MalwareMustDie

#MalwareMustDie - Zbot captured & stripped @Nov2nd -6th 2012

Nov 6th, 2012
=============================================
#MalwareMustDie - Tue Nov 6 23:04:14 JST 2012
DETECTED ZBOT TROJAN
Nov 2nd - 6th, 2012 / Spam Sources
Route: BHEK2 (Blackhole Exploit Kit v2) URLs
Sample Download: http://www.mediafire.com/?02z0k7rf3rruc3z (research purpose only)
==============================================

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Day  File          MD5                               Size    Packer              VT     Source URL                                              VT report
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
06   HY709.exe     78956c291772c6a318f79d05758a744f  299736  ***No match         4/44   http://ftp.frontsuppress.com/HY709.exe                  https://www.virustotal.com/file/f47dd37cd56c657a9f54266597375568d92b372681341c09d0bb2685e2b90a59/analysis/1352211108/
06   UZSM.exe      1fbd072120a24152b10a9abb1417a5d3  301056  ***No match         27/44  http://citigatesanchis.com/UZSM.exe                     https://www.virustotal.com/file/ca7a05f76ae49b709f6843687043bbb38f2b05a121ff9b7ee598aa5cec21c62c/analysis/1352211139/
06   KCCm.exe      88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://www.dydinformatica.com/KCCm.exe                  https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211180/
06   RAbp.exe      88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://iglesiauniversaldecristopuentealto.cl/RAbp.exe   https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211229/
06   LA6KuCv7.exe  b44ab2a123761123f76d00b9c76f87fb  331024  Borland Delphi 3.0  6/44   http://mulayimakca.com/LA6KuCv7.exe                     https://www.virustotal.com/file/9a7562f0606040b7192a3a145a24cdf409637c02c3c296d1ef3eb2d7624960b6/analysis/1352211380/
05   11W5W4N.exe   88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://swg-gera-ag.de/11W5W4N.exe                       https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/
02   gMmaZarY.exe  17f72f8be80c61d8ba39504933014e83  327527  ***No match         32/44  http://dreamdiv.com/gMmaZarY.exe                        https://www.virustotal.com/file/de9f1c856820ff0d6ea1ac42fbcc3f13a93ab4f0d2f999d4d36bf5cfa923e725/analysis/
02   G0J.exe       88adcd37f259a5f32259f8e5dad3a7cd  331024  Borland Delphi 3.0  6/44   http://www.olivetbc.net/G0J.exe                         https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211229/
02   bsAzo.exe     17f72f8be80c61d8ba39504933014e83  327527  ***No match         32/44  http://northeasttreeremoval.com/bsAzo.exe               https://www.virustotal.com/file/de9f1c856820ff0d6ea1ac42fbcc3f13a93ab4f0d2f999d4d36bf5cfa923e725/analysis/
------------------------------------------------------------------
DOWNLOAD LOGS
------------------------------------------------------------------
--22:01:41-- http://ftp.frontsuppress.com/HY709.exe
=> `HY709.exe'
Resolving ftp.frontsuppress.com... 174.77.183.17
Connecting to ftp.frontsuppress.com|174.77.183.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 299,736 (293K) [application/octet-stream]
22:01:43 (151.35 KB/s) - `HY709.exe' saved [299736/299736]

--22:01:56-- http://citigatesanchis.com/UZSM.exe
=> `UZSM.exe'
Resolving citigatesanchis.com... 217.76.142.57
Connecting to citigatesanchis.com|217.76.142.57|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 301,056 (294K) [application/octet-stream]
22:02:01 (78.17 KB/s) - `UZSM.exe' saved [301056/301056]

--22:02:33-- http://www.dydinformatica.com/KCCm.exe
=> `KCCm.exe'
Resolving www.dydinformatica.com... 62.42.230.17
Connecting to www.dydinformatica.com|62.42.230.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/octet-stream]
22:02:38 (86.37 KB/s) - `KCCm.exe' saved [331024/331024]

--22:02:55-- http://iglesiauniversaldecristopuentealto.cl/RAbp.exe
=> `RAbp.exe'
Resolving iglesiauniversaldecristopuentealto.cl... 190.114.255.83
Connecting to iglesiauniversaldecristopuentealto.cl|190.114.255.83|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/x-msdownload]
22:03:03 (49.42 KB/s) - `RAbp.exe' saved [331024/331024]

--22:03:14-- http://mulayimakca.com/LA6KuCv7.exe
=> `LA6KuCv7.exe'
Resolving mulayimakca.com... 91.102.161.11
Connecting to mulayimakca.com|91.102.161.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/octet-stream]
22:03:20 (74.64 KB/s) - `LA6KuCv7.exe' saved [331024/331024]

--22:03:34-- http://swg-gera-ag.de/11W5W4N.exe
=> `11W5W4N.exe'
Resolving swg-gera-ag.de... 83.169.46.108
Connecting to swg-gera-ag.de|83.169.46.108|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/x-msdos-program]
22:04:05 (10.61 KB/s) - `11W5W4N.exe' saved [331024/331024]

--22:04:37-- http://northeasttreeremoval.com/bsAzo.exe
=> `bsAzo.exe'
Resolving northeasttreeremoval.com... 50.63.42.1
Connecting to northeasttreeremoval.com|50.63.42.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 327,527 (320K) [application/x-msdownload]
22:04:40 (137.83 KB/s) - `bsAzo.exe' saved [327527/327527]

--22:05:01-- http://dreamdiv.com/gMmaZarY.exe
=> `gMmaZarY.exe'
Resolving dreamdiv.com... 174.121.102.82
Connecting to dreamdiv.com|174.121.102.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 327,527 (320K) [application/x-msdownload]
22:05:04 (133.62 KB/s) - `gMmaZarY.exe' saved [327527/327527]

--22:05:17-- http://www.olivetbc.net/G0J.exe
=> `G0J.exe'
Resolving www.olivetbc.net... 67.199.92.221
Connecting to www.olivetbc.net|67.199.92.221|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 331,024 (323K) [application/octet-stream]
22:05:27 (62.59 KB/s) - `G0J.exe' saved [331024/331024]

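To turn the sample table and the wget log above into a de-duplicated indicator set, the following Python is an added example (it is not part of the original paste): it parses both, keys the samples on MD5, joins each table row to its download record by URL, and reports when the saved size disagrees with the table or when one hash was served from several hosts. The nine table rows and two of the nine log entries are copied from this paste; the parsing and reporting functions are the example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Rows copied from the sample table in this paste:
# day, filename, MD5, size, packer, VT detections, source URL, VT report URL.
TABLE = """\
06 MD5 (HY709.exe) = 78956c291772c6a318f79d05758a744f 299736 ***No match 4/44 http://ftp.frontsuppress.com/HY709.exe https://www.virustotal.com/file/f47dd37cd56c657a9f54266597375568d92b372681341c09d0bb2685e2b90a59/analysis/1352211108/
06 MD5 (UZSM.exe) = 1fbd072120a24152b10a9abb1417a5d3 301056 ***No match 27/44 http://citigatesanchis.com/UZSM.exe https://www.virustotal.com/file/ca7a05f76ae49b709f6843687043bbb38f2b05a121ff9b7ee598aa5cec21c62c/analysis/1352211139/
06 MD5 (KCCm.exe) = 88adcd37f259a5f32259f8e5dad3a7cd 331024 Borland Delphi 3.0 6/44 http://www.dydinformatica.com/KCCm.exe https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211180/
06 MD5 (RAbp.exe) = 88adcd37f259a5f32259f8e5dad3a7cd 331024 Borland Delphi 3.0 6/44 http://iglesiauniversaldecristopuentealto.cl/RAbp.exe https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211229/
06 MD5 (LA6KuCv7.exe) = b44ab2a123761123f76d00b9c76f87fb 331024 Borland Delphi 3.0 6/44 http://mulayimakca.com/LA6KuCv7.exe https://www.virustotal.com/file/9a7562f0606040b7192a3a145a24cdf409637c02c3c296d1ef3eb2d7624960b6/analysis/1352211380/
05 MD5 (11W5W4N.exe) = 88adcd37f259a5f32259f8e5dad3a7cd 331024 Borland Delphi 3.0 6/44 http://swg-gera-ag.de/11W5W4N.exe https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/
02 MD5 (gMmaZarY.exe) = 17f72f8be80c61d8ba39504933014e83 327527 ***No match 32/44 http://dreamdiv.com/gMmaZarY.exe https://www.virustotal.com/file/de9f1c856820ff0d6ea1ac42fbcc3f13a93ab4f0d2f999d4d36bf5cfa923e725/analysis/
02 MD5 (G0J.exe) = 88adcd37f259a5f32259f8e5dad3a7cd 331024 Borland Delphi 3.0 6/44 http://www.olivetbc.net/G0J.exe https://www.virustotal.com/file/9f727d7353b86a3ef1296dbb1d591b6dd9848363261a0366f25ecb0b7a9636a7/analysis/1352211229/
02 MD5 (bsAzo.exe) = 17f72f8be80c61d8ba39504933014e83 327527 ***No match 32/44 http://northeasttreeremoval.com/bsAzo.exe https://www.virustotal.com/file/de9f1c856820ff0d6ea1ac42fbcc3f13a93ab4f0d2f999d4d36bf5cfa923e725/analysis/
"""

# Two of the nine wget entries, copied from the download log in this paste.
WGET_LOG = """\
--22:01:41-- http://ftp.frontsuppress.com/HY709.exe
=> `HY709.exe'
Resolving ftp.frontsuppress.com... 174.77.183.17
Connecting to ftp.frontsuppress.com|174.77.183.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 299,736 (293K) [application/octet-stream]
22:01:43 (151.35 KB/s) - `HY709.exe' saved [299736/299736]

--22:04:37-- http://northeasttreeremoval.com/bsAzo.exe
=> `bsAzo.exe'
Resolving northeasttreeremoval.com... 50.63.42.1
Connecting to northeasttreeremoval.com|50.63.42.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 327,527 (320K) [application/x-msdownload]
22:04:40 (137.83 KB/s) - `bsAzo.exe' saved [327527/327527]
"""

# One table row; the packer field may contain spaces, so it is matched lazily
# up to the "hits/total" VT column.
ROW_RE = re.compile(
    r"^(?P<day>\d\d)\s+MD5 \((?P<name>[^)]+)\) = (?P<md5>[0-9a-f]{32})\s+"
    r"(?P<size>\d+)\s+(?P<packer>.+?)\s+(?P<det>\d+/\d+)\s+"
    r"(?P<url>http://\S+)\s+(?P<vt>https://\S+)$")


def parse_table(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        hits, total = m.group("det").split("/")
        rows.append({"day": m.group("day"), "name": m.group("name"),
                     "md5": m.group("md5"), "size": int(m.group("size")),
                     "packer": m.group("packer"),
                     "detections": (int(hits), int(total)),
                     "url": m.group("url"), "vt": m.group("vt")})
    return rows


def parse_wget(text):
    """One record per '--hh:mm:ss-- URL' block: URL, resolved IP, announced length, saved bytes."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^--\d\d:\d\d:\d\d--\s+(\S+)", line)
        if m:
            cur = {"url": m.group(1), "ip": None, "length": None, "saved": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^Resolving \S+?\.\.\. (\d+(?:\.\d+){3})", line)
        if m:
            cur["ip"] = m.group(1)
            continue
        m = re.match(r"^Length: ([\d,]+)", line)
        if m:
            cur["length"] = int(m.group(1).replace(",", ""))
            continue
        m = re.search(r"saved \[(\d+)/(\d+)\]", line)
        if m:
            cur["saved"] = int(m.group(1))
    return entries


def consolidate(rows, downloads):
    """Group table rows by MD5, attach download evidence by URL, return (samples, notes)."""
    by_url = {d["url"]: d for d in downloads}
    samples = defaultdict(lambda: {"size": None, "packer": None, "detections": None,
                                   "files": set(), "urls": [], "ips": set()})
    notes = []
    for r in rows:
        s = samples[r["md5"]]
        if s["size"] is None:
            s["size"], s["packer"], s["detections"] = r["size"], r["packer"], r["detections"]
        elif s["size"] != r["size"]:
            notes.append(f"{r['md5']}: table lists sizes {s['size']} and {r['size']}")
        s["files"].add(r["name"])
        s["urls"].append(r["url"])
        d = by_url.get(r["url"])
        if d:
            if d["ip"]:
                s["ips"].add(d["ip"])
            if d["saved"] != r["size"]:
                notes.append(f"size mismatch for {r['url']}: table {r['size']} vs log {d['saved']}")
    for md5, s in samples.items():
        hosts = sorted({urlparse(u).netloc for u in s["urls"]})
        if len(hosts) > 1:
            notes.append(f"{md5} served from {len(hosts)} hosts: {', '.join(hosts)}")
    return dict(samples), notes


if __name__ == "__main__":
    samples, notes = consolidate(parse_table(TABLE), parse_wget(WGET_LOG))
    for md5, s in samples.items():
        print(md5, s["size"], s["packer"], s["detections"], sorted(s["files"]), sorted(s["ips"]))
    for n in notes:
        print("NOTE:", n)
```

Run stand-alone it prints five distinct hashes for the nine URLs, with 88adcd37f259a5f32259f8e5dad3a7cd served from four different compromised hosts and 17f72f8be80c61d8ba39504933014e83 from two. The size cross-check is the part worth keeping in a real pipeline: a saved length that differs from the catalogued one usually means the dropper has been swapped on the host since the listing was made.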
===================================================
MALICIOUS PROCESSES KICKED OFF, CHECKED PER TROJAN
===================================================
--------------------------------------------------
(HY709.exe) = 78956c291772c6a318f79d05758a744f
--------------------------------------------------
"C:\Documents and Settings\<USER>\Application Data\Eriv\epam.exe"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp246f57a8.bat"

----------------------------------------------
(UZSM.exe) = 1fbd072120a24152b10a9abb1417a5d3
----------------------------------------------
"C:\Documents and Settings\<USER>\Application Data\Guilix\regae.exe"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmpff276ded.bat"

--------------------------------------------------------
These work in the same way:
(KCCm.exe, RAbp.exe, LA6KuCv7.exe, 11W5W4N.exe, G0J.exe)
--------------------------------------------------------
"C:\Documents and Settings\<USER>\Application Data\RANDOM\RANDOM.exe"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\RANDOM.bat"

--------------------------------------------------------
These work in the same way:
(gMmaZarY.exe, bsAzo.exe)
--------------------------------------------------------
"C:\Documents and Settings\<USER>\Application Data\RANDOM(4 chars)\RANDOM.exe"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmpRANDOM.bat"

+ Opens backdoor:
127.0.0.1:53

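As an added example (not from the original paste), a small Python detector for the launch pattern listed above: an executable dropped under Application Data\<dir>\<name>.exe followed by cmd.exe /c running a .bat out of the user's Temp folder. The sample process events are constructed; the AppData\Roaming and AppData\Local\Temp path forms are assumptions for Vista and later, since the paste shows only Windows XP paths. Either event alone is noisy (installers also run batch files from Temp), so a host is only flagged when both halves are seen.

```python
import re
from collections import defaultdict

# Dropped copy under the roaming profile: ...\Application Data\<dir>\<name>.exe
# exactly two levels deep. "AppData\Roaming" is the assumed Vista+ equivalent.
APPDATA_EXE = re.compile(
    r'\\(?:Application Data|AppData\\Roaming)\\[^\\"]+\\[^\\"]+\.exe', re.I)

# cmd.exe /c running a batch file from the user's Temp folder. LOCALS~1\Temp is
# the XP form seen in the paste; "Local Settings\Temp" is its long form and
# AppData\Local\Temp is the assumed Vista+ form.
TEMP_BAT = re.compile(
    r'cmd\.exe"?\s+/c\s+"?[^"]*?\\(?:LOCALS~1|Local Settings|AppData\\Local)'
    r'\\Temp\\[^\\"]+\.bat', re.I)


def classify(cmdline):
    """Return 'temp_bat', 'appdata_exe' or None for one process command line."""
    if TEMP_BAT.search(cmdline):
        return "temp_bat"
    if APPDATA_EXE.search(cmdline):
        return "appdata_exe"
    return None


def detect(events):
    """events: iterable of (host, cmdline).

    Returns (flagged_hosts, seen): hosts where both halves of the pattern
    appeared, and the per-host set of pattern halves observed."""
    seen = defaultdict(set)
    for host, cmdline in events:
        kind = classify(cmdline)
        if kind:
            seen[host].add(kind)
    flagged = sorted(h for h, kinds in seen.items()
                     if {"appdata_exe", "temp_bat"} <= kinds)
    return flagged, dict(seen)


# Constructed process-creation events. ws01 reproduces the HY709.exe listing
# from the paste with a made-up user name; ws02 and ws03 are benign look-alikes.
EVENTS = [
    ("ws01", r"C:\Documents and Settings\alice\Application Data\Eriv\epam.exe"),
    ("ws01", r'C:\WINDOWS\system32\cmd.exe /c "C:\DOCUME~1\alice~1\LOCALS~1\Temp\tmp246f57a8.bat"'),
    ("ws02", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("ws02", r'C:\WINDOWS\system32\cmd.exe /c "C:\DOCUME~1\bob~1\LOCALS~1\Temp\cleanup.bat"'),
    ("ws03", r"C:\Documents and Settings\carol\Application Data\Mozilla\Firefox\firefox.exe"),
]

if __name__ == "__main__":
    flagged, seen = detect(EVENTS)
    for host, kinds in seen.items():
        print(host, sorted(kinds))
    print("flagged:", flagged)
```

The two-level path test is deliberate: a legitimate program living three levels down (ws03) does not match, while a lone Temp batch file (ws02) is recorded but not flagged. On a real estate you would tighten this further with the short, random-looking directory and file names the paste shows, or with the file's age and signer.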
----------------
#MalwareMustDie you MTFSOB!! We will follow you like a ghost, lurk & slay you down!!
@unixfreaxjp