A forum for reverse engineering, OS internals and malware analysis 


Re: Win32/Rick.d

 by R136a1 ¦  Fri Apr 01, 2016 9:20 pm ¦  Forum: Malware ¦  Topic: [April fool's day] Win32/Rick.d ¦  Replies: 4 ¦  Views: 4673

A bit late and well... at least someone tried it this year ;)

Re: Petya malware

 by R136a1 ¦  Fri Mar 25, 2016 1:42 pm ¦  Forum: Malware ¦  Topic: Petya malware ¦  Replies: 16 ¦  Views: 42788

It's getting better every day... http://s18.postimg.org/jfgdf7m1z/dropbox.png http://s18.postimg.org/5vzj9i82x/uac.png http://s18.postimg.org/4sfexjnft/picard.png And of course, German security experts appear on the surface with brilliant comments: http://s12.postimg.org/puylg8ba5/heisec.png Source:...

Re: H1N1 loader (aka Win32/Zlader)

 by R136a1 ¦  Wed Mar 16, 2016 9:14 am ¦  Forum: Malware ¦  Topic: H1N1 loader (aka Win32/Zlader) ¦  Replies: 22 ¦  Views: 57790

I have realized that the new H1N1 loader isn't the first malware which used the trick with the WMI console to elevate privileges. Radamant ransomware has used it since the end of December (2015); more on it here.

Re: Ransom.Radamant

 by R136a1 ¦  Wed Mar 16, 2016 9:12 am ¦  Forum: Malware ¦  Topic: Ransom.Radamant ¦  Replies: 10 ¦  Views: 17345

Here is a Radamant sample with a compilation timestamp from December 2015 which uses the mentioned trick with the WMI console to elevate privileges, so before H1N1 loader v2. The sample comes with a lot of left-behind symbols where you can observe that the author implemented his own idea of UACMe. Inside...

Re: H1N1 loader (aka Win32/Zlader)

 by R136a1 ¦  Tue Mar 15, 2016 4:19 pm ¦  Forum: Malware ¦  Topic: H1N1 loader (aka Win32/Zlader) ¦  Replies: 22 ¦  Views: 57790

Two months ago, the author of H1N1 loader released a new version of his tool (H1N1v2) which he claims was completely rewritten. Some of the new features include a rewritten UAC bypass method and a new social engineering technique to elevate privileges if the malware runs at low integrity level. These ...

Re: Tools from the ZeroAccess author

 by R136a1 ¦  Fri Feb 19, 2016 12:49 pm ¦  Forum: Malware ¦  Topic: Tools from the ZeroAccess author ¦  Replies: 7 ¦  Views: 22490

As outlined by @Soronsen, here are two more profiles from this person:

https://www.elance.com/s/emalaste/resume/
http://stackoverflow.com/users/4024739/lotus

Copies attached

Re: Tools from the ZeroAccess author

 by R136a1 ¦  Fri Feb 19, 2016 11:13 am ¦  Forum: Malware ¦  Topic: Tools from the ZeroAccess author ¦  Replies: 7 ¦  Views: 22490

Hi folks, thanks to the suggestion from EP_X0FF to search for the driver of the dll list tool (see above), I have found some new interesting information. Unfortunately, I have not found the driver, but instead a new tool and some information about the ZeroAccess author himself. :) BONUS-TV Player...

Tools from the ZeroAccess author

 by R136a1 ¦  Fri Feb 12, 2016 11:02 am ¦  Forum: Malware ¦  Topic: Tools from the ZeroAccess author ¦  Replies: 7 ¦  Views: 22490

In this article, I will discuss various tools that I have found during the past few months and which I believe are from the same author as the ZeroAccess malware. It is also possible that the source code of the bot was sold after the “takedown” in 2013 and someone is now trying to make profit from i...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by R136a1 ¦  Wed Jan 27, 2016 2:48 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 570693

Yes, that is the sample I was talking about.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by R136a1 ¦  Tue Jan 26, 2016 6:38 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 570693

I can share the hash on 1. February ;)
