Malware collection

Forum for analysis and discussion about malware.
ikolor
Posts: 298
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Feb 21, 2018 4:41 pm


Antelox
Posts: 227
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Thu Feb 22, 2018 8:13 am

Geodo/Emotet doc downloader.
Download this: https://www.virustotal.com/en/file/a267 ... /analysis/

BR,

Antelox

tomatto007
Posts: 24
Joined: Fri Mar 19, 2010 8:16 pm

Re: Malware collection

Post by tomatto007 » Fri Feb 23, 2018 6:06 am

Antelox wrote:
Geodo/Emotet doc downloader.
Download this: https://www.virustotal.com/en/file/a267 ... /analysis/

BR,

Antelox
FILES ADDED:
%LOCAL APPDATA%\MICROSOFT\WINDOWS\ISONET.EXE

VALUES ADDED:
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ISONET: "%LOCAL APPDATA%\MICROSOFT\WINDOWS\ISONET.EXE"

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Wed Feb 28, 2018 8:07 pm

17 / 67
17 engines detected this file

SHA-256
26e96ea13983d78ea52d318e018ece4b973fbf2181eb2915fe9fa9abe3f182fd
File name
CHEAT.EXE
https://www.virustotal.com/#/file/26e96 ... fd/details

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Fri Mar 02, 2018 11:45 pm

Download & Extract Here.exe
SHA-256
f54a78aa6d90eaa44a0cd757f90e649219207150f2c89ae0431bae150a1d6268
https://www.virustotal.com/#/file/f54a7 ... 68/details
miner?

tomatto007
Posts: 24
Joined: Fri Mar 19, 2010 8:16 pm

Re: Malware collection

Post by tomatto007 » Sat Mar 03, 2018 10:37 am

markusg wrote:
Download & Extract Here.exe
SHA-256
f54a78aa6d90eaa44a0cd757f90e649219207150f2c89ae0431bae150a1d6268
https://www.virustotal.com/#/file/f54a7 ... 68/details
miner?
FILES ADDED:
%COMMON APPDATA%\SRSLABS\CMD.EXE
%COMMON APPDATA%\SRSLABS\CONFIG.JSON
%COMMON APPDATA%\SRSLABS\CONHOST.EXE
%COMMON APPDATA%\SRSLABS\WSCRIPTTARGET.EXE
%STARTUP%\MICROHOSTLAB.LNK (start conhost.exe)
%STARTUP%\SOFTCONTROL.LNK (start cmd.exe)

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Sat Mar 03, 2018 8:45 pm

SHA-256
ca03c5af1ae8b1cd14e952a9906803f91cd93ec545f377092b8a5cfeab66b4cd
File name
download-lsassexe-windows-7.exe
https://www.virustotal.com/#/file/ca03c ... /detection

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Sun Mar 04, 2018 12:32 am

SHA-256
8cd0e931d1de457839fe074ee0819dee78fcd61e1983ea80c7bd7b16f696eb80
File name
ExtremeHack.exe
https://www.virustotal.com/#/file/8cd0e ... /detection

benkow_
Posts: 83
Joined: Sat Jan 24, 2015 12:14 pm

Re: Malware collection

Post by benkow_ » Sun Mar 04, 2018 9:22 am

markusg wrote:
SHA-256
8cd0e931d1de457839fe074ee0819dee78fcd61e1983ea80c7bd7b16f696eb80
File name
ExtremeHack.exe
https://www.virustotal.com/#/file/8cd0e ... /detection
Another miner that has been spreading for some weeks:

ftp://progerman:ivivad9x@82.202.231.21
{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,                // algorithm variation, 0 auto select
    "background": false,    // true to run the miner in the background
    "colors": true,         // false to disable colored output    
    "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": 1,   // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 1,      // donate level, minimum 1%
    "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 30,    // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.  
    "print-time": 60,       // print hashrate report every N seconds
    "retries": 5,           // number of times to retry before switch to backup server
    "retry-pause": 5,       // time to pause between retries
    "safe": false,          // true to safe adjust threads and av settings for current CPU
    "threads": 1,        // number of miner threads
    "pools": [
        {
            "url": "progerman.ru:90",   // URL of mining server
            "user": "cpu",                        // username for mining server
            "pass": "cpu",                       // password for mining server
            "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
            "nicehash": true                  // enable nicehash/xmrig-proxy support
        }
    ],
    "api": {
        "port": 0,                             // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,                  // access token for API
        "worker-id": null                      // custom worker-id for API
    }
}
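
An added, defender-side example (not code from benkow_'s post or from the xmrig project): the config above is JSON with // comments, which json.loads rejects, so this strips the comments outside string literals and then pulls out the pool endpoint, credentials and stealth settings an analyst would pivot on. The sample config, pool host and log path below are constructed placeholders, not the values from the post.

```python
import json
import re

# Constructed sample in the same JSON-with-//-comments shape as the posted xmrig
# config; the pool host and log path are placeholders, not values from the thread.
SAMPLE_CONFIG = r'''{
    "algo": "cryptonight",           // cryptonight (default) or cryptonight-lite
    "background": true,              // run hidden: a setting worth flagging
    "log-file": "//share/xmrig.log", // a "//" inside a string is not a comment
    "max-cpu-usage": 30,             // throttled so the host stays responsive
    "pools": [
        {
            "url": "pool.example.invalid:90",   // URL of mining server
            "user": "cpu",                      // username for mining server
            "pass": "cpu"                       // password for mining server
        }
    ]
}'''

# A JSON string literal is matched first, so "//" inside one is never a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_line_comments(text: str) -> str:
    """Drop // comments outside string literals; newlines are kept so error lines stay meaningful."""
    return _STRING_OR_COMMENT.sub(
        lambda m: "" if m.group(0).startswith("//") else m.group(0), text)

def parse_xmrig_config(text: str) -> dict:
    """json.loads rejects the commented file as posted; strip comments first."""
    return json.loads(strip_line_comments(text))

def extract_indicators(cfg: dict) -> dict:
    """Fields a defender pivots on: pool endpoints/credentials and stealth knobs."""
    pools = []
    for pool in cfg.get("pools", []):
        url = pool.get("url", "")
        host, sep, port = url.rpartition(":")
        if not sep:                      # bare host with no port
            host, port = url, ""
        pools.append({"host": host, "port": int(port) if port.isdigit() else None,
                      "user": pool.get("user"), "pass": pool.get("pass")})
    return {"pools": pools, "background": cfg.get("background", False),
            "max_cpu_usage": cfg.get("max-cpu-usage")}

if __name__ == "__main__":
    print(json.dumps(extract_indicators(parse_xmrig_config(SAMPLE_CONFIG)), indent=2))
```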

Fedor22
Posts: 30
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Malware collection

Post by Fedor22 » Sun Mar 04, 2018 3:44 pm

Fake Chrome (Trojan:Win32/Skeeyah.A!rfn)
Dropped in:
C:\Users\*username*\AppData\Roaming\WebBrowser.exe
Changes the autorun value in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
URL:
xxxx://campinglesamis.com/wpscripts/Chrome%20Hijacker.exe
VT (55/67): https://www.virustotal.com/en/file/d569 ... /analysis/
