SHARE
TWEET

#MalwareMustDie - Infection of Cridex/Fareit ()

MalwareMustDie Jan 26th, 2013 245 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. =========================================
  2. #MalwareMustDie
  3. Latest Cridex/Fareit Infection via BHEK
  4. (Credential Stealer Crime Evidence)
  5. BHEK Domain / host used: eziponoma.ru:8080
  6. @unixfreaxjp /malware]$ date
  7. Sat Jan 26 19:56:20 JST 2013
  8. =========================================
  9.  
  10. // infector
  11. h00p://www.tounichi-g.co.jp/info.htm (redirector)
  12. h00p://eziponoma.ru:8080/forum/links/column.php (landing page)
  13.  
  14. // swf
  15. h00p://eziponoma.ru:8080/forum/links/column.php?uvdexgag=30:1n:1i:1i:33&wyxtg=3m:34:33:3k:3d&plxyuc=2v:1k:1m:32:33:1k:1k:31:1j:1o&zgcoapeq=dsl
  16. h00p://eziponoma.ru:8080/forum/links/column.php?uhe=30:1n:1i:1i:33&gwapy=3c:3k:38:3e&arp=2v:1k:1m:32:33:1k:1k:31:1j:1o&kwo=lxmxja
  17.  
  18. // pdf
  19. h00p://eziponoma.ru:8080/forum/links/column.php?dalzfmq=30:1n:1i:1i:33&msrsrdpm=3f:39:32&jddzbak=2v:1k:1m:32:33:1k:1k:31:1j:1o&sqlxaoig=1k:1d:1f:1d:1g:1d:1f
  20. h00p://eziponoma.ru:8080/forum/links/column.php?qaxcdv=30:1n:1i:1i:33&opynqk=39&tviura=2v:1k:1m:32:33:1k:1k:31:1j:1o&mddqxkqz=1k:1d:1f:1d:1g:1d:1f
  21.  
  22. // payload
  23. h00p://eziponoma.ru:8080/forum/links/column.php?nf=30:1n:1i:1i:33&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&sg=n&sc=c
  24.  
  25. //samples (with MD5 + UrlQuery report url)
  26. 2013/01/26  18:11  d0fe2ce87f933ff73f5ce0c0efadd462     422 info.htm      http://urlquery.net/report.php?id=850246
  27. 2013/01/26  18:21  f1b7f17e653cdedbfc78d3e9fa2bef4d 117,752 column.php    http://urlquery.net/report.php?id=842744
  28. 2013/01/26  19:15  d60be18003ae07ea165d193db087957b   7,238 flash1.swf    http://urlquery.net/report.php?id=850229
  29. 2013/01/26  19:16  a5a1308ee3ca7f75fe85fe4d9a14752f     946 flash2.swf    http://urlquery.net/report.php?id=850230
  30. 2013/01/26  19:17  361f6e22e55ca3732d8cbeff43ecb1d4  21,599 infector1.pdf http://urlquery.net/report.php?id=850240
  31. 2013/01/26  19:17  ef4c398c0138c3e8adabcdb647b2283b  11,183 infector2.pdf http://urlquery.net/report.php?id=850236
  32. 2013/01/26  18:23  95c06ae7b26fcbe338532bbaa1e137c4  15,420 java1.jar     http://urlquery.net/report.php?id=842744
  33. 2013/01/26  18:24  5599f12b1c2ce9c68dc629d013241273  15,592 java2.jar     http://urlquery.net/report.php?id=842744
  34. 2013/01/26  18:42  9fb4dd1b3e0b6002eff7e6f63a6b6d07  98,304 about.exe     http://urlquery.net/report.php?id=850234
  35. 2013/01/26  20:39  b152dacee9c5ca22543fe9e435177496 110,592 KB00777165.exe     -                                    
  36.  
  37. //additional: plugindetect
  38. 2013/01/26  19:12  47a1882f9677bb24f51405d71c6c7536  56,904 BHEK-PD079.txt
  39.  
  40. // Virus Total: (as per above sample sequence)
  41. https://www.virustotal.com/file/1da4c5bf69ae062b525c25538401b9fc6752b0780f4e9494431140350fc74ac9/analysis/1359196122/
  42. https://www.virustotal.com/file/59ab9f3e6a2cf40f8ce5ff37d5afdc36e68bd9c59facf72b3537adeb178fd105/analysis/1359196138/
  43. https://www.virustotal.com/file/f41f8102bb2d7b0e7bf97f61332e768d63fb5ccfa35693b5857c23b9e58e9622/analysis/1359196175/
  44. https://www.virustotal.com/file/3beb8ae0ce0ba1c7a8235d93aefcadded2ab7917414b70ce424836ad0ca4a721/analysis/1359196214/
  45. https://www.virustotal.com/file/66fb2a78aaef9b11d1e0adfaa49a81f380248230add1663cb7a75bd263b854e4/analysis/1359196230/
  46. https://www.virustotal.com/file/1fa06ce003b01fbc41b9e959f1d478f3ba56fe367f498921a757255627c67bb0/analysis/1359196247/
  47. https://www.virustotal.com/file/7ef8f67e7e4b39086387570b7fd8de505684b87318e9acccef34e20e0a8122b4/analysis/1359196264/
  48. https://www.virustotal.com/file/63106ebc5076fe6e1c8195a4e5f0dfb35668c0b0334e9e7fa840f4a28ce4830c/analysis/1359196283/
  49. https://www.virustotal.com/file/4ac71ec87577944cfb098b379bd55e9ddc8234cd791d994f621b892d969c699f/analysis/1359193394/
  50. https://www.virustotal.com/file/6a18c125b64f20432f8bb63ab92afcbaf9bc234968c8e8c2b472832877ee35a7/analysis/1359275410/
  51. ----
  52. #MalwareMustDie!
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top