Again, the malware sample came to me via a spam campaign and was caught in a corporate network's honeypot.
If you want the sample, comment and request it 😉
This time, the campaign's spread was not so wide.
In this post, in detail:
- Recognition of the Fynloski dropper
- ..identifying the type of protection used by the dropper
- ..some details of the dropper's encryption scheme
- Dumping the main malware process using OllyDbg (a PWS written in .NET)
- ..analysing the stealer: decompilation via ILSpy
- ..analysis of the operator's credential encryption scheme with OllyDbg
- ..pwning the operator's credentials, revealing the victims' logs and more..
..Let’s go.. 🙂