Search found 101 matches

by sysopfb
Sat May 13, 2017 10:31 pm
Forum: Malware
Topic: WanaCrypt0r 2.0
Replies: 15
Views: 25631

Re: WanaCrypt0r 2.0

The t.wnry file that is written has a header on top of 256 bytes that is decrypted using the RSA private key from the loader. That decrypts to a 16-byte AES key that can be used to then decrypt out a DLL from that same file in CBC mode with a 16-byte IV of NULL bytes. f351e1fcca0c4ea05fc44d15a17f8b36 for...
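
The unpacking steps described in the post above, as an added example (this is not code from the post, from the loader, or from anyone in the thread). It reads the post's "header on top of 256 bytes" as an RSA-encrypted key blob at offset 0, and assumes a 2048-bit key with PKCS#1 v1.5 padding and that the blob is stored in Windows CryptoAPI little-endian order (reverse it before a standard RSA decrypt; set `cryptoapi_order=False` if the sample does not need that). The key pair, the `build_t_wnry` fixture builder and the MZ stub are constructed here so the script runs offline; it needs the `cryptography` package.

```python
"""Unpack the DLL from a t.wnry-style container as described in the post:
a 256-byte RSA-encrypted blob that decrypts to a 16-byte AES key, followed
by the DLL encrypted with AES-128-CBC under that key and an all-NULL IV.

Added example, not the malware's or the post's code. Assumptions: 2048-bit
RSA, PKCS#1 v1.5 padding, blob at offset 0 in CryptoAPI little-endian order.
"""
import os

from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

RSA_BLOB_LEN = 256        # 2048-bit modulus -> 256-byte RSA ciphertext (assumption)
AES_KEY_LEN = 16          # 16-byte AES key, as stated in the post
IV = bytes(AES_KEY_LEN)   # 16 NULL bytes, as stated in the post


def aes_cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """AES-128-CBC with the zero IV; no padding is stripped, the DLL is used as-is."""
    if len(data) % 16:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(key), modes.CBC(IV)).decryptor()
    return dec.update(data) + dec.finalize()


def unpack_t_wnry(blob: bytes, priv: rsa.RSAPrivateKey,
                  cryptoapi_order: bool = True) -> bytes:
    """Return the decrypted DLL from a t.wnry-style blob.

    The first RSA_BLOB_LEN bytes are treated as the RSA-encrypted AES key.
    CryptoAPI (CryptEncrypt) writes RSA ciphertext little-endian, so the blob
    is reversed before handing it to a big-endian RSA implementation.
    """
    if len(blob) < RSA_BLOB_LEN:
        raise ValueError("file too short for the 256-byte RSA header")
    enc_key = blob[:RSA_BLOB_LEN]
    if cryptoapi_order:
        enc_key = enc_key[::-1]
    aes_key = priv.decrypt(enc_key, padding.PKCS1v15())
    if len(aes_key) != AES_KEY_LEN:
        raise ValueError(f"expected a 16-byte AES key, got {len(aes_key)} bytes")
    dll = aes_cbc_decrypt(aes_key, blob[RSA_BLOB_LEN:])
    if dll[:2] != b"MZ":
        # Wrong key, wrong byte order, or wrong header length: a PE starts with MZ.
        raise ValueError("decrypted payload does not start with an MZ header")
    return dll


def build_t_wnry(dll: bytes, pub: rsa.RSAPublicKey, aes_key: bytes,
                 cryptoapi_order: bool = True) -> bytes:
    """Constructed fixture: the inverse of unpack_t_wnry, used only so the
    example can exercise the unpacker offline against a key pair made here."""
    enc_key = pub.encrypt(aes_key, padding.PKCS1v15())
    if cryptoapi_order:
        enc_key = enc_key[::-1]
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(IV)).encryptor()
    return enc_key + enc.update(dll) + enc.finalize()


def demo() -> bytes:
    """Round trip with a constructed 'DLL' (an MZ stub padded to 32 bytes)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    fake_dll = b"MZ" + b"\x90" * 14 + b"\x00" * 16      # constructed, not a real PE
    blob = build_t_wnry(fake_dll, priv.public_key(), os.urandom(AES_KEY_LEN))
    return unpack_t_wnry(blob, priv)


if __name__ == "__main__":
    print(demo()[:16].hex())
```

On a real sample you would load the loader's private key instead of generating one, read the whole t.wnry into `blob`, and write the returned bytes out as the DLL; the MZ check is the cheapest sanity test that the key, padding and byte order were all right.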
by sysopfb
Tue Mar 28, 2017 1:40 pm
Forum: Malware
Topic: TerrorEK
Replies: 3
Views: 10897

Re: TerrorEK

Here you go. I didn't go through all of them; they looked like a bunch of garbage. Betabots: 5851aadcaf088cf267d97e84ca45301a 7e3d5bd7a16229c5ddfd36ab52a5b055 2fa4c845ba511511da5b762a8893ab44 547b3176c269b1fb78c2ad337f033c1d 7bd79fe039d832b2b02ff4a78dc9ca87 c4a21f2754155985131669fb5521db37 newsofmyru.pw ...
by sysopfb
Tue Mar 28, 2017 1:50 am
Forum: Malware
Topic: TerrorEK
Replies: 3
Views: 10897

Re: TerrorEK

p1nk wrote: 8603 hits

Does anyone have payloads it was spreading?
All the payloads I went through were betabot, I'll upload some tomorrow when I'm back in the lab.
by sysopfb
Mon Mar 27, 2017 1:38 pm
Forum: Malware
Topic: TerrorEK
Replies: 3
Views: 10897

TerrorEK

@forty-six spotted this guy's tweets, where he released his panel source code -> @King_cobra666. Most of his tweets are random attacks on other EK systems. The 'uploader' portion from BlazeEK was sitting at 188.165.62.1 for a while; the panel calls itself Neptune, the source from the uploader calls itself blaze and ...
by sysopfb
Mon Jan 09, 2017 6:53 pm
Forum: Malware
Topic: Dreambot Targeting Bulgarian Users
Replies: 4
Views: 8607

Re: Malware collection

I unpacked verty.exe and VirusTotal says it's Graftor https://virustotal.com/en/file/348c8889917d267701b950a1c6b8c45083a1f7d96aa7e828e1ea161ffcb2bef4/analysis/ That's a Gozi variant loader; looks like the DreamBot version. Embedded DLL config below { 'DLL_32': { 'SHA256': '7aad125104371d27240353764d032...
by sysopfb
Wed Dec 14, 2016 5:33 pm
Forum: Malware
Topic: Win32/Cerber
Replies: 76
Views: 159931

Re: Win32/Cerber

Code:

/read.php?f=404
That is more associated with the delivery mechanism than directly with Cerber. They could push whatever malware they want as a response to that request.
by sysopfb
Thu Dec 01, 2016 9:10 pm
Forum: Malware
Topic: Ransomware identified as Trojan.Win32.Inject.acepl
Replies: 2
Views: 12370

Re: Ransomware identified as Trojan.Win32.Inject.acepl

They build great web pages

hxxps://dxostywsduvmn6ra.onion[.]cab/hll.php?btc=1FjH2ApjfPYWytCHYXijHFZ6w9E54X4uBk&pin=3ff69b0&uid=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
by sysopfb
Sun Oct 16, 2016 6:16 pm
Forum: Malware
Topic: Win32/Fleercivet
Replies: 0
Views: 3779

Win32/Fleercivet

This matches both of these reports for Fleercivet:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Fleercivet.A
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28085
It was downloaded from a TrickBot infection via: 207.244.97[.]80/?a...
by sysopfb
Fri Sep 30, 2016 1:00 am
Forum: Newbie Questions
Topic: How did you get into malware analysis?
Replies: 2
Views: 15144

Re: How did you get into malware analysis?

I did development work and then got a job doing incident response and transitioned from that to doing malware research. There are numerous resources and links on this forum leading to book recommendations and tutorials that would help you get into looking at malware. Crackmes are a common recommenda...
by sysopfb
Fri Sep 30, 2016 12:57 am
Forum: Newbie Questions
Topic: How do i analyze this strange ransomware ?
Replies: 5
Views: 7775

Re: How do i analyze this strange ransomware ?

Can you attach a sample?

Just because PEiD and exeinfo do not detect it as packed or crypted does not mean it is not packed; it just means it is not packed with a packer/crypter that has been signatured.