The messages looked like this:
|zip file !|
|crunchpress image folder with some additional content|
|Oh noez! no pics just exe : (|
|Actual bad stuff downloaded here|
Risold.de, where the file n.txt is hosted, looks like another pwned web server.
Now we have three PE files downloaded from different locations:
|file number 2|
The detection ratio is higher (14/45), and the file is recognized as a generic trojan:
|fbp.exe virustotal ratio|
Both files seem to have been developed on the same machine by the same Visual C++ user, as they both contain the following PDB path string:
C:\Users\Samim\Desktop\Stab\stb\Release\stb.pdb
The site hosting fbp.exe belongs to some Indian company.
|site hosting malware|
It is only detected by Kaspersky as a "UDS:DangerousObject.Multi.Generic".
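The PDB path above is the kind of artifact that lets an analyst link samples to one build environment. The following script, an added example and not code from the original post, scans raw file bytes for CodeView "RSDS" debug records (signature, 16-byte GUID, 4-byte age, NUL-terminated path), pulls out the user name, project and build configuration from each path, and groups samples that share a PDB path. The sample bytes and the file names other than fbp.exe are constructed here for illustration; the PDB path is the one quoted on the page.

```python
import re
import struct
import uuid
from collections import defaultdict

# CodeView PDB 7.0 record: b"RSDS" + 16-byte GUID (little-endian layout)
# + 4-byte age + NUL-terminated ANSI path to the .pdb file.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)

# Windows user-profile prefix, e.g. "C:\Users\Samim\".
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_records(data: bytes):
    """Return (guid, age, pdb_path) for every RSDS record found in data."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        try:
            path = m.group(3).decode("ascii")
        except UnicodeDecodeError:
            continue  # random bytes that happened to start with "RSDS"
        if not path.lower().endswith(".pdb"):
            continue
        records.append((guid, age, path))
    return records


def build_profile(path: str):
    """Split a PDB path into the pieces that identify a build environment."""
    m = USER_RE.match(path)
    parts = path.split("\\")
    return {
        "user": m.group(1) if m else None,
        "project": parts[-1][:-4],                      # strip ".pdb"
        "config": parts[-2] if len(parts) >= 2 else None,  # "Release" / "Debug"
        "path": path,
    }


def cluster_by_pdb(samples):
    """samples: {name: raw bytes}. Group sample names by the PDB path they embed."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        for _guid, _age, path in extract_pdb_records(data):
            clusters[path].append(name)
    return dict(clusters)


def make_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Build a synthetic RSDS record (used only to construct test samples)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# PDB path quoted in the post; everything else below is constructed sample data.
PDB_PATH = r"C:\Users\Samim\Desktop\Stab\stb\Release\stb.pdb"
SAMPLES = {
    "sample_a.exe": b"\x00" * 64 + make_rsds(uuid.UUID(int=1), 1, PDB_PATH) + b"\xff" * 32,
    "fbp.exe": b"MZ" + b"\x90" * 100 + make_rsds(uuid.UUID(int=2), 3, PDB_PATH) + b"\x00" * 8,
    "unrelated.exe": b"MZ" + make_rsds(uuid.UUID(int=3), 1, r"D:\build\other\Release\other.pdb"),
    "no_debug_info.exe": b"MZ" + b"\x00" * 200,
}


if __name__ == "__main__":
    for path, names in cluster_by_pdb(SAMPLES).items():
        profile = build_profile(path)
        print(f"{profile['user']!s:8} {profile['project']:8} {profile['config']:8} -> {names}")
```

A shared PDB path is a strong pivot for clustering, but it is only circumstantial: paths can be edited or deliberately planted, so treat a match as a lead to confirm with other overlaps (imports, compiler fingerprint, network infrastructure) rather than as proof of a common author.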
In the packet capture I was also able to observe some IRC-like communication on port 1863.
This was just a quick analysis, and it is a bit chaotic (sorry for that). If I find some free time, a follow-up with the analysis of the executables will show up here.