- #MalwareMustDie!
- #Keylogger, Capturer, Backdoor (SMTP) and Downloader from China
- SHA256: c163338cbdefa14a69939c1fe248a94e8cac45f1fd499a556808846205e57b6d
- File name: VoLamII.com
- Detection ratio: 48 / 48
- VT: https://www.virustotal.com/en/file/c163338cbdefa14a69939c1fe248a94e8cac45f1fd499a556808846205e57b6d/analysis/
- Image/Pic: http://goo.gl/1IctMt
- #VERDICTS:
- // Self-copied:
- C:\WINDOWS\system32\csrs.exe
- C:\WINDOWS\system32\csrs.dll
- // Autostart:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrs
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csrs DllName
- // Logger trace:
- user hook set: 0 mouse C:\WINDOWS\system32\csrs.dll 1000464A SetWindowsHookExA
- user hook set: 0 keyboard C:\WINDOWS\system32\csrs.dll 10004668 SetWindowsHookExA
- // Downloading
- jifendownload.2345.cn/jifen_2345/2345explorer_k57819045.exe
- jifendownload.2345.cn/jifen_2345/2345haozip_k57819045.exe
- www.rybao.com/myfile/2227921967/Pack/setup_yyfm.jpg (A PE File actually)
- boxdown.gtui.cn/KXWebDown/KXWebBox_3364_RBF.exe
- // Dropped files on VT still have low detection rates:
- (2/49) https://www.virustotal.com/en/file/7e70ea50134fdb9ee115685ec9aa510ce2c51e5afd9940d16eaaae3067a663f8/analysis/1394313594/
- (1/49) https://www.virustotal.com/en/file/d94552187b3690bfb0611192b14ab2210f1fd6ff9ee612c78496269259f3abde/analysis/1394313611/
- (1/49) https://www.virustotal.com/en/file/ecb0b7ac07670062db9209e498cd6faaf770ad3e3dbef48ecf10bd11ef5c30a6/analysis/1394313629/
- // Send spam (SMTP log):
- 220 mx.google.com ESMTP 1si12872885lam.171 - gsmtp
- EHLO 618321
- 250-mx.google.com at your service, [87.106.72.151]
- 250-SIZE 35882577
- 250-8BITMIME
- 250-STARTTLS
- 250-ENHANCEDSTATUSCODES
- 250 CHUNKING
- MAIL FROM:<asdasd@gmail.com>
- 250 2.1.0 OK 1si12872885lam.171 - gsmtp
- RCPT TO:<lamvip2010vn2010@gmail.com>
- 250 2.1.5 OK 1si12872885lam.171 - gsmtp
- DATA
- 354 Go ahead 1si12872885lam.171 - gsmtp
- 550-5.7.1 Our system has detected an unusual rate of
- 550-5.7.1 unsolicited mail originating from your IP address. To protect our
- 550-5.7.1 users from spam, mail sent from your IP address has been blocked.
- 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
- 550 5.7.1 our Bulk Email Senders Guidelines. 1si12872885lam.171 - gsmtp
- QUIT
- 220 mx.google.com ESMTP zt8si12110416pbc.195 - gsmtp
- EHLO 618321
- 250-mx.google.com at your service, [87.106.72.151]
- 250-SIZE 35882577
- 250-8BITMIME
- 250-STARTTLS
- 250-ENHANCEDSTATUSCODES
- 250 CHUNKING
- MAIL FROM:<asdasd@gmail.com>
- 250 2.1.0 OK zt8si12110416pbc.195 - gsmtp
- RCPT TO:<lamvip2010vn2010@gmail.com>
- 250 2.1.5 OK zt8si12110416pbc.195 - gsmtp
- DATA
- 354 Go ahead zt8si12110416pbc.195 - gsmtp
- 550-5.7.1 Our system has detected an unusual rate of
- 550-5.7.1 unsolicited mail originating from your IP address. To protect our
- 550-5.7.1 users from spam, mail sent from your IP address has been blocked.
- 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
- 550 5.7.1 our Bulk Email Senders Guidelines. zt8si12110416pbc.195 - gsmtp
- QUIT
- 220 mx.google.com ESMTP mv7si12887724lbc.154 - gsmtp
- EHLO 618321
- 250-mx.google.com at your service, [87.106.72.151]
- 250-SIZE 35882577
- 250-8BITMIME
- 250-STARTTLS
- 250-ENHANCEDSTATUSCODES
- 250 CHUNKING
- MAIL FROM:<asdasd@gmail.com>
- 250 2.1.0 OK mv7si12887724lbc.154 - gsmtp
- RCPT TO:<lamvip2010vn2010@gmail.com>
- 250 2.1.5 OK mv7si12887724lbc.154 - gsmtp
- DATA
- 354 Go ahead mv7si12887724lbc.154 - gsmtp
- 550-5.7.1 Our system has detected an unusual rate of
- 550-5.7.1 unsolicited mail originating from your IP address. To protect our
- 550-5.7.1 users from spam, mail sent from your IP address has been blocked.
- 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
- 550 5.7.1 our Bulk Email Senders Guidelines. mv7si12887724lbc.154 - gsmtp
- QUIT
- 220 mx.google.com ESMTP nx5si8383241icb.60 - gsmtp
- EHLO 618321
- 250-mx.google.com at your service, [87.106.72.151]
- 250-SIZE 35882577
- 250-8BITMIME
- 250-STARTTLS
- 250-ENHANCEDSTATUSCODES
- 250 CHUNKING
- MAIL FROM:<asdasd@gmail.com>
- 250 2.1.0 OK nx5si8383241icb.60 - gsmtp
- RCPT TO:<lamvip2010vn2010@gmail.com>
- ---
- #MalwareMustDie
- @unixfreaxjp
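Added example (not part of the original paste and not MalwareMustDie's code): two small detection helpers for the two kinds of evidence shown above. The first parses sandbox "user hook set" trace lines and flags global keyboard/mouse hooks installed by a DLL whose name imitates a Windows component (the lookalike list with csrs.dll/csrs.exe is an assumed heuristic built from this sample). The second walks an SMTP transcript like the one logged above, splitting it into sessions and recording the EHLO name, sender, recipients and whether the server answered with a 5.7.1 policy rejection. The trace line format and the transcript excerpt are constructed from the lines in the note, so the script runs offline.

```python
import re

# Constructed sandbox trace lines, modelled on the "Logger trace" entries in the
# note above (csrs.dll / SetWindowsHookExA) plus one benign hook for contrast.
SAMPLE_TRACE = """\
user hook set: 0 mouse C:\\WINDOWS\\system32\\csrs.dll 1000464A SetWindowsHookExA
user hook set: 0 keyboard C:\\WINDOWS\\system32\\csrs.dll 10004668 SetWindowsHookExA
user hook set: 0 keyboard C:\\Program Files\\Vendor\\helper.dll 7C801000 SetWindowsHookExA
"""

# Assumed trace format: "user hook set: <thread> <kind> <dll path> <hex addr> <api>"
HOOK_RE = re.compile(
    r"user hook set: (?P<thread>\d+) (?P<kind>\w+) "
    r"(?P<dll>.+?\.dll) (?P<addr>[0-9A-Fa-f]+) (?P<api>\w+)"
)

# Assumed heuristic: file names that imitate the legitimate csrss.exe name.
LOOKALIKE_NAMES = {"csrs.dll", "csrs.exe"}


def find_hook_indicators(trace_text):
    """Return (dll_path, hook_kind) for every keyboard/mouse hook set through
    SetWindowsHookEx* by a DLL whose file name is on the lookalike list."""
    hits = []
    for line in trace_text.splitlines():
        m = HOOK_RE.search(line)
        if not m:
            continue
        dll_path = m.group("dll")
        file_name = dll_path.rsplit("\\", 1)[-1].lower()
        if (file_name in LOOKALIKE_NAMES
                and m.group("kind") in ("keyboard", "mouse")
                and m.group("api").startswith("SetWindowsHookEx")):
            hits.append((dll_path, m.group("kind")))
    return hits


# Constructed SMTP transcript excerpt following the shape of the sessions above.
SAMPLE_SMTP = """\
220 mx.google.com ESMTP 1si12872885lam.171 - gsmtp
EHLO 618321
250-mx.google.com at your service, [87.106.72.151]
MAIL FROM:<asdasd@gmail.com>
250 2.1.0 OK 1si12872885lam.171 - gsmtp
RCPT TO:<lamvip2010vn2010@gmail.com>
250 2.1.5 OK 1si12872885lam.171 - gsmtp
DATA
354 Go ahead 1si12872885lam.171 - gsmtp
550-5.7.1 Our system has detected an unusual rate of
550 5.7.1 our Bulk Email Senders Guidelines. 1si12872885lam.171 - gsmtp
QUIT
"""


def summarize_smtp(transcript):
    """Split a client/server SMTP transcript into sessions (each starts at the
    server's 220 greeting) and record the EHLO name, MAIL FROM, RCPT TO list and
    whether the server issued a 550 5.7.1 (bulk/spam policy) rejection."""
    sessions = []
    cur = None
    for line in transcript.splitlines():
        if line.startswith("220 "):
            cur = {"ehlo": None, "mail_from": None, "rcpt_to": [], "rejected_571": False}
            sessions.append(cur)
        elif cur is None:
            continue  # lines before the first greeting are ignored
        elif line.startswith("EHLO "):
            cur["ehlo"] = line[5:].strip()
        elif line.startswith("MAIL FROM:"):
            cur["mail_from"] = line[len("MAIL FROM:"):].strip("<> ")
        elif line.startswith("RCPT TO:"):
            cur["rcpt_to"].append(line[len("RCPT TO:"):].strip("<> "))
        elif line.startswith("550") and "5.7.1" in line:
            cur["rejected_571"] = True
    return sessions


if __name__ == "__main__":
    for dll, kind in find_hook_indicators(SAMPLE_TRACE):
        print(f"suspicious global {kind} hook from {dll}")
    for s in summarize_smtp(SAMPLE_SMTP):
        print(s)
```

Fed the sample above, the hook scanner reports only the two csrs.dll hooks (the vendor helper.dll line is left alone), and the SMTP summary shows one session from EHLO name 618321 that was cut off with a 5.7.1 rejection, which is the same pattern repeated across the sessions logged in the note.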