5 replies to this topic

[Chinzo]

Hi, I discovered that one, 0/44 on virustotal, I opened it with ollydbg seems to be anti-? (av killer or vmware.etc detector), and I think password stealer, embeded in a "setup.exe" don't have time to play with, just share it to you, and in that way I now it will be picked up soon by avs

Attached Files

•  server.zip   33.61K   52 downloads

[Chinzo]

Ok I had a look on this it is a pw stealer, it scans firefox ansd even ie, cannot know where it sends this, it creates a file pass.txt on c:\, and it is 0/44 on virustotal, I'll send it to av companies, I posted it on 16th, not detected now, mm that's weird...

[dendi]

One more stupid delphi malware. Steals MSN/FF passwords and uploads it to FTP

ftp://login:abbaba@login.blackapplehost.com

[aliceinwire]

One more stupid delphi malware. Steals MSN/FF passwords and uploads it to FTP

ftp://login:abbaba@login.blackapplehost.com

how you have find the url of the ftp connection ?

this is my dump of the file

00000667:  Professional Software Development
00001C7E: Unknown String
00001CDA: Unexpected Memory Leak
00002E80: RTL FPUMaskValue
00004B08: GetLongPathNameA
00004D54: Locales
00004D77: Locales
0000737C: ggg yyyy
000086EF: GetDiskFreeSpaceExA
00008CE4: CreateToolhelp32Snapshot
00008D06: Heap32ListFirst Heap32ListNext
00008D1E: Heap32First Heap32Next
00008D4A: Toolhelp32ReadProcessMemory Process32First
00008D59: Process32Next
00008D7A: Process32FirstW Process32NextW
00008D89: Thread32First
00008D98: Thread32Next
00008DA9: Module32First
00008DB8: Module32Next
00008DCA: Module32FirstW
00008DD9: Module32NextW
000091B1: IsDebuggerPresent
00009573: InsideTm
000095C4: username
0000968B: currentuser
0000969F: CurrentUser
00009D7B: Mozilla
00009D8B: Firefox
00009DBA: CurrentVersion
00009DE5: Install Directory
0000A586: DecodeBuffer
0000A59F: GetInternalKeySlot
0000A5B1: Authenticate
0000A5C3: Decrypt
0000A5D0: Shutdown
0000A5E1: FreeSlot
0000A5EB: APPDATA
0000A628: Profile0
0000A986: j j j j
0000B8A4: 3bkdhkvT5gQ USER
0000B8B8: DIR LINK
0000B922: ANTI10
0000B92A: ANTI11
0000B932: ANTI12
0000B93A: ANTI13
0000B942: ANTI14
0000B94A: ANTI15
0000B9E3: FIREFOX
0000BAAE: u update
0000BAE6: MAILACTIVE
0000BB55:  close
0000BB8F: urlencoded
0000C375: Runtime error     at 00000000
0000CC91: SysFreeString
0000CCA7: SysReAllocStringLen
0000CCBB: SysAllocStringLen
0000CCDC: RegQueryValueExA
0000CCED: RegOpenKeyExA
0000CCFB: RegCloseKey
0000CD19: GetKeyboardType
0000CD29: DestroyWindow
0000CD37: LoadStringA
0000CD45: MessageBoxA
0000CD51: CharNextA
0000CD68: GetACP
0000CD7F: VirtualFree
0000CD8E: VirtualAlloc
0000CD9E: GetTickCount
0000CDB9: QueryPerformanceCounter
0000CDCE: GetCurrentThreadId
0000CDDE: VirtualQuery
0000CDF5: WideCharToMultiByte
0000CE0B: MultiByteToWideChar
0000CE16: lstrlenA
0000CE23: lstrcpynA
0000CE34: LoadLibraryExA
0000CE47: GetThreadLocale
0000CE59: GetStartupInfoA
0000CE6A: GetProcAddress
0000CE7E: GetModuleHandleA
0000CE94: GetModuleFileNameA
0000CEA6: GetLocaleInfoA
0000CEB6: GetLastError
0000CEC9: GetCommandLineA
0000CED7: FreeLibrary
0000CEE8: FindFirstFileA
0000CEF5: FindClose
0000CF03: ExitProcess
0000CF0F: WriteFile
0000CF2A: UnhandledExceptionFilter
0000CF3C: SetFilePointer
0000CF4C: SetEndOfFile
0000CF59: RtlUnwind
0000CF64: ReadFile
0000CF76: RaiseException
0000CF86: GetStdHandle
0000CF95: GetFileSize
0000CFA3: GetFileType
0000CFB1: CreateFileA
0000CFBF: CloseHandle
0000CFDB: TlsSetValue
0000CFE9: TlsGetValue
0000CFF6: LocalAlloc
0000D00A: GetModuleHandleA
0000D02A: TranslateMessage
0000D039: MessageBoxA
0000D047: LoadStringA
0000D05A: GetSystemMetrics
0000D06E: DispatchMessageA
0000D07B: CharNextA
0000D088: CharToOemA
0000D0A3: WriteFile
0000D0B2: VirtualQuery
0000D0CC: SizeofResource
0000D0D8: ReadFile
0000D0E8: LockResource
0000D0F8: LoadResource
0000D108: LoadLibraryA
0000D119: GetVersionExA
0000D128: GetTickCount
0000D13B: GetThreadLocale
0000D14A: GetStdHandle
0000D15C: GetProcAddress
0000D178: GetPrivateProfileStringA
0000D18C: GetModuleHandleA
0000D1A2: GetModuleFileNameA
0000D1B4: GetLocaleInfoA
0000D1C3: GetFileSize
0000D1D8: GetFileAttributesA
0000D1F3: GetEnvironmentVariableA
0000D207: GetDiskFreeSpaceA
0000D21B: GetCurrentProcess
0000D22E: GetComputerNameA
0000D23B: GetCPInfo
0000D249: FreeLibrary
0000D259: FindResourceA
0000D26D: EnumCalendarInfoA
0000D27B: DeleteFileA
0000D289: CreateFileA
0000D297: CloseHandle
0000D2B8: RegQueryValueExA
0000D2C9: RegOpenKeyExA
0000D2D7: RegCloseKey
0000D2EA: OpenProcessToken
0000D2FA: GetUserNameA
0000D31A: CredEnumerateA
0000D334: WSACleanup
0000D342: WSAStartup
0000D353: gethostbyname
0000D35C: socket
0000D38F: connect
0000D39D: closesocket
0000E168: 7 74787h7
0000E88D: D V C L A L
0000E89D: F I R E F O X
0000E8AF: H O S T
0000E8C7: P A C K A G E I N F O
0000E8D1: P A S S
0000E8DB: U S E R
0000E8ED: N o v e m b e r
0000E8FF: D e c e m b e r
0000E945: S u n d a y
0000E953: M o n d a y
0000E963: T u e s d a y
0000E977: W e d n e s d a y
0000E989: T h u r s d a y
0000E997: F r i d a y
0000E9A9: S a t u r d a y
0000E9EB: J a n u a r y
0000E9FD: F e b r u a r y
0000EA09: M a r c h
0000EA15: A p r i l
0000EA27: J u n e
0000EA31: J u l y
0000EA3F: A u g u s t
0000EA53: S e p t e m b e r
0000EA63: O c t o b e r
0000EA73: I n v a l i d
0000EA83: v a r i a n t
0000EA8D: t y p e
0000EAA3: c o n v e r s i o n
0000EAB3: I n v a l i d
0000EAC3: v a r i a n t
0000EAD7: o p e r a t i o n
0000EAE7: I n v a l i d
0000EAF9: a r g u m e n t
0000EB0B: E x t e r n a l
0000EB1F: e x c e p t i o n
0000EB39: A s s e r t i o n
0000EB47: f a i l e d
0000EB5B: I n t e r f a c e
0000EB77: s u p p o r t e d
0000EB8B: E x c e p t i o n
0000EBA3: s a f e c a l l
0000EBB1: m e t h o d
0000EBCB: l i n e
0000EBE5: A b s t r a c t
0000EBF1: E r r o r
0000EBFF: A c c e s s
0000EC13: v i o l a t i o n
0000EC29: a d d r e s s
0000EC43: m o d u l e
0000EC6B: a d d r e s s
0000ECB3: I n v a l i d
0000ECC3: p o i n t e r
0000ECD7: o p e r a t i o n
0000ECE7: I n v a l i d
0000ECF3: c l a s s
0000ED13: t y p e c a s t 0 A c c e s s
0000ED27: v i o l a t i o n
0000ED3D: a d d r e s s
0000ED61: a d d r e s s
0000ED75: A c c e s s
0000ED89: v i o l a t i o n
0000ED95: S t a c k
0000EDA7: o v e r f l o w
0000EDB7: C o n t r o l
0000EDD9: P r i v i l e g e d
0000EDF1: i n s t r u c t i o n
0000EE05: E x c e p t i o n
0000EE1F: m o d u l e
0000EE5B: A p p l i c a t i o n
0000EE75: E r r o r 1 F o r m a t
0000EE8F: i n v a l i d
0000EEAF: i n c o m p a t i b l e
0000EEB9: w i t h
0000EECB: a r g u m e n t
0000EEE3: a r g u m e n t
0000EEF9: f o r m a t
0000EF13: V a r i a n t
0000EF21: m e t h o d
0000EF2D: c a l l s
0000EF49: s u p p o r t e d
0000EF53: R e a d
0000EF5F: W r i t e
0000EF6B: E r r o r
0000EF7D: c r e a t i n g
0000EF8D: v a r i a n t
0000EF9D: s a f e
0000EFA9: a r r a y
0000EFB9: V a r i a n t
0000EFC9: s a f e
0000EFD5: a r r a y
0000EFE1: i n d e x
0000EFFD: b o u n d s
0000F01B: m e m o r y
0000F02F: e r r o r
0000F03F: F i l e
0000F053: f o u n d
0000F063: I n v a l i d
0000F075: f i l e n a m e
0000F087: m a n y
0000F091: o p e n
0000F09D: f i l e s
0000F0A7: F i l e
0000F0B5: a c c e s s
0000F0C3: d e n i e d
0000F0CD: R e a d
0000F0DB: b e y o n d
0000F0F3: f i l e
0000F0FD: D i s k
0000F107: f u l l
0000F117: I n v a l i d
0000F127: n u m e r i c
0000F133: i n p u t
0000F145: D i v i s i o n
0000F155: z e r o
0000F161: R a n g e
0000F16D: c h e c k
0000F179: e r r o r
0000F189: I n t e g e r
0000F19B: o v e r f l o w
0000F1AB: I n v a l i d
0000F1BD: f l o a t i n g
0000F1C9: p o i n t
0000F1DD: o p e r a t i o n
0000F1EF: F l o a t i n g
0000F1FB: p o i n t
0000F20D: d i v i s i o n
0000F21D: z e r o
0000F22F: F l o a t i n g
0000F23B: p o i n t
0000F24D: o v e r f l o w
0000F25F: F l o a t i n g
0000F26B: p o i n t
0000F27F: u n d e r f l o w
0000F2CA: lightstealer
0000F2D4: WinSock
0000F2DE: KWindows
0000F2E6: UTypes
0000F2F0: SysInit
0000F2F9: System
0000F30B: TlHelp32
0000F316: CryptApi
0000F320: WinInet
0000F32B: SysUtils
0000F336: ImageHlp
0000F341: SysConst
0000F341: SysConst

[illwill]

tcp dump it and see the connection
such as wireshack

[aliceinwire]

tcp dump it and see the connection
such as wireshack

thanks for the suggestion illwill

i have try with zero-wine and tcp dump but i have see no connection :S

i reply it with vmware when i can