Nuclear Bot

Forum for analysis and discussion about malware.
tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Nuclear Bot

Post by tildedennis » Mon Dec 19, 2016 8:14 pm

dropper: https://www.virustotal.com/en/file/ff83 ... /analysis/
main: https://www.virustotal.com/en/file/25a3 ... /analysis/
mitb: https://www.virustotal.com/en/file/53af ... /analysis/

c2:

Code:

hxxp://85.69.197.19/PanelDark/client.php


Components attached, likely test/development samples.

Peuk420
Posts: 1
Joined: Tue Jan 31, 2017 7:30 pm

Re: Nuclear Bot

Post by Peuk420 » Fri Feb 10, 2017 5:24 pm

What to do with this?

TheExecuter
Posts: 25
Joined: Sat Aug 10, 2013 5:02 pm

Re: Nuclear Bot

Post by TheExecuter » Mon Feb 13, 2017 9:45 am

The main file shouldn't execute properly.
RtlAdjustPrivilege's 4th param is null. It'll crash with an access violation.
How'd you extract the DLLs?

tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Nuclear Bot

Post by tildedennis » Tue Feb 14, 2017 4:11 pm

Statically. They're stored compressed in the dropper and can be carved out and RtlDecompressBuffer'd.
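
The decompression step from the reply above, as an added example that is not part of the thread: a small Python decoder for LZNT1, the format most commonly passed to RtlDecompressBuffer, so a carved blob can be expanded on a non-Windows analysis box without calling ntdll. The thread does not say which compression format the dropper uses, so LZNT1 is an assumption here, and the function names and the sample stream below are constructed for this example.

```python
import struct

LZNT1_SIGNATURE = 0x3000   # bits 12-14 of every chunk header must be 011
CHUNK_COMPRESSED = 0x8000  # bit 15 set: body is LZ-compressed; clear: body is stored raw

def _decompress_chunk(body: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(body):
        flags, i = body[i], i + 1            # one flag byte describes the next 8 tokens
        for bit in range(8):
            if i >= len(body):
                break
            if not (flags >> bit) & 1:       # clear bit: literal byte
                out.append(body[i])
                i += 1
                continue
            if i + 2 > len(body):
                raise ValueError("truncated back-reference token")
            token = struct.unpack_from("<H", body, i)[0]
            i += 2
            # Offset field is 4 bits for the first 16 output bytes, one more each time the decoded size doubles
            shift = max(0, (len(out) - 1).bit_length() - 4)
            length = (token & (0xFFF >> shift)) + 3
            offset = (token >> (12 - shift)) + 1
            if offset > len(out):
                raise ValueError(f"back-reference beyond chunk start at output byte {len(out)}")
            for _ in range(length):          # byte-wise so overlapping runs (offset < length) work
                out.append(out[-offset])
    return bytes(out)

def lznt1_decompress(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:                      # zero header terminates the stream
            break
        if (header & 0x7000) != LZNT1_SIGNATURE:
            raise ValueError(f"bad LZNT1 chunk header 0x{header:04x} at offset {i - 2}")
        size = (header & 0x0FFF) + 1         # low 12 bits hold body length minus one
        body = data[i:i + size]
        if len(body) != size:
            raise ValueError("truncated chunk body")
        i += size
        out += _decompress_chunk(body) if header & CHUNK_COMPRESSED else body
    return bytes(out)

# Constructed stream (not from the sample): a compressed chunk encoding "ABCABCABCABC" as
# literals A, B, C plus a back-reference (offset 3, length 9), then a stored chunk "hello", then end.
SAMPLE_STREAM = b"\x05\xb0\x08ABC\x06\x20" + b"\x04\x30hello" + b"\x00\x00"
```

Point `lznt1_decompress` at a carved region that starts on a chunk header; a header whose signature bits are not 011 is the quickest sign the carve boundary is off.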
