Search found 224 matches

by R136a1
Thu Sep 06, 2018 8:17 pm
Forum: Malware
Topic: Chainshot
Replies: 0
Views: 1347

Chainshot

by R136a1
Sun Mar 25, 2018 11:18 am
Forum: General Discussion
Topic: Forum bugs
Replies: 3
Views: 3687

Re: Forum bugs

The file upload bug for attachments > 1MB was fixed; it was caused by wrong directory permissions set during the maintenance on Friday.
by R136a1
Tue Mar 13, 2018 2:40 pm
Forum: Announcements
Topic: Forum transfer and new admin
Replies: 0
Views: 6648

Forum transfer and new admin

Hi folks, as a_d_13 recently announced, he transferred the domain and forum over to me as the new admin. I want to thank him for the effort and time he put into it over the course of the last 8 years! He will still be available on the forum as a global moderator if you want to contact him. For those...
by R136a1
Mon Apr 10, 2017 7:19 pm
Forum: Malware
Topic: [Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1
Replies: 0
Views: 11558

[Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1

Hi folks, Symantec published an article about a group they named Longhorn whose tools match the descriptions of the Vault 7 documents leaked by Wikileaks, allegedly the CIA hacking tools arsenal. In the article, they also published the signature names of some tools of which some can be found on Viru...
by R136a1
Tue Sep 27, 2016 11:14 am
Forum: Malware
Topic: Backdoor.Batel
Replies: 0
Views: 7658

Backdoor.Batel

Hi folks, here are two samples of Backdoor.Batel, a small shellcode-like dll file. Nothing special though, the technique is nearly identical to the one described here, except this time it's realized as a standalone dll: https://blog.cylance.com/operation-cleaver-the-notepad-files PDB path string: C:...
by R136a1
Tue Sep 27, 2016 11:02 am
Forum: Malware
Topic: ATM (Diebold) related file
Replies: 0
Views: 7316

ATM (Diebold) related file

Hi folks, maybe someone can shed some light on the functionality of this small ATM related file. It doesn't look malicious to me, but I can't say for sure since the Diebold API isn't public. Perhaps it's useful for someone... File: https://virustotal.com/en/file/d2296deb1b6ae42d787889e163d8d75a43c...
by R136a1
Tue Sep 27, 2016 10:42 am
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 113611

Re: Win32/Xswkit (alias Gootkit)

Hi folks, here are two fresh samples from the beginning of September which aren't crypted. They look like some test samples, because they have a "-testldr" command line switch among other things. The samples also contain two small embedded dlls (x86/64) which seem to deal with certificate related stuff. Haven...
by R136a1
Thu Aug 11, 2016 4:46 pm
Forum: Malware
Topic: TeamSpy
Replies: 7
Views: 6516

Re: TeamSpy

Here are a few new versions. The droppers are mostly self-extracting RAR archives which contain a legit version of Teamviewer (v7) and a parasitic file named msimg32.dll. It seems to have some kind of new UAC bypass method on board, but I haven't checked in detail. Strings of msimg32.dll: F123456789ABCDEFG...
by R136a1
Thu Aug 11, 2016 4:08 pm
Forum: Malware
Topic: Backdoor.Remsec
Replies: 2
Views: 3934

Re: Backdoor.Remsec

Files attached.