Win32/Reveton

Forum for analysis and discussion about malware.
frohboy33
Posts: 1
Joined: Sun Nov 17, 2013 8:56 pm

Re: Win32/Reveton

Post by frohboy33 » Tue Nov 19, 2013 10:45 pm

I have tried about 15 of these Reveton files to infect a PC, but I am unsuccessful. They seem to run, but I never get the lock screen. Any ideas or help?

bitstechs
Posts: 17
Joined: Wed Jun 19, 2013 7:38 am

Re: Win32/Reveton

Post by bitstechs » Sun Nov 24, 2013 2:52 am

frohboy33 wrote: I have tried about 15 of these Reveton files to infect a PC, but I am unsuccessful. They seem to run, but I never get the lock screen. Any ideas or help?
Hello frohboy33,

Are you using an actual PC or a virtual machine? If you're using a virtual machine I would recommend you read this thread, as a lot of those viruses are capable of VM detection. http://www.kernelmode.info/forum/viewto ... =11&t=1911

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Reveton

Post by Xylitol » Thu Feb 06, 2014 1:45 pm

Reveton
https://www.virustotal.com/en/file/a507 ... 391694103/ 4/50
X:\\PGP\\Programming\\JimmMonsterNew\\ServerWinlock\\Source\\SysUtils.pas
anti VMware/VBox etc.

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Win32/Reveton

Post by thisisu » Sat Jun 07, 2014 10:16 pm

ICE Cyber Crime Center with low detection (4/51). Fresh from a customer's computer.

MD5 5651aa11bf10475e23c049f3c61f6dd1
SHA1 4e1f5b15668dcc25434d469d2d308f1b2fc95358
SHA256 bc495ccdb5013fe9cdfbf8c14979d40e7f17d0e07e17728b9891f4bfa9ab01c4
https://www.virustotal.com/en/file/bc49 ... 402178273/

Malicious entries I found:

Code:

2014-06-07 06:18 - 2014-06-07 06:25 - 00000000 ____D () C:\ProgramData\354CBA050729A3277B5147D1A633FA01
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\354CBA050729A3277B5147D1A633FA01\jrjz70zcl.cpp ()
S2 Winmgmt; C:\ProgramData\354CBA050729A3277B5147D1A633FA01\lcz07zjrj.dot [333052 2014-06-07] (Microsoft Corporation)
2014-06-07 13:02 - 2014-06-07 13:06 - 00002576 _____ () C:\ProgramData\RUNDLL32.EXE-1896-F.txt
2014-06-07 12:21 - 2014-06-07 12:21 - 00000473 _____ () C:\ProgramData\RUNDLL32.EXE-1908-F.txt
2014-06-07 06:27 - 2014-06-07 06:27 - 00000605 _____ () C:\ProgramData\RUNDLL32.EXE-1864-F.txt
2014-06-07 06:25 - 2014-06-07 06:25 - 00000114 _____ () C:\ProgramData\RUNDLL32.EXE-3188-F.txt
C:\Users\Owner\AppData\Local\Temp\dtrku.dll
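A small triage script, added here as an example (not part of anyone's post), that runs a few persistence heuristics over the FRST-style entries quoted above: a hash-named ProgramData folder, a startup shortcut and a service both pointing at files with non-PE extensions (.cpp, .dot), the legitimate Winmgmt service name bound to a binary outside C:\Windows, and a DLL in Temp. The svchost control line, the list of borrowed service names and the path regex are my assumptions; the dated directory entries from the post are left out.

```python
import re

# Constructed sample: the FRST-style entries quoted in thisisu's post (paths as
# posted) plus one constructed benign control line for the legitimate Winmgmt
# service, so the heuristics have something they should leave alone.
SAMPLE_LOG = r"""
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\354CBA050729A3277B5147D1A633FA01\jrjz70zcl.cpp ()
S2 Winmgmt; C:\ProgramData\354CBA050729A3277B5147D1A633FA01\lcz07zjrj.dot [333052 2014-06-07] (Microsoft Corporation)
S2 Winmgmt; C:\Windows\system32\svchost.exe -k netsvcs [27136 2009-07-14] (Microsoft Corporation)
C:\Users\Owner\AppData\Local\Temp\dtrku.dll
"""

SYSTEM_SERVICES = {"winmgmt", "wuauserv", "bits", "schedule", "eventlog"}  # assumed list of borrowed names
PE_EXTENSIONS = {"exe", "dll", "scr", "sys", "ocx"}
HEX32_DIR = re.compile(r"\\[0-9a-f]{32}\\", re.I)              # MD5-looking folder name
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?= ->| \[| \(| -|$)")     # first path, minus args/size/vendor
SERVICE_RE = re.compile(r"^[RS]\d (\S+?); ")                   # FRST service line: "S2 Name; path"

def analyse_line(line):
    """Return the heuristic hits for one log line (empty list = unremarkable)."""
    m = PATH_RE.search(line)
    if not m:
        return []
    path = m.group(0)
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    svc = SERVICE_RE.match(line)
    hits = []
    if HEX32_DIR.search(path):
        hits.append("hash-named folder")
    if svc and svc.group(1).lower() in SYSTEM_SERVICES and not path.lower().startswith("c:\\windows\\"):
        hits.append(f"system service name {svc.group(1)!r} with binary outside C:\\Windows")
    if (svc or line.startswith("ShortcutTarget:")) and ext not in PE_EXTENSIONS:
        hits.append(f"executed file with disguised extension .{ext}")
    if line.startswith("Startup:") and name.lower() in {"explorer.lnk", "svchost.lnk", "winlogon.lnk"}:
        hits.append("startup shortcut named after a system binary")
    if "\\temp\\" in path.lower() and ext == "dll":
        hits.append("DLL in a Temp directory")
    return hits

def scan(log_text):
    """Map each log line that triggers at least one heuristic to its list of hits."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line and (hits := analyse_line(line)):
            findings[line] = hits
    return findings

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(line)
        for hit in hits:
            print("   ->", hit)
```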

bitstechs
Posts: 17
Joined: Wed Jun 19, 2013 7:38 am

Re: Win32/Reveton

Post by bitstechs » Thu Jun 12, 2014 1:47 am

Did you happen to save any of the samples from the programdata folder? I'd like to grab those if you have them.

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Win32/Reveton

Post by thisisu » Thu Jun 12, 2014 2:29 am

bitstechs wrote: Did you happen to save any of the samples from the programdata folder? I'd like to grab those if you have them.
No, but I'll save them next time.

Btw, was anyone able to find out what the EntryPoint of that .dll file was?

nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Re: Win32/Reveton

Post by nullptr » Thu Jun 12, 2014 4:55 am

thisisu wrote: Btw, was anyone able to find out what EntryPoint was of that .dll file?
Have a look in attachment :)

SomeUnusedName
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm

Re: Win32/Reveton

Post by SomeUnusedName » Thu Aug 21, 2014 8:51 am

Reveton with Pony Loader, banking functionality:

http://blog.avast.com/2014/08/19/reveto ... y-evolved/

Anyone got a sample?

shoak
Posts: 7
Joined: Wed Aug 06, 2014 3:59 pm

Re: Win32/Reveton

Post by shoak » Thu Aug 21, 2014 3:20 pm

I'm interested in a sample too; it sucks when none is provided in the AV post.

Cody Johnston
Posts: 158
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Win32/Reveton

Post by Cody Johnston » Thu Aug 21, 2014 5:47 pm

Attaching the hashes from the article for easier searching. These are from the blog post mentioned above.

Code:

209B606203E60B9C3ABDBB27D7F93A2D8A60A87C4AB2E7749A9522C17F4511F2
4998A47D1ECB8C80E3AC5BAF743E87CC3546322335EDF89CE4A9AB1EF5420F69
