Monday 6 August 2012

MP-FormGrabber

A Form-grabber malware who claim to grab anything, and with no dependencies.
It work with lastest version of Firefox, Chrome, Internet Explorer and Opera.

Advert:

Copy the file/Execute the copy:

Registry persistence:

Drop a dll from ressource:



Looking for browser process:

Inject:

Firefox injected:
(Congratulation, your browser is owned)



An interesting part of strings found inside the dll:

Doing an attempt to sign in on the VirusTotal.com service:
(Here, the injected dll compare if it's a POST request)


Malware call home procedure:

Before calling the gate it verify if the host is already decrypted, if no it decrypt the host.
(The coder of MP-Formgrabber have added a method to avoid leaks with hexed bins but look's like he have never heard of code-cave)

Retake an hardcoded strings from resource:

Host decyphered:

Encode grabbed datas and call the gate:

"gate.php" server side


The malware panel, login:

Logs:

Rules settings to parse logs:

Grabbed infos parsed:

This form-grabber was fun to reverse, anyway dont take this as a game, malware can always ruin your life in two clicks.


 If you are looking for an exe of MP-FormGrabber and additional access to my panel for research purpose, feel free to contact me.


10 comments:

  1. What'd you think of it? Decent?

    Sales are likely going to close for it, or at least leave my hands. I recently found out sales of this tool is Illegal, and I'm not willing to involve myself with it anymore.

    Anyways, good post.

    ReplyDelete
  2. Drop a dll on the hard drive ?
    What kind of shit is this formgrabber ?

    ReplyDelete
  3. http://4.bp.blogspot.com/-4X6gbRULvPw/UCALPdnyq5I/AAAAAAAAHo0/iVCfGe6wgfw/s1600/06-08-2012+20-21-21.png


    Do I see sql injection here?

    ReplyDelete
  4. Yes Tadas :)
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Junk')' at line 1

    ReplyDelete
  5. BV1 Looks kind of lame to me, DLL injection is a big downside as it requires you to drop files to disk, easy to spot the injected dlls, and so on, so it's simple solution for people that are too inadequate to inject code directly (I guess copy-pasted projected?)

    ReplyDelete
  6. is this zesu
    coz zesu drop dll to hdd to , and uses a shit encryption for the host

    ReplyDelete
  7. http://krebsonsecurity.com/2012/08/booter-shells-turn-web-sites-into-weapons

    you should do a report on absoboot like krebsonsecurity did :D

    ReplyDelete
  8. Not really interested into ddos faggotry

    ReplyDelete
  9. hello Steven k, please am interested in your MP form grabber. i need it, how do i communicate you, please provide me your contact details. thanks i wait

    ReplyDelete
  10. Hello steve, i m very interested how do i contact you? can you send your contact details to my email varctransport@live.com

    ReplyDelete