- // #MalwareMustDie
- // Today's Zeus gameover (GM)
- // Campaign: Malvertisement via Spambot (Cutwail template)
- // [0x00000000:0x00400000]> !date
- // Sat Mar 15 12:40:42 JST 2014
- Pic: http://goo.gl/dxvb8p
- #BLOCK THESE URLs!! ↓
- h00p://sienashops.it/image_data/al2602.nub
- h00p://theeventroom.co.uk/Images/al2602.nub
- h00p://gobemall.com/img/p/1/0/1/1203a.ton
- h00p://gobehost.info/images/headers/13003UKp.ton
- h00p://creativemindsplanet.com/images/headers/a.ssa
- h00p://mpbp.org/images/banners/1203UKp.ssa
- // Typical headers in the requests to the URLs above (match on these to block)
- ---snips----
- Accept: text/*, application/*
- User-Agent: Updates downloader
- ---- end snips----
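The header pair quoted above (User-Agent "Updates downloader" with Accept "text/*, application/*") and the six download URLs are the two things a proxy or IDS can key on. The following is an added example, not part of the original paste or of MalwareMustDie's tooling: it refangs the paste's h00p:// URLs into a host/path blocklist, parses raw HTTP request heads like the ones quoted in each sample, and reports which requests hit the header signature, the blocklist, or both. The three sample requests are constructed for the demonstration (the first one is the request quoted under Sample1; the other two use reserved example.com / example.net hostnames).

```python
"""Flag Upatre/Zeus GameOver downloader requests by header signature and URL blocklist.

Added example, not code from the original paste. IoCs (URLs, User-Agent, Accept)
are copied from the paste; the sample requests below are constructed.
"""
import re
from urllib.parse import urlsplit

# Download URLs exactly as the paste lists them (defanged with h00p://)
DEFANGED_URLS = [
    "h00p://sienashops.it/image_data/al2602.nub",
    "h00p://theeventroom.co.uk/Images/al2602.nub",
    "h00p://gobemall.com/img/p/1/0/1/1203a.ton",
    "h00p://gobehost.info/images/headers/13003UKp.ton",
    "h00p://creativemindsplanet.com/images/headers/a.ssa",
    "h00p://mpbp.org/images/banners/1203UKp.ssa",
]

# Header signature quoted in the paste (compared case-insensitively)
SIG_USER_AGENT = "updates downloader"
SIG_ACCEPT = "text/*, application/*"


def refang(url):
    """Turn the paste's h00p:// (or hxxp://) notation back into a real scheme."""
    return re.sub(r"^h(?:00|xx)p(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def build_blocklist(defanged_urls):
    """Return a set of (host, path) pairs; hosts lowercased, paths kept case-sensitive."""
    blocked = set()
    for url in defanged_urls:
        parts = urlsplit(refang(url))
        blocked.add((parts.hostname.lower(), parts.path))
    return blocked


BLOCKLIST = build_blocklist(DEFANGED_URLS)


def parse_request(raw):
    """Parse one raw HTTP/1.x request head into (method, target, headers).

    Header names are lowercased and values stripped; parsing stops at the
    first blank line, so a body (if present) is ignored.
    """
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Return the list of reasons a request is suspicious (empty list = no hit)."""
    _method, target, headers = parse_request(raw)
    ua = headers.get("user-agent", "").lower()
    accept = headers.get("accept", "").lower()
    host = headers.get("host", "").lower()
    reasons = []
    # The User-Agent alone is distinctive; the Accept value adds confidence.
    if ua == SIG_USER_AGENT:
        reasons.append("user-agent matches 'Updates downloader'")
        if accept == SIG_ACCEPT:
            reasons.append("accept matches 'text/*, application/*'")
    # Exact host+path match against the refanged URL list from the paste.
    if (host, urlsplit(target).path) in BLOCKLIST:
        reasons.append("request URL is on the blocklist")
    return reasons


# Constructed sample traffic: [0] is the Sample1 request quoted in the paste,
# [1] is benign, [2] has the downloader headers but a host not on the list.
SAMPLE_REQUESTS = [
    "GET /image_data/al2602.nub HTTP/1.1\r\n"
    "Accept: text/*, application/*\r\n"
    "User-Agent: Updates downloader\r\n"
    "Host: sienashops.it\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Accept: text/html\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: www.example.com\r\n\r\n",
    "GET /images/x.ton HTTP/1.1\r\n"
    "Accept: text/*, application/*\r\n"
    "User-Agent: Updates downloader\r\n"
    "Host: host.example.net\r\n\r\n",
]


def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> reasons for every request with at least one hit."""
    hits = {}
    for i, raw in enumerate(requests):
        reasons = classify(raw)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for index, reasons in scan().items():
        print(f"request {index}: " + "; ".join(reasons))
```

The blocklist is matched on exact host and path because the payload names (al2602.nub, 1203a.ton, ...) rotate per campaign; the User-Agent check is the durable part of the rule and fires on request 2 even though its host is unknown, which is the behaviour wanted for a retasked downloader.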
- ============
- Sample1
- ============
- MD5 : 4c643c7aa58203e2aa2f82297fd2f71c
- SHA256 : 539f168f1e79a98f6e2d642c3464a9913fee1e4bf56696dbf8c963145eda66fa
- URL : https://www.virustotal.com/latest-scan/539f168f1e79a98f6e2d642c3464a9913fee1e4bf56696dbf8c963145eda66fa
- F-Secure : Trojan:W32/Agent.DUTV
- DrWeb : Trojan.DownLoad3.28161
- F-Prot : W32/Trojan2.ODQM
- VIPRE : Win32.Malware!Drop
- Commtouch : W32/Trojan.DDGP-1880
- McAfee-GW-Edition : Downloader-FSH!4C643C7AA582
- ESET-NOD32 : Win32/TrojanDownloader.Waski.A
- TrendMicro-HouseCall : TROJ_GEN.F0D1H00CE14
- MicroWorld-eScan : Trojan.GenericKD.1605898
- Avast : Win32:Trojan-gen
- Sophos : Troj/DwnLdr-LKT
- GData : Trojan.GenericKD.1605898
- Kaspersky : Trojan.Win32.Bublik.ccdg
- BitDefender : Trojan.GenericKD.1605898
- McAfee : Downloader-FSH!4C643C7AA582
- Malwarebytes : Trojan.Downloader.RRE
- Panda : Generic Malware
- Ikarus : Trojan-Spy.Zbot
- AntiVir : TR/Yarwi.B.214
- Ad-Aware : Trojan.GenericKD.1605898
- Emsisoft : Trojan-Downloader.Win32.Waski (A)
- Malvertisement:
- Spam zip attachment
- Downloads: Zbot/GMO
- h00p://sienashops.it/image_data/al2602.nub
- h00p://theeventroom.co.uk/Images/al2602.nub
- Header:
- GET /image_data/al2602.nub HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: sienashops.it
- Cache-Control: no-cache
- GET /Images/al2602.nub HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: theeventroom.co.uk
- Cache-Control: no-cache
- download/decrypted: N/A
- ============
- Sample2
- ============
- MD5 : d4de8bbd2bdee1211ae97d0bb79ab65f
- SHA256 : 809154e0402366e7dfb272ea1620cc4a7b1d03ea0c6880835d394d117608fda9
- URL : https://www.virustotal.com/latest-scan/809154e0402366e7dfb272ea1620cc4a7b1d03ea0c6880835d394d117608fda9
- TotalDefense : Win32/Zbot.VXNPJB
- MicroWorld-eScan : Trojan.GenericKD.1604712
- nProtect : Trojan.GenericKD.1604712
- McAfee : RDN/Downloader.a!pl
- Malwarebytes : Trojan.Downloader.RRE
- K7AntiVirus : Trojan-Downloader ( 0048f6391 )
- K7GW : Trojan-Downloader ( 0048f6391 )
- F-Prot : W32/Trojan2.ODQJ
- Symantec : Downloader.Upatre
- Norman : Kryptik.CDLW
- ESET-NOD32 : Win32/TrojanDownloader.Waski.A
- TrendMicro-HouseCall : TROJ_UPATRE.YYJN
- Avast : Win32:Trojan-gen
- Kaspersky : Trojan.Win32.Bublik.cbrd
- BitDefender : Trojan.GenericKD.1604712
- NANO-Antivirus : Trojan.Win32.Kryptik.cuogqk
- Ad-Aware : Trojan.GenericKD.1604712
- Sophos : Troj/Upatre-AF
- F-Secure : Trojan.GenericKD.1604712
- DrWeb : Trojan.DownLoad3.32271
- VIPRE : Trojan.Win32.Generic.pak!cobra
- AntiVir : TR/Yarwi.B.210
- TrendMicro : TROJ_UPATRE.YYJN
- McAfee-GW-Edition : Downloader-FSH!D4DE8BBD2BDE
- Emsisoft : Trojan.GenericKD.1604712 (B)
- Kingsoft : Win32.Troj.Bublik.cb.(kcloud)
- Microsoft : TrojanDownloader:Win32/Upatre.O
- ViRobot : Trojan.Win32.Downloader.20600.B
- GData : Trojan.GenericKD.1604712
- Commtouch : W32/Trojan.KVED-7604
- AhnLab-V3 : Spyware/Win32.Zbot
- Panda : Trj/Zbot.M
- Ikarus : Trojan-Spy.Agent
- Fortinet : W32/Upatre.A!tr
- AVG : Luhe.Fiha.A
- Baidu-International : Trojan.Win32.Bublik.AduA
- Malvertisement:
- Spam zip attachment
- Downloads: Zbot/GMO
- h00p://gobemall.com/img/p/1/0/1/1203a.ton
- h00p://gobehost.info/images/headers/13003UKp.ton
- Header:
- GET /img/p/1/0/1/1203a.ton HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: gobemall.com
- Cache-Control: no-cache
- GET /images/headers/13003UKp.ton HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: gobehost.info
- Cache-Control: no-cache
- download/decrypted:
- 1203a.ton 03f2135d7dbd41c5ac617a6128f17cf6 403,086
- 13003UKp.ton 498962f2564a7d5de0664a9fd15abb0e 479,858
- dmpal.exe 2c059b381eaca3085b2f1cc28acbf580 452,096
- fmpal.exe 80ce7e4ddab8e95b0c82b80c85179d0a 500,224
- // components:
- aplib.dll 7fe2b0b3fc2078130f20070a05daf8d5 11,264
- aplib64.dll 3f4fe60b6d1e05144f6efa098ac381a8 12,800
- client.dll 35c7b7eebe35bc4db0d01965b1193823 228,864
- zlib1.dll 80e41408f6d641dc1c0f5353a0cc8125 59,904
- ============
- Sample3
- ============
- MD5 : edcb08d296a68e5f84f69fd14e66cf00
- SHA256 : 130c95f8fd548d4246b5fe045cbe8572da70fcae9006a7aaeec3e4da18104d10
- URL : https://www.virustotal.com/latest-scan/130c95f8fd548d4246b5fe045cbe8572da70fcae9006a7aaeec3e4da18104d10
- MicroWorld-eScan : Trojan.GenericKD.1603804
- nProtect : Trojan.GenericKD.1603804
- CAT-QuickHeal : TrojanDownloader.Upatre.A4
- McAfee : RDN/Generic.bfr!gg
- Malwarebytes : Trojan.Email.FakeDoc
- K7AntiVirus : Trojan-Downloader ( 0040f7931 )
- K7GW : Trojan-Downloader ( 0040f7931 )
- F-Prot : W32/Trojan3.HSW
- Symantec : Downloader.Upatre
- Norman : Upatre.BD
- ESET-NOD32 : Win32/TrojanDownloader.Waski.A
- TrendMicro-HouseCall : TROJ_GEN.F0D1H00CC14
- Avast : Win32:Malware-gen
- Kaspersky : Trojan.Win32.Bublik.cbqm
- BitDefender : Trojan.GenericKD.1603804
- Ad-Aware : Trojan.GenericKD.1603804
- Sophos : Mal/Upatre-A
- Comodo : TrojWare.Win32.UMal.~A
- F-Secure : Trojan:W32/Agent.DUTS
- DrWeb : Trojan.DownLoad3.28161
- VIPRE : Trojan.Win32.Generic!SB.0
- AntiVir : TR/Yarwi.B.209
- TrendMicro : TROJ_UPATRE.SMBB
- McAfee-GW-Edition : RDN/Generic.bfr!gg
- Emsisoft : Trojan-Downloader.Win32.Agent (A)
- Microsoft : TrojanDownloader:Win32/Upatre.O
- GData : Trojan.GenericKD.1603804
- Commtouch : W32/Trojan.IKAD-3051
- TotalDefense : Win32/Upatre.dGDRDS
- Panda : Generic Malware
- Rising : PE:Malware.XPACK/RDM!5.1
- Ikarus : Trojan-Spy.Zbot
- Fortinet : W32/Waski.A!tr.dldr
- AVG : Zbot.GHA
- Baidu-International : Trojan.Win32.Bublik.axUl
- Qihoo-360 : Win32/Trojan.255
- Malvertisement:
- Spam zip attachment
- Downloads: Zbot/GMO
- h00p://creativemindsplanet.com/images/headers/a.ssa
- h00p://mpbp.org/images/banners/1203UKp.ssa
- Header:
- GET /images/headers/a.ssa HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: creativemindsplanet.com
- Cache-Control: no-cache
- GET /images/banners/1203UKp.ssa HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: mpbp.org
- Cache-Control: no-cache
- download/decrypted:
- a.ssa 908be60bc13fe0869dbd6bffe49bda29 269,603
- 1203UKp.ssa 3add040d3f079e06503f5a7ea6a0953e 479,952
- deget.exe 5b396ac3e013b991773f64c9d0f2d4ab 499,200
- igbyv.exe 4401e509fd2a1592bfc6a7fc3aa7a5df 499,200
- beget.exe d5f7d4fe99ccff10178b6d770e1d4f3a 340,992
- // components:
- aplib.dll 7fe2b0b3fc2078130f20070a05daf8d5 11,264
- aplib64.dll 3f4fe60b6d1e05144f6efa098ac381a8 12,800
- client.dll 4dfde38ff8e1df866e863261f9ba2c07 228,864
- zlib1.dll 80e41408f6d641dc1c0f5353a0cc8125 59,904
- ---
- #MalwareMustDie!