WinNT/Cridex (alias Dridex, Drixed)

Forum for analysis and discussion about malware.

WinNT/Cridex (alias Dridex, Drixed)

Postby sugar » Wed Dec 21, 2011 12:03 pm

Hello, I'm looking for acdd4c2a377933d89139b5ee6eefc464
sugar
 
Posts: 12
Joined: Sat Jul 30, 2011 10:33 am
Reputation point: 0

Re: Malware Requests

Postby EP_X0FF » Thu Dec 22, 2011 7:26 am

sugar wrote: Hello, I'm looking for acdd4c2a377933d89139b5ee6eefc464


This is Cridex.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Worm:Win32/Cridex.B

Postby rkhunter » Tue Jan 03, 2012 9:16 am

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3AWin32%2FCridex.B&threatid=2147649733

Cridex

VT (22/43 >> 51.2%)

Seems this is Cridex too, but it is detected as not Cridex by all (ZBot, VirTool)... look at the VT link (probably this is a muldrop)

VT (22/43 >> 51.2%)
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Worm:Win32/Cridex.B

Postby EP_X0FF » Tue Jan 03, 2012 10:05 am

rkhunter wrote: Seems this is Cridex too, but it is detected as not Cridex by all (ZBot, VirTool)... look at the VT link (probably this is a muldrop)


Yes, it is Cridex.B too (http://www.virustotal.com/file-scan/rep ... 1325584240)

VirTool:Win32/VBInject is because of the crypter, which has a VB origin and uses CreateProcess(CREATE_SUSPENDED)/NtWriteVirtualMemory/NtSetContextThread/NtResumeThread.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571
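The CreateProcess(CREATE_SUSPENDED)/NtWriteVirtualMemory/NtSetContextThread/NtResumeThread chain EP_X0FF describes is the classic process-hollowing sequence, and it is a useful thing to flag in a sandbox API trace. The script below is an added example, not code from this thread; the trace format, PIDs, handles and paths are constructed for illustration.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit checked on CreateProcess*

# Constructed sandbox-style API trace: "<pid> <api> key=value ...", one call per line.
# PID 1234 shows the hollowing chain; PID 5678 starts a child normally and resumes a thread.
TRACE = """\
1234 CreateProcessW lpApplicationName=C:\\Windows\\svchost.exe dwCreationFlags=0x4 ProcessId=2200
1234 NtWriteVirtualMemory ProcessHandle=0x1c8 BaseAddress=0x00400000 Length=0x1a000
1234 NtSetContextThread ThreadHandle=0x1cc
1234 NtResumeThread ThreadHandle=0x1cc
5678 CreateProcessW lpApplicationName=C:\\Windows\\notepad.exe dwCreationFlags=0x0 ProcessId=3300
5678 NtResumeThread ThreadHandle=0x200
"""

# Calls that must follow the suspended CreateProcess, in this order (other calls may sit between).
PATTERN = ["NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"]


def parse_line(line):
    """Split one constructed trace line into (pid, api, {arg: value})."""
    pid, api, *rest = line.split()
    args = dict(kv.split("=", 1) for kv in rest)
    return int(pid), api, args


def find_hollowing(trace):
    """Return [(pid, hollowed_image)] for every process whose trace shows
    CreateProcess(CREATE_SUSPENDED) followed, in order, by the PATTERN calls."""
    next_step = defaultdict(int)  # pid -> index of the next expected PATTERN call
    suspended = {}                # pid -> image path of its suspended child
    hits = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, api, args = parse_line(line)
        if api.startswith("CreateProcess"):
            flags = int(args.get("dwCreationFlags", "0x0"), 16)  # hex as in the trace
            if flags & CREATE_SUSPENDED:
                suspended[pid] = args.get("lpApplicationName", "?")
                next_step[pid] = 0
            continue
        if pid in suspended and api == PATTERN[next_step[pid]]:
            next_step[pid] += 1
            if next_step[pid] == len(PATTERN):
                hits.append((pid, suspended.pop(pid)))
    return hits


if __name__ == "__main__":
    for pid, image in find_hollowing(TRACE):
        print(f"pid {pid}: suspended child {image} written, context set and resumed")
```

A single NtResumeThread without a prior suspended CreateProcess (PID 5678 above) is not reported, which keeps ordinary process starts out of the results.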

Re: Worm:Win32/Cridex.B

Postby rkhunter » Thu Jan 05, 2012 3:14 am

Two more Cridex droppers.

VT (3/43 >> 7.0%)

VT (26/43 >> 60.5%)
Under VBCrypt/VBInject.
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Worm:Win32/Cridex.B

Postby rkhunter » Sat Jan 14, 2012 4:45 am

Observed as BH payload

MD5: e3fa551432bb0ac6fdcbb992e3332cd3

9/43

Drops to %appdata%\KB00725031.exe
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Worm:Win32/Cridex.B

Postby dcmorton » Fri Jan 20, 2012 12:25 pm

MS article about Cridex.B being spread through fake traffic ticket notification emails

http://blogs.technet.com/b/mmpc/archive/2012/01/19/fake-seattle-traffic-ticket-notification-leads-to-malware.aspx
dcmorton
 
Posts: 30
Joined: Tue Nov 16, 2010 4:56 pm
Location: United States
Reputation point: 13

Re: Worm:Win32/Cridex.B

Postby rkhunter » Fri Jan 20, 2012 2:14 pm

Cridex.B

MD5: 98d4503ad44ade815830019ce44caad2
23/43
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Worm:Win32/Cridex.B

Postby rkhunter » Sat Jan 21, 2012 5:27 am

MD5: 29ff4c6c301a412d0b6ce8f1b44a4983
5/43
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Worm:Win32/Cridex.B

Postby rkhunter » Sat Jan 21, 2012 5:30 am

MD5: 1fa2fe2e25ddb2365ac942be5e734681
8/43
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147
