Malware collection

Forum for analysis and discussion about malware.
Fedor22
Posts: 27
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Malware collection

Post by Fedor22 » Tue Jan 16, 2018 7:35 pm

4 samples of "NIX Video Player" (Win32/InstallCore)
These samples were taken from 4 Russian scum websites:
xxxx://wq.underfongaafui.download/161114/1736/zt6pptz/s37qjl/3799#
xxxx://ydlqn.soogiedsoafm.download/161112/1738/s84y9/dy5js#
xxxx://f.underfongaafui.download/16119/1736/jsqbmbe/794vw4d#
xxxx://pks03.buncezmnwyxadv.download/16114/1738/pkoy61r# (all websites worked)
When you visit one of these sites, a warning is displayed:
"Please install NIX Video Player to continue".
VT: https://www.virustotal.com/en/file/4e19 ... 516130791/ (Nix_Player_3435892897, 5/66)
https://www.virustotal.com/en/file/d117 ... /analysis/ (Nix Player, 17/67)
Nix_Player_0729469623 (5/66)
Nix_Player_1655606335 (5/66)

Fedor22
Posts: 27
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Malware collection

Post by Fedor22 » Sat Jan 20, 2018 4:04 pm

08-07-Homer (I think it's a banker or spyware, but I do not know exactly what it is).
Installed: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <- <appdata>\Local\<08-07-homer.exe>
Sample taken from this website:
xxxx://eiainteriors.com/wp-content/plugins/jetpack/08-07-homer.exe
VT: https://www.virustotal.com/en/file/e36a ... /analysis/
HA: https://www.hybrid-analysis.com/sample/ ... mentId=100

Fedor22
Posts: 27
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Malware collection

Post by Fedor22 » Thu Jan 25, 2018 4:21 pm

Microsoft Toolkit 265 Stable (Gen:Variant.Adware.Rukometa.Symmi.2)
Fake Windows activator. The icon is a ZIP file, but the extension is an exe.
VT: https://www.virustotal.com/en/file/84f8 ... /analysis/

Fedor22
Posts: 27
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Malware collection

Post by Fedor22 » Sun Jan 28, 2018 3:15 pm

WinAPI Calculator (Trojan.PWS.Qqpass.12193 or epfeqo)
A Russian-made fake calculator app that runs looking like the MS calculator but has some extra text, making it very suspicious. This virus steals data and puts files everywhere (registry, C:/, etc.).

Fedor22
Posts: 27
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Malware collection

Post by Fedor22 » Mon Jan 29, 2018 12:51 pm

Fedor22 wrote: WinAPI Calculator (Trojan.PWS.Qqpass.12193 or epfeqo)
A Russian-made fake calculator app that runs looking like the MS calculator but has some extra text, making it very suspicious. This virus steals data and puts files everywhere (registry, C:/, etc.).
VT: https://www.virustotal.com/en/file/1b71 ... /analysis/

ikolor
Posts: 293
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Jan 31, 2018 7:55 pm


markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Sat Feb 03, 2018 9:16 am

vb dropper

SHA-256
02047e45a38b97cb46c0944d3639aa8e9a3e22e77532315ecb436fbf8fc54705
File name
Production_server_specifications.docx.vbs

https://www.virustotal.com/#/file/02047 ... /detection

Antelox
Posts: 204
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Sat Feb 03, 2018 3:25 pm

markusg wrote: vb dropper

SHA-256
02047e45a38b97cb46c0944d3639aa8e9a3e22e77532315ecb436fbf8fc54705
File name
Production_server_specifications.docx.vbs

https://www.virustotal.com/#/file/02047 ... /detection
VBS.Dunihi

C2: hxxp://185.82.203.194:8080/is-ready

More info: https://www.aldeid.com/wiki/1e7700b9e14 ... affb1bd049

BR,

Antelox

ikolor
Posts: 293
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sat Feb 03, 2018 4:42 pm


Fedor22
Posts: 27
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Malware collection

Post by Fedor22 » Sat Feb 03, 2018 5:13 pm

Steam Keys Generator (Backdoor:MSIL/Bladabindi)
Contains the "JavaUpdate" fake copyright. After the key is generated, it changes the autorun value in the registry ("AppData/Roaming/WindowsService.exe", in the registry under both "HKEY_CURRENT_USER" and "HKEY_LOCAL_MACHINE").
Tries to connect to the site: hxxp://gutin123.duckdns.org
VT: https://www.virustotal.com/en/file/4343 ... /analysis/
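Both this post and the 08-07-Homer post above describe the same persistence pattern: a Run value whose command line points at an executable dropped directly into AppData\Local or AppData\Roaming. That pattern is quick to triage from a registry export. The script below is an added example, not code from this thread or from any of the posters. It parses a constructed `reg export`-style dump of the HKCU and HKLM Run keys, recovers the executable path from each value's command line, and flags binaries that sit directly in a user-writable directory or anywhere under a temp folder. The sample dump, the user name alice and the benign entries next to the two reported paths are all constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    key: str     # registry key the value lives under
    name: str    # value name (what Autoruns / Task Manager shows)
    image: str   # executable path recovered from the command line
    reason: str  # why it was flagged


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Locations where a legitimate autostart binary is unusual when it sits
# DIRECTLY inside them; installers normally create a vendor subfolder.
HOT_PARENTS = {
    "<profile>",
    "<profile>\\appdata\\local",
    "<profile>\\appdata\\roaming",
    "<profile>\\downloads",
    "c:\\programdata",
    "c:\\users\\public",
}
# Anything under a temp folder is suspicious at any depth.
HOT_PREFIXES = ("<profile>\\appdata\\local\\temp\\", "c:\\windows\\temp\\")

# Constructed sample: a `reg export`-style dump of both Run keys. The two
# flagged paths mirror the ones reported in the thread (<appdata>\Local\
# 08-07-homer.exe and AppData\Roaming\WindowsService.exe); the user name
# "alice" and the other entries are made up for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"08-07-homer"="C:\\Users\\alice\\AppData\\Local\\08-07-homer.exe"
"WindowsService"="\"C:\\Users\\alice\\AppData\\Roaming\\WindowsService.exe\""
"svc"="%TEMP%\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Program Files\\Vendor\\upd.exe -silent"
"WindowsService"="C:\\Users\\alice\\AppData\\Roaming\\WindowsService.exe"
"""


def unescape_reg(data: str) -> str:
    # .reg files double every backslash and escape embedded quotes as \" ;
    # dropping the escaping backslash undoes both.
    return re.sub(r"\\(.)", r"\1", data)


def image_path(command: str) -> str:
    # Quoted command lines: the executable is everything up to the closing quote.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: accumulate tokens until one ends in .exe, so that unquoted
    # paths containing spaces (C:\Program Files\...) are kept whole.
    parts = []
    for tok in command.split():
        parts.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(parts)


def normalise(path: str) -> str:
    # Lower-case, expand the common environment variables and collapse
    # C:\Users\<name> to <profile> so one rule set covers every user.
    p = path.lower().replace("/", "\\")
    for var, repl in (
        ("%localappdata%", "<profile>\\appdata\\local"),
        ("%appdata%", "<profile>\\appdata\\roaming"),
        ("%temp%", "<profile>\\appdata\\local\\temp"),
        ("%tmp%", "<profile>\\appdata\\local\\temp"),
        ("%userprofile%", "<profile>"),
        ("%windir%", "c:\\windows"),
        ("%systemroot%", "c:\\windows"),
    ):
        p = p.replace(var, repl)
    return re.sub(r"^c:\\users\\[^\\]+", "<profile>", p)


def classify(image: str) -> Optional[str]:
    # Return a reason string if the executable location is suspicious, else None.
    n = normalise(image)
    parent = n.rsplit("\\", 1)[0] if "\\" in n else ""
    if parent in HOT_PARENTS:
        return "executable directly in user-writable directory " + parent
    if n.startswith(HOT_PREFIXES):
        return "executable in a temp directory"
    return None


def scan_reg_export(text: str) -> List[Finding]:
    findings: List[Finding] = []
    key = ""
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if not key.lower().endswith("\\currentversion\\run"):
            continue  # only the Run keys matter for this check
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), unescape_reg(m.group(2))
        img = image_path(data)
        reason = classify(img)
        if reason:
            findings.append(Finding(key, name, img, reason))
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{f.key}] {f.name} -> {f.image}: {f.reason}")
```

On the sample dump this reports 08-07-homer, both WindowsService values and the %TEMP% entry, while OneDrive (vendor subfolder) and the two HKLM system entries pass. The directory heuristic is deliberately narrow; it is a triage filter, not proof of infection, and a real deployment would add an allow-list of known signed autostart binaries.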
