WinNT/Cridex (alias Dridex, Drixed)

Forum for analysis and discussion about malware.
Post Reply
sugar
Posts: 12
Joined: Sat Jul 30, 2011 10:33 am

WinNT/Cridex (alias Dridex, Drixed)

Post by sugar » Wed Dec 21, 2011 12:03 pm

hello, i'm looking for acdd4c2a377933d89139b5ee6eefc464
Top
User avatar
EP_X0FF
Global Moderator
Posts: 4788
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:
Contact EP_X0FF

Re: Malware Requests

Post by EP_X0FF » Thu Dec 22, 2011 7:26 am

sugar wrote:hello, i'm looking for acdd4c2a377933d89139b5ee6eefc464
This is Cridex.
You do not have the required permissions to view the files attached to this post.
Ring0 - the source of inspiration
Top
User avatar
rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Contact:
Contact rkhunter

Worm:Win32/Cridex.B

Post by rkhunter » Tue Jan 03, 2012 9:16 am

http://www.microsoft.com/security/porta ... 2147649733

Cridex

VT (22/43 >> 51.2%)

Seems this is Cridex too, but it detected as not Cridex by all (ZBot, VirTool)...look VT link (probably this is muldrop)

VT (22/43) >> 51.2%)
You do not have the required permissions to view the files attached to this post.
Top
User avatar
EP_X0FF
Global Moderator
Posts: 4788
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:
Contact EP_X0FF

Re: Worm:Win32/Cridex.B

Post by EP_X0FF » Tue Jan 03, 2012 10:05 am

rkhunter wrote:Seems this is Cridex too, but it detected as not Cridex by all (ZBot, VirTool)...look VT link (probably this is muldrop)
Yes it is Cridex.B too (http://www.virustotal.com/file-scan/rep ... 1325584240)

VirTool:Win32/VBInject because of crypter that has VB origin, with CreateProcess(CREATE_SUSPENDED)/NtWriteVirtualMemory/NtSetContextThread/NtResumeThread.
Ring0 - the source of inspiration
Top
User avatar
rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Contact:
Contact rkhunter

Re: Worm:Win32/Cridex.B

Post by rkhunter » Thu Jan 05, 2012 3:14 am

Two more Cridex droppers.

VT (3/43 >> 7.0%)

VT (26/43 >> 60.5%)
Under VBCrypt/VBInject.
You do not have the required permissions to view the files attached to this post.
Top
User avatar
rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Contact:
Contact rkhunter

Re: Worm:Win32/Cridex.B

Post by rkhunter » Sat Jan 14, 2012 4:45 am

Observed as BH payload

MD5: e3fa551432bb0ac6fdcbb992e3332cd3

9/43

Drops to %appdata%\KB00725031.exe
You do not have the required permissions to view the files attached to this post.
Top
dcmorton
Posts: 30
Joined: Tue Nov 16, 2010 4:56 pm
Location: United States
Contact:
Contact dcmorton

Re: Worm:Win32/Cridex.B

Post by dcmorton » Fri Jan 20, 2012 12:25 pm

MS article about Cridex.B being spread through fake traffic ticket notification emails

http://blogs.technet.com/b/mmpc/archive ... lware.aspx
Top
User avatar
rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Contact:
Contact rkhunter

Re: Worm:Win32/Cridex.B

Post by rkhunter » Fri Jan 20, 2012 2:14 pm

Cridex.B

MD5: 98d4503ad44ade815830019ce44caad2
23/43
You do not have the required permissions to view the files attached to this post.
Top
User avatar
rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Contact:
Contact rkhunter

Re: Worm:Win32/Cridex.B

Post by rkhunter » Sat Jan 21, 2012 5:27 am

MD5: 29ff4c6c301a412d0b6ce8f1b44a4983
5/43
You do not have the required permissions to view the files attached to this post.
Top
User avatar
rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Contact:
Contact rkhunter

Re: Worm:Win32/Cridex.B

Post by rkhunter » Sat Jan 21, 2012 5:30 am

MD5: 1fa2fe2e25ddb2365ac942be5e734681
8/43
You do not have the required permissions to view the files attached to this post.
Top
Post Reply

Return to “Malware”