotal.com/file-scan/re ... 1317137394
MD5   : 909e35b8b43949dc008f6f88e93cbcf0
Attachments
pass infected
(309.29 KiB) Downloaded 79 times
Last edited by EP_X0FF on Wed Sep 28, 2011 8:38 am, edited 1 time in total. Reason: posts merge
  • 1
  • 51
  • 52
  • 53
  • 54
  • 55
  • 60
 Return to “Malware”