About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on Contagio or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Thursday, May 10, 2012

020 Crime Ramnit Rootkit - web - May 10, 2012

Sample credit - Artem Baranov and Hendrik Adrian

Research:

Download (pass infected)

Size: 135680
MD5: 607B2219FBCFBFE8E6AC9D7F3FB8D50E

AppData\ftaubilx\px1.tmp
AppData\obrymkdk.log
%tmp%\bledqixd.sys MD5: a6d351093f75d16c574db31cdf736153

ffmcnnwunntybhyx.exe
info.exe
narhllul.exe

Communications
443 to 176.31.62.76
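The file hashes, dropped-file names and the 443 destination above are the kind of indicators a defender turns into a detection. The script below is an added example, not code from the Contagio Exchange post or its contributors: it takes exactly the indicator values given in the post and matches them against a handful of constructed endpoint and firewall log lines. The key=value log format, host names and timestamps are assumptions made for the demonstration, not real data.

```python
"""Match the indicators listed in this post against constructed log lines.

Added example, not code from the Contagio Exchange post or its contributors.
The hashes, file names and the 176.31.62.76:443 destination are the values
given in the post; the log lines, their key=value layout, host names and
timestamps are constructed for this demonstration and are not real data.
"""
import re

# Indicators from the post (hashes lower-cased so comparison is case-insensitive).
IOC_MD5 = {
    "607b2219fbcfbfe8e6ac9d7f3fb8d50e",  # the 135680-byte sample
    "a6d351093f75d16c574db31cdf736153",  # %tmp%\bledqixd.sys
}
IOC_FILENAMES = {
    "px1.tmp", "obrymkdk.log", "bledqixd.sys",
    "ffmcnnwunntybhyx.exe", "info.exe", "narhllul.exe",  # info.exe is generic: weak on its own
}
IOC_C2 = {("176.31.62.76", 443)}

# Constructed endpoint/firewall log lines in an assumed key=value format.
SAMPLE_LOGS = [
    r"ts=2012-05-10T10:01:02Z host=ws12 event=proc_create image=C:\Users\a\narhllul.exe md5=607B2219FBCFBFE8E6AC9D7F3FB8D50E",
    r"ts=2012-05-10T10:01:03Z host=ws12 event=file_write path=C:\Users\a\AppData\Local\Temp\bledqixd.sys md5=a6d351093f75d16c574db31cdf736153",
    r"ts=2012-05-10T10:01:05Z host=ws12 event=net_conn proto=tcp dst=176.31.62.76 dport=443",
    r"ts=2012-05-10T10:02:00Z host=ws07 event=net_conn proto=tcp dst=192.0.2.10 dport=443",
    r"ts=2012-05-10T10:02:10Z host=ws07 event=proc_create image=C:\Windows\System32\notepad.exe md5=00000000000000000000000000000000",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a key=value log line into a dict (values contain no spaces in this format)."""
    return dict(KV_RE.findall(line))


def match_iocs(line):
    """Return the indicator types (md5, filename, c2) that one log line matches."""
    fields = parse_line(line)
    hits = []
    if fields.get("md5", "").lower() in IOC_MD5:
        hits.append("md5")
    # Compare only the basename: the post gives relative paths and bare file names.
    path = fields.get("image") or fields.get("path") or ""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename in IOC_FILENAMES:
        hits.append("filename")
    if fields.get("event") == "net_conn" and fields.get("dport", "").isdigit():
        if (fields.get("dst"), int(fields["dport"])) in IOC_C2:
            hits.append("c2")
    return hits


def scan(lines):
    """Return (line index, hits) for every line that matched at least one indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = match_iocs(line)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS):
        print(f"line {i}: {', '.join(hits)} -> {SAMPLE_LOGS[i]}")
```

Hash and C2 matches are strong on their own; a bare file-name match such as info.exe is noisy and is best used only to corroborate one of the other two.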

Virustotal

SHA256:     f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c
SHA1:     a7771cd3b99f7201b331323f03e2d596778b610e
MD5:     607b2219fbcfbfe8e6ac9d7f3fb8d50e
File size:     132.5 KB ( 135680 bytes )
File name:     file
File type:     Win32 EXE
Tags:     upx
Detection ratio:     37 / 42
Analysis date:     2012-04-27 11:02:44 UTC ( 1 week, 6 days ago )
Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Lebag     20120426
AntiVir     TR/Offend.KD.504269     20120427
Antiy-AVL     Trojan/Win32.Gamarue.gen     20120427
Avast     Win32:Trojan-gen     20120427
AVG     Generic27.MBL     20120427
BitDefender     Trojan.Generic.KD.504269     20120427
ByteHero     -     20120424
CAT-QuickHeal     Trojan.Lebag.klg.cw3     20120427
ClamAV     Trojan.CripUnp     20120426
Commtouch     W32/Downldr2.IXID     20120427
Comodo     Heur.Suspicious     20120427
DrWeb     Trojan.Rmnet.8     20120427
Emsisoft     DDoS.Win32.Dofoil!IK     20120427
eSafe     -     20120425
eTrust-Vet     Win32/Dofoil.A!generic     20120427
F-Prot     W32/Downldr2.IXID     20120426
F-Secure     Trojan.Generic.KD.504269     20120427
Fortinet     W32/Lebag.A!tr     20120427
GData     Trojan.Generic.KD.504269     20120427
Ikarus     DDoS.Win32.Dofoil     20120427
Jiangmin     Trojan/Gamarue.bx     20120427
K7AntiVirus     Riskware     20120427
Kaspersky     Trojan.Win32.Lebag.klg     20120427
McAfee     Generic.il     20120427
McAfee-GW-Edition     Generic.il     20120426
Microsoft     Trojan:Win32/Ramnit.A     20120427
NOD32     Win32/Ramnit.A     20120427
Norman     W32/Krypt.CI     20120427
nProtect     Trojan/W32.Agent.135680.LI     20120427
Panda     Trj/Agent.NOK     20120427
PCTools     Trojan.Generic     20120424
Rising     Trojan.Win32.Generic.12AF6823     20120427
Sophos     -     20120427
SUPERAntiSpyware     -     20120402
Symantec     Trojan Horse     20120427
TheHacker     Trojan/Lebag.klg     20120426
TrendMicro     TSPY_SINOWAL.WC     20120427
TrendMicro-HouseCall     TSPY_SINOWAL.WC     20120427
VBA32     Trojan.Lebag.klg     20120427
VIPRE     Trojan.Win32.Generic!BT     20120427
ViRobot     -     20120427
VirusBuster     Trojan.Lebag!yEp9NXlqXHc     20120427

Also found on BH EK 173.237.198.42
Posted 3 months, 3 weeks ago by Kafeine
BH EK 77.72.129.68
Posted 3 months, 3 weeks ago by Kafeine
This is one of the Ramnit Worm Malware samples detected between 1st January 2012 and 6th January 2012.

Analyzed in the analysis reports written below:

Binary Analysis: http://mcaf.ee/r6qb5 (Translated from Japanese)

Dynamic Analysis (1) & (2) : http://mcaf.ee/7y46s & http://mcaf.ee/cf0jw (Translated from Japanese)

Overall Latest samples & Analysis: http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html#more



Hendrik ADRIAN (VT/Twitter: @unixfreaxjp )

ZeroDay Japan http://0day.jp

Blog: unixfreaxjp.blogspot.com
Posted 3 months, 3 weeks ago by unixfreaxjp
Below are the current reports:

The static (binary) analysis first handle report is here:
http://pastebin.com/iNxP8GTR

The dynamic (behavior) analysis first handle report is here:
http://pastebin.com/JJ5zuTh1


Last notes:
Received the same sample as sent by Contagio.
It sent the encrypted packet to the remote host, non-SSL, on port 443. Decrypting it in many ways... still can't tell.
Encryption key suspected to be injected into the registry, in dynamic analysis line 228 (Windows registry).
Outbound links go into the sinkhole, please check if any are left.
I am Ollying the sample for more info now...
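The comment above notes that the sample talks to the remote host on port 443 without SSL. That is something a defender can check directly on the first client-to-server bytes of each flow, because a genuine TLS connection opens with a handshake record (content type 0x16, version 3.x, handshake type 0x01) or, for very old clients, an SSLv2-format ClientHello. The script below is an added example, not the commenter's analysis or code from the post: it classifies constructed flows and flags port-443 connections whose first bytes are not a handshake. The 176.31.62.76:443 destination is the one given in the post; the payload bytes and the other destinations are constructed for the demonstration, not captured traffic.

```python
"""Flag TCP flows to port 443 whose first bytes are not a TLS handshake.

Added example, not code from the Contagio Exchange post or from the
commenter's analysis. The 176.31.62.76:443 destination is the one given in
the post; the flows below and their payload bytes are constructed for this
demonstration and are not captured traffic.
"""


def looks_like_tls_client_hello(payload):
    """True if payload starts with a TLS record header wrapping a ClientHello.

    Checks: record content type 0x16 (handshake), record version 3.x,
    plausible record length, handshake message type 0x01 (client_hello).
    """
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < record_len <= 16384 and handshake_type == 0x01)


def looks_like_sslv2_client_hello(payload):
    """True for the legacy SSLv2-format ClientHello: 2-byte length with the high bit set, then msg type 0x01."""
    return len(payload) >= 3 and payload[0] & 0x80 == 0x80 and payload[2] == 0x01


def classify_flow(flow):
    """'tls' or 'non_tls_on_443' for flows to port 443; 'other' for everything else."""
    if flow["dport"] != 443:
        return "other"
    p = flow["payload"]
    if looks_like_tls_client_hello(p) or looks_like_sslv2_client_hello(p):
        return "tls"
    return "non_tls_on_443"


def find_non_tls_on_443(flows):
    """Destinations of flows that use port 443 without a TLS handshake."""
    return [f["dst"] for f in flows if classify_flow(f) == "non_tls_on_443"]


# Constructed flows: the first client-to-server payload bytes of each connection.
FLOWS = [
    # Opaque bytes on 443, as the comment describes (constructed, not the sample's real traffic).
    {"dst": "176.31.62.76", "dport": 443, "payload": bytes.fromhex("5a3e9c1b7f02aa10e4")},
    # Start of an ordinary ClientHello in a TLS 1.0 record: 16 03 01 <len> 01 ...
    {"dst": "192.0.2.10", "dport": 443, "payload": bytes.fromhex("160301003c01000038")},
    # Plain HTTP on port 80 is outside the scope of this check.
    {"dst": "192.0.2.20", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["dst"], f["dport"], classify_flow(f))
```

One opaque flow on 443 is weak evidence by itself, since some legitimate software also runs non-TLS protocols there; it becomes useful when paired with the destination list from the post or with the other host-based indicators.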