A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7223  by EP_X0FF
 Tue Jul 12, 2011 6:25 am
Pass for decrypted config: 1F89138AA356FFA02DFC7D1192838116

Gates:
hxxp://nowtorrent.ru/forum/viewmsg.php;180
hxxp://upmyspeed.ru/forum/viewmsg.php;180
hxxp://ratenew.net/forum/viewmsg.php;180
All in attach as SpyEye_1.rar
Attachments
pass: malware
 #7286  by EP_X0FF
 Fri Jul 15, 2011 3:17 am
SpyEye v1.3.4.x

Pass for decrypted config: FCA737CDF22135424EACBC5EEA2D5B3B

Gates:
hxxp://microwavecolosol.com/cp/gate.php;90
hxxp://fff44gfsfdsdfsdf.com/cp/gate.php;90
Original 15/43 (34.9%)
http://www.virustotal.com/file-scan/rep ... 1310697421

Unpacked 25/43 (58.1%)
http://www.virustotal.com/file-scan/rep ... 1310699560

All in attach
Attachments
pass: malware
 #7310  by EP_X0FF
 Fri Jul 15, 2011 5:32 pm
SpyEye v1.3

Crypted seems to be with iCrypt Classic v4.1 with "Antis" something, I don't know and don't care :)

Pass for decrypted config: 0E9BB08722A518E930B09F9F638482D4

Gate:
hxxp://box.tubehub.net/join/log.php;200
All decrypted, unpacked and original in attach.

Original 13/42 (31.0%)
http://www.virustotal.com/file-scan/rep ... 1310528384

Unpacked 25/43 (58.1%)
http://www.virustotal.com/file-scan/rep ... 1310750474
Attachments
pass: malware
 #7780  by EP_X0FF
 Sat Jul 30, 2011 3:42 am
Buckrogers wrote:This one barely got detected, if it wasn't for Combofix I would have some trouble finding this sucker:

http://www.virustotal.com/file-scan/report.html?id=40d57dd53ad343344390b87186c06658f60fa09cfe34b6bb374924f6ef0e4734-1311961306

http://www.virustotal.com/file-scan/report.html?id=862bdefabbbe5eaecfda63fc88e487b6ba2b40307a8082a4dc4871353e5b964a-1311961535
mentioned here http://www.kernelmode.info/forum/viewto ... 6330#p6330

Servers list updated, a few more plugins, all the rest the same.
Attachments
 #7808  by EP_X0FF
 Mon Aug 01, 2011 11:24 am
SpyEye v1.3.x

Pass for decrypted config: F2F9A724A66B581CEB0065DC9DEEEA15

Gates:
All decrypted, unpacked and original in attach.

Original 2/43 (4.7%)
http://www.virustotal.com/file-scan/rep ... 1312194098

Unpacked 29/43 (67.4%)
http://www.virustotal.com/file-scan/rep ... 1312197649
Attachments
pass: malware
 #7809  by Buckrogers
 Mon Aug 01, 2011 11:52 am
PX5 wrote:
Buckrogers wrote:This one barely got detected, if it wasn't for Combofix I would have some trouble finding this sucker:

http://www.virustotal.com/file-scan/rep ... 1311961306

http://www.virustotal.com/file-scan/rep ... 1311961535
c:\newdnswatch\

This doesn't stand out like a sore thumb to you?
Yup, but the dir wasn't there anymore. Initially I thought it was the dropper, but apparently this dir is created and deleted on every boot.

The double key entry bug from the widely available ASM keylogger was the big tell though.