Fynloski dropper and .NET PWS (pass stealer) Analysis

Hey,
Again the malware sample came to me via a spam campaign and was caught in a corporate network's honeypot.

If you want the sample: comment and request it 😉

This time, the campaign's spread was not so wide.
In this post, in detail:

  • Recognition of the Fynloski dropper
  • ..recognizing the type of protection of the dropper
  • ..some details on the dropper’s encryption scheme
  • Dumping the main malware process using OllyDbg (PWS in .NET)
  • ..analysing the stealer.. Decompilation via ILSpy
  • ..analysis of the operator’s credential encryption scheme with OllyDbg
  • ..pwning the operator’s credentials revealing victim’s logs and not only..

..Let’s go.. 🙂