Search found 35 matches

by tildedennis
Wed Oct 25, 2017 6:14 pm
Forum: Malware
Topic: CirhashBot
Replies: 3
Views: 15940

Re: CirhashBot

this thing has resurfaced: https://twitter.com/dvk01uk/status/898431354873851904. my notes are up at https://www.arbornetworks.com/blog/aser ... -reloaded/, samples attached.

edit: oops, those zip command line options are tricky... added non-empty .zip
by tildedennis
Sun Oct 22, 2017 10:29 pm
Forum: Malware
Topic: Win32/Kasidet (Alias Neutrino bot)
Replies: 6
Views: 15778

Re: Win32/Kasidet (Alias Neutrino bot)

https://securelist.com/jimmy-nukebot-fr ... ove/81667/

I've been seeing quite a bit of this variant since the post.
by tildedennis
Sun Oct 22, 2017 10:23 pm
Forum: Malware
Topic: Formbook Form Grabber
Replies: 5
Views: 13203

Re: Help identify malware

@moderators maybe we can rename this thread to "Formbook Form Grabber"

Couple of posts:
* https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/
* https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html

I'm starting to see newer versi...
by tildedennis
Sun Oct 22, 2017 10:17 pm
Forum: Malware
Topic: Point-of-Sale malwares / RAM scrapers
Replies: 244
Views: 857751

Re: Point-of-Sale malwares / RAM scrapers

LockPoS

https://www.arbornetworks.com/blog/aser ... ins-flock/

I haven't seen much more of this in the wild.
by tildedennis
Mon May 08, 2017 1:10 pm
Forum: Malware
Topic: Shamoon - Trojan.Ismdoor / Greenbug
Replies: 5
Views: 15508

Re: Shamoon - Trojan.Ismdoor / Greenbug

The latest Ismdoor samples (attached) have switched to a DNS C2 mechanism:

https://www.arbornetworks.com/blog/aser ... -dns-isms/
by tildedennis
Fri Apr 21, 2017 1:16 pm
Forum: Malware
Topic: Win32/Zeus (alias Zbot)
Replies: 281
Views: 359283

Re: Win32/Zeus (alias Zbot)

grab another zeus variant from off the wall: http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data

https://virustotal.com/en/file/6d8ce2d1b33ff42ba04ded09fe79cff158e6dfffa82f6ceada12f4fda6d0c221/analysis/ (attached) has a version of 1.6.8 and the following c2s: hxxp://derqdxnvis.info/...
by tildedennis
Tue Feb 14, 2017 4:11 pm
Forum: Malware
Topic: Nuclear Bot
Replies: 3
Views: 15049

Re: Nuclear Bot

statically. they're stored compressed in the dropper and can be carved out and RtlDecompressBuffer'd.
by tildedennis
Tue Feb 07, 2017 6:29 pm
Forum: Malware
Topic: CirhashBot
Replies: 3
Views: 15940

Re: CirhashBot

etpro is calling this "snatch loader", but it looks very similar to h1n1 loader based on:
* http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2
* https://www.arbornetworks.com/blog/asert/wp-content/uploads/2015/06/blog_h1n1.pdf

the c2s from your post were down for me,...
by tildedennis
Mon Dec 19, 2016 8:14 pm
Forum: Malware
Topic: Nuclear Bot
Replies: 3
Views: 15049

Nuclear Bot

dropper: https://www.virustotal.com/en/file/ff83aaa74ec364f4c2403409a28df93ef97e8a61ba79fdb1c94d7081f48e794e/analysis/
main: https://www.virustotal.com/en/file/25a361f297c6d399410b47af5504f4bb2c9327de55168a31154fbee21fa4b186/analysis/
mitb: https://www.virustotal.com/en/file/53af22828a2a1190105c6846...
by tildedennis
Mon Nov 21, 2016 1:06 pm
Forum: Malware
Topic: Win32/Zeus (alias Zbot)
Replies: 281
Views: 359283

Re: Win32/Zeus (alias Zbot)

flokibot (mostly zeus 2.0.8.9 + some basic DDoS + basic track 2 memory scraper):
* https://www.flashpoint-intel.com/floki-bot-emerges-new-malware-kit/
* https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/

latest sample that i've seen (attached): https://www.vir...