
View Full Version : Another strange packer


Cthulhu
April 2nd, 2007, 15:59
I just got this trojan from a friend. And it seems that it is packed with a brand new packer.

Warning: this is malware.

fr33ke
April 2nd, 2007, 16:43
I think this is a home-brewed packer. Pretty trivial to unpack, just trace a bit until the 'jmp eax'. OEP is 403530.

Looks kinda interesting, uses non-API code to get kernel32 base address and functions. Also the strings look promising (some HTTP shit).

EDIT: I found some strings that indicate the trojan wants to steal your money. They were encrypted.

Code:
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/
*banking.*/cgi/ueber*.cgi*
*citibank.de/*
GRABBED TAN:


EDIT2: I am pretty sure it is the trojan described in this paper: http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

Attached is my dump, and yes it's malware. Download at your own risk.

Cthulhu
April 3rd, 2007, 07:23
Thanks for helping me with this one man!