Search found 194 matches

by nullptr
Fri Jul 08, 2016 3:52 am
Forum: Malware
Topic: WinNT/Ursnif (alias ISFB/Gozi)
Replies: 50
Views: 66785

Re: Malware collection

Ransom Shade/Troldesh listed above targets the following extensions: wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb|xltm|xlt|xlam|xla|mdb|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xl...
by nullptr
Thu Jul 07, 2016 2:14 pm
Forum: Malware
Topic: WinNT/Ursnif (alias ISFB/Gozi)
Replies: 50
Views: 66785

Re: Malware collection

ikolor wrote: Please comment about what it is!!!
The one named "sprawa 07072016 t_fdp.rar" is Win32/Ursnif.HP according to MS. Unpacked attached.
The other one is Ransom Shade aka Troldesh. Also attached.
by nullptr
Sun Dec 13, 2015 1:55 pm
Forum: User-Mode Development
Topic: Hooking usage of DLL function
Replies: 17
Views: 31945

Re: Hooking usage of DLL function

The jumps are hard coded for 32 bit. It would be better if the code took into account the different size of a pointer, that way compilation for 32bit and 64 bit should be able to use the same code. e.g. Instead of: extern "C" __declspec(naked) void __stdcall __E__0__() { __asm { jmp p[0 * 4]; } } Yo...
by nullptr
Sun Dec 13, 2015 10:59 am
Forum: User-Mode Development
Topic: Hooking usage of DLL function
Replies: 17
Views: 31945

Re: Hooking usage of DLL function

Are you replacing the 32 bit dll in the syswow64 directory?
by nullptr
Sun Dec 13, 2015 8:10 am
Forum: Malware
Topic: Downloader:Win32/Nitol
Replies: 21
Views: 24098

Re: Malware collection

Yet another Muldrop, with Nitol.B + Waledac. Waledac downloads a Muldrop with Nitol.B + Kelihos.F.
by nullptr
Sat Nov 14, 2015 11:46 am
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 88608

Re: TeslaCrypt ransomware

TeslaCrypt
MD5 d7575e4455e4d805fd29effb43591454
SHA-1 ce9a91c24aad1ec93936d9ba7203de84ae2b94c7

Original + Decrypted.
TeslaCrypt_pwm.zip
by nullptr
Mon Nov 02, 2015 4:53 am
Forum: Malware
Topic: Downloader:Win32/Nitol
Replies: 21
Views: 24098

Re: Malware collection

Another Muldrop, this time with the usual Nitol + some Waledac variant.
Both attached.
by nullptr
Thu Oct 22, 2015 2:58 pm
Forum: Malware
Topic: Win32/Kelihos (+Waledac downloader)
Replies: 94
Views: 128714

Re: Malware collection

Likely another Kelihos variant. I'll look further in the morning.
by nullptr
Thu Oct 22, 2015 2:56 pm
Forum: Malware
Topic: Win32/Kelihos (+Waledac downloader)
Replies: 94
Views: 128714

Re: Malware collection

This looks like a Kelihos variant.
by nullptr
Sat Aug 22, 2015 2:20 am
Forum: User-Mode Development
Topic: [PoC] Bypassing UM Hooks By Bruteforcing Intel Syscalls
Replies: 9
Views: 20377

Re: [PoC] Bypassing UM Hooks By Bruteforcing Intel Syscalls

kerpow1 wrote: Nice release but "standard pw" doesn't give much clue.
pw: infected