Author Topic: Ambler Trojan (Read 7821 times)

malwaremen · March 04, 2009, 06:26:23 pm

Hi all,

I'm new here and I've been trying lately to track down a banking Trojan called Ambler: http://threatexpert.com/report.aspx?md5=ca2ad174a488c72440512088fe8aa0eb

I was wondering if any of you guys know of a site which track down the binaries of this Trojan?
In the reports of threat experts only the drops and sometimes the update point with the configuration file can be found but not the binary itself.
like in the report above:
http://216.12.168.138/1/helper.xml (Xor'd configuration file)
http://main-dns.com/cd.php (one of the drops)

SysAdMini · March 12, 2009, 04:51:21 pm

Here you can find a sample :

http://www.malwaredomainlist.com/mdl.php?search=zlzu.ru&colsearch=All&quantity=50

SysAdMini · March 15, 2009, 02:10:51 pm

Another sample:

Code: [Select]

gimnow.org/images/exe.php?exp=mdac

malwaremen · March 15, 2009, 11:45:47 pm

thank you very much!

is it possible to tag them on mdl always as ambler so its easy to find?

CM_MWR · March 16, 2009, 08:15:45 am

Yeah you overpaid SysAdmin....why not tag all the malware links here with malware names, I know you dont have anything else to do...even in real life.

SysAdMini · March 16, 2009, 10:56:43 am

Quote from: malwaremen on March 15, 2009, 11:45:47 pm

thank you very much!

is it possible to tag them on mdl always as ambler so its easy to find?

If I detect Ambler, then I will flag it.

Here is another one:

Code: [Select]

http://vippif.com/fiesta/load.php?id=101&spl=3

GmG · March 16, 2009, 10:57:51 am

Code: [Select]

http://e-point.com.ua/dr.exe
http://gimnow.org/images/load/Dr.exe

Serg · March 16, 2009, 03:24:07 pm

Quote from: GmG on March 16, 2009, 10:57:51 am

Code: [Select]
http://e-point.com.ua/dr.exe http://gimnow.org/images/load/Dr.exe

Downloader for

Code: [Select]

hxxp://e-point.com.ua/admin/ft.exe

on hxxp://e-point.com.ua/admin/admin.php is the admin page

SysAdMini · March 26, 2009, 01:51:56 pm

Ambler C&C and admin panel

Code: [Select]

sweetlake.biz/clouds

SysAdMini · March 27, 2009, 07:26:26 am

Many people have reported to me that they have received the following text message on their
mobile phone.

Quote

someone posted your full personal and banking information at hxxp://persdata7.com website you must remove it now

This way the bad guys try to lure people into the site which spreads Ambler.

http://www.malwaredomainlist.com/forums/index.php?topic=2639.0

SysAdMini · April 22, 2009, 10:33:32 am

exploits

Code: [Select]

213.155.13.90/1/index.php
trojan Ambler

Code: [Select]

213.155.13.90/1/getexe.php?h=11http://www.virustotal.com/analisis/2c2d3a6a35f4e500b4c74045234af55c 7/40
http://www.threatexpert.com/report.aspx?md5=91569358986d00d8f5c18e14b834d3c6

SysAdMini · April 28, 2009, 10:46:39 am

already posted by RS-232 in daily something

exploits

Code: [Select]

weh8dnb.com/cp/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=b4c05624ce8fa35df63f867787fdca5a&t=1240910512&type=js
Ambler

Code: [Select]

weh8dnb.com/cp/load.phphttp://www.virustotal.com/analisis/5193a8a250b86a0d5f4287464181ae41 5/40
a-squared   4.0.0.101   2009.04.28   Trojan-Dropper.Win32.Ambler!IK
F-Secure   8.0.14470.0   2009.04.28   Suspicious:W32/Malware!Gemini
Ikarus   T3.1.1.49.0   2009.04.28   Trojan-Dropper.Win32.Ambler
Microsoft   1.4602   2009.04.28   TrojanSpy:Win32/Ambler.D
Prevx1   3.0   2009.04.28   Medium Risk Malware
MD5...: 63a3233524d63d6515c7c4915e00e9c6

admin panel

Code: [Select]

weh8dnb.com/troika

Author Topic: Ambler Trojan (Read 7821 times)

malwaremen

Ambler Trojan

SysAdMini

Re: Ambler Trojan

SysAdMini

Re: Ambler Trojan

malwaremen

Re: Ambler Trojan

CM_MWR

Re: Ambler Trojan

SysAdMini

Re: Ambler Trojan

GmG

Re: Ambler Trojan

Serg

Re: Ambler Trojan

SysAdMini

Re: Ambler Trojan

SysAdMini

Re: Ambler Trojan

SysAdMini

Re: Ambler Trojan

SysAdMini

Re: Ambler Trojan