Search found 100 matches

by sysopfb
Thu Dec 10, 2015 4:52 pm
Forum: Malware
Topic: Win32/Corebot
Replies: 4
Views: 9606

Win32/Corebot

Sample and config attached
by sysopfb
Wed Nov 25, 2015 5:28 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 82234

Re: TeslaCrypt ransomware

Signed teslacrypt attached
SN: 6f 17 f2 ec 42 0a cc 9e c6 74 a4 ef 5e 76 32 f6
CN = Certum Level III CA
OU = Certum Certification Authority
O = Unizeto Technologies S.A.
C = PL
E = vipul@bscp-lim.com
CN = Open Source Developer, Andrea Jane Paxton
O = BSCP
C = GB
C2 list: http://genesistut.com/misc.p...
by sysopfb
Tue Nov 24, 2015 1:03 am
Forum: Malware
Topic: Cryptowall (alias Crowti)
Replies: 29
Views: 61553

Re: Cryptowall (alias Crowti)

Thank you again and we hope you share our view that your contribution helped to provide
has zip attached with javascript inside.
downloads http://1caclean.com/wp-includes/theme-compat/691.exe?1
SHA: e6a3740228180ceb5f2d6ea58c6a46c03af44e37f5f8b0a4ba6bcf635811a849
http://rgkschool.com/modules/mod_ar...
by sysopfb
Fri Nov 20, 2015 7:09 pm
Forum: Malware
Topic: Cryptowall (alias Crowti)
Replies: 29
Views: 61553

Re: Cryptowall (alias Crowti)

Signed Cryptowall binary https://www.virustotal.com/en/file/1d39890e586bd3af03bb31ed307af378fbc58cc61fddd9bbc4de4fb738bb4d93/analysis/
COMODO cert
SN: 00 94 be 4a fd 1f af 6f 31 4a 80 59 de c5 7d 51 7f
Name: Generator Media + Analytics, Inc.
Email: development@tuta.io
Signing Time: Friday, Novemb...
by sysopfb
Fri Nov 20, 2015 2:39 pm
Forum: Malware
Topic: Win32/Spy.Shiz.NCP (Shifu)
Replies: 9
Views: 22347

Re: Win32/Spy.Shiz.NCP (Shifu)

Some variation from what I've seen reported with this sample
Uses an RC4 key similar to the virusbtn.com report https://www.virusbtn.com/virusbulletin/archive/2015/11/vb201511-Shifu
Key: a8zoSTHljZylEx4o3mJ2eqIdsEguKC15KnyQdfx4RTc5sjH
Doesn't use the standard RC4 key scheduling algorithm; instead it ...
by sysopfb
Tue Nov 17, 2015 7:34 pm
Forum: Malware
Topic: Win32/Dyzap (Dyre)
Replies: 26
Views: 41792

Re: Win32/Dyzap (Dyre)

Paper specific to the loader piece of Dyre is attached. Feel free to whisper me with any corrections.
by sysopfb
Wed Nov 04, 2015 9:46 pm
Forum: Malware
Topic: WinNT/Vawtrak
Replies: 33
Views: 53919

Re: WinNT/Vawtrak

Vawtrak project 13
Being delivered by Bedep
Not on VT yet
C2 urls: hxxp://ninthclub.com/Work/new/index.php hxxp://camelcap.com/Work/new/index.php hxxp://ideagreens.com/Work/new/index.php hxxp://guesstrade.com/Work/new/index.php hxxp://castuning.ru/Work/new/index.php hxxp://mgsmedia.ru/Work/new/index...
by sysopfb
Tue Oct 27, 2015 8:07 pm
Forum: Malware
Topic: Backdoor Andromeda (waahoo, alias Gamarue)
Replies: 129
Views: 178607

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Word doc macro downloads: hxxp://91.229.79.231:8080/cfab2e3d.jpg
Can be decoded using the following script:
array = [x for x in xrange(0,256)]
arg1 = open('cfab2e3d.jpg','rb').read()
arg2 = "abc123"
arg1 = bytearray(arg1)
arg2 = bytearray(arg2)
arg1_len = len(arg1)
arg2_len = len(arg2)
for i in xran...
by sysopfb
Thu Oct 22, 2015 4:25 pm
Forum: Malware
Topic: Win32/Fareit
Replies: 59
Views: 109981

Re: Win32/Fareit

0/55 pony Delivered with Necurs by Bedep
https://www.virustotal.com/en/file/d02f ... 445529894/


Gate:
mist.fortunetwork.com/news.php

unpack via RtlDecompressBuffer
by sysopfb
Wed Oct 21, 2015 9:12 pm
Forum: Malware
Topic: Win32/Dyzap (Dyre)
Replies: 26
Views: 41792

Re: Win32/Dyzap (Dyre)

Attachment: dyre77_ver1157.zip
Dyre 1910us77 campaign, version 1157
The crypter I've seen before has a few stupid GetCPInfo checks for single processor systems
Also checks for the FDIV bug IsProcessorFeaturePresent(0)
C2 list: 31.216.190.18:443 41.57.19.24:443 41.168.11.125:443 41.191.118.234:443 46.1...