Search found 74 matches

by benkow_
Sun Mar 04, 2018 9:22 am
Forum: Malware
Topic: XMRig Miner
Replies: 5
Views: 224

Re: Malware collection

SHA-256 8cd0e931d1de457839fe074ee0819dee78fcd61e1983ea80c7bd7b16f696eb80 File name ExtremeHack.exe https://www.virustotal.com/#/file/8cd0e931d1de457839fe074ee0819dee78fcd61e1983ea80c7bd7b16f696eb80/detection Another miner spread around for some weeks ftp://progerman:ivivad9x@82.202.231.21 { "al...
by benkow_
Fri Dec 29, 2017 2:01 pm
Forum: Completed Malware Requests
Topic: Cyber Police (HiddenTear Variant)
Replies: 2
Views: 3979

Re: Cyber Police (HiddenTear Variant)

attached
by benkow_
Sat Dec 16, 2017 9:57 am
Forum: Completed Malware Requests
Topic: Looking for the FireEyE Triton Samples.
Replies: 2
Views: 3650

Re: Looking for the FireEyE Triton Samples.

http://www.kernelmode.info/forum/viewto ... =20&t=1950 :
Requests from users with ZERO (0) posts, "thank-you" only posts, or requests-only posts not allowed. Posts will be removed and user will be banned, depending on situation. Make your effort for this place before asking anything.
by benkow_
Fri Dec 15, 2017 9:45 am
Forum: Completed Malware Requests
Topic: Sample request for mentioned MD5
Replies: 1
Views: 3535

Re: Sample request for mentioned MD5

attached
by benkow_
Sun Oct 01, 2017 10:42 am
Forum: Completed Malware Requests
Topic: svchost.exe
Replies: 1
Views: 4193

Re: svchost.exe

So, its VBScript "WriteData" looks like a hex-encoded PE (4D5A is typical for a PE) https://www.virustotal.com/en/file/79aa811f409838b78ee0eb03d3860894ff44009f0360ee32f8d469099427ab08/analysis/1506853340/ doc Set FSO = CreateObject("Scripting.FileSystemObject") //2=TemporaryFolder / %TEMP%\svchost....
by benkow_
Sun May 14, 2017 9:36 pm
Forum: Malware
Topic: WanaCrypt0r 2.0
Replies: 15
Views: 26006

Re: WanaCrypt0r 2.0

Patched kill switch version

Code:

http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
https://www.virustotal.com/fr/file/32f2 ... /analysis/
by benkow_
Sun Feb 26, 2017 4:33 pm
Forum: Malware
Topic: JScript dropper
Replies: 2
Views: 13889

Re: JScript dropper

List on "Onliner" spambot still up (used for spreading Ursnif)

Code:

http://194.247.13.8/img/login.php
http://194.247.13.178/naomi/login.php
http://194.247.13.196/asus/login.php
by benkow_
Wed Feb 15, 2017 10:42 am
Forum: Malware
Topic: APT question
Replies: 3
Views: 10612

Re: APT question

Maybe the BlackEnergy malware family. (Backdoor+KillDisk)
https://www.youtube.com/watch?v=MzhmRyA_71Q
by benkow_
Sat Jan 28, 2017 5:26 pm
Forum: Reverse Engineering and Debugging
Topic: Debugging Explorer Icon loading
Replies: 2
Views: 13116

Debugging Explorer Icon loading

Hello, I'm working on a strange case: during malware reversing (6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d) I've noticed a strange behaviour with explorer.exe. The malware itself (spambot) is boring, and I don't know if the malware author does this deliberately or not, but each time you...