Win32/Reveton

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4814
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Reveton

Post by EP_X0FF » Mon May 20, 2013 5:35 am

No paysafecard needed, your passwords will pay off
http://blogs.technet.com/b/mmpc/archive ... y-off.aspx
Ring0 - the source of inspiration

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Win32/Reveton

Post by PX5 » Thu May 30, 2013 9:38 am

Reveton aka FBI/MoneyPak

Link is dead... http://ytojuxate.pl/erolikos (50.7.46.181)

Seen it called Screenlock and other names like Fortinet W32/Moure.A!tr.dldr

I disagree; although it's a screenlock, this is pure Reveton. I won't be able to share the pcap, but trust me, it's Reveton; all my stolen PWs say so! ;)

https://www.virustotal.com/en/file/4e90 ... 369870629/

https://www.virustotal.com/en/file/38f5 ... 369870675/

https://www.virustotal.com/en/file/8f06 ... 369870684/
Arrogance led me to my Ignorance

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Win32/Reveton

Post by PX5 » Thu May 30, 2013 9:47 am

Image

Holy Crap!

Best I could do for now, had to use a camera; safe mode didn't load, haven't tried anything else yet, still not awake.

If someone is good at re-sizing photos, have at it and repost so it's visible.

Thanks,

MJ
Last edited by Xylitol on Thu May 30, 2013 11:41 am, edited 1 time in total.
Reason: image fix
Arrogance led me to my Ignorance

EP_X0FF
Global Moderator
Posts: 4814
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Reveton

Post by EP_X0FF » Thu May 30, 2013 2:38 pm

PX5 wrote: Holy Crap!

Best I could do for now, had to use a camera; safe mode didn't load, haven't tried anything else yet, still not awake.

MJ
Is it one of the recent samples you uploaded?
Ring0 - the source of inspiration

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Win32/Reveton

Post by PX5 » Thu May 30, 2013 5:12 pm

Last edited by Xylitol on Thu May 30, 2013 11:41 am, edited 1 time in total.
Reason: image fix

Looks like Xylitol has repaired the image as much as it can be, thanks for asking EP_X0FF. :)

Thank You Much X! :)
Arrogance led me to my Ignorance

Mosh
Posts: 29
Joined: Thu Oct 06, 2011 4:10 pm
Location: Colombia

Re: Win32/Reveton

Post by Mosh » Thu Jun 06, 2013 4:39 pm

Recently I saw a version with this same design, but the name I found for it was Flimrans.

Image

Is this the same Reveton?

Basic analysis:
http://www.nyxbone.com/malware/flimrans.html

Links:
http://www.malekal.com/2013/05/25/flimr ... hnologies/
https://www.botnets.fr/index.php/Flimrans
nyxbone.com
Twitter: @nyxbone

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Reveton

Post by Xylitol » Sun Jun 09, 2013 9:11 pm

You do not have the required permissions to view the files attached to this post.

Cody Johnston
Posts: 158
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Win32/Reveton

Post by Cody Johnston » Tue Jun 18, 2013 3:37 pm

Fresh from this morning

VT 7/47 https://www.virustotal.com/en/file/2981 ... 371569564/

MD5: 052f5d4122155f64c95d42ec2a6eed99

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Win32/Reveton

Post by thisisu » Sat Jun 22, 2013 7:31 pm

IIRC this one had the "ICE Cyber Crime Center" logo in here somewhere. Pulled from a customer laptop this morning.

MD5: 37dea49af3e2cddf3159e794ac14e77d -- https://www.virustotal.com/en/file/9098 ... /analysis/
FRST:

Code:

HKU\Owner\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\khpvjhtueuosbxwdt.exe" <===== ATTENTION!
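
A defender-side triage added here as an example (not from thisisu's post, nor from FRST itself): it parses FRST-style log lines such as the one quoted above for Command Processor AutoRun entries and flags targets that live under Temp or other user-writable drop locations. The log lines are constructed for this example and the Reveton entry mirrors the one above.

```python
import re
from typing import Dict, List

# Constructed FRST-style lines (not a real log); the first mirrors the entry quoted in the post.
SAMPLE_FRST_LOG = r"""
HKU\Owner\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\khpvjhtueuosbxwdt.exe" <===== ATTENTION!
HKLM\...\Run: [SecurityHealth] C:\Windows\system32\SecurityHealthSystray.exe
HKU\Owner\...\Run: [OneDrive] "C:\Users\Owner\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
HKU\Admin\...\Command Processor: "C:\Program Files\Tools\prompt.exe"
"""

# FRST prints the Command Processor AutoRun value as:  <hive>\...\Command Processor: "<path>" [args]
CMD_PROC_RE = re.compile(
    r'^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\.\\Command Processor:\s*'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)

# Directories in which a legitimate cmd.exe AutoRun handler has no business living.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                   "\\appdata\\roaming\\", "\\users\\public\\")


def find_command_processor_autoruns(log: str) -> List[Dict[str, object]]:
    """Return every Command Processor AutoRun entry in an FRST log with a suspicion verdict.

    The AutoRun value is executed by cmd.exe every time a shell starts, so a dropper
    registered there is relaunched whenever anything opens a command prompt.
    """
    hits = []
    for line in log.splitlines():
        m = CMD_PROC_RE.match(line.strip())
        if not m:
            continue
        target = m.group("quoted") or m.group("bare")
        low = target.lower()
        hits.append({
            "hive": m.group("hive"),
            "target": target,
            "suspicious": any(d in low for d in SUSPICIOUS_DIRS),
            "flagged_by_frst": "ATTENTION" in line,
        })
    return hits


if __name__ == "__main__":
    for hit in find_command_processor_autoruns(SAMPLE_FRST_LOG):
        print(hit)
```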

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Win32/Reveton

Post by Win32:Virut » Wed Jul 31, 2013 11:02 am

rundll32.exe path,XFG00

https://www.virustotal.com/en/file/90b6 ... 375267929/

I was just browsing some websites and got infected; maybe some site was infected.
