And to finish my hackforum tour for the day...
Advert:
9 KB packed with UPX:
Looking for process:
Open process:
WriteProcess:
And CreateRemoteThread (the first time I ran the malware it made Firefox crash; the second time it worked):
So let's debug Firefox...
When I try to log in on VirusTotal:
POST requests are intercepted:
The captured data are encrypted and sent to the panel (here it's localhost/development/panel.php):
If you look for the sample...
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2234
Comments:

In my opinion it's not even worth reversing hackforums malware, most of them are copy/paste and made from ripped sources.

And they don't work as they are advertised.
Why waste time Xyli bro on such low shit.
thanks

Looks like it is a rip of this: http://pastebin.com/MPeEhGLy

(reply) Coder made another formgrabber before and code was a 1:1 match lol
Even this public pastebin code is ripped and broken but this formgrabber "coder" obviously can't see that.
Even the coder himself has said he's using injection code ripped from Zeus.

What else can we expect from HF skids, kids, script kiddies and more importantly copy/pasters and rippers.

I'm interested in the rip of this.