A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22182  by patriq
 Mon Feb 10, 2014 9:46 pm
Not sure if this is Bladabindi, but some vendors detect it as such. They appear to be coded in VisualBasic.

Found via Citadel C&C running script to download this:
Code: Select all
hxxp://cm8899.com/twe/download/black/winsys.exe
https://malwr.com/analysis/ZjYyMGJlOGE3 ... FhOWEzYTE/

There were 2 more samples on this server too.

1f6aa01a3ca401cfa6178d54a988cdd9
https://malwr.com/analysis/MjZkYTY0MWNl ... M1ZmE1MjY/

strings:
Code: Select all
C:\Users\DEJOUI\Desktop\TuniLoad Botnet v.1 Source\Original Stub\Stub\Stub\obj\Release\stub.pdb
Anyone seen this "TuniLoad Botnet v.1" or a panel for it?
The only thing in Google is the malwr.com analysis I just submitted.

262c2bb45b5b5790b3890eb7d2e716ed
https://malwr.com/analysis/YTZhNDg2MzY1 ... I4ZWMxNjg/

Attached.
Attachments
infected
(44.52 KiB) Downloaded 82 times
 #23252  by Xylitol
 Mon Jun 30, 2014 8:34 pm
Microsoft sinkholed no-ip.biz/no-ip.org >> http://whois.domaintools.com/no-ip.biz
Microsoft takes on global cybercrime epidemic in tenth malware disruption ~ http://blogs.technet.com/b/microsoft_bl ... ption.aspx
lawsuit ~ http://www.noticeoflawsuit.com/
No-IP’s Formal Statement on Microsoft Takedown ~ https://www.noip.com/blog/2014/06/30/ip ... -takedown/
 #31237  by Fedor22
 Sat Feb 03, 2018 5:13 pm
Steam Keys Generator (Backdoor:MSIL/Bladabindi)
Comtains the "JavaUpdate" fake copyright. After the key is generated, changes the autorun value in the registry ("AppData/Roaming/WindowsService.exe", In the registry, "HKEY_CURRENT_USER" and "HKEY_LOCAL_MACHINE").
Trying to connect to the site: hxxp://gutin123.duckdns.org
VT: https://www.virustotal.com/en/file/4343 ... /analysis/
Attachments
(136.52 KiB) Downloaded 30 times