Search found 100 matches

by sysopfb
Tue Mar 22, 2016 6:41 pm
Forum: Malware
Topic: Win32/Corebot
Replies: 4
Views: 9606

Re: Win32/Corebot

Releasing a paper I wrote last year on this.
by sysopfb
Thu Feb 11, 2016 10:09 pm
Forum: Malware
Topic: TorrentLocker ransomware
Replies: 17
Views: 42294

Re: TorrentLocker ransomware

What people are calling Teerac and AV is calling Win32.Teerac is just a variant of TorrentLocker that matches the reports from welivesecurity.com and the FoxIT blog post with the exception of an additional subdomain generation based on a hardcoded domain. Though they usually resolve to the same IP a...
by sysopfb
Sun Feb 07, 2016 10:42 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 82234

Re: TeslaCrypt ransomware

The spam panel being used is called Spamm Panel

There is a demo up at htxp://spmsmtcheckrgb.com/index.php
by sysopfb
Sat Feb 06, 2016 5:52 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 82234

Re: Malware collection

next https://www.virustotal.com/en/file/3783340fc1d2e3465e0ec6997c7964fe3faabb8bfdd2d181fa3f62954a44e78e/analysis/1454776380/ It's a javascript downloader. That one downloads one of the following which is probably teslacrypt hxxp://helloguysqq.su/80.exe hxxp://sowhatsupwithitff.com/80.exe There's a...
by sysopfb
Thu Feb 04, 2016 8:02 pm
Forum: Malware
Topic: PClock ransomware
Replies: 7
Views: 7532

Re: PClock ransomware

PClock - criminal_case_for_you.scr

Crypter -

Code:

F:\Krypton_15.0_NR\Bin\StubNew.pdb
packed and unpacked in attached
by sysopfb
Tue Feb 02, 2016 6:55 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 82234

Re: TeslaCrypt ransomware

ver=3.0.0a in attached Came from piglyeleutqq.com/80.exe unpack on rtldecompressbuffer C2 encryption key changed to 0324532423723948572379453249857 Lots of recrypted versions of the same build and some old ones on there as well: # md5sum *.exe 5993e0215948ab25054cc87a7af7d411 23.exe 1cdb1cd3d4242d3e...
by sysopfb
Thu Jan 14, 2016 8:46 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 82234

Re: TeslaCrypt ransomware

Previous versions for me would always check into the C2 first before encrypting the files. It appears they now encrypt the files before checking in with this new version.
by sysopfb
Wed Jan 13, 2016 2:27 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 82234

Re: TeslaCrypt ransomware

version=3.0.0 is attached .xxx extensions C2 list: hxxp://dawnlogistics.com/wp-content/themes/sketch/dbsys.php hxxp://yavuzturk.com/wp-includes/dbsys.php hxxp://thevictorianmotel.com/wp-content/themes/sketch/dbsys.php hxxp://elle-ectric.com/wp-content/themes/sketch/dbsys.php hxxp://nicasitios.com/db...
by sysopfb
Thu Dec 31, 2015 11:11 pm
Forum: Malware
Topic: Downloader:Win32/Nitol
Replies: 21
Views: 22664

Re: Malware collection

next https://www.virustotal.com/en/file/6fe508bc7747cb61cd1f54d902d423fe3e277f3e76fa08ac1d453ba227ceb0d1/analysis/1449939246/ Yet another Muldrop, with Nitol.B + Waledac. Waledac downloads a Muldrop with Nitol.B + Kelihos.F. The waledac you had in VT had the following ips, interesting little 'rando...
by sysopfb
Fri Dec 11, 2015 8:06 pm
Forum: Malware
Topic: Win32/Corebot
Replies: 4
Views: 9606

Re: Win32/Corebot

Here's a new config with some different targets and ATS URLs

Sample came from Brad at MTA: https://isc.sans.edu/forums/diary/Every ... 2015/20477