German Ransom (GEMA, GVU, InetAccelerator)

Forum for analysis and discussion about malware.
GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Ransom / FakePoliceAlert

Post by GMax » Thu Dec 15, 2011 6:34 pm

markusg wrote:
firefox.exe
MD5 : 61ae78c270fdb7a1038e92999a317968
http://www.virustotal.com/file-scan/rep ... 1323893416

C&C:
megaplox.info
stenamsa.info
grembans.info

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Ransom / FakePoliceAlert

Post by markusg » Thu Dec 15, 2011 6:55 pm

firefox.exe
MD5 : eb8498777ec2eca69395fa228dc6e1b8
https://www.virustotal.com/file-scan/re ... 1323974700

GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Ransom / FakePoliceAlert

Post by GMax » Thu Dec 15, 2011 7:05 pm

markusg wrote:
firefox.exe
MD5 : eb8498777ec2eca69395fa228dc6e1b8
https://www.virustotal.com/file-scan/re ... 1323974700
equal to previous

C&C:
restlezma.info
quiwerw.info
apoqwdsd.info

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Trojan Ransom / FakePoliceAlert

Post by Xylitol » Wed Dec 21, 2011 8:21 pm


GMax
Posts: 79
Joined: Sun Mar 14, 2010 7:53 am

Re: Trojan Ransom / FakePoliceAlert

Post by GMax » Fri Dec 23, 2011 5:17 pm

markusg wrote:
sbcvvhost_win86.exe
MD5 : 280c3da5ea65c959067f8ab553037370
https://www.virustotal.com/file-scan/re ... 1324584652
equal to this

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan Ransom / FakePoliceAlert

Post by rkhunter » Wed Dec 28, 2011 3:03 pm

markusg wrote:
dllhsts.exe
MD5 : 8fbd78ee09d1467920b47fad3702d65a
https://www.virustotal.com/file-scan/re ... 1325079026

Copies itself to %appdata%\Microsoft\dllhsts.exe
Runs from : HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{DB3BF3D9-5F9E-11DD-A073-806D6172696F}

Response to:
feyana.jino.ru POST /index.php HTTP/1.1
feyana22.ru POST /index.php HTTP/1.1
feyana44.ru POST /index.php HTTP/1.1

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan Winlock / Ransom / ScreenLocker

Post by rkhunter » Mon Jan 09, 2012 5:49 am

GEMA Locker - Trojan:Win32/LockScreen.BO

9/43 >> 20.9%


Copies itself to %appdata%\ActiveX32_64lo.exe.
Autorun from:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\olmwKSKlNdgCU6b
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\olmwKSKlNdgCU6b
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
[www].fuehlediecon.com GET /wasgehtalter_panel/gate.php?...
[www].fuehlediebezahlung.com GET /wirbrauchenbass_bezahlung/index.php
[www].uploadmusic.org GET /MUSIC/6540321325490242.mp3
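The two rkhunter posts above list where the dllhsts.exe and GEMA samples copy themselves and which registry values they set for persistence and lock-out. As an added example, not code from the thread or any poster, the following read-only PowerShell triage script checks a host for exactly those artifacts and compares any dropped file's MD5 against the hashes quoted in the thread. The paths, value names and hashes come from the posts; the script itself and its structure are my assumption about how a responder would check them.

```powershell
# Added example (not code from the forum thread or its posters): read-only triage
# for the persistence artifacts listed in the dllhsts.exe and GEMA locker posts.
# Paths, value names and hashes are quoted from the thread; run in an elevated
# PowerShell session on the suspect host.

# MD5s quoted in the thread, lower-cased for comparison.
$threadHashes = @(
    '61ae78c270fdb7a1038e92999a317968',
    'eb8498777ec2eca69395fa228dc6e1b8',
    '280c3da5ea65c959067f8ab553037370',
    '8fbd78ee09d1467920b47fad3702d65a',
    '79615c5dc40f4f92e9bcef07267b6d29',
    '87ef59c68256005cd7bfdf379ff7f609'
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Value = $Value })
}

# 1. Dropped copies under %APPDATA% (file names from the posts).
foreach ($name in 'Microsoft\dllhsts.exe', 'ActiveX32_64lo.exe') {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path) {
        $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        $note = if ($threadHashes -contains $md5) { "$md5 (matches a thread sample)" } else { $md5 }
        Add-Finding 'DroppedFile' $path $note
    }
}

# 2. Run-key value names quoted in the posts, checked in both hives.
$runValueNames = '{DB3BF3D9-5F9E-11DD-A073-806D6172696F}', 'olmwKSKlNdgCU6b'
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($valueName in $runValueNames) {
        if ($props.PSObject.Properties.Name -contains $valueName) {
            Add-Finding 'RunKey' "$key\$valueName" $props.$valueName
        }
    }
}

# 3. Winlogon\Shell: anything other than the default explorer.exe deserves a look.
foreach ($hive in 'HKCU', 'HKLM') {
    $key   = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim().ToLower() -ne 'explorer.exe') {
        Add-Finding 'WinlogonShell' "$key\Shell" $shell
    }
}

# 4. Policy values the GEMA sample sets to keep the victim out of Task Manager,
#    regedit and the desktop. A value of 1 means the restriction is active.
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
)
foreach ($check in $policyChecks) {
    $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($check.Name) -eq 1) {
        Add-Finding 'Policy' "$($check.Key)\$($check.Name)" $item.($check.Name)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the thread found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reports. A non-default Winlogon\Shell or an active policy value is the usual reason a locked screen survives a reboot, so on a hit the sensible order is to capture the dropped file and the registry values first and then restore Shell and the policy values from a known-good baseline.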

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan Winlock / Ransom / ScreenLocker

Post by rkhunter » Mon Jan 09, 2012 11:29 am

18 samples of GEMA

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan Winlock / Ransom / ScreenLocker

Post by rkhunter » Thu Jan 12, 2012 9:18 am

GEMA winlock

0/43 >> 0.0%

MD5: 79615c5dc40f4f92e9bcef07267b6d29

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan Ransom / FakePoliceAlert

Post by rkhunter » Sat Jan 14, 2012 3:18 am

13/43

MD5: 87ef59c68256005cd7bfdf379ff7f609

