Search found 100 matches

by sysopfb
Wed Sep 14, 2016 10:55 pm
Forum: Malware
Topic: Locky ransomware
Replies: 135
Views: 188542

Re: Malware collection

next https://www.virustotal.com/en/file/4ef292ed16218837a7822c124a0cd8e61aad0f3ac3a29e49da9ab394d3ececba/analysis/1473348995/ Smoke Loader next.. https://www.virustotal.com/en/file/e7555a1dbfb2aba9dfea805a6ab9b90b4afeb4d66ad318e84eaf77306f0581d5/analysis/1473862240/ Teerac - Torrent Locker variant ...
by sysopfb
Tue Aug 16, 2016 3:15 pm
Forum: Malware
Topic: WinNT/Vawtrak
Replies: 33
Views: 53919

Re: WinNT/Vawtrak

DGA based on the PRNG string generator that's been in vawtrak for a while. Blog posts: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.html https://info.phishlabs.com/blog/vawtrak-/-neverquest2-adopts-new-methods-to-increase-persistence DGA example script: https://github.com/fidelis...
by sysopfb
Fri Jul 29, 2016 4:49 pm
Forum: Malware
Topic: WinNT/Ursnif (alias ISFB/Gozi)
Replies: 44
Views: 60928

Re: Malware collection

That's a JavaScript downloader

The js downloader is delivering Gozi/ISFB
by sysopfb
Sat Jul 09, 2016 1:01 am
Forum: Malware
Topic: WinNT/Ursnif (alias ISFB/Gozi)
Replies: 44
Views: 60928

Re: Malware collection

The first file looks like a common keylogger-stealer. Will look at it more later. Unpacked in the attachment. https://www.hybrid-analysis.com/sample/708ce4f663609d649b14d65addbea85f0646dbeb80ea543930586a7cd6aa8f51?environmentId=100 (the unpacked) That's a gozi/isfb variant The URL can be turned int...
by sysopfb
Sat Jun 04, 2016 10:39 pm
Forum: Malware
Topic: Win32/Cerber
Replies: 71
Views: 154966

Re: Malware collection

https://www.virustotal.com/en/file/09b1937df3f8313ea5cff2321ba1e533ee48878efb8072aa1105794edbd3b70d/analysis/1465067535/ That is Cerber ransomware Config: { "default": { "tor": "cerberhhyed5frqa", "site_1": "onion.to", "site_2": "onion.cab", "site_3": "onion.nu", "site_4": "onion.link", "site_5": "t...
by sysopfb
Sat Jun 04, 2016 1:29 pm
Forum: Malware
Topic: DMA Locker 4.0
Replies: 7
Views: 8289

Re: DMA Locker 4.0

Was also seeing cerber from these but the actor switched to DMA locker it seems? hxxp://avtomatika-dv[.]ru/image/data/avatars/.../log.php?f=404 hxxp://www[.]harmanhouse[.]com/catalog/language/english/error/.../log.php?f=404 Has a pretty large list of file extension targets Strings for traffic: http:...
by sysopfb
Wed May 25, 2016 12:16 pm
Forum: Completed Malware Requests
Topic: PUNCHBUGGY/PUNCHTRACK
Replies: 1
Views: 3413

Re: PUNCHBUGGY/PUNCHTRACK

If you're just interested in the punchbuggy/punchtrack stuff, I'm pretty sure it's the same as the below:

http://malware.dontneedcoffee.com/2015/ ... e-pos.html

As for the zero-day leveraged in the report, I don't have samples of it, sorry.
by sysopfb
Tue May 24, 2016 11:26 pm
Forum: Malware
Topic: Locky ransomware
Replies: 135
Views: 188542

Re: Malware collection

by sysopfb
Tue May 03, 2016 1:31 pm
Forum: Completed Malware Requests
Topic: p2p dll za3
Replies: 1
Views: 2489

Re: p2p dll za3

Attached
by sysopfb
Sat Apr 02, 2016 4:25 pm
Forum: Malware
Topic: TrojanDownloader:JS/Nemucod
Replies: 2
Views: 3337

TrojanDownloader:JS/Nemucod

Commonly used to download Kovter. Also been used to download cryptowall, teslacrypt, radamant... They added a crappy 'ransomware' piece to the top of the JavaScript that will download a simple exe that takes a file as a parameter and XORs the first 0x800 or 2048 bytes of the file with a static 255 by...