A forum for reverse engineering, OS internals and malware analysis 

Malware/NSIS downloaders

Forum for analysis and discussion about malware.

Re: Mal/NSIS downloaders

 #4331  by EP_X0FF
 Fri Jan 07, 2011 2:45 pm
This is trojan downloader based on NSIS installation.
ProgramFilesDir C:\Program Files CommonFilesDir Common Files 1037 Ђ 0x000C 1038 700 0x0030 1034 1039 1028 1256 1041 \inetc.dll /end \caclsa.exe hxxp://xtrips.info:88/api/w5ptis.exe get 2000 \ExecPri.dll high ExecWait\HOSTNAMEb.exe hxxp://xtrips.info:88/bz2/admn.exe э™Ђ\odbcad32a.exe http://xtrips.info:88/bz2/crlss.exe \diskraidb.exe hxxp://xtrips.info:88/api/tcs20.exe Error! Can't initialize plug-ins directory. Please try again later. Nullsoft Install System v2.46
It downloads payload executables and starts them (all in attach).

First Fake Codec / Renos (very popular stuff)
http://www.virustotal.com/file-scan/rep ... 1294410348

Second was already reviewed
http://www.virustotal.com/file-scan/rep ... 1294410672

Third is Trojan downloader AdvLoad (crappy cryptor with NativeAPI + UPX)

http://www.virustotal.com/file-scan/rep ... 1294411058
ver64
%szptfzubjhp.php?adv=adv523&code1=%s&code2=%s&id=%d&p=%s&b=%s
Safari
Chrome
Firefox
Opera
Internet Explorer
http
open
%sljoxocb.exe
%ssjnlgn.php?adv=adv523
%sfpxvranv.exe
%styfnhc.php?adv=adv523
%ssybhgefo.exe
%sxbvqxsa.php?adv=adv523
%sfqxuppm.exe
%sxavdxsz.php?adv=adv523
%sjqiv.exe
%shyfaitavt.php?adv=adv523
%sxeytfnd.exe
%sqhlkrzhf.php?adv=adv523
%sohaned.exe
%skbwdyfeyta.php?adv=adv523
%stqskmj.exe
%smmaucwe.php?adv=adv523
%snrfi.exe
%scptrlg.php?adv=adv523
%srvgsxi.exe
%sizgowq.php?adv=adv523
%smalmkano.exe
%siztbjhowu.php?adv=adv523
%sultamgbih.php?adv=adv523
hxxp://bccorps.com/timuo/
hxxp://accrowd.com/timuo/
if somebody wish it can get all it's payload
Attachments
payload, pass: malware
(141.33 KiB) Downloaded 57 times

Re: Malware/NSIS downloaders

 #4371  by Jaxryley
 Sat Jan 08, 2011 11:59 pm
On first running charmapa.exe I get some of the same named exes as EP_X0FF but different plus extras including the rogue Antivirus Scan?

It took several minutes for the extras to show up.

admn[1].exe - 10/43 - VBA32 - Dropper.TDL4.xa - MD5 : 2fa822060165fad39e9672c06822ffeb
http://www.virustotal.com/file-scan/rep ... 1294529203

dxfh.exe - 15/43
http://www.virustotal.com/file-scan/rep ... 1294529137

nnieujilajb.exe - Rogue AV Scan - 5/43
http://www.virustotal.com/file-scan/rep ... 1294529146

setup.exe - 5/43
http://www.virustotal.com/file-scan/rep ... 1294529218

w5ptis[1].exe - 29/43
http://www.virustotal.com/file-scan/rep ... 1294529224

ExecPri.dll - 0/43
http://www.virustotal.com/file-scan/rep ... 1294530385

inetc.dll - 0/43
http://www.virustotal.com/file-scan/rep ... 1294530392
Pass:
infected
(671.17 KiB) Downloaded 53 times

Re: Malware/NSIS downloaders

 #4378  by EP_X0FF
 Sun Jan 09, 2011 12:59 pm
markusg wrote:PkgMgra.exe
http://www.virustotal.com/file-scan/rep ... 1294574437
payload
hxxp://xtrips.info:88/api/w5ptis.exe
hxxp://vpmedia.in/vortix12/stbim.exe
hxxp://vpmedia.in/vortix12/e4ma.exe
hxxp://xtrips.info:88/api/fr3msgr.exe
hxxp://xtrips.info:88/api/tcs20.exe
where stbim.exe is TDL4
http://www.virustotal.com/file-scan/rep ... 1294578096

fr3msgr.exe is Backdoor Cycbot.
http://www.virustotal.com/file-scan/rep ... 1294578933

w5ptis.exe is Trojan FakeCodec/Renos
http://www.virustotal.com/file-scan/rep ... 1294578103
Attachments
pass: malware
(400.92 KiB) Downloaded 49 times

Re: Malware/NSIS downloaders

 #4415  by EP_X0FF
 Wed Jan 12, 2011 1:38 pm
Payload

tsdiscona
MyDefragScreenSavera.exe hxxp://xtrips.info:88/api/w5ptis.exe
ggpresultb.exe hxxp://xtrips.info:88/bz2/admn.exe
msdtb.exe hxxp://xtrips.info:88/bz2/crlss.exe
DFDWizb.exe hxxp://xtrips.info:88/api/tcs20.exe
TSWbPrxya
ucsvcb.exe hxxp://xtrips.info:88/api/w5ptis.exe
PrintIsolationHosta.exe hxxp://xtrips.info:88/bz2/admn.exe
printuia.exe hxxp://xtrips.info:88/bz2/crlss.exe
shrpubwa.exe hxxp://xtrips.info:88/api/tcs20.exe
looks like the same trash, I'm lazy to look closer.

Re: Malware/NSIS downloaders

 #5168  by EP_X0FF
 Fri Feb 25, 2011 5:37 pm
In attach dropper (NSIS 2.44 installer), extracted payload - TDL4, Harnig.S (AdvLoad), Renos.MJ

Source hxxp://www.dnusax.com/cb.exe
Actually dnusax.com full of muldrop trojan droppers of the same kind.


dropper VT
http://www.virustotal.com/file-scan/rep ... 1298654346
Attachments
pass: malware
(393.69 KiB) Downloaded 45 times
 Return to “Malware”