Logger, Backdoor SMTP, Downloader from China

MalwareMustDie Mar 8th, 2014
#MalwareMustDie!
#Keylogger, Capturer, Backdoor (SMTP) and Downloader from China

SHA256: c163338cbdefa14a69939c1fe248a94e8cac45f1fd499a556808846205e57b6d
File name: VoLamII.com
Detection ratio: 48 / 48
VT: https://www.virustotal.com/en/file/c163338cbdefa14a69939c1fe248a94e8cac45f1fd499a556808846205e57b6d/analysis/
Image/Pic: http://goo.gl/1IctMt

#VERDICTS:

// Self-copied to:
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\system32\csrs.dll

// Autostart:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csrs DllName

// Logger trace (mouse and keyboard hooks installed via SetWindowsHookExA from csrs.dll):
user hook set: 0 mouse C:\WINDOWS\system32\csrs.dll  1000464A   SetWindowsHookExA
user hook set: 0 keyboard C:\WINDOWS\system32\csrs.dll 10004668 SetWindowsHookExA

// Downloading:
jifendownload.2345.cn/jifen_2345/2345explorer_k57819045.exe
jifendownload.2345.cn/jifen_2345/2345haozip_k57819045.exe
www.rybao.com/myfile/2227921967/Pack/setup_yyfm.jpg (actually a PE file)
boxdown.gtui.cn/KXWebDown/KXWebBox_3364_RBF.exe

// Dropped files still have low detection on VT:
(2/49) https://www.virustotal.com/en/file/7e70ea50134fdb9ee115685ec9aa510ce2c51e5afd9940d16eaaae3067a663f8/analysis/1394313594/
(1/49) https://www.virustotal.com/en/file/d94552187b3690bfb0611192b14ab2210f1fd6ff9ee612c78496269259f3abde/analysis/1394313611/
(1/49) https://www.virustotal.com/en/file/ecb0b7ac07670062db9209e498cd6faaf770ad3e3dbef48ecf10bd11ef5c30a6/analysis/1394313629/

// Send Spam… (captured SMTP sessions to mx.google.com, each rejected with 550 5.7.1; the last one is cut off)

220 mx.google.com ESMTP 1si12872885lam.171 - gsmtp
EHLO 618321
250-mx.google.com at your service, [87.106.72.151]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 CHUNKING
MAIL FROM:<asdasd@gmail.com>
250 2.1.0 OK 1si12872885lam.171 - gsmtp
RCPT TO:<lamvip2010vn2010@gmail.com>
250 2.1.5 OK 1si12872885lam.171 - gsmtp
DATA
354  Go ahead 1si12872885lam.171 - gsmtp
550-5.7.1 Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines. 1si12872885lam.171 - gsmtp
QUIT
220 mx.google.com ESMTP zt8si12110416pbc.195 - gsmtp
EHLO 618321
250-mx.google.com at your service, [87.106.72.151]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 CHUNKING
MAIL FROM:<asdasd@gmail.com>
250 2.1.0 OK zt8si12110416pbc.195 - gsmtp
RCPT TO:<lamvip2010vn2010@gmail.com>
250 2.1.5 OK zt8si12110416pbc.195 - gsmtp
DATA
354  Go ahead zt8si12110416pbc.195 - gsmtp
550-5.7.1 Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines. zt8si12110416pbc.195 - gsmtp
QUIT
220 mx.google.com ESMTP mv7si12887724lbc.154 - gsmtp
EHLO 618321
250-mx.google.com at your service, [87.106.72.151]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 CHUNKING
MAIL FROM:<asdasd@gmail.com>
250 2.1.0 OK mv7si12887724lbc.154 - gsmtp
RCPT TO:<lamvip2010vn2010@gmail.com>
250 2.1.5 OK mv7si12887724lbc.154 - gsmtp
DATA
354  Go ahead mv7si12887724lbc.154 - gsmtp
550-5.7.1 Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines. mv7si12887724lbc.154 - gsmtp
QUIT
220 mx.google.com ESMTP nx5si8383241icb.60 - gsmtp
EHLO 618321
250-mx.google.com at your service, [87.106.72.151]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 CHUNKING
MAIL FROM:<asdasd@gmail.com>
250 2.1.0 OK nx5si8383241icb.60 - gsmtp
RCPT TO:<lamvip2010vn2010@gmail.com>

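The sessions above carry a recognisable bot signature: a numeric EHLO ("618321") instead of a hostname, the same envelope replayed from one source IP, and Gmail's 550 5.7.1 "unusual rate of unsolicited mail" block. As an added example (not part of the original paste or MalwareMustDie's tooling), the Python below splits such a client/server capture into sessions and flags that pattern; the excerpt it runs on is constructed from the lines above, and the function names are our own.

```python
import re

# Constructed excerpt modeled on the capture above: one rejected session, then one cut off.
SAMPLE_CAPTURE = """\
220 mx.google.com ESMTP 1si12872885lam.171 - gsmtp
EHLO 618321
250-mx.google.com at your service, [87.106.72.151]
MAIL FROM:<asdasd@gmail.com>
RCPT TO:<lamvip2010vn2010@gmail.com>
DATA
354  Go ahead 1si12872885lam.171 - gsmtp
550-5.7.1 Our system has detected an unusual rate of
550 5.7.1 our Bulk Email Senders Guidelines. 1si12872885lam.171 - gsmtp
220 mx.google.com ESMTP nx5si8383241icb.60 - gsmtp
EHLO 618321
250-mx.google.com at your service, [87.106.72.151]
MAIL FROM:<asdasd@gmail.com>
RCPT TO:<lamvip2010vn2010@gmail.com>
"""

def parse_sessions(capture):
    """Split a client/server SMTP capture into sessions; each 220 greeting opens one."""
    sessions = []
    for chunk in re.split(r"(?m)^220 ", capture)[1:]:
        ehlo = re.search(r"(?mi)^(?:EHLO|HELO) (\S+)", chunk)
        ip = re.search(r"at your service, \[([\d.]+)\]", chunk)  # Gmail echoes the client IP
        sessions.append({
            "ehlo": ehlo.group(1) if ehlo else "",
            "client_ip": ip.group(1) if ip else "",
            "mail_from": (re.findall(r"(?mi)^MAIL FROM:<([^>]*)>", chunk) + [""])[0],
            "rcpt_to": re.findall(r"(?mi)^RCPT TO:<([^>]*)>", chunk),
            "rejected_571": bool(re.search(r"(?m)^550[- ]5\.7\.1", chunk)),  # policy block
        })
    return sessions

def flag_suspicious(sessions):
    """Return (session, reasons) for sessions with bot-like traits: an EHLO that is
    not a hostname, a 5.7.1 policy rejection, or an envelope replayed from the same IP."""
    seen, flagged = set(), []
    for s in sessions:
        envelope = (s["client_ip"], s["mail_from"], tuple(s["rcpt_to"]))
        checks = [("non-FQDN EHLO", bool(s["ehlo"]) and "." not in s["ehlo"]),
                  ("550 5.7.1 rejection", s["rejected_571"]),
                  ("repeated envelope", envelope in seen)]
        seen.add(envelope)
        reasons = [label for label, hit in checks if hit]
        if reasons:
            flagged.append((s, reasons))
    return flagged
```

Running `flag_suspicious(parse_sessions(SAMPLE_CAPTURE))` flags both sessions: the first for the numeric EHLO and the 550 5.7.1 block, the second for the numeric EHLO and the replayed envelope. A legitimate MTA session (hostname EHLO, no policy rejection) returns an empty list.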
---
#MalwareMustDie
@unixfreaxjp