A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9915  by Xylitol
 Fri Nov 25, 2011 10:44 pm
SpyEye monitoring 5-25 Nov ~10Mb when unpack If you wonder how they can call the gate with a .pdf or .jpg that simple: with an .htaccess and:
Code: Select all
AddType application/x-httpd-php .php .phtml .jpg .pdf
Also one of the C&C monitored banned my IP if you read my comments on VT (403 Forbidden) it's due to script like that:
Code: Select all
<?php
$f = fopen(".htaccess", "a");
fputs($f, "Deny from ".$_SERVER["REMOTE_ADDR"].PHP_EOL);
fclose($f);
?>
A sort of anti-curious if someone try to brute force directories (:
Attachments
infected
(4.95 MiB) Downloaded 78 times
infected
(4.65 MiB) Downloaded 94 times
infected
(389.9 KiB) Downloaded 70 times
 #9947  by EP_X0FF
 Mon Nov 28, 2011 7:31 am
CD165098A5F.exe
MD5 : 55127dcfbc5d0983c02ba8c09cebc807
Pass for decrypted config: CFF435AE25709B701CDCB63A27BB2159

Gates:
hxxp://sex-anal-tits.com/te/pu.php;2000
hxxp://googlorama.com/te/pu.php;2000
hxxp://panerabreab.com/te/pu.php;2000
hxxp://mobilestaf.com/te/pu.php;2000
hxxp://paneradread.com/te/pu.php;2000
hxxp://panerabreab.com/te/pu.php;2000
hxxp://getnoregoole.com/te/pu.php;2000
Collectors:
91.196.216.130:8080
91.196.216.132:8080
873D3F8A24A.exe
MD5 : 4be7c443693bfc3a1f28193b52c78bf4
Pass for decrypted config: FCA737CDF22135424EACBC5EEA2D5B3B

Gates:
hxxp://minimart20.com/forum.php;90
hxxp://whatwasinyourheart.com/forum.php;90
Collector:
95.163.66.191:412
In attach.
Attachments
(89.5 KiB) Downloaded 67 times
(95.41 KiB) Downloaded 58 times
 #9966  by EP_X0FF
 Mon Nov 28, 2011 5:12 pm
markusg wrote:CD16509844B.exe
MD5   : d430caeae2d973b2964649e37bdcf17a
https://www.virustotal.com/file-scan/re ... 1322498446
Different recrypt of http://www.kernelmode.info/forum/viewto ... 9934#p9934
In attach decrypted.
Attachments
pass: malware
(188.4 KiB) Downloaded 58 times
  • 1
  • 31
  • 32
  • 33
  • 34
  • 35
  • 42