Search found 48 matches

by p1nk
Mon Oct 08, 2018 2:14 pm
Forum: Malware
Topic: trojan agent
Replies: 1
Views: 2233

Re: trojan agent

Code:

66f573036f8b99863d75743eff84f15d
looks like a crack me.
by p1nk
Tue Feb 20, 2018 1:54 am
Forum: Malware
Topic: Ordinypt Wiper
Replies: 1
Views: 4952

Re: Ordinypt Wiper

Solid report. Here is the dumped sample
by p1nk
Tue Feb 20, 2018 1:21 am
Forum: Malware
Topic: Trojan-Spy.Win32.TeleBot.a
Replies: 1
Views: 2745

Re: Trojan-Spy.Win32.TeleBot.a

Damn. The author really wanted to make sure they have coverage for all systems:

if (platform == PlatformID.Win32NT) {
    byte wProductType = oSVERSIONINFOEX.wProductType;
    switch (major) {
        case 3: text = "Windows NT 3.51"; break;
        case 4: {
by p1nk
Sun Dec 24, 2017 2:26 am
Forum: Malware
Topic: Quant Loader
Replies: 4
Views: 17729

Re: Quant Loader

Another http://vxvault.net/ViriList.php?MD5=93E7242DF7499BE3205796CE12FB1A88 https://www.virustotal.com/en/file/64993f36b42e1c9d3193909c73a77fa38b5247154d87bd970a0918641c9ee7a2/analysis/1513937952/ There is a bit more on that host: http://malshare.com/search.php?query=193.124.117.153 Also includes ...
by p1nk
Sun Dec 24, 2017 1:11 am
Forum: Malware
Topic: Quant Loader
Replies: 4
Views: 17729

Re: Quant Loader

Initial sample beacons out to: - flyradiator.com (91.218.114.29) - xoofertukawww.com - roompokdatastatus.su URL: http://flyradiator.com/qwanter/data.php?id=34091500&c=1&mk=98e4fe /flyradiator.com/ was flagged in https://www.gaviotta.com/single-post/2016/08/22/Gozi-Financial-Malware-Puts-the-Boots-On
by p1nk
Tue Aug 22, 2017 12:40 am
Forum: Completed Malware Requests
Topic: Trojan Korplug
Replies: 1
Views: 4096

Re: Trojan Korplug

Attached.
by p1nk
Sat Jun 17, 2017 1:47 am
Forum: Malware
Topic: EREBUS LINUX/Win Ransomware
Replies: 2
Views: 8700

Re: EREBUS LINUX/Win Ransomware

Screenshot from 2017-06-16 21-45-41.png Screenshot of the message. Also dumped the config from one of the Linux samples. { "i" : "B0884334", "c" : [ { "bu" : "/", "tg" : "216.126.224.128/24", "t" : 3 } ], "p" : "6V5LvugJGoKeCppKe0duIM2sV0", "cts" : 36, "a" : "[{\"d\":\"<html><head> <style> body { f...
by p1nk
Sat Jun 17, 2017 1:16 am
Forum: Malware
Topic: EREBUS LINUX/Win Ransomware
Replies: 2
Views: 8700

Re: EREBUS LINUX/Win Ransomware

PDB paths:

I:\projects\Erebus\Boost\boost/filesystem/operations.hpp
tI:\projects\Erebus\crypto\modes.h
I:\projects\Erebus\Boost\boost/smart_ptr/shared_ptr.hpp

Contains a Tor onion address: erebus5743lnq6db.onion
by p1nk
Tue Mar 28, 2017 12:51 am
Forum: Malware
Topic: TerrorEK
Replies: 3
Views: 11034

Re: TerrorEK

8603 hits

Does anyone have payloads it was spreading?
by p1nk
Mon Jan 16, 2017 12:07 am
Forum: Malware
Topic: SynthLoader
Replies: 0
Views: 5237

SynthLoader

Props to @Benkow_ for this find also. Not sure if anyone has another name for it. https://www.virustotal.com/en/file/15c1b863000417a13f96b6fa4dbe9d22da93f63a643c02d917ab09eaabc06e4a/analysis/ Strings are base64 encoded then: def decode( instr, key): for index, byte in enumerate( instr[:-2] ): out +=...