A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4326  by Jaxryley
 Fri Jan 07, 2011 12:33 pm
 #4330  by EP_X0FF
 Fri Jan 07, 2011 1:51 pm
fcvalls.exe is a trojan password stealer. Some unknown crap cryptor + UPX, the bot itself written in Delphi.
See unpacked sample in attach. Many programs affected.

drk.exe is TDL4.
[main]
version=0.03
aid=40787
sid=0
rnd=1993962763
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/;hxxps://zz87ihfda88.com/;hxxps://10n02n4cx00.com/
wsrv=hxxp://pxlaratotor.com/;hxxp://aurelenopkin.com/;hxxp://teiretorkei.com/;hxxp://backlistcheck.com/;hxxp://cilkcpixleabn.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.15
Attachments
pass: malware
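The [cmd] block above is the bot's C2 configuration in INI style, each srv/wsrv/psrv value being a ';'-separated list of defanged URLs. As an added example (not from the post or from any TDL4 tooling), a small Python parser that splits the sections apart and yields the hostnames per role for blocklisting; the config it runs on is constructed with placeholder .invalid domains, and the reading of the [inject] keys as process/architecture filters is an assumption.

```python
"""Parse a TDL4-style bot config ([main]/[inject]/[cmd] layout) and pull out its C2 hosts."""
import re
from urllib.parse import urlsplit
# Constructed sample in the page's layout; .invalid domains are placeholders, not real IoCs.
SAMPLE = """[main]
version=0.03
aid=40787
sid=0
rnd=1993962763
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://c2-a.invalid/;hxxps://c2-b.invalid/
wsrv=hxxp://w-a.invalid/;hxxp://w-b.invalid/
psrv=hxxp://p-a.invalid/
version=0.15
"""

def parse_config(text):
    """Return {section: {key: value}}; keys keep case, values stay raw per section."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed config line: {raw!r}")
        key, _, value = line.partition("=")  # split on the first '=' only
        cfg[section][key.strip()] = value.strip()
    return cfg

def refang(url):
    """hxxp(s):// -> http(s):// so urlsplit can pick out the host."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def c2_hosts(cfg):
    """Hostnames per role from the ';'-separated srv/wsrv/psrv lists."""
    cmd = cfg.get("cmd", {})
    return {role: [urlsplit(refang(u)).hostname for u in cmd.get(role, "").split(";") if u]
            for role in ("srv", "wsrv", "psrv")}

def injected_modules(cfg):
    """[inject] rows; key = process filter ('*' = any) plus optional '(x64)' tag (assumption)."""
    return dict(cfg.get("inject", {}))
```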
 #4458  by Jaxryley
 Sat Jan 15, 2011 1:16 pm
!http://tavalodidigar.com/.kgvq/?getexe=ff2ie.exe
!http://tavalodidigar.com/.kgvq/?getexe=fcvalls.exe
!http://tavalodidigar.com/.kgvq/?getexe=drk.exe
ff2ie.exe - 12/43 - MD5 : 3fbb0eded6a2db438f9c9e507fbb793c
http://www.virustotal.com/file-scan/rep ... 1295096841

fcvalls.exe - 14/43 - MD5 : fe9fbe17bd882778edf8eda8af6df211
http://www.virustotal.com/file-scan/rep ... 1295096844

drk.exe - 10/43 - MD5 : 9dbe0c855f3f304995bc8626b3942ffb
http://www.virustotal.com/file-scan/rep ... 1295096835
Pass: infected

 #4459  by PX5
 Sat Jan 15, 2011 1:54 pm
tavalodidigar.com/.kgvq/?getexe=hny32.exe :)
 #4478  by Jaxryley
 Sun Jan 16, 2011 11:44 am
!http://educationaltraveladv.com/bdknpk/
setup903045.exe - 15/42
http://www.virustotal.com/file-scan/rep ... 1295177727

Which is dropping, and may drop more, but my XP VM reboots.
drk.exe - 7/43
http://www.virustotal.com/file-scan/rep ... 1295177692

mike150.exe - 15/43
http://www.virustotal.com/file-scan/rep ... 1295177698

ff2ie.exe - 12/43
http://www.virustotal.com/file-scan/rep ... 1295177710
Pass: infected

 #4534  by Jaxryley
 Tue Jan 18, 2011 1:41 pm
 #4535  by EP_X0FF
 Tue Jan 18, 2011 2:01 pm
Jaxryley wrote: fc.valls.exe - 9/43
http://www.virustotal.com/file-scan/rep ... 1295356976
Trojan password stealer, written in Delphi, packed with UPX and then crypted.

Affected software:
Far
Total Commander
Ipswitch WS_FTP
CuteFTP
CuteFTP Pro
CuteFTP 6
CuteFTP 7
FlashFXP
FileZilla
FTP Commander Pro
FTP Commander Deluxe
Bullet Proof FTP
SmartFTP
TurboFTP
Mozilla Firefox
Opera
Internet Explorer
FTP Navigator
Unpacked sample VT result:
http://www.virustotal.com/file-scan/rep ... 1295359248