A forum for reverse engineering, OS internals and malware analysis 


Re: Winlocker.VB6.Blacksod

 by slipstream- ¦  Wed Aug 03, 2016 8:19 pm ¦  Forum: Malware ¦  Topic: Winlocker.VB6.Blacksod ¦  Replies: 3 ¦  Views: 6450

Next blacksod.

Advanced Installer dropper. Contacts hxxp://recoverpcerror.com/ar/pro/5490.html and has a nice cmd.exe button (you need to click in the first form to get to it). Number to call: 1-866-933-5490

Re: Winlocker.VB6.Blacksod

 by slipstream- ¦  Fri Jul 22, 2016 4:17 pm ¦  Forum: Malware ¦  Topic: Winlocker.VB6.Blacksod ¦  Replies: 3 ¦  Views: 6450

New blacksod.

Advanced Installer dropper, contacts hxxp://gmusicplayer.com/july0678.html and hxxp://recoverpcerror.com/me/july0678.html, has a nice cmd.exe button, number to call: 1-844-307-0678

Note same number as earlier instance, but different callback URLs.


 by slipstream- ¦  Sun Jul 17, 2016 9:13 pm ¦  Forum: Malware ¦  Topic: Winlocker.VB6.Blacksod ¦  Replies: 3 ¦  Views: 6450

Indian winlocker trash, fakes a BSOD or product key screen, tries to get the user to call fake tech support. Some have a nice button to run cmd.exe, some do not. All are linked via dropper method (Advanced Installer), or via callback URL (to notify successful install only). I called this family "VB6.black...

Re: UACMe - Defeating Windows User Account Control

 by slipstream- ¦  Fri Jul 08, 2016 11:32 am ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 440839

Absolutely hilarious. Similar to a privesc I found in a service provided with an unnamed application, where it LoadLibrary()s an attacker-controlled path... but built into Windows, working with almost everything!

Re: Malware collection

 by slipstream- ¦  Wed Jun 22, 2016 5:59 pm ¦  Forum: Malware ¦  Topic: Win32/Miuref ¦  Replies: 1 ¦  Views: 2463

Next.. https://www.virustotal.com/en/file/e6f69b5fa849065df07a4b0cf6c55dd261779b3d583024256f53bd21133c7a0b/analysis/1466614271/ https://www.virustotal.com/en/file/47f45cee608b84be51051456b7840b02ba2779256b9aa530641f046b0f6e7002/analysis/1466617536/ scesrv.exe: NSIS wrapper, unpacks a ton of junk, a...


 by slipstream- ¦  Tue May 03, 2016 6:33 pm ¦  Forum: Malware ¦  Topic: Ransom.TechSupportScam.PCCleaner ¦  Replies: 0 ¦  Views: 4923

This is a winlocker of Indian origin (used to try to get people to call tech support scams). Using any one of the hardcoded serials "h7c9-7c67-jb", "g6r-qrp6-h2", "yt-mq-6w" starts explorer and appwiz, probably so whoever is remoted in can remove the winlocker. Also, Ctrl+Shift+S just kills the winlocker,...

Re: Petya malware

 by slipstream- ¦  Mon Apr 11, 2016 9:59 am ¦  Forum: Malware ¦  Topic: Petya malware ¦  Replies: 16 ¦  Views: 42804

> slipstream- wrote: Someone supposedly made a decrypter. https://petya-pay-no-ransom.herokuapp.com/

Turns out, it's open source: https://github.com/leo-stone/hack-petya

Re: Petya malware

 by slipstream- ¦  Sun Apr 10, 2016 6:59 pm ¦  Forum: Malware ¦  Topic: Petya malware ¦  Replies: 16 ¦  Views: 42804

Someone supposedly made a decrypter. https://petya-pay-no-ransom.herokuapp.com/

Unknown malware coded in golang

 by slipstream- ¦  Tue Mar 22, 2016 2:39 pm ¦  Forum: Malware ¦  Topic: Unknown malware coded in golang ¦  Replies: 0 ¦  Views: 2868

I have *no* idea whatsoever what this does.

It's a signed exe and an inf that sets it up as an NT service.