A forum for reverse engineering, OS internals and malware analysis 


Re: CirhashBot

 by tildedennis ¦  Wed Oct 25, 2017 6:14 pm ¦  Forum: Malware ¦  Topic: CirhashBot ¦  Replies: 3 ¦  Views: 16297

this thing has resurfaced: https://twitter.com/dvk01uk/status/898431354873851904. my notes are up at https://www.arbornetworks.com/blog/aser ... -reloaded/, samples attached.

edit: oops, those zip command line options are tricky...added non-empty .zip

Re: Win32/Kasidet (Alias Neutrino bot)

 by tildedennis ¦  Sun Oct 22, 2017 10:29 pm ¦  Forum: Malware ¦  Topic: Win32/Kasidet (Alias Neutrino bot) ¦  Replies: 6 ¦  Views: 16139

https://securelist.com/jimmy-nukebot-fr ... ove/81667/

I've been seeing quite a bit of this variant since the post.

Re: Help identify malware

 by tildedennis ¦  Sun Oct 22, 2017 10:23 pm ¦  Forum: Malware ¦  Topic: Formbook Form Grabber ¦  Replies: 5 ¦  Views: 13476

@moderators maybe we can rename this thread to "Formbook Form Grabber"

Couple of posts:
* https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/
* https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html

I'm starting to see newer versi...

Re: Point-of-Sale malwares / RAM scrapers

 by tildedennis ¦  Sun Oct 22, 2017 10:17 pm ¦  Forum: Malware ¦  Topic: Point-of-Sale malwares / RAM scrapers ¦  Replies: 244 ¦  Views: 864676

LockPoS

https://www.arbornetworks.com/blog/aser ... ins-flock/

I haven't seen much more of this in the wild.

Re: Shamoon - Trojan.Ismdoor / Greenbug

 by tildedennis ¦  Mon May 08, 2017 1:10 pm ¦  Forum: Malware ¦  Topic: Shamoon - Trojan.Ismdoor / Greenbug ¦  Replies: 5 ¦  Views: 15659

The latest Ismdoor samples (attached) have switched to a DNS C2 mechanism:

https://www.arbornetworks.com/blog/aser ... -dns-isms/

Re: Win32/Zeus (alias Zbot)

 by tildedennis ¦  Fri Apr 21, 2017 1:16 pm ¦  Forum: Malware ¦  Topic: Win32/Zeus (alias Zbot) ¦  Replies: 281 ¦  Views: 363903

grab another zeus variant from off the wall: http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data

https://virustotal.com/en/file/6d8ce2d1b33ff42ba04ded09fe79cff158e6dfffa82f6ceada12f4fda6d0c221/analysis/ (attached) has a version of 1.6.8 and the following c2s: hxxp://derqdxnvis.info/...

Re: Nuclear Bot

 by tildedennis ¦  Tue Feb 14, 2017 4:11 pm ¦  Forum: Malware ¦  Topic: Nuclear Bot ¦  Replies: 3 ¦  Views: 15311

statically. they're stored compressed in the dropper and can be carved out and RtlDecompressBuffer'd.

Re: CirhashBot

 by tildedennis ¦  Tue Feb 07, 2017 6:29 pm ¦  Forum: Malware ¦  Topic: CirhashBot ¦  Replies: 3 ¦  Views: 16297

etpro is calling this "snatch loader", but it looks very similar to h1n1 loader based on: http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2 https://www.arbornetworks.com/blog/asert/wp-content/uploads/2015/06/blog_h1n1.pdf the c2s from your post were down for me,...

Nuclear Bot

 by tildedennis ¦  Mon Dec 19, 2016 8:14 pm ¦  Forum: Malware ¦  Topic: Nuclear Bot ¦  Replies: 3 ¦  Views: 15311

dropper: https://www.virustotal.com/en/file/ff83aaa74ec364f4c2403409a28df93ef97e8a61ba79fdb1c94d7081f48e794e/analysis/
main: https://www.virustotal.com/en/file/25a361f297c6d399410b47af5504f4bb2c9327de55168a31154fbee21fa4b186/analysis/
mitb: https://www.virustotal.com/en/file/53af22828a2a1190105c6846...

Re: Win32/Zeus (alias Zbot)

 by tildedennis ¦  Mon Nov 21, 2016 1:06 pm ¦  Forum: Malware ¦  Topic: Win32/Zeus (alias Zbot) ¦  Replies: 281 ¦  Views: 363903

flokibot (mostly zeus 2.0.8.9 + some basic DDoS + basic track 2 memory scraper):
* https://www.flashpoint-intel.com/floki-bot-emerges-new-malware-kit/
* https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/

latest sample that i've seen (attached): https://www.vir...