Search found 100 matches

by sysopfb
Tue Mar 28, 2017 1:40 pm
Forum: Malware
Topic: TerrorEK
Replies: 3
Views: 10562

Re: TerrorEK

Here you go, I didn't go through all of them, looked like a bunch of garbage. Betabots: 5851aadcaf088cf267d97e84ca45301a 7e3d5bd7a16229c5ddfd36ab52a5b055 2fa4c845ba511511da5b762a8893ab44 547b3176c269b1fb78c2ad337f033c1d 7bd79fe039d832b2b02ff4a78dc9ca87 c4a21f2754155985131669fb5521db37 newsofmyru.pw ...
by sysopfb
Tue Mar 28, 2017 1:50 am
Forum: Malware
Topic: TerrorEK
Replies: 3
Views: 10562

Re: TerrorEK

p1nk wrote: 8603 hits

Does anyone have payloads it was spreading?
All the payloads I went through were betabot, I'll upload some tomorrow when I'm back in the lab.
by sysopfb
Mon Mar 27, 2017 1:38 pm
Forum: Malware
Topic: TerrorEK
Replies: 3
Views: 10562

TerrorEK

@forty-six spotted this guy's tweets where he released his panel source code -> @King_cobra666 Most of his tweets are random attacks at other EK systems. The 'uploader' portion from BlazeEK was sitting at 188.165.62.1 for a while; the panel calls itself Neptune, the source from the uploader calls itself blaze and ...
by sysopfb
Mon Jan 09, 2017 6:53 pm
Forum: Malware
Topic: Malware collection
Replies: 314
Views: 454850

Re: Malware collection

I unpacked verty.exe and virustotal says it's Graftor https://virustotal.com/en/file/348c8889917d267701b950a1c6b8c45083a1f7d96aa7e828e1ea161ffcb2bef4/analysis/ That's a Gozi variant loader, looks like DreamBot version. Embedded dll config below { 'DLL_32': { 'SHA256': '7aad125104371d27240353764d032...
by sysopfb
Wed Dec 14, 2016 5:33 pm
Forum: Malware
Topic: Win32/Cerber
Replies: 71
Views: 154966

Re: Win32/Cerber

Code:

    /read.php?f=404
That is more associated with the delivery mechanism than directly with Cerber. They could push whatever malware they want as a response to that request
by sysopfb
Thu Dec 01, 2016 9:10 pm
Forum: Malware
Topic: Ransomware identified as Trojan.Win32.Inject.acepl
Replies: 2
Views: 12120

Re: Ransomware identified as Trojan.Win32.Inject.acepl

They build great web pages

hxxps://dxostywsduvmn6ra.onion[.]cab/hll.php?btc=1FjH2ApjfPYWytCHYXijHFZ6w9E54X4uBk&pin=3ff69b0&uid=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
by sysopfb
Sun Oct 16, 2016 6:16 pm
Forum: Malware
Topic: Win32/Fleercivet
Replies: 0
Views: 3485

Win32/Fleercivet

This matches both of these reports for Fleercivet https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Fleercivet.A https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28085 Was downloaded from a TrickBot infection via: 207.244.97[.]80/?a...
by sysopfb
Fri Sep 30, 2016 1:00 am
Forum: Newbie Questions
Topic: How did you get into malware analysis?
Replies: 2
Views: 14812

Re: How did you get into malware analysis?

I did development work and then got a job doing incident response and transitioned from that to doing malware research. There are numerous resources and links on this forum leading to book recommendations and tutorials that would help you get into looking at malware. Crackmes are a common recommenda...
by sysopfb
Fri Sep 30, 2016 12:57 am
Forum: Newbie Questions
Topic: How do i analyze this strange ransomware ?
Replies: 5
Views: 7379

Re: How do i analyze this strange ransomware ?

Can you attach a sample?

Just because PEiD and exeinfo do not detect it as packed or crypted does not mean it is not packed; it just means it's not packed with a packer/crypter that has been signatured.
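Added example, not from the post above or from PEiD/exeinfo: a signature-free packing heuristic. Instead of matching a packer's byte signature, it walks the PE section table by hand and measures Shannon entropy of each section's raw data; compressed or encrypted payloads sit near 8 bits/byte regardless of what the packer is called. The PE images it runs on are constructed in-line with a minimal (non-loadable) builder so the check runs offline; the 7.0 threshold and the section names are assumptions, not values from the page.

```python
import hashlib
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption: bits/byte above this looks compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, raw_bytes)] from a PE image's section table (no pefile needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsect):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def entropy_report(pe: bytes):
    """[(section_name, entropy)] for every section in the image."""
    return [(name, round(shannon_entropy(data), 2)) for name, data in parse_sections(pe)]


def looks_packed(pe: bytes) -> bool:
    """True if any section's raw data is near-random, whatever its name or packer."""
    return any(e >= PACKED_THRESHOLD for _, e in entropy_report(pe))


def build_pe(sections):
    """Constructed test input: DOS header + PE signature + COFF header + section
    table + raw data. Optional header is empty, so the file is not loadable;
    only the section table is realistic."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # i386, opt hdr size 0
    data_off = pe_off + 4 + 20 + 40 * len(sections)
    headers, blobs = b"", b""
    for idx, (name, data) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data),
                               0x1000 * (idx + 1), len(data), data_off + len(blobs),
                               0, 0, 0, 0, 0x60000020)
        blobs += data
    return dos + b"PE\0\0" + coff + headers + blobs


def constructed_samples():
    """Two constructed images with ordinary section names: one holds readable
    code-like text, the other an encrypted-looking blob (deterministic SHA-256 chain)."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 64).ljust(4096, b"\0")
    blob, h = b"", b"seed"
    while len(blob) < 4096:
        h = hashlib.sha256(h).digest()
        blob += h
    return {
        "unpacked": build_pe([(".text", text), (".data", b"\0" * 512)]),
        "packed": build_pe([(".text", blob[:4096]), (".data", b"\0" * 512)]),
    }


if __name__ == "__main__":
    for label, image in constructed_samples().items():
        print(label, entropy_report(image), "packed?" , looks_packed(image))
```

Note that both samples use the section name `.text`, so a name-based or signature-based check sees nothing; only the entropy of the raw bytes separates them. On a real sample, swap `constructed_samples()` for `open(path, "rb").read()` and treat a hit as a reason to look for a decryption stub, not as proof of a particular packer.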
by sysopfb
Tue Sep 20, 2016 12:39 am
Forum: Completed Malware Requests
Topic: sample request
Replies: 1
Views: 5083

Re: sample request

attached