Search found 100 matches

by sysopfb
Tue Apr 17, 2018 11:48 pm
Forum: Malware
Topic: TrickBot
Replies: 2
Views: 5570

Re: TrickBot

Apparently the loader being used by TrickBot, which I was calling TrickLoader, added UACME #41 back in December, at least according to this post by F5 labs https://labsblog.f-secure.com/2017/12/18/dont-let-an-auto-elevating-bot-spoil-your-christmas/ - thanks Antelox for your google-fu on finding this! K...
by sysopfb
Wed Nov 29, 2017 1:12 am
Forum: Malware
Topic: IcedID Downloader
Replies: 1
Views: 3651

IcedID Downloader

Saw this downloader show up as a payload to Chanitor/Hancitor; it is used to download the IcedID/BokBot banking trojan. It has some code shared with the banking trojan, as they use the same manner of string encryption. Attached is the Hancitor download - 4, the decoded and decompressed object 4.decoded an...
by sysopfb
Thu Nov 16, 2017 3:59 pm
Forum: Malware
Topic: Ordinypt Wiper
Replies: 1
Views: 3571

Ordinypt Wiper

http://29wspy.ru/reversing/Ordinypt/Ordinypt.pdf Good summary: A stupid malware that destroys the information of enterprises and innocent people and tries to steal money by claiming to be ransomware. Bad coding style, an easy packer; it only needed 1 hour of my time to reverse it and write this report. sample atta...
by sysopfb
Thu Nov 16, 2017 1:09 am
Forum: Malware
Topic: Win32/Emotet - Banking trojan
Replies: 2
Views: 5493

Re: Win32/Emotet - Banking trojan

Magical builtin hijack.

Attached is a sample from 19sep with the anti layer in the crypter they are referring to.
by sysopfb
Mon Nov 06, 2017 2:08 pm
Forum: Malware
Topic: Malware from Crunchyroll
Replies: 2
Views: 3611

Re: Malware from Crunchyroll

Payload on that pcap was metsrv, Meterpreter's fileless stager.
by sysopfb
Sun Nov 05, 2017 8:49 pm
Forum: Malware
Topic: Malware from Crunchyroll
Replies: 2
Views: 3611

Re: Malware from Crunchyroll

This has a pcap of it downloading a payload from when it was live. Kudos to any.run for reaching out to Bart on Twitter about the pcap https://app.any.run/tasks/010df394-dad9-41dd-87ef-f80892cde074 The decoded code from the embedded PE in the modified Taiga program looks like it was based on metaspl...
by sysopfb
Wed Nov 01, 2017 1:24 am
Forum: Malware
Topic: Malware collection
Replies: 272
Views: 336098

Re: Malware collection

That's an encoded Upatre payload from a campaign in 2015
by sysopfb
Fri Jul 14, 2017 8:41 pm
Forum: Malware
Topic: .INK Powershell Downloader
Replies: 5
Views: 6915

Re: .INK Powershell Downloader

89b138eaaade5a1ec36e2d1422ae38059f138e81b722301e713b65a74de521c7 The file has the same packer as the Godzilla loader but appears to be Ramnit. The unpacked file has strings that are encrypted with Rabbit, but the bot's Rabbit routine uses a shr delta of 8 instead of 1 when performing decryption when c...
by sysopfb
Fri Jul 14, 2017 2:14 pm
Forum: Malware
Topic: .INK Powershell Downloader
Replies: 5
Views: 6915

Re: .INK Powershell Downloader

0c19c460c7e8de4c36a9cdfe30836a9bdd18976e2f0f8f7cb9e79d13de00237b Looks like Godzilla loader; C2 URLs are push/pop stored and then XORed with 'GODZILLA'. C2s: hxxps://bokergrop.eu/bin/161/css.php hxxps://kuseyambar.eu/bin/161/css.php hxxps://morefitggr.eu/bin/161/css.php hxxps://perefacki.eu/bin/161/cs...
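A decoder for C2 strings stored the way the post describes (pushed onto the stack as immediates, then XORed with 'GODZILLA'), written as an added example; it is not code from the post or from the loader. The assumptions are mine: x86 `push imm32` (opcode 0x68) is the push form, the key repeats every 8 bytes, and the decoded string is NUL-terminated. The sample push sequence is constructed from one of the defanged C2 URLs listed in the post.

```python
# Decoder for C2 strings stored as stack-pushed dwords XORed with 'GODZILLA'.
# Assumed details: x86 `push imm32` (opcode 0x68), repeating 8-byte key,
# NUL-terminated result. The sample at the bottom is constructed, not captured.
KEY = b"GODZILLA"

def extract_push_imm32(code):
    """Collect the immediates of a run of `push imm32` (68 xx xx xx xx)
    instructions, stopping at the first byte that is not another push."""
    imms, i = [], 0
    while i + 5 <= len(code) and code[i] == 0x68:
        imms.append(bytes(code[i + 1:i + 5]))
        i += 5
    return imms

def stack_string(imms):
    # the stack grows down, so the first push holds the END of the string
    return b"".join(reversed(imms))

def xor_repeat(data, key=KEY):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_c2(code, key=KEY):
    """Push-sequence bytes -> decoded C2 string (cut at the NUL terminator)."""
    raw = xor_repeat(stack_string(extract_push_imm32(code)), key)
    return raw.split(b"\x00", 1)[0].decode("ascii")

def encode_c2(url, key=KEY):
    """Inverse of decode_c2, used here only to construct a sample push sequence."""
    plain = url.encode("ascii") + b"\x00"
    plain += b"\x00" * (-len(plain) % 4)          # pad to whole dwords
    enc = xor_repeat(plain, key)
    dwords = [enc[i:i + 4] for i in range(0, len(enc), 4)]
    return b"".join(b"\x68" + d for d in reversed(dwords))

# Constructed sample: one of the (defanged) C2 URLs from the post, followed by
# a `ret` (0xC3) so the scanner has a non-push byte to stop on.
SAMPLE_CODE = encode_c2("hxxps://bokergrop.eu/bin/161/css.php") + b"\xc3"

if __name__ == "__main__":
    print(decode_c2(SAMPLE_CODE))
```

Pointing `decode_c2` at the bytes of a real push run (for example a slice of the unpacked loader's .text) would need the same key and push form; if the loader uses `push imm8` or a register move for short strings, the scanner above stops early and returns a truncated string, which is why it cuts at the NUL rather than trusting the push count.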
by sysopfb
Sat May 13, 2017 10:31 pm
Forum: Malware
Topic: WanaCrypt0r 2.0
Replies: 15
Views: 20609

Re: WanaCrypt0r 2.0

The t.wnry file that is written has a header on top of 256 bytes that is decrypted using the RSA private key from the loader. That decrypts to a 16-byte AES key that can then be used to decrypt out a DLL from that same file in CBC mode with a 16-byte IV of NULL bytes. f351e1fcca0c4ea05fc44d15a17f8b36 for...
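The unwrap described in the post, as an added example rather than code from the post or from the sample: RSA-decrypt the 256-byte header to a 16-byte AES key, then AES-128-CBC with a 16-byte NULL IV over the rest of the file. It is pure Python so it runs with no dependencies, which means it carries its own AES-128 decryptor. The RSA pair is a toy (two Mersenne primes, textbook RSA, no padding) standing in for the loader's embedded RSA-2048 key; a real decryptor would have to use that key and CryptoAPI's RSA conventions. The sample blob is constructed: its body is the two AES-128 ECB test-vector ciphertexts from NIST SP 800-38A under the vector's key, so the first recovered block can be checked against a published value.

```python
# Toy reconstruction of the t.wnry unwrap described in the post: RSA-decrypt the
# 256-byte header to a 16-byte AES key, then AES-128-CBC with a null IV over the
# rest. Pure Python, no dependencies; the RSA pair is a toy stand-in (see below).
HEADER_LEN = 256  # size of the RSA-encrypted key field

def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _mul(a, b):  # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():  # generate the AES S-box instead of pasting the table
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF       # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4)  # affine map
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _inv_shift_rows(s):  # state is column-major: byte i is row i%4, column i//4
    return [s[i % 4 + 4 * ((i // 4 - i % 4) % 4)] for i in range(16)]

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for m in ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14)):
            out.append(_mul(a[0], m[0]) ^ _mul(a[1], m[1]) ^ _mul(a[2], m[2]) ^ _mul(a[3], m[3]))
    return out

def aes128_decrypt_block(round_keys, block):
    s = [b ^ k for b, k in zip(block, round_keys[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, round_keys[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))

def aes128_cbc_decrypt(key, data, iv=bytes(16)):  # default IV: 16 NULL bytes
    rk, prev, out = expand_key(key), iv, bytearray()
    for i in range(0, len(data) - len(data) % 16, 16):
        blk = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(aes128_decrypt_block(rk, blk), prev))
        prev = blk
    return bytes(out)

# Toy RSA pair from two Mersenne primes (150-bit modulus), textbook RSA with no
# padding, standing in for the loader's embedded RSA-2048 private key.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
TOY_N, TOY_E = _P * _Q, 65537
TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))

def rsa_wrap_key(aes_key, n=TOY_N, e=TOY_E):  # builds the header (sample only)
    return pow(int.from_bytes(aes_key, "big"), e, n).to_bytes(HEADER_LEN, "big")

def rsa_unwrap_key(header, n=TOY_N, d=TOY_D):  # 256-byte field -> 16-byte AES key
    return pow(int.from_bytes(header, "big"), d, n).to_bytes(16, "big")

def decrypt_t_wnry(blob, n=TOY_N, d=TOY_D):
    if len(blob) < HEADER_LEN + 16:
        raise ValueError("need a 256-byte header plus at least one AES block")
    return aes128_cbc_decrypt(rsa_unwrap_key(blob[:HEADER_LEN], n, d), blob[HEADER_LEN:])

# Constructed sample: body = the two AES-128 ECB test-vector ciphertexts from NIST
# SP 800-38A F.1.1 under this key; with a null IV block 1 must decrypt to the
# vector's plaintext 6bc1bee22e409f96e93d7e117393172a.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_T_WNRY = rsa_wrap_key(SAMPLE_KEY) + bytes.fromhex(
    "3ad77bb40d7a3660a89ecaf32466ef97f5d3d58503b9699de785895a96fdbaaf")

if __name__ == "__main__":
    print(decrypt_t_wnry(SAMPLE_T_WNRY).hex())
```

Because the IV is all NULL bytes, the first ciphertext block of the body decrypts exactly as ECB would, which is what makes the published ECB vector usable as a check here; every later block is XORed with the preceding ciphertext block as usual. A real t.wnry would be passed to `decrypt_t_wnry` with the loader's actual modulus and private exponent in place of the toy values.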