Search found 121 matches

by r3shl4k1sh
Sat Dec 10, 2016 8:17 pm
Forum: Reverse Engineering and Debugging
Topic: Analyzing VB Malware - XtremeRAT
Replies: 3
Views: 20974

Re: Analyzing VB Malware - XtremeRAT

XtremeRAT is written in Delphi not in VB (6). The VB part is probably just the cryptor. Personally I don't spend much time on cryptors. Just run and dump the extracted data from memory (with Xtreme RAT it's even easier because most of the time it's going to be on the same memory address 0x10000000)....
by r3shl4k1sh
Sat Dec 10, 2016 8:10 pm
Forum: Malware
Topic: Malware or not malware.....this is a big question...
Replies: 2
Views: 5902

Re: Malware or not malware.....this is a big question...

If it's really a big question please give us more context to the malware.

To me it seems to be part of Adware. But it might be part of malware if it's used for sys info gathering.
by r3shl4k1sh
Tue Aug 23, 2016 3:26 pm
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 428384

Re: UACMe - Defeating Windows User Account Control

The following article gives another method to defeat the UAC using environment variables:
http://breakingmalware.com/vulnerabilit ... expansion/

POC:
https://github.com/BreakingMalwareResearch/eleven
by r3shl4k1sh
Fri Aug 05, 2016 1:08 pm
Forum: Malware
Topic: LuminosityLink (Cryptominer) RAT
Replies: 1
Views: 4315

Re: LuminosityLink (Cryptominer) RAT

Another one. VT 6/53 56a4e071cfba887e620924a9eeea8eb9 Decrypted configs: SHA256: d954e352d0385307e2bfcc8c614e22d5555be24c9f3d4890ced0b9192b958800 Encryption Key: This confi'g contains nothing useful. Quit acting as if you're cool by decrypting it. Domain/IP: 66.45.225.46 Port: 888 Backup DNS: Disabl...
by r3shl4k1sh
Tue Jul 12, 2016 6:18 pm
Forum: Malware
Topic: LuminosityLink (Cryptominer) RAT
Replies: 1
Views: 4315

LuminosityLink (Cryptominer) RAT

http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/ Very low detection rate 2/53: cb599999063da4b3113b0b8dbefd39ec Connects to: mopol.mooo.com:8485 --> [212.7.208.101] Strings: RELPATH SHADOW_COPY_DIRS CACHE_BASE PRIVATE_BINP...
by r3shl4k1sh
Thu Sep 17, 2015 6:30 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 88608

Re: TeslaCrypt ransomware

http://www.isightpartners.com/2015/09/teslacrypt-2-0-cyber-crime-malware-behavior-capabilities-and-communications/ Anyone got any samples for this supposed "Tesla Crypt 2.0" ? In attach the sample mentioned in the article: https://www.virustotal.com/en/file/f01c6e165228b65178be848c86544b02ad36af81b...
by r3shl4k1sh
Thu Sep 17, 2015 6:04 pm
Forum: Malware
Topic: Imports that flag AV
Replies: 3
Views: 3235

Re: Imports that flag AV

WriteProcessMemory ReadProcessMemory CreateRemoteThread VirtualAllocEx EnumProcesses CreateToolhelp32Snapshot But I doubt you will be able to get AVs from "major vendors" to flag the file based only on suspicious imports from the Import Table. Anyway most of the time the imports should actually be used...
by r3shl4k1sh
Fri Jun 26, 2015 8:44 am
Forum: Malware
Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)
Replies: 83
Views: 116767

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Hi, it seems like Symantec detects the latest Rovnix Dropper and payload as Carberp.C: http://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under Part of the decrypted web-injects from the sample posted by @comak (You can get the full web-injects in the attached zip file): set_url *....
by r3shl4k1sh
Sat Jun 13, 2015 6:46 pm
Forum: Malware
Topic: Duqu 2.0
Replies: 18
Views: 33944

Re: Duqu 2.0

I believe that the Duqu 2.0 team were those who wrote the "report" from Kaspersky...
Probably there is a cease-fire agreement now...
by r3shl4k1sh
Fri May 15, 2015 12:35 pm
Forum: Malware
Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)
Replies: 83
Views: 116767

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Hi folks, a fresh Rovnix dropper (MS: TrojanDropper:Win32/Rovnix.P, ESET: Win32/Rovnix.Z) that contains CVE-2013-3660 and CVE-2014-4113 in order to escalate its privileges. d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae The driver contains an effective method to prevent loading of ...