=============================================
#MalwareMustDie - Tue Nov 6 23:04:14 JST 2012
DETECTED ZBOT TROJAN
Nov 2nd - 6th, 2012 / Spam Sources
Route: BHEK2 URLs
Sample Download: http://www.mediafire.com/?02z0k7rf3rruc3z (research purpose only)
==============================================
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Dt  Hash FileName        MD5                                 Size    Packer              VT     SOURCE URL                                             VT URL
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
06  MD5  (HY709.exe)     = 78956c291772c6a318f79d05758a744f  299736  ***No match         4/44   http://ftp.frontsuppress.com/HY709.exe                 https://www.virustotal.com/file/f47dd37cd56c657a9f54266597375568d92b372681341c09d0bb2685e2b90a59/analysis/1352211108/
06  MD5  (UZSM.exe)      = 1fbd072120a24152b10a9abb1417a5d3  301056  ***No match         27/44  http://citigatesanchis.com/UZSM.exe                    https://www.virustotal.com/file/ca7a05f76ae49b709f6843687043bbb38f2b05a121ff9b7ee598aa5cec21c62c/analysis/1352211139/
06  MD5  (KCCm.exe)      = 88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://www.dydinformatica.com/KCCm.exe                 https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211180/
06  MD5  (RAbp.exe)      = 88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://iglesiauniversaldecristopuentealto.cl/RAbp.exe  https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211229/
06  MD5  (LA6KuCv7.exe)  = b44ab2a123761123f76d00b9c76f87fb  331024  Borland Delphi 3.0  6/44   http://mulayimakca.com/LA6KuCv7.exe                    https://www.virustotal.com/file/9a7562f0606040b7192a3a145a24cdf409637c02c3c296d1ef3eb2d7624960b6/analysis/1352211380/
05  MD5  (11W5W4N.exe)   = 88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://swg-gera-ag.de/11W5W4N.exe                      https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/
02  MD5  (gMmaZarY.exe)  = 17f72f8be80c61d8ba39504933014e83  327527  ***No match         32/44  http://northeasttreeremoval.com/bsAzo.exe              https://www.virustotal.com/file/de9f1c856820ff0d6ea1ac42fbcc3f13a93ab4f0d2f999d4d36bf5cfa923e725/analysis/
02  MD5  (G0J.exe)       = 88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://dreamdiv.com/gMmaZarY.exe                       https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211229/
02  MD5  (bsAzo.exe)     = 17f72f8be80c61d8ba39504933014e83  327527  ***No match         32/44  http://www.olivetbc.net/G0J.exe                        https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/
------------------------------------------------------------------
DOWNLOAD LOGS
------------------------------------------------------------------
--22:01:41-- http://ftp.frontsuppress.com/HY709.exe
=> `HY709.exe'
Resolving ftp.frontsuppress.com... 174.77.183.17
Connecting to ftp.frontsuppress.com|174.77.183.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 299,736 (293K) [application/octet-stream]
22:01:43 (151.35 KB/s) - `HY709.exe' saved [299736/299736]

--22:01:56-- http://citigatesanchis.com/UZSM.exe
=> `UZSM.exe'
Resolving citigatesanchis.com... 217.76.142.57
Connecting to citigatesanchis.com|217.76.142.57|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 301,056 (294K) [application/octet-stream]
22:02:01 (78.17 KB/s) - `UZSM.exe' saved [301056/301056]

--22:02:33-- http://www.dydinformatica.com/KCCm.exe
=> `KCCm.exe'
Resolving www.dydinformatica.com... 62.42.230.17
Connecting to www.dydinformatica.com|62.42.230.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/octet-stream]
22:02:38 (86.37 KB/s) - `KCCm.exe' saved [331024/331024]

--22:02:55-- http://iglesiauniversaldecristopuentealto.cl/RAbp.exe
=> `RAbp.exe'
Resolving iglesiauniversaldecristopuentealto.cl... 190.114.255.83
Connecting to iglesiauniversaldecristopuentealto.cl|190.114.255.83|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/x-msdownload]
22:03:03 (49.42 KB/s) - `RAbp.exe' saved [331024/331024]

--22:03:14-- http://mulayimakca.com/LA6KuCv7.exe
=> `LA6KuCv7.exe'
Resolving mulayimakca.com... 91.102.161.11
Connecting to mulayimakca.com|91.102.161.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/octet-stream]
22:03:20 (74.64 KB/s) - `LA6KuCv7.exe' saved [331024/331024]

--22:03:34-- http://swg-gera-ag.de/11W5W4N.exe
=> `11W5W4N.exe'
Resolving swg-gera-ag.de... 83.169.46.108
Connecting to swg-gera-ag.de|83.169.46.108|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/x-msdos-program]
22:04:05 (10.61 KB/s) - `11W5W4N.exe' saved [331024/331024]

--22:04:37-- http://northeasttreeremoval.com/bsAzo.exe
=> `bsAzo.exe'
Resolving northeasttreeremoval.com... 50.63.42.1
Connecting to northeasttreeremoval.com|50.63.42.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 327,527 (320K) [application/x-msdownload]
22:04:40 (137.83 KB/s) - `bsAzo.exe' saved [327527/327527]

--22:05:01-- http://dreamdiv.com/gMmaZarY.exe
=> `gMmaZarY.exe'
Resolving dreamdiv.com... 174.121.102.82
Connecting to dreamdiv.com|174.121.102.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 327,527 (320K) [application/x-msdownload]
22:05:04 (133.62 KB/s) - `gMmaZarY.exe' saved [327527/327527]

--22:05:17-- http://www.olivetbc.net/G0J.exe
=> `G0J.exe'
Resolving www.olivetbc.net... 67.199.92.221
Connecting to www.olivetbc.net|67.199.92.221|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/octet-stream]
22:05:27 (62.59 KB/s) - `G0J.exe' saved [331024/331024]
===================================================
MALICIOUS PROCESS KICKED-OFF CHECKED PER TROJAN
===================================================
--------------------------------------------------
(HY709.exe) = 78956c291772c6a318f79d05758a744f
--------------------------------------------------
C:\Documents and Settings\<USER>\Application Data\Eriv\epam.exe""
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp246f57a8.bat""
----------------------------------------------
(UZSM.exe) = 1fbd072120a24152b10a9abb1417a5d3
----------------------------------------------
C:\Documents and Settings\<USER>\Application Data\Guilix\regae.exe""
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmpff276ded.bat""
--------------------------------------------------------
These work in the same way (dropped copy under a random Application Data directory, then cmd.exe runs a random .bat from Temp):
(KCCm.exe, RAbp.exe, LA6KuCv7.exe, gMmaZarY.exe, G0J.exe)
--------------------------------------------------------
C:\Documents and Settings\<USER>\Application Data\RANDOM\RANDOM.exe""
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\RANDOM.bat""
--------------------------------------------------------
These work in the same way (4-character random directory name, tmp-prefixed random .bat):
(gMmaZarY.exe, bsAzo.exe)
--------------------------------------------------------
C:\Documents and Settings\<USER>\Application Data\RANDOM(4char)\RANDOM.exe""
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmpRANDOM.bat""
+ Opens a backdoor listener on:
127.0.0.1:53
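As an added defender-side example (not part of the original paste), a small Python checker that flags the launch sequence listed above: a dropped executable run from Application Data\<random dir>\<random name>.exe immediately followed by cmd.exe /c running a tmp*.bat from the user's Temp directory. The event lines are constructed to mirror the paste's own process list; the 8-hex-digit tmp name and the requirement that the two launches be adjacent are assumptions drawn from the two concrete entries above.

```python
import re
from typing import Dict, List

# Added example, not code from the original paste. Matches the two-step launch
# pattern the report records for every sample: the dropped copy under
# %APPDATA%\<dir>\<name>.exe, then cmd.exe /c <Temp>\tmpXXXXXXXX.bat.
# Stray quotes ("" / ") are tolerated because the report's lines carry them.
DROPPED_EXE = re.compile(
    r'^"?C:\\Documents and Settings\\[^\\]+\\Application Data\\'
    r'(?P<dir>[^\\]+)\\(?P<exe>[^\\]+\.exe)"*$',
    re.IGNORECASE,
)
TEMP_BAT = re.compile(
    r'^"?C:\\WINDOWS\\system32\\cmd\.exe"?\s+/c\s+"?C:\\DOCUME~1\\[^\\]+\\'
    r'LOCALS~1\\Temp\\(?P<bat>tmp[0-9a-f]{8}\.bat)"*$',   # 8 hex digits: assumption
    re.IGNORECASE,
)

# Constructed process-creation lines in the paste's layout (plus one benign line).
SAMPLE_EVENTS = [
    'C:\\Documents and Settings\\<USER>\\Application Data\\Eriv\\epam.exe""',
    'C:\\WINDOWS\\system32\\cmd.exe" /c "C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\tmp246f57a8.bat""',
    'C:\\Program Files\\Internet Explorer\\iexplore.exe',
    'C:\\Documents and Settings\\<USER>\\Application Data\\Guilix\\regae.exe""',
    'C:\\WINDOWS\\system32\\cmd.exe" /c "C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\tmpff276ded.bat""',
]


def find_zbot_launch_pairs(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per Application Data exe launch that is directly
    followed by a cmd.exe /c tmp*.bat launch (the sequence seen per sample)."""
    findings: List[Dict[str, str]] = []
    for current, following in zip(events, events[1:]):
        m_exe = DROPPED_EXE.match(current.strip())
        m_bat = TEMP_BAT.match(following.strip())
        if m_exe and m_bat:
            findings.append({"dir": m_exe["dir"], "exe": m_exe["exe"], "bat": m_bat["bat"]})
    return findings


if __name__ == "__main__":
    for hit in find_zbot_launch_pairs(SAMPLE_EVENTS):
        print("ZBot-style launch pair:", hit)
```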
----------------
#MalwareMustDie you MTFSOB!! We will follow you like ghost, lurk & slain you down!!
@unixfreaxjp