Search found 101 matches

by sysopfb
Thu Jan 17, 2019 4:25 pm
Forum: Malware
Topic: malware
Replies: 2
Views: 5349

Re: malware

Sorry for necroing, but this is XKeyScore; found the topic while looking at another sample

Panel attached from a different C2 server

by sysopfb
Tue Apr 17, 2018 11:48 pm
Forum: Malware
Topic: TrickBot
Replies: 2
Views: 6987

Re: TrickBot

Apparently the loader being used by TrickBot, which I was calling TrickLoader, added UACME #41 back in December, at least according to this post by F5 labs https://labsblog.f-secure.com/2017/12/18/dont-let-an-auto-elevating-bot-spoil-your-christmas/ - thanks Antelox for your google-fu on finding this! K...

by sysopfb
Wed Nov 29, 2017 1:12 am
Forum: Malware
Topic: IcedID Downloader
Replies: 1
Views: 5129

IcedID Downloader

Saw this downloader show up as a payload to Chanitor/Hancitor, which is used to download the IcedID/BokBot banking trojan. It shares some code with the banking trojan, as they use the same manner of string encryption. Attached is the hancitor download - 4 the decoded and decompressed object 4.decoded an...

by sysopfb
Thu Nov 16, 2017 3:59 pm
Forum: Malware
Topic: Ordinypt Wiper
Replies: 1
Views: 4855

Ordinypt Wiper

http://29wspy.ru/reversing/Ordinypt/Ordinypt.pdf Good summary: A stupid malware that destroys information of enterprises and innocent people and tries to steal money, saying that it is a ransomware. Bad coding style, an easy packer, only needed 1 hour of my time to reverse it and write this report. sample atta...

by sysopfb
Thu Nov 16, 2017 1:09 am
Forum: Malware
Topic: Win32/Emotet - Banking trojan
Replies: 54
Views: 9835

Re: Win32/Emotet - Banking trojan

Magical builtin hijack.

Attached is a sample from 19sep with the anti layer in the crypter they are referring to.

by sysopfb
Mon Nov 06, 2017 2:08 pm
Forum: Malware
Topic: Malware from Crunchyroll
Replies: 2
Views: 5054

Re: Malware from Crunchyroll

Payload on that pcap was metsrv, Meterpreter's fileless stager.

by sysopfb
Sun Nov 05, 2017 8:49 pm
Forum: Malware
Topic: Malware from Crunchyroll
Replies: 2
Views: 5054

Re: Malware from Crunchyroll

This has a pcap of it downloading a payload from when it was live. Kudos to any.run for reaching out to Bart on twitter about the pcap https://app.any.run/tasks/010df394-dad9-41dd-87ef-f80892cde074 . The decoded code from the embedded PE in the modified taiga program looks like it was based on metaspl...

by sysopfb
Wed Nov 01, 2017 1:24 am
Forum: Malware
Topic: Win32/Upatre (alias Waski)
Replies: 22
Views: 23004

Re: Malware collection

That's an encoded Upatre payload from a campaign in 2015

by sysopfb
Fri Jul 14, 2017 8:41 pm
Forum: Malware
Topic: .INK Powershell Downloader
Replies: 5
Views: 8893

Re: .INK Powershell Downloader

89b138eaaade5a1ec36e2d1422ae38059f138e81b722301e713b65a74de521c7 The file has the same packer as the godzilla loader but appears to be ramnit. The unpacked file has strings that are encrypted with Rabbit, but the bot's Rabbit routine uses a shr delta of 8 instead of 1 when performing decryption when c...

by sysopfb
Fri Jul 14, 2017 2:14 pm
Forum: Malware
Topic: .INK Powershell Downloader
Replies: 5
Views: 8893

Re: .INK Powershell Downloader

0c19c460c7e8de4c36a9cdfe30836a9bdd18976e2f0f8f7cb9e79d13de00237b Looks like godzilla loader; C2 URLs are push/pop stored and then XORed with 'GODZILLA'. C2s: hxxps://bokergrop.eu/bin/161/css.php hxxps://kuseyambar.eu/bin/161/css.php hxxps://morefitggr.eu/bin/161/css.php hxxps://perefacki.eu/bin/161/cs...