CryptoLocker (Trojan:Win32/Crilock.A)

Cody Johnston
Posts: 158
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Thu Oct 17, 2013 6:32 pm

hxxp://93.189.44.187/103.exe

skgsergio
Posts: 1
Joined: Fri Oct 18, 2013 8:50 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by skgsergio » Fri Oct 18, 2013 1:33 pm

103.exe seems less detected yet, is it a new version?

On the other hand, when you enter a C&C via HTTP (e.g. hxxp://gktibioivpqbot.net/) you get this message:
Temporary notes:

You cannot restore files after time has expired! Setting the system clock back will not help you!

Uninstall action and expiry time controlled by server, your key pair destroyed after uninstall (time has expired)!
You can't control it!!!
After uninstall (if you try reinstall) you obtain a new key pair from server.

You can reinstall software only if time has not expired!


Personal message:

Dear guy, please resend your MP 307*********07, you have month. (We know your machine, we wait you...), this is merchant error, sorry.
Why you did not do this immediately after an error?

Uninstall temporary disabled.
Soon will be available the decryption service... Stay with us :)

Cody Johnston
Posts: 158
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Fri Oct 18, 2013 6:09 pm

skgsergio wrote: 103.exe seems less detected yet, is it a new version?
There is nothing new about the binary itself, just crypted the dropper differently.

frame4-mdpro
Posts: 40
Joined: Wed Jul 13, 2011 1:53 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by frame4-mdpro » Fri Oct 18, 2013 6:14 pm

Can someone pls post 103.exe, just missed it :(

TIA.
Anthony

Cody Johnston
Posts: 158
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Fri Oct 18, 2013 6:23 pm

Here you go :)

SHA256: b3530b7519660996d28eb31a8d5b585ec60601843c77dd9f2b712812c99843e4
SHA1: 347b21e94912e99fb312153948d1f2758454e136
MD5: a8e0d4771c1f71709ddb63d9a75dc895
File name: 103.exe
Detection ratio: 32 / 48

https://www.virustotal.com/en/file/b353 ... /analysis/

frame4-mdpro
Posts: 40
Joined: Wed Jul 13, 2011 1:53 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by frame4-mdpro » Fri Oct 18, 2013 6:34 pm

MUCH appreciated :) !!

Cody Johnston
Posts: 158
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Sat Oct 19, 2013 12:05 am

New Crypt from today attached:

SHA256: 136e8991816b958bb76aaf22fefd18194cf78a80e95d572754f95e1f86149a65
SHA1: ea64129f9634ce8a7c3f5e0dd8c2e70af46ae8a5
MD5: f1e2de2a9135138ef5b15093612dd813
Detection ratio: 12 / 47

https://www.virustotal.com/en/file/136e ... /analysis/

servarevitas3
Posts: 1
Joined: Fri Oct 18, 2013 7:52 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by servarevitas3 » Mon Oct 21, 2013 11:08 pm

Anyone have a current sample? The last one posted has all the DNS requests either not resolving or resolving to sinkholes. Is this thing dead?

emc74
Posts: 2
Joined: Sun Oct 20, 2013 9:53 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by emc74 » Tue Oct 22, 2013 6:48 am

Can a more recent file be posted so that I can download and attempt a recovery? Can I check that following the download I just execute the file?

emc74
Posts: 2
Joined: Sun Oct 20, 2013 9:53 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by emc74 » Tue Oct 22, 2013 10:58 pm

I have successfully used the downloaded file here and paid the money and it is working.
