A forum for reverse engineering, OS internals and malware analysis 

Trojan.Advload

Forum for analysis and discussion about malware.

Re: Trojan.Advload

 #4382  by nullptr
 Mon Jan 10, 2011 4:51 am
Crypter + UPX, looks like the only things that change are the ads.
COMSPEC
/cdel
>nul
Open
ver64
wininet.dll
user32.dll
kernel32.dll
shell32.dll
urlmon.dll
ddraw.dll
psapi.dll
hxxp://aebrook.com/timuo/
hxxp://befiest.com/timuo/
%sultamgbih.php?adv=adv612
%s%d
%siztbjhowu.php?adv=adv612
%sjdhaql.exe
%sizgowq.php?adv=adv612
%sesky.exe
%scptrlg.php?adv=adv612
%sfjxdjyst.exe
%smmaucwe.php?adv=adv612
%sohgytuvl.exe
%skbwdyfeyta.php?adv=adv612
%svoty.exe
%sqhlkrzhf.php?adv=adv612
%snwtvpei.exe
%shyfaitavt.php?adv=adv612
%skrty.exe
%sxavdxsz.php?adv=adv612
%sycmnfy.exe
%sxbvqxsa.php?adv=adv612
%smcmrvdud.exe
%styfnhc.php?adv=adv612
%sovblnd.exe
%ssjnlgn.php?adv=adv612
%sfarvjcd.exe
open
http
InternetExplorer
Opera
Firefox
Chrome
Safari
%szptfzubjhp.php?adv=adv612&code1=%s&code2=%s&id=%d&p=%s&b=%s
%s%d
NtMapViewOfSection
ntdll.dll
\svchost.exe
explorer.exe
SeDebugPrivilege
explorer.exe

Re: Trojan.Advload

 #5242  by Cr4sh
 Tue Mar 01, 2011 1:11 pm
This is a downloader from Gangsta Bucks (ex Dogma Millions) affiliate program: hxxp://gangstabucks.com
Actual samples available at hxxp://gangstabucks.com/stats/links.php, some valid accounts are test:test and support:support
Have a fun ;)
 Return to “Malware”