A forum for reverse engineering, OS internals and malware analysis 


Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

 by R136a1 ¦  Sun Apr 03, 2016 2:14 pm ¦  Forum: Malware ¦  Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit) ¦  Replies: 66 ¦  Views: 256272

Two days ago, I started to analyse an unusual Turla dropper which adds an extra layer to the already known dropper and which pretends to be compiled in 2013 according to its time stamp. However, some of its final payloads have a newer compilation time stamp from 2014, leading to the assumption ...
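
The reasoning in the post above rests on comparing the compile time stamp of the container with those of the payloads it carries. As an added example (not code from the thread or from the Turla analysis), the script below reads IMAGE_FILE_HEADER.TimeDateStamp straight from the PE header, carves embedded PE images by following each MZ stub's e_lfanew to a valid PE signature, and flags any embedded image that post-dates its container. The two minimal PE blobs it runs on are constructed in the script, not real samples.

```python
"""Compare a dropper's compile time stamp with those of PE images embedded in it.

Added example, not from the kernelmode.info thread. It parses only the
IMAGE_FILE_HEADER.TimeDateStamp field (32-bit unsigned seconds since
1970-01-01 UTC) and carves embedded PE files by scanning for 'MZ' stubs
whose e_lfanew points at a valid 'PE\\0\\0' signature.
"""
import calendar
import struct
from datetime import datetime, timezone

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def pe_timestamp(data: bytes, base: int = 0):
    """Return the TimeDateStamp of the PE image starting at `base`, or None."""
    if data[base:base + 2] != MZ_MAGIC or len(data) < base + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    pe = base + e_lfanew
    # 4-byte signature plus the 20-byte IMAGE_FILE_HEADER must fit in the buffer
    if pe + 24 > len(data) or data[pe:pe + 4] != PE_MAGIC:
        return None
    (ts,) = struct.unpack_from("<I", data, pe + 8)  # TimeDateStamp field
    return ts


def find_embedded_pes(data: bytes):
    """Yield (offset, timestamp) for every valid PE image found after offset 0."""
    pos = data.find(MZ_MAGIC, 1)
    while pos != -1:
        ts = pe_timestamp(data, pos)
        if ts is not None:
            yield pos, ts
        pos = data.find(MZ_MAGIC, pos + 1)


def to_utc(ts: int) -> datetime:
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_report(dropper: bytes):
    """Return the container's time stamp and, per embedded PE, whether it
    post-dates the container (a hint that the outer stamp was back-dated)."""
    outer = pe_timestamp(dropper)
    if outer is None:
        raise ValueError("not a PE file")
    rows = []
    for off, ts in find_embedded_pes(dropper):
        rows.append({
            "offset": off,
            "timestamp": to_utc(ts),
            "newer_than_container": ts > outer,
        })
    return to_utc(outer), rows


def build_min_pe(ts: int, tail: bytes = b"") -> bytes:
    """Constructed minimal PE: 64-byte MZ stub with e_lfanew = 0x40, then the PE
    signature and an IMAGE_FILE_HEADER (Machine, NumberOfSections, TimeDateStamp,
    PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics)."""
    mz = bytearray(0x40)
    mz[0:2] = MZ_MAGIC
    struct.pack_into("<I", mz, 0x3C, 0x40)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)
    return bytes(mz) + PE_MAGIC + file_header + tail


def utc_ts(year: int, month: int, day: int) -> int:
    return calendar.timegm((year, month, day, 0, 0, 0))


# Constructed sample data: a "dropper" stamped 2013 carrying a payload stamped 2014.
PAYLOAD = build_min_pe(utc_ts(2014, 3, 15))
DROPPER = build_min_pe(utc_ts(2013, 6, 1), tail=b"\0" * 32 + PAYLOAD + b"\0" * 16)

if __name__ == "__main__":
    outer, rows = timestamp_report(DROPPER)
    print("container compiled:", outer.isoformat())
    for r in rows:
        flag = "NEWER than container" if r["newer_than_container"] else "ok"
        print(f"  embedded PE @0x{r['offset']:x}: {r['timestamp'].isoformat()} ({flag})")
```

On a real dropper the payloads are usually compressed or encrypted rather than stored as plain PE images, so the carving step would run on the decrypted buffer rather than on the file itself; the time stamp comparison is the same either way.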

Re: Win32/Rick.d

 by R136a1 ¦  Fri Apr 01, 2016 9:20 pm ¦  Forum: Malware ¦  Topic: [April fool's day] Win32/Rick.d ¦  Replies: 4 ¦  Views: 4684

A bit late and well... at least someone tried it this year ;)

Re: Petya malware

 by R136a1 ¦  Fri Mar 25, 2016 1:42 pm ¦  Forum: Malware ¦  Topic: Petya malware ¦  Replies: 16 ¦  Views: 42893

It's getting better every day... http://s18.postimg.org/jfgdf7m1z/dropbox.png http://s18.postimg.org/5vzj9i82x/uac.png http://s18.postimg.org/4sfexjnft/picard.png And of course, German security experts appear on the surface with brilliant comments: http://s12.postimg.org/puylg8ba5/heisec.png Source:...

Re: H1N1 loader (aka Win32/Zlader)

 by R136a1 ¦  Wed Mar 16, 2016 9:14 am ¦  Forum: Malware ¦  Topic: H1N1 loader (aka Win32/Zlader) ¦  Replies: 22 ¦  Views: 57957

I have realized that the new H1N1 loader isn't the first malware which used the trick with the WMI console to elevate privileges. Radamant ransomware has used it since the end of December 2015; more on it here.

Re: Ransom.Radamant

 by R136a1 ¦  Wed Mar 16, 2016 9:12 am ¦  Forum: Malware ¦  Topic: Ransom.Radamant ¦  Replies: 10 ¦  Views: 17399

Here is a Radamant sample with a compilation timestamp from December 2015 which uses the mentioned trick with the WMI console to elevate privileges, so before H1N1 loader v2. The sample comes with a lot of symbols left behind where you can observe that the author implemented his own idea of UACMe. Inside...

Re: H1N1 loader (aka Win32/Zlader)

 by R136a1 ¦  Tue Mar 15, 2016 4:19 pm ¦  Forum: Malware ¦  Topic: H1N1 loader (aka Win32/Zlader) ¦  Replies: 22 ¦  Views: 57957

Two months ago, the author of H1N1 loader released a new version of his tool (H1N1v2) which he claims was completely rewritten. Some of the new features include a rewritten UAC bypass method and a new social engineering technique to elevate privileges if the malware runs at low integrity level. These ...

Re: Tools from the ZeroAccess author

 by R136a1 ¦  Fri Feb 19, 2016 12:49 pm ¦  Forum: Malware ¦  Topic: Tools from the ZeroAccess author ¦  Replies: 7 ¦  Views: 22710

As outlined by @Soronsen, here are two more profiles from this person:

Copies attached

Re: Tools from the ZeroAccess author

 by R136a1 ¦  Fri Feb 19, 2016 11:13 am ¦  Forum: Malware ¦  Topic: Tools from the ZeroAccess author ¦  Replies: 7 ¦  Views: 22710

Hi folks, thanks to the suggestion from EP_X0FF to search for the driver of the dll list tool (see above), I have found some new interesting information. Unfortunately, I have not found the driver, but instead a new tool and some information about the ZeroAccess author. :) BONUS-TV Player...

Tools from the ZeroAccess author

 by R136a1 ¦  Fri Feb 12, 2016 11:02 am ¦  Forum: Malware ¦  Topic: Tools from the ZeroAccess author ¦  Replies: 7 ¦  Views: 22710

In this article, I will discuss various tools that I have found during the past few months and which I believe are from the same author as the ZeroAccess malware. It is also possible that the source code of the bot was sold after the “takedown” in 2013 and someone is now trying to make profit from i...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by R136a1 ¦  Wed Jan 27, 2016 2:48 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571463

Yes, that is the sample I was talking about.
