A forum for reverse engineering, OS internals and malware analysis 

#21537 by patriq, Mon Dec 02, 2013 9:36 pm
This is how it started.
Sample from 192.74.250.121

59870.exe
10e7876fd639ea81767315cd178873c0
https://malwr.com/analysis/MzU3MTdiOTc2 ... JmYjAxOTI/

C&C:
cn0803.aiwooolsf.com	190.115.20.18 - BZ

...and that led me to this:

Samples from 61.147.112.88
There was a bunch of random tool stuff on there, but I don't think I should share all the "tools" found. Sorry. ;)

Low detection rates. Attached.

232.exe
(21.exe)
4a92ffcb4f35ab8e7daf4215e09b58f1
https://malwr.com/analysis/ZDdlMzkzNTJm ... NmOGQzZmE/

330.exe
4e8a0bed5ee626f202fcdcfa28b3176c
https://malwr.com/analysis/ZTZjMTE5MTli ... RlZWNlMDg/

0308.exe
88ccbe2772f4a07f0a7f5925b1a366ac
https://malwr.com/analysis/MTc3ODgyNTkw ... gzNDdiNDE/

3.exe
d9443a02281d495ab3ac1eea6a97d0d5
https://malwr.com/analysis/NDIyMTVkMTEw ... M5OWQ2NjI/

338.exe
776166289f8bce8312b85ffd0a375c01
https://malwr.com/analysis/NmU1YTBhMzkz ... ViMzA2MTA/

55555
49d206f98b44ef9c58b711cd29b6c073
https://malwr.com/analysis/ODQ0NTY5OGMy ... A4NDRkYjE/
ELF executable

8G.NETBOT.CC.zip
9b71e5d676d005160f9096a618d33862
https://malwr.com/analysis/MGFlOTJjYTMz ... VjZGJiN2Q/
(I can't open this archive either, is it trashed? Let me know if you can open it)

3306nodeJR
938a3ceb3691ca92734dcce7547ef394
https://malwr.com/analysis/YTEzZWJmN2Mx ... QzOWZmNDA/

C&C (note same IP from first sample in this post):
8g.netbot.cc	100.42.235.28
kk.netbot.cc	190.115.20.14
33.netbot.cc	190.115.20.14

190.115.20.18
190.115.20.14

Chinese Foooood!!!