A forum for reverse engineering, OS internals and malware analysis 


Re: Ordinypt Wiper

 by p1nk ¦  Tue Feb 20, 2018 1:54 am ¦  Forum: Malware ¦  Topic: Ordinypt Wiper ¦  Replies: 1 ¦  Views: 5106

Solid report. Here is the dumped sample

Re: Trojan-Spy.Win32.TeleBot.a

 by p1nk ¦  Tue Feb 20, 2018 1:21 am ¦  Forum: Malware ¦  Topic: Trojan-Spy.Win32.TeleBot.a ¦  Replies: 1 ¦  Views: 2886

Damn. The author really wanted to make sure they have coverage for all systems: if (platform == PlatformID.Win32NT) { byte wProductType = oSVERSIONINFOEX.wProductType; switch (major) { case 3: text = "Windows NT 3.51"; break; case 4: {

Re: Quant Loader

 by p1nk ¦  Sun Dec 24, 2017 2:26 am ¦  Forum: Malware ¦  Topic: Quant Loader ¦  Replies: 4 ¦  Views: 18083

Another http://vxvault.net/ViriList.php?MD5=93E7242DF7499BE3205796CE12FB1A88 https://www.virustotal.com/en/file/64993f36b42e1c9d3193909c73a77fa38b5247154d87bd970a0918641c9ee7a2/analysis/1513937952/ There is a bit more on that host: http://malshare.com/search.php?query=193.124.117.153 Also includes ...

Re: Quant Loader

 by p1nk ¦  Sun Dec 24, 2017 1:11 am ¦  Forum: Malware ¦  Topic: Quant Loader ¦  Replies: 4 ¦  Views: 18083

Initial sample beacons out to:
- flyradiator.com (91.218.114.29)
- xoofertukawww.com
- roompokdatastatus.su

URL: http://flyradiator.com/qwanter/data.php?id=34091500&c=1&mk=98e4fe

/flyradiator.com/ was flagged in https://www.gaviotta.com/single-post/2016/08/22/Gozi-Financial-Malware-Puts-the-Boots-On

Re: Trojan Korplug

 by p1nk ¦  Tue Aug 22, 2017 12:40 am ¦  Forum: Completed Malware Requests ¦  Topic: Trojan Korplug ¦  Replies: 1 ¦  Views: 4161

Attached.

Re: EREBUS LINUX/Win Ransomware

 by p1nk ¦  Sat Jun 17, 2017 1:47 am ¦  Forum: Malware ¦  Topic: EREBUS LINUX/Win Ransomware ¦  Replies: 2 ¦  Views: 8849

Screenshot from 2017-06-16 21-45-41.png (screenshot of the message). Also dumped the config from one of the Linux samples:

{ "i" : "B0884334", "c" : [ { "bu" : "/", "tg" : "216.126.224.128/24", "t" : 3 } ], "p" : "6V5LvugJGoKeCppKe0duIM2sV0", "cts" : 36, "a" : "[{\"d\":\"<html><head> <style> body { f...

Re: EREBUS LINUX/Win Ransomware

 by p1nk ¦  Sat Jun 17, 2017 1:16 am ¦  Forum: Malware ¦  Topic: EREBUS LINUX/Win Ransomware ¦  Replies: 2 ¦  Views: 8849

PDB paths:

I:\projects\Erebus\Boost\boost/filesystem/operations.hpp
I:\projects\Erebus\crypto\modes.h
I:\projects\Erebus\Boost\boost/smart_ptr/shared_ptr.hpp

Contains a Tor onion address: erebus5743lnq6db.onion

Re: TerrorEK

 by p1nk ¦  Tue Mar 28, 2017 12:51 am ¦  Forum: Malware ¦  Topic: TerrorEK ¦  Replies: 3 ¦  Views: 11197

8603 hits

Does anyone have payloads it was spreading?

SynthLoader

 by p1nk ¦  Mon Jan 16, 2017 12:07 am ¦  Forum: Malware ¦  Topic: SynthLoader ¦  Replies: 0 ¦  Views: 5373

Props to @Benkow_ for this find also. Not sure if anyone has another name for it. https://www.virustotal.com/en/file/15c1b863000417a13f96b6fa4dbe9d22da93f63a643c02d917ab09eaabc06e4a/analysis/ Strings are base64 encoded then: def decode( instr, key): for index, byte in enumerate( instr[:-2] ): out +=...

Re: This guys are funny

 by p1nk ¦  Sun Jan 15, 2017 8:55 pm ¦  Forum: General Discussion ¦  Topic: This guys are funny ¦  Replies: 1 ¦  Views: 5349

Reported sample: https://www.virustotal.com/en/file/d9507c83cde125a881c896b7988347db42e8864414706d0c5389c64a894e6feb/analysis/ Message: string text = "Hello, I'm nice Jigsaw or more commonly known as Jigsaws twin.\n\nUnfortunately all of your personal files (pictures, documents, etc...) have been en...