Malware collection

Forum for analysis and discussion about malware.
markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Fri Jul 14, 2017 7:25 am

Open directory.
An exploit and other malware.


http://no2ro.com/17tes.doc
http://no2ro.com/gibsoncrypter.zip
http://no2ro.com/gibtest.exe
http://no2ro.com/kasati.exe
http://no2ro.com/test.hta
SHA256:
0305c67f80b56dc3b27ab2b27348862880bc23517ddce74e87a4a6fdcd2f0b9f
Filename:
17tes.doc
Detection rate:
19 / 57
https://www.virustotal.com/de/file/0305 ... 500015953/

I unpacked gibsoncrypter.zip; here are the results for the 2 exe files:
SHA256:
18cae9f4f96d356db18924b182843e27e0759ef95422c1156e3588bfd60985a2
Filename:
BalloonFastBuilder.exe
Detection rate:
1 / 63
https://www.virustotal.com/de/file/18ca ... 500016117/
SHA256:
454d6d2bc3603106bbdb151cf61ab50bfbe5cc63dc4d9a1da7c899b7c7e6e32a
Filename:
stub.exe
Detection rate:
21 / 63
https://www.virustotal.com/de/file/454d ... 500016198/
SHA256:
dc39f1371bbb11f724fb9bb00cbe0a00b83f6cf4dbd6e60ae31bd3d82d383f9a
Filename:
gibtest.exe
Detection rate:
17 / 62
https://www.virustotal.com/de/file/dc39 ... 500016401/
SHA256:
339764b340b4c70a02835054993c13d7a2562b8ced06168ae1318ebc0c52680e
Filename:
kasati.exe
Detection rate:
28 / 62
https://www.virustotal.com/de/file/3397 ... 500016841/

markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Fri Jul 14, 2017 7:29 am

You do not have the required permissions to view the files attached to this post.

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Fri Jul 14, 2017 8:51 am

What is this, some scanner from Japan?

http://45.77.23.20




Antelox
Posts: 154
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: Malware collection

Post by Antelox » Fri Jul 14, 2017 9:47 am

ikolor wrote: What is this, some scanner from Japan?

http://45.77.23.20
Check this one: https://ivre.rocks/

BR,

Antelox

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Fri Jul 14, 2017 4:49 pm

Sorry to ask, but can this scanner show real malware code? And is this a malware script?

https://quttera.com/detailed_report/mswia.gov.pl

mswia.gov.pl/pl/batony/785%2CBezpieczny-Autobus-sprawdz-informacje-o-autobusie-lub-autokarze.html


function getCookie(d){var b=d+"=";var a=document.cookie.split(";");for(var e=0;e<a.length;e++){var f=a[e].trim();if(f.indexOf(b)==0){return f.substring(b.length,f.length)}}return"false"}function deleteCookie(a){document.cookie=a+"=;expires=Thu, 01 Jan 1970 00:00:01 GMT;"}function confirmAgeement(){var a=getCookie("cookie_agree");if(a==1){document.getElementById("cookie_agree").style.display="none"}else{document.getElementById("cookie_agree").style.display="block"}}function isCookieEnabled(){setCookie("cookie_enabled","true");var a=getCookie("cookie_enabled");if(a=="true"){document.getElementById("show-cookies-disabled-div").style.display="none"}else{document.getElementById("show-cookies-disabled-div").style.display="block"}}function hideYouTube(){document.getElementById("you-tube-i-frame").style.display="none"}function showYouTube(){document.getElementById("you-tube-i-frame").style.display="block"}function showLoaderImage(){var a=document.getElementById("_bezpiecznyautobusportlet_WAR_bezpiecznyautobuspor

ikolor
Posts: 276
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Fri Jul 14, 2017 8:37 pm

An interesting hunt today. The first was this script, which does not allow you to go back in the browser; Firefox has problems getting away from it. The second is a website and software which I noticed porn website owners use. I don't know why. Thanks.
https://crystal-scripts.com/


http://s-iwantyou.com/?crq=1tzRyaKTW6aml5%2FTzZHJk6mfopmP2ZKK0ZOjnXGizonW1tFvnaqoooeWoomXeFpoepvQ1tHc2aSYZJehz4iTqople5dZZaaVlJuVV2dsl1eVp5SalVdnbKdkh5allZxibGdoZJTCkZzEZGttbGfBmpGVmWaYbW2UxZmZnZ1XZ2ynY4eWpZuVWJelcX6UlNe90p6okIuE0sbOus%2BWeG5ZZKjHuNDQgomZq3zPqdG%2BqWKuhJ6VlrG0vpWWfaKrgraszsXPYq5cpKTH18mhlmdlZmRolJuWnQ%3D%3D

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Contact:

Re: Malware collection

Post by Cody Johnston » Sat Jul 15, 2017 4:09 am

ikolor wrote: Sorry to ask, but can this scanner show real malware code? And is this a malware script?

https://quttera.com/detailed_report/mswia.gov.pl

mswia.gov.pl/pl/batony/785%2CBezpieczny-Autobus-sprawdz-informacje-o-autobusie-lub-autokarze.html


function getCookie(d){var b=d+"=";var a=document.cookie.split(";");for(var e=0;e<a.length;e++){var f=a[e].trim();if(f.indexOf(b)==0){return f.substring(b.length,f.length)}}return"false"}function deleteCookie(a){document.cookie=a+"=;expires=Thu, 01 Jan 1970 00:00:01 GMT;"}function confirmAgeement(){var a=getCookie("cookie_agree");if(a==1){document.getElementById("cookie_agree").style.display="none"}else{document.getElementById("cookie_agree").style.display="block"}}function isCookieEnabled(){setCookie("cookie_enabled","true");var a=getCookie("cookie_enabled");if(a=="true"){document.getElementById("show-cookies-disabled-div").style.display="none"}else{document.getElementById("show-cookies-disabled-div").style.display="block"}}function hideYouTube(){document.getElementById("you-tube-i-frame").style.display="none"}function showYouTube(){document.getElementById("you-tube-i-frame").style.display="block"}function showLoaderImage(){var a=document.getElementById("_bezpiecznyautobusportlet_WAR_bezpiecznyautobuspor
This does not look like it does anything malicious to me. Probably a false positive. Also, following that link for me just redirects to the main page of the site.

The first part just tries to find out whether a key/value pair exists in the cookie.

The second part is for deleting a cookie and just sets the expiry date to 1970.

The third part checks whether some agreement on the site has been agreed to.

The fourth part decides whether to show a message telling you to enable cookies if they are disabled.

The fifth part hides/shows an iframe for a YouTube video, apparently. (This is probably the part they are detecting.)

The sixth part seems to show an image but is cut off, so I can't see the rest.

heart888
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm

Re: Malware collection

Post by heart888 » Fri Jul 21, 2017 5:12 am

You do not have the required permissions to view the files attached to this post.

Antelox
Posts: 154
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: Malware collection

Post by Antelox » Fri Jul 21, 2017 10:55 am

This is NemucodAES ransomware, a multipurpose JavaScript malware capable of encrypting files (the last variant uses AES-128) as well as downloading other malware families (usually Kovter).

BR,

Antelox

markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Sat Jul 22, 2017 3:00 am

from this pastebin account


https://pastebin.com/u/MIcrosofts
the R2 paste
SHA256:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327
Filename:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327....
Detection rate:
11 / 56
https://www.virustotal.com/de/file/d0c8 ... 500688070/

It loads this exe:


http://store4.up-00.com/2017-07/150054074583631.png
https://www.virustotal.com/en/file/c460 ... /analysis/
