How to decrypt phishers

[Acekidd01]

Hello mates today I'm going to show you how to decrypt phisher to get out their information and stop them for good. This process is called Reverse Engineering.

Now first you need to download a good disassembler like:

• String Stealer

Spoiler (Click to View)

Scan Results:

File csharpDis.exe received on 2009.09.26 22:24:10 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Compact
Print results
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.26 -
AhnLab-V3 5.0.0.2 2009.09.26 -
AntiVir 7.9.1.25 2009.09.25 -
Antiy-AVL 2.0.3.7 2009.09.25 -
Authentium 5.1.2.4 2009.09.26 -
Avast 4.8.1351.0 2009.09.26 -
AVG 8.5.0.412 2009.09.26 -
BitDefender 7.2 2009.09.26 -
CAT-QuickHeal 10.00 2009.09.26 -
ClamAV 0.94.1 2009.09.26 -
Comodo 2447 2009.09.26 -
DrWeb 5.0.0.12182 2009.09.26 -
eSafe 7.0.17.0 2009.09.24 -
eTrust-Vet 31.6.6761 2009.09.25 -
F-Prot 4.5.1.85 2009.09.26 -
F-Secure 8.0.14470.0 2009.09.26 -
Fortinet 3.120.0.0 2009.09.26 -
GData 19 2009.09.27 -
Ikarus T3.1.1.72.0 2009.09.26 -
Jiangmin 11.0.800 2009.09.26 -
K7AntiVirus 7.10.855 2009.09.26 -
Kaspersky 7.0.0.125 2009.09.26 -
McAfee 5753 2009.09.26 -
McAfee+Artemis 5753 2009.09.26 -
McAfee-GW-Edition 6.8.5 2009.09.26 -
Microsoft 1.5005 2009.09.23 -
NOD32 4460 2009.09.26 -
Norman 6.01.09 2009.09.26 -
nProtect 2009.1.8.0 2009.09.26 -
Panda 10.0.2.2 2009.09.26 -
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.27 High Risk Banking Info Stealer
Rising 21.48.52.00 2009.09.26 -
Sophos 4.45.0 2009.09.26 -
Sunbelt 3.2.1858.2 2009.09.26 -
Symantec 1.4.4.12 2009.09.26 -
TheHacker 6.5.0.2.019 2009.09.26 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 -
ViRobot 2009.9.26.1958 2009.09.26 -
VirusBuster 4.6.5.0 2009.09.26 -

Note: I uploaded this file because I couldn't find the original website to download, and don't worry is safe.

Also need to download Sandboxie from here

After you done downloading the disassembler let's get start it .


First you need to find a phisher of course, here is an example of a video I found in youtube it talks about how this program can change "stats" from the game runescape.:


Now that we have our phisher lets run it sandboxie to see if is a real phisher or maybe a keylogger o_0.



So in this image nothing unusual just a simple phisher an ftp function in the program, or mailsystem.

Now we use String Stealer to break down the program


It should be something like this.


Now to open the file in String Stealer go to:
Menu> Load Assambler> phisher.exe{This should be the phisher}
Now it should look something like this:


Now most likely that you will find the email and password should be in
Form1> Button1_Click:


Bingo we hit the jackpot we found the email and password of the phiser's owner. After you do this I will recommend to delete everything/change password/or even delete the email of the phisher's owner because he deserves it.
==============================================================================================================

Tools you need (an optional)

• Red Gate's Reflector:
  This is a good Decompiler it can show you the code of the classes and methods, and how everything relates (optional):
  News about the .NET Reflector here
  
  
• String Stealer:
  Basic dissassembler will be using during this tutorial
  
  
• Sandboxie
  Really important you will use this to test the phishers
  
  
• BinText:
  Optional (thanks to Elektrisk)

==============================================================================================================

Feedbacks opinions are accepted


==============================================================================================================

Credits

I wrote this tutorial, but I also give some credits to Qkyrie who taught me how to do this.