German Ransom (GEMA, GVU, InetAccelerator)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Ransom / FakePoliceAlert

Post by EP_X0FF » Fri Dec 02, 2011 12:16 pm

markusg wrote:0.837970031559333.exe
MD5   : 4c11c67ff7f05a9a77200d4659c6ef4f
http://www.virustotal.com/file-scan/rep ... 1322822552
Ransom BundezPolizei deploying as dll that spawns IE copy on specially allocated desktop with warning message located at -> 194.28.132.231
Ring0 - the source of inspiration

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Sat Dec 03, 2011 7:22 pm

svhcost.exe
MD5   : eb7b3e1ef5c07a5ff6d2f72f1a8adaa3
https://www.virustotal.com/file-scan/re ... 1322939539

GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Ransom / FakePoliceAlert

Post by GMax » Sat Dec 03, 2011 8:23 pm

markusg wrote:svhcost.exe
MD5   : eb7b3e1ef5c07a5ff6d2f72f1a8adaa3
https://www.virustotal.com/file-scan/re ... 1322939539

C&C: banderose.jino.ru

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Mon Dec 05, 2011 3:42 pm

dr5j56iud56.exe
MD5   : ab48f926417c5ae2bc19aeee7b6a6165
https://www.virustotal.com/file-scan/re ... 1323098592

GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Ransom / FakePoliceAlert

Post by GMax » Mon Dec 05, 2011 5:01 pm

markusg wrote:dr5j56iud56.exe
MD5   : ab48f926417c5ae2bc19aeee7b6a6165
https://www.virustotal.com/file-scan/report.html?id=482f69d9eeb910f4bb60b41239a05b24010be1f8edac39dacc5971cde43bb51b-1323098592

used dWinlock (http://www.kassl.de) to disable special keyboard shortcuts

webform hxxp://gemapayment.net/gibmirgeld_de/index.php

unpacked file:
Size: 2119 Kb (2170288 byte)
Date/Time compile: 19.06.1992 / 22:22:17 UTC
MD5: c6a425a7563c4b2a759407890c7ab1d7
www.virustotal.com

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Thu Dec 08, 2011 8:20 pm

hostrun.exe
MD5   : 1fd8f14161c79fc4d2adb2da7bf865c6
http://www.virustotal.com/file-scan/rep ... 1323374526

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Fri Dec 09, 2011 3:33 pm

seryhse5u.exe
MD5   : b7fd16e439c97dc62c31b4039bb62919
https://www.virustotal.com/file-scan/re ... 1323444146

GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Ransom / FakePoliceAlert

Post by GMax » Fri Dec 09, 2011 6:27 pm

markusg wrote:hostrun.exe
MD5   : 1fd8f14161c79fc4d2adb2da7bf865c6
http://www.virustotal.com/file-scan/rep ... 1323374526

C&C: banduman.ru

GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Ransom / FakePoliceAlert

Post by GMax » Fri Dec 09, 2011 7:04 pm

markusg wrote:seryhse5u.exe
MD5   : b7fd16e439c97dc62c31b4039bb62919
https://www.virustotal.com/file-scan/re ... 1323444146
Equal to this: http://www.kernelmode.info/forum/viewtopic.php? ... =40#p10157

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Wed Dec 14, 2011 8:21 pm

firefox.exe
MD5   : 61ae78c270fdb7a1038e92999a317968
http://www.virustotal.com/file-scan/rep ... 1323893416
