A forum for reverse engineering, OS internals and malware analysis 


Re: Malware collection

 by nullptr ¦  Fri Jul 08, 2016 3:52 am ¦  Forum: Malware ¦  Topic: WinNT/Ursnif (alias ISFB/Gozi) ¦  Replies: 50 ¦  Views: 68296

Ransom Shade/Troldesh listed above targets the following extensions: wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb|xltm|xlt|xlam|xla|mdb|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xl...

Re: Malware collection

 by nullptr ¦  Thu Jul 07, 2016 2:14 pm ¦  Forum: Malware ¦  Topic: WinNT/Ursnif (alias ISFB/Gozi) ¦  Replies: 50 ¦  Views: 68296

ikolor wrote: Please comment on what it is!!!
The one named "sprawa 07072016 t_fdp.rar" is Win32/Ursnif.HP according to MS. Unpacked attached.
The other one is Ransom Shade aka Troldesh. Also attached.

Re: Hooking usage of DLL function

 by nullptr ¦  Sun Dec 13, 2015 1:55 pm ¦  Forum: User-Mode Development ¦  Topic: Hooking usage of DLL function ¦  Replies: 17 ¦  Views: 34094

The jumps are hard-coded for 32-bit. It would be better if the code took into account the different size of a pointer; that way compilation for 32-bit and 64-bit should be able to use the same code. e.g. Instead of: extern "C" __declspec(naked) void __stdcall __E__0__() { __asm { jmp p[0 * 4]; } } Yo...
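Added example, not the poster's code nor the proxy DLL under discussion: a C model of the jump table those naked stubs go through, with constructed stand-in exports (Add, Sub, Mul) in place of the real GetProcAddress results. It compares the byte offset a stub compiled as `jmp p[i * 4]` would use against one scaled by `sizeof(void *)`, so that on a 64-bit build you can see which slots the hard-coded version actually lands on.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the exports a proxy DLL forwards. In the real
 * DLL these are the addresses GetProcAddress returns from the genuine module. */
static int real_add(int a, int b) { return a + b; }
static int real_sub(int a, int b) { return a - b; }
static int real_mul(int a, int b) { return a * b; }

typedef int (*fn2_t)(int, int);

#define NSLOTS 3
static const char *names[NSLOTS] = { "Add", "Sub", "Mul" };  /* export names (constructed) */
static void *p[NSLOTS];                                    /* the table the stubs jump through */

/* Stand-in for the GetProcAddress loop that fills p[] at load time. */
static void fill_table(void) {
    static const fn2_t real[NSLOTS] = { real_add, real_sub, real_mul };
    for (int i = 0; i < NSLOTS; i++) p[i] = (void *)real[i];
}

/* Byte offset a stub for slot i reaches into the table with.
 *   hard-coded: i * 4, as in `jmp p[i * 4]`  -- only right when a pointer is 4 bytes
 *   portable:   i * sizeof(void *)            -- right on both 32-bit and 64-bit builds */
size_t offset_hardcoded(int i) { return (size_t)i * 4; }
size_t offset_portable(int i)  { return (size_t)i * sizeof(void *); }

/* The pointer a stub would jump to, given the byte offset it was compiled with.
 * memcpy keeps the read well-defined even when the offset is misaligned. */
static void *target_at(size_t off) {
    void *t;
    if (off + sizeof(void *) > sizeof p) return NULL;   /* off the end of the table */
    memcpy(&t, (const unsigned char *)p + off, sizeof t);
    return t;
}

/* 1 if the stub for slot i lands on the export it was meant to forward. */
int stub_is_correct(int i, size_t (*offset)(int)) {
    fill_table();
    return target_at(offset(i)) == p[i];
}

/* Dispatch slot i through the portable offset, as a correct stub would. */
int forward(int i, int a, int b) {
    fill_table();
    return ((fn2_t)target_at(offset_portable(i)))(a, b);
}

int main(void) {
    for (int i = 0; i < NSLOTS; i++)
        printf("%s: hard-coded offset %s, portable offset %s\n", names[i],
               stub_is_correct(i, offset_hardcoded) ? "ok" : "WRONG",
               stub_is_correct(i, offset_portable)  ? "ok" : "WRONG");
    printf("Mul(6,7) via table = %d\n", forward(2, 6, 7));
    return 0;
}
```

On a 64-bit build slot 2's hard-coded offset (8) is exactly one pointer in, so the Mul stub silently forwards to Sub; slot 1 reads straddling two entries and jumps to garbage. Note that the same-source goal has a second obstacle the post does not mention: the x64 MSVC compiler has no `__asm` block, so the naked stubs themselves need a separate .asm module (or a linker export forwarder) for the 64-bit build even once the offsets are pointer-size aware.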

Re: Hooking usage of DLL function

 by nullptr ¦  Sun Dec 13, 2015 10:59 am ¦  Forum: User-Mode Development ¦  Topic: Hooking usage of DLL function ¦  Replies: 17 ¦  Views: 34094

Are you replacing the 32 bit dll in the syswow64 directory?

Re: Malware collection

 by nullptr ¦  Sun Dec 13, 2015 8:10 am ¦  Forum: Malware ¦  Topic: Downloader:Win32/Nitol ¦  Replies: 21 ¦  Views: 24620

ikolor wrote:next

https://www.virustotal.com/en/file/6fe5 ... 449939246/
Yet another Muldrop, with Nitol.B + Waledac. Waledac downloads a Muldrop with Nitol.B + Kelihos.F.

Re: TeslaCrypt ransomware

 by nullptr ¦  Sat Nov 14, 2015 11:46 am ¦  Forum: Malware ¦  Topic: TeslaCrypt ransomware ¦  Replies: 58 ¦  Views: 90034

TeslaCrypt
MD5 d7575e4455e4d805fd29effb43591454
SHA-1 ce9a91c24aad1ec93936d9ba7203de84ae2b94c7

Original + Decrypted.

TeslaCrypt_pwm.zip

Re: Malware collection

 by nullptr ¦  Mon Nov 02, 2015 4:53 am ¦  Forum: Malware ¦  Topic: Downloader:Win32/Nitol ¦  Replies: 21 ¦  Views: 24620

next
https://www.virustotal.com/en/file/c366 ... 446393067/
Another Muldrop, this time with the usual Nitol + some Waledac variant.
Both attached.

Re: Malware collection

 by nullptr ¦  Thu Oct 22, 2015 2:58 pm ¦  Forum: Malware ¦  Topic: Win32/Kelihos (+Waledac downloader) ¦  Replies: 94 ¦  Views: 131936

ikolor wrote:next...
https://www.virustotal.com/en/file/a259 ... 445521339/
Likely another Kelihos variant. I'll look further in the morning.

Re: Malware collection

 by nullptr ¦  Thu Oct 22, 2015 2:56 pm ¦  Forum: Malware ¦  Topic: Win32/Kelihos (+Waledac downloader) ¦  Replies: 94 ¦  Views: 131936

ikolor wrote:next
https://www.virustotal.com/en/file/626e ... 445520410/
This looks like a Kelihos variant.

Re: [PoC] Bypassing UM Hooks By Bruteforcing Intel Syscalls

 by nullptr ¦  Sat Aug 22, 2015 2:20 am ¦  Forum: User-Mode Development ¦  Topic: [PoC] Bypassing UM Hooks By Bruteforcing Intel Syscalls ¦  Replies: 9 ¦  Views: 21613

kerpow1 wrote:Nice release but "standard pw" doesn't give much clue.
pw: infected
