Monday, 6 August 2012

MP-FormGrabber

A form-grabber malware that claims to grab anything, with no dependencies.
It works with the latest versions of Firefox, Chrome, Internet Explorer and Opera.

Advert:

Copy the file/Execute the copy:

Registry persistence:

Drop a DLL from the resource section:



Looking for the browser process:

Inject:

Firefox injected:
(Congratulations, your browser is owned)
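The injection shown above leaves a DLL on disk and mapped into the browser, which is the easy-to-spot part. The following triage check is an added example (not code from the post or from MP-FormGrabber): it lists modules loaded into a browser process from anywhere other than the Windows system directories, Program Files, or the browser's own install directory. The sample snapshot, the `grab.dll` name and its path are constructed for the example; the trusted-prefix list is an assumption and needs extending on hosts where security products legitimately inject into browsers.

```python
"""Triage check for a DLL dropped to disk and injected into a browser.
Added example, not code from the post or from MP-FormGrabber.
Assumption: a stock browser only loads modules from the Windows system
directories, Program Files, or its own install directory."""
import ntpath

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "opera.exe"}

# Directories a stock browser is expected to load code from (assumption;
# extend for third-party products that legitimately inject into browsers).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def suspicious_modules(process_name: str, exe_path: str, modules):
    """Return the modules of a browser process loaded from outside the trusted
    directories and outside the browser's own install directory.
    Non-browser processes return an empty list."""
    if process_name.lower() not in BROWSERS:
        return []
    own_dir = _norm(ntpath.dirname(exe_path)) + "\\" if exe_path else None
    hits = []
    for path in modules:
        p = _norm(path)
        if (own_dir and p.startswith(own_dir)) or p.startswith(TRUSTED_PREFIXES):
            continue
        hits.append(path)
    return hits


def scan_snapshot(snapshot):
    """Run the check over a {pid: {name, exe, modules}} snapshot and return
    {pid: [paths]} for processes with at least one suspicious module."""
    findings = {}
    for pid, info in snapshot.items():
        hits = suspicious_modules(info["name"], info["exe"], info["modules"])
        if hits:
            findings[pid] = hits
    return findings


def scan_live():
    """Same check against the running system (Windows only, needs psutil).
    psutil's memory_maps() lists the DLLs mapped into each process."""
    import psutil  # optional dependency, imported lazily
    snapshot = {}
    for proc in psutil.process_iter(["pid", "name", "exe"]):
        try:
            mods = [m.path for m in proc.memory_maps()]
        except (psutil.AccessDenied, psutil.NoSuchProcess):
            continue
        snapshot[proc.info["pid"]] = {"name": proc.info["name"] or "",
                                      "exe": proc.info["exe"] or "",
                                      "modules": mods}
    return scan_snapshot(snapshot)


# Constructed sample snapshot (not taken from the post's screenshots);
# the dropped DLL name and path are hypothetical.
SAMPLE_SNAPSHOT = {
    1234: {
        "name": "firefox.exe",
        "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "modules": [
            r"C:\Program Files\Mozilla Firefox\xul.dll",
            r"C:\Windows\System32\ntdll.dll",
            r"C:\Windows\SysWOW64\wininet.dll",
            r"C:\Users\victim\AppData\Roaming\grab.dll",
        ],
    },
    2345: {
        "name": "notepad.exe",
        "exe": r"C:\Windows\System32\notepad.exe",
        "modules": [r"C:\Users\victim\AppData\Roaming\grab.dll"],
    },
}

if __name__ == "__main__":
    for pid, hits in scan_snapshot(SAMPLE_SNAPSHOT).items():
        print(pid, hits)
```

Only the browser process is reported, even though the same constructed DLL path shows up in notepad.exe; the point of the check is the combination of a browser process and a module from a user-writable location, which matches what this sample does. A per-user Firefox install under AppData is handled by treating the executable's own directory as trusted.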



Some interesting strings found inside the DLL:

Attempting to sign in to the VirusTotal.com service:
(Here the injected DLL checks whether the request is a POST)
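To make the filter above concrete, here is the same check reimplemented in Python as an added example (not the sample's code and not the post author's): it decides whether a raw outbound HTTP buffer would pass the grabber's POST test, decodes the form fields, and applies a credential-name heuristic of the kind the panel's parsing rules use on the logs. The screenshot only shows the POST comparison; the content-type check, the field-name regex, the lab host and the fake credentials in the sample traffic are all assumptions made for the example.

```python
"""The filter an injected form grabber applies to outbound HTTP buffers,
reimplemented for analysis. Added example, not the sample's or the post's
code. Assumptions: the hook sees the raw request text (plain HTTP or after
TLS), and the panel's parsing rules key on common credential field names."""
import re
from urllib.parse import parse_qsl

# Field names a credential-parsing rule would typically match (assumption).
CREDENTIAL_NAME_RE = re.compile(r"(pass|pwd|user|login|mail)", re.I)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", len(body)))
    return method.decode("latin-1"), target.decode("latin-1"), headers, body[:length]


def would_be_grabbed(raw: bytes) -> bool:
    """The grabber's gate: a POST carrying a non-empty form-encoded body.
    The content-type check is an addition so that multipart or JSON bodies
    are not mistaken for form fields."""
    method, _, headers, body = parse_http_request(raw)
    if method != "POST" or not body:
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "application/x-www-form-urlencoded"


def grabbed_fields(raw: bytes) -> dict:
    """Decode the form body into name -> value; empty dict if not grabbed."""
    if not would_be_grabbed(raw):
        return {}
    _, _, _, body = parse_http_request(raw)
    return dict(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True))


def credential_fields(raw: bytes) -> dict:
    """Subset of grabbed fields whose names look like login credentials,
    i.e. what a panel parsing rule would surface in the parsed view."""
    return {k: v for k, v in grabbed_fields(raw).items()
            if CREDENTIAL_NAME_RE.search(k)}


# Constructed sample traffic to a lab host with fake credentials (not
# captured from the VirusTotal sign-in shown in the post).
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: lab.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 53\r\n"
    b"\r\n"
    b"email=alice%40example.com&password=hunter2&remember=1"
)
SAMPLE_GET = b"GET /search?q=alice HTTP/1.1\r\nHost: lab.example\r\n\r\n"
SAMPLE_JSON_POST = (
    b"POST /api HTTP/1.1\r\nHost: lab.example\r\n"
    b"Content-Type: application/json\r\nContent-Length: 22\r\n\r\n"
    b'{"password":"hunter2"}'
)

if __name__ == "__main__":
    for name, req in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET), ("JSON", SAMPLE_JSON_POST)):
        print(name, would_be_grabbed(req), credential_fields(req))
```

Feeding a sandboxed sample a request like `SAMPLE_POST` against a lab host is a cheap way to confirm the hook is live: the same fields should turn up in the panel's logs. The GET and JSON cases pass through untouched, which is also what a grabber keyed only on the POST method would miss or mishandle.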


Malware call home procedure:

Before calling the gate it checks whether the host has already been decrypted and, if not, decrypts it.
(The coder of MP-FormGrabber added this to keep the host from showing up in hexed binaries, but apparently never heard of code caves.)

Fetching the hard-coded string back from the resource section:

Host decrypted:

Encoding the grabbed data and calling the gate:

"gate.php" server side:


The malware panel, login:

Logs:

Rules settings to parse logs:

Grabbed infos parsed:

This form-grabber was fun to reverse, but don't take this as a game: malware can always ruin your life in two clicks.


If you are looking for an exe of MP-FormGrabber and access to my panel for research purposes, feel free to contact me.


10 comments:

  1. What'd you think of it? Decent?

    Sales are likely going to close for it, or at least leave my hands. I recently found out that sales of this tool are illegal, and I'm not willing to involve myself with it anymore.

    Anyways, good post.
  2. Drop a DLL on the hard drive?
    What kind of shit is this formgrabber?
  3. http://4.bp.blogspot.com/-4X6gbRULvPw/UCALPdnyq5I/AAAAAAAAHo0/iVCfGe6wgfw/s1600/06-08-2012+20-21-21.png


    Do I see SQL injection here?
  4. Yes Tadas :)
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Junk')' at line 1

  5. BV1 looks kind of lame to me. DLL injection is a big downside as it requires you to drop files to disk, the injected DLLs are easy to spot, and so on, so it's a simple solution for people that are too inadequate to inject code directly (I guess a copy-pasted project?)
  6. Is this zesu?
    Because zesu drops a DLL to the HDD too, and uses shit encryption for the host.
  7. http://krebsonsecurity.com/2012/08/booter-shells-turn-web-sites-into-weapons

    You should do a report on absoboot like krebsonsecurity did :D
  8. Not really interested in DDoS faggotry
  9. Hello Steven K, I am interested in your MP form grabber. I need it, how do I contact you? Please provide me your contact details. Thanks, I wait.
  10. Hello Steve, I'm very interested, how do I contact you? Can you send your contact details to my email varctransport@live.com