German Ransom (GEMA, GVU, InetAccelerator)

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Winlock / Ransom / ScreenLocker

Post by markusg » Mon Nov 21, 2011 8:03 pm

svhcost.exe
MD5 : cb08c55ea8a34f0750a7e3a47d6faa63
https://www.virustotal.com/file-scan/re ... 1321905022

GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Winlock / Ransom / ScreenLocker

Post by GMax » Tue Nov 22, 2011 7:38 pm

markusg wrote:svhcost.exe
MD5 : cb08c55ea8a34f0750a7e3a47d6faa63
https://www.virustotal.com/file-scan/re ... 1321905022

Striker
Posts: 53
Joined: Thu Mar 10, 2011 2:22 pm
Location: Germany

Re: Trojan Winlock / Ransom / ScreenLocker

Post by Striker » Tue Nov 22, 2011 11:21 pm

I've used a real Paysafecard (0,00€ credit), so it works. The serials will be locked after activation; unfortunately you cannot use them again.

or try it yourself..


0971570170772327
0445332279725611
I love the old times.

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

German Ransom (GEMA, GVU, InetAccelerator)

Post by markusg » Sun Nov 27, 2011 7:32 pm

sx5u7frt55.exe
MD5   : f76e3c6d194cf1f4002c417e020e7c0b
https://www.virustotal.com/file-scan/re ... 1322421186
GEMA ransomware

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Winlock / Ransom / ScreenLocker

Post by EP_X0FF » Mon Nov 28, 2011 6:32 am

markusg wrote:sx5u7frt55.exe
MD5   : f76e3c6d194cf1f4002c417e020e7c0b
https://www.virustotal.com/file-scan/re ... 1322421186
GEMA ransomware

Attached is the fully decrypted and unpacked sample. Crap is written in Delphi 7 using a special TdWinlock component that provides blocking features such as:

noCtrlAltDel - FALSE
noAltTab - TRUE
noAltEsc - TRUE
noAltF4 - TRUE
noCtrlEsc - TRUE
noWinkeys - TRUE
noAppkey - TRUE
noRButton - TRUE
noTaskbar - TRUE
noTaskLinks - TRUE
noTaskTray - TRUE
noAltReturn - TRUE
noAccessibilityShortcuts - TRUE
noShutdown - TRUE
noDesktop - TRUE
noStartbutton - TRUE
noStartMenu - TRUE
Version - 3.2
Ring0 - the source of inspiration

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Winlock / Ransom / ScreenLocker

Post by markusg » Mon Nov 28, 2011 7:26 pm

svhcost.exe
MD5   : 316a119d9c4ba46a1ffdd01bc8de2a4a
https://www.virustotal.com/file-scan/re ... 1322507937

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Winlock / Ransom / ScreenLocker

Post by EP_X0FF » Tue Nov 29, 2011 3:12 am

markusg wrote:svhcost.exe
MD5   : 316a119d9c4ba46a1ffdd01bc8de2a4a
https://www.virustotal.com/file-scan/re ... 1322507937
Equal to this

Attached is the decrypted working sample. Posts moved.
Ring0 - the source of inspiration

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Tue Nov 29, 2011 8:24 pm

ed6t57it5.exe
MD5 : dad53b8e2127125f4850348a9e58182f
https://www.virustotal.com/file-scan/re ... 1322597835

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Ransom / FakePoliceAlert

Post by EP_X0FF » Wed Nov 30, 2011 11:20 am

markusg wrote:ed6t57it5.exe
MD5 : dad53b8e2127125f4850348a9e58182f
https://www.virustotal.com/file-scan/re ... 1322597835
Ransom GEMA

Decrypted in the attachment.
Ring0 - the source of inspiration

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Fri Dec 02, 2011 10:51 am

0.837970031559333.exe
MD5   : 4c11c67ff7f05a9a77200d4659c6ef4f
http://www.virustotal.com/file-scan/rep ... 1322822552