=========================================
#MalwareMustDie
Latest Cridex/Fareit Infection via BHEK (Credential Stealer Crime Evidence)
BHEK Domain / host used: eziponoma.ru:8080
@unixfreaxjp /malware]$ date
Sat Jan 26 19:56:20 JST 2013
=========================================

// infector
h00p://www.tounichi-g.co.jp/info.htm (redirector)
h00p://eziponoma.ru:8080/forum/links/column.php (landing page)

// swf
h00p://eziponoma.ru:8080/forum/links/column.php?uvdexgag=30:1n:1i:1i:33&wyxtg=3m:34:33:3k:3d&plxyuc=2v:1k:1m:32:33:1k:1k:31:1j:1o&zgcoapeq=dsl
h00p://eziponoma.ru:8080/forum/links/column.php?uhe=30:1n:1i:1i:33&gwapy=3c:3k:38:3e&arp=2v:1k:1m:32:33:1k:1k:31:1j:1o&kwo=lxmxja

// pdf
h00p://eziponoma.ru:8080/forum/links/column.php?dalzfmq=30:1n:1i:1i:33&msrsrdpm=3f:39:32&jddzbak=2v:1k:1m:32:33:1k:1k:31:1j:1o&sqlxaoig=1k:1d:1f:1d:1g:1d:1f
h00p://eziponoma.ru:8080/forum/links/column.php?qaxcdv=30:1n:1i:1i:33&opynqk=39&tviura=2v:1k:1m:32:33:1k:1k:31:1j:1o&mddqxkqz=1k:1d:1f:1d:1g:1d:1f

// payload
h00p://eziponoma.ru:8080/forum/links/column.php?nf=30:1n:1i:1i:33&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&sg=n&sc=c

// samples (with MD5 + UrlQuery report url)
date       time  MD5                              size    file           UrlQuery report
2013/01/26 18:11 d0fe2ce87f933ff73f5ce0c0efadd462 422     info.htm       http://urlquery.net/report.php?id=850246
2013/01/26 18:21 f1b7f17e653cdedbfc78d3e9fa2bef4d 117,752 column.php     http://urlquery.net/report.php?id=842744
2013/01/26 19:15 d60be18003ae07ea165d193db087957b 7,238   flash1.swf     http://urlquery.net/report.php?id=850229
2013/01/26 19:16 a5a1308ee3ca7f75fe85fe4d9a14752f 946     flash2.swf     http://urlquery.net/report.php?id=850230
2013/01/26 19:17 361f6e22e55ca3732d8cbeff43ecb1d4 21,599  infector1.pdf  http://urlquery.net/report.php?id=850240
2013/01/26 19:17 ef4c398c0138c3e8adabcdb647b2283b 11,183  infector2.pdf  http://urlquery.net/report.php?id=850236
2013/01/26 18:23 95c06ae7b26fcbe338532bbaa1e137c4 15,420  java1.jar      http://urlquery.net/report.php?id=842744
2013/01/26 18:24 5599f12b1c2ce9c68dc629d013241273 15,592  java2.jar      http://urlquery.net/report.php?id=842744
2013/01/26 18:42 9fb4dd1b3e0b6002eff7e6f63a6b6d07 98,304  about.exe      http://urlquery.net/report.php?id=850234
2013/01/26 20:39 b152dacee9c5ca22543fe9e435177496 110,592 KB00777165.exe -

// additional: plugindetect
2013/01/26 19:12 47a1882f9677bb24f51405d71c6c7536 56,904  BHEK-PD079.txt

// Virus Total: (as per above sample sequence)
https://www.virustotal.com/file/1da4c5bf69ae062b525c25538401b9fc6752b0780f4e9494431140350fc74ac9/analysis/1359196122/
https://www.virustotal.com/file/59ab9f3e6a2cf40f8ce5ff37d5afdc36e68bd9c59facf72b3537adeb178fd105/analysis/1359196138/
https://www.virustotal.com/file/f41f8102bb2d7b0e7bf97f61332e768d63fb5ccfa35693b5857c23b9e58e9622/analysis/1359196175/
https://www.virustotal.com/file/3beb8ae0ce0ba1c7a8235d93aefcadded2ab7917414b70ce424836ad0ca4a721/analysis/1359196214/
https://www.virustotal.com/file/66fb2a78aaef9b11d1e0adfaa49a81f380248230add1663cb7a75bd263b854e4/analysis/1359196230/
https://www.virustotal.com/file/1fa06ce003b01fbc41b9e959f1d478f3ba56fe367f498921a757255627c67bb0/analysis/1359196247/
https://www.virustotal.com/file/7ef8f67e7e4b39086387570b7fd8de505684b87318e9acccef34e20e0a8122b4/analysis/1359196264/
https://www.virustotal.com/file/63106ebc5076fe6e1c8195a4e5f0dfb35668c0b0334e9e7fa840f4a28ce4830c/analysis/1359196283/
https://www.virustotal.com/file/4ac71ec87577944cfb098b379bd55e9ddc8234cd791d994f621b892d969c699f/analysis/1359193394/
https://www.virustotal.com/file/6a18c125b64f20432f8bb63ab92afcbaf9bc234968c8e8c2b472832877ee35a7/analysis/1359275410/

----
#MalwareMustDie!