TorrentLocker ransomware


Postby Blaze » Thu Oct 23, 2014 1:57 pm

You do not have the required permissions to view the files attached to this post.
Follow me on Twitter: @bartblaze

Re: TorrentLocker ransomware

Postby ydklijnsma » Thu Oct 30, 2014 2:42 pm

Published an updated blog regarding stats and known C2 servers: http://blog.fox-it.com/2014/10/21/updat ... ansomware/

Re: TorrentLocker ransomware

Postby Blaze » Thu Nov 06, 2014 10:42 pm

Latest one attached.

Re: TorrentLocker ransomware

Postby Grinler » Thu Nov 06, 2014 11:01 pm

Thanks Blaze.

Been looking since last week for the malicious docs that install TorrentLocker.

I have been able to locate a few of these malicious Word docs, but they don't seem to drop a ransomware payload. Instead they were installing downloaders from a variety of sites using the path /js/bin.exe and saving them under names like calc1.exe. Derek (DVK01) felt that the docs' payload is installing downloaders that may eventually install a ransomware, but not initially.

Anyone able to find one that actually installs TorrentLocker as described by the Fox-IT blog?
BleepingComputer.com

Re: TorrentLocker ransomware

Postby Blaze » Thu Nov 06, 2014 11:15 pm

Haven't been able to locate any of the DOC files. Attached some alleged droppers as well, but can't test myself now unfortunately.

Cheers!

Re: TorrentLocker ransomware

Postby Mosh » Thu Mar 12, 2015 3:52 pm

Friends, FYI I found this on 100.42.62.205 (US).
nyxbone.com
Twitter: @nyxbone

Re: TorrentLocker ransomware

Postby sysopfb » Thu Feb 11, 2016 10:09 pm

What people are calling Teerac, and what AV is calling Win32.Teerac, is just a variant of TorrentLocker that matches the reports from welivesecurity.com and the Fox-IT blog post, with the exception of an additional subdomain generation based on a hardcoded domain.

They usually resolve to the same IP as the hardcoded domain, though I didn't see that mentioned in a report (correct me if I'm wrong).
Example:
oduqaw.vjivebilan.org (31.170.104.60)
egfz.vjivebilan.org (31.170.104.60)
agusel.vjivebilan.org (31.170.104.60)
opaqiqqpaw.vjivebilan.org (31.170.104.60)
oqtsmfoz.vjivebilan.org (31.170.104.60)
yqaqoq.vjivebilan.org (31.170.104.60)
ykezovaniri.vjivebilan.org (31.170.104.60)
ifttirygema.vjivebilan.org (31.170.104.60)
abpcyla.vjivebilan.org (31.170.104.60)
ibijopy.vjivebilan.org (31.170.104.60)


I went through a few samples confirming most of what I had read with regard to the code reuse from HesperBot and the Outlook and SMTP server information theft using MAPI via COM.

Whitepaper is attached, but I didn't check it over much, so if anyone sees something that needs fixing let me know.

Sample hash list:
89edb283b3a3c892cb8ed7fa893aff5f36982fc3f4657c3b0723351212ded3e6
c4928426873726e4eeb341aaea33d07f41cef58193eb1655bfe1ee6a97afd4c8
2c6b46b60b4ddb5e75a45a9ba2e57a60a1d95bd798bac6b3036ecde237dddb74
56cbf1281a50e0082a1db873bec0097b61c6074152d40598f73c094d37674ea6
6ef7c2cd280b17ea104f7c9c75711992176bb2b854424b779e6da7becda8d998
43d0b93f825a60c676eeab175cc11eea07f1b598bee08bf57d99c64f41a9b8c6
580c61c84d588f32b0cb6b4203cf5918a0c63a15b1529d5ea0ba105b59ab4373
7db8759c7260b71866d896c9a381f47b8d7e452aea3d1d8aab41e38085ccfb70
fe17addfb458cf66f4a922f342baf4337ec33e9e1aa3b715ec94e676ca74417b
c9e9f81c9438ea7a062b41bbb1c121f88b6a372c4eb15030c50a3f16b714b62d
3c38e1e5956c2a9f6fe4f33d52d5c1ddbdc2e43abeda25b16f7ae4aa7eaa610f
f5f7cb83a8f229b96a39f2be7a686fdecd717f2519ffe5b62bc98ff439b6f583
545f991909341b92702a0aa2aa18c4ccceefad207af2180aeed24f5c1b346037


Observed C2 domains:
megezawone.net
vodleklina.org
pyjtoxoyr.org
ioytoxpaire.net
kdiertyjoxeg.com
vjivebilan.org
jgiwoxoqlwez.com
rygzatyee.com
asoijaisojais.net
nemexcikx.net
kheoyostowe.net
lderktdfphje.net


Observed C2 ips:
31.170.104.60
188.225.34.221
80.78.253.130
91.214.114.122
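The practical consequence of the post above is that an exact-hostname blocklist misses this family: each sample generates fresh random subdomains under a hardcoded parent domain, so detection has to match on the registered domain (and, as the post notes, on the shared answer IP). The following is an added example, not code from the post or from any of the linked reports: a small DNS-log matcher that takes the C2 domains and IPs listed in the post, reduces each queried name to its registered domain before comparing, and also flags any name that resolves to one of the listed IPs. The log format ("query: NAME IN A -> IP") and the log lines themselves are constructed for the example, the example.com answer address is made up, and the two-label "registered domain" shortcut is an assumption that is adequate for the .com/.net/.org names here but would need the public suffix list in a real tool.

```python
"""
Matcher for the TorrentLocker/Teerac C2 indicators posted above.
Added example: log lines and their format are constructed, not observed data.
"""
import ipaddress
import re

# C2 domains and IPs exactly as listed in the post above.
C2_DOMAINS = {
    "megezawone.net", "vodleklina.org", "pyjtoxoyr.org", "ioytoxpaire.net",
    "kdiertyjoxeg.com", "vjivebilan.org", "jgiwoxoqlwez.com", "rygzatyee.com",
    "asoijaisojais.net", "nemexcikx.net", "kheoyostowe.net", "lderktdfphje.net",
}
C2_IPS = {
    ipaddress.ip_address(a)
    for a in ("31.170.104.60", "188.225.34.221", "80.78.253.130", "91.214.114.122")
}


def registered_domain(host):
    """Reduce a hostname to its last two labels.

    Assumption for this example: two labels is the registered domain. That holds
    for the .com/.net/.org names above; a production tool should use the public
    suffix list so that e.g. co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def classify_query(qname, answer_ip=None):
    """Return the list of reasons a query/answer pair matches the C2 indicators.

    An empty list means no match. Matching is done on the registered domain so
    that the randomly generated subdomains (oduqaw.vjivebilan.org, ...) hit the
    same indicator as the hardcoded parent domain.
    """
    reasons = []
    parent = registered_domain(qname)
    if parent in C2_DOMAINS:
        if qname.lower().rstrip(".") != parent:
            reasons.append("generated subdomain of C2 domain %s" % parent)
        else:
            reasons.append("C2 domain %s" % parent)
    if answer_ip is not None:
        try:
            if ipaddress.ip_address(answer_ip) in C2_IPS:
                reasons.append("resolves to C2 IP %s" % answer_ip)
        except ValueError:
            pass  # not an IP literal (e.g. NXDOMAIN marker); ignore
    return reasons


# Constructed log format (assumption): "... query: NAME IN A -> ANSWER_IP".
# Only A records are considered; AAAA lines simply do not match.
LOG_LINE = re.compile(r"query:\s+(?P<qname>\S+)\s+IN\s+A\b(?:\s+->\s+(?P<ip>\S+))?")


def scan_log(lines):
    """Return [(qname, reasons), ...] for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        reasons = classify_query(m.group("qname"), m.group("ip"))
        if reasons:
            hits.append((m.group("qname"), reasons))
    return hits


# Constructed sample log. The last line is a deliberate near-miss: the C2 domain
# appears as a substring but the registered domain is example.com, so naive
# substring matching would false-positive here while suffix matching does not.
SAMPLE_LOG = [
    "12-Feb-2016 10:01:02 client 10.0.0.5#51234: query: www.example.com IN A -> 93.184.216.34",
    "12-Feb-2016 10:01:07 client 10.0.0.5#51240: query: oduqaw.vjivebilan.org IN A -> 31.170.104.60",
    "12-Feb-2016 10:01:09 client 10.0.0.5#51241: query: vjivebilan.org IN A -> 31.170.104.60",
    "12-Feb-2016 10:01:15 client 10.0.0.7#40001: query: cdn.notlisted.net IN A -> 188.225.34.221",
    "12-Feb-2016 10:01:20 client 10.0.0.7#40002: query: vjivebilan.org.example.com IN A -> 10.1.1.1",
]

if __name__ == "__main__":
    for qname, reasons in scan_log(SAMPLE_LOG):
        print("%-30s %s" % (qname, "; ".join(reasons)))
```

The third sample hit (cdn.notlisted.net) is the case the post is getting at: a name that is not on any domain list but answers with a known C2 address, which is why the IP list is worth keeping alongside the domain list even though the IPs will rotate faster.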

Re: TorrentLocker ransomware

Postby xors » Tue Jun 14, 2016 1:16 pm

One more
@xorsthings

Re: TorrentLocker ransomware

Postby xors » Sat Jun 18, 2016 8:13 pm

One more. Uploaded on VirusTotal yesterday.

Re: TorrentLocker ransomware

Postby xors » Tue Jun 21, 2016 11:18 am

Found one more today.