Search found 365 matches

by thisisu
Thu Jul 11, 2013 10:44 pm
Forum: Malware
Topic: Win32/Medfos - Browser redirecting Trojan
Replies: 22
Views: 13460

Re: Win32/Medfos - Browser redirecting Trojan

"ODUuMTcuMTQ3LjMzOwAA" base64 = 85.17.147.33; That IP address is C&C? More info. This registry data value (string / IP address) was used in the past: ODUuMTcuMT My Lj U0 OwAA ( not to be confused with the newer ODUuMTcuMT Q3 Lj Mz OwAA ) Source: http://pastebin.com/qNwscqPA http://home.mcafee.com/v...
by thisisu
Thu Jul 11, 2013 8:51 am
Forum: Malware
Topic: Win32/Medfos - Browser redirecting Trojan
Replies: 22
Views: 13460

Re: Win32/Medfos - Browser redirecting Trojan

Hi, Couple more Medfos samples courtesy of B-boy/StyLe/ These seem a bit different than previous variants encountered. sidapr.dl_ -- b01e81e1b02198fe3e249f9a1b93847c -- https://www.virustotal.com/en/file/e62e474f0b7bc92cd17c9f7bb0f7bb7904b6c5cf347b04931c5dd1af3d950e44/analysis/1373531509/ stspb.dl_ ...
by thisisu
Sun Jul 07, 2013 12:38 am
Forum: Newbie Questions
Topic: Where to start?
Replies: 12
Views: 19125

Re: Where to start?

Do not buy one of the new editions of The Art of Assembly Language by Randall Hyde. It's not assembly but high level assembly or some junk. I'm sorry but just to clarify, you don't recommend which edition(s)? There is a PDF linked from R4ndom's site which I downloaded and started reading (having a ...
by thisisu
Fri Jul 05, 2013 12:42 am
Forum: Malware
Topic: Win32/Dircrypt (File Encrypting Ransomware)
Replies: 14
Views: 25136

Re: Dirty Alert Ransomware

Autorun entries created and some code found in index.html function Validation(paycode, system) { if(system == "psk") { if(paycode.length != 16 || paycode.match("/^\d+$/")) return false; if (paycode.charAt(0) != "0") return false; for(var j = 0; j <= 9;j++) if (paycode.indexOf(RepeatSymbol(5, j)) != ...
by thisisu
Tue Jun 25, 2013 11:54 pm
Forum: Malware
Topic: eType Manager / Browser Manager / bProtector Adware
Replies: 32
Views: 23293

Re: eType Manager / Browser Manager / bProtector Adware

It can be downloaded from the program's website or it may be bundled with some third-party software installation programs. http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FFastSaveApp#techdetails_link BHO CLSID and name are random. As far as I know, AdwC...
by thisisu
Sat Jun 22, 2013 7:31 pm
Forum: Malware
Topic: Win32/Reveton
Replies: 150
Views: 191485

Re: Win32/Reveton

IIRC this one had the "ICE Cyber Crime Center" logo in here somewhere. Pulled from a customer laptop this morning. MD5: 37dea49af3e2cddf3159e794ac14e77d -- https://www.virustotal.com/en/file/9098930862ae67ade521bd5acfb04ce5ab05c39e448b07d08fa1be0d56199b97/analysis/ FRST: HKU\Owner\...\Command Proces...
by thisisu
Fri Jun 21, 2013 9:57 pm
Forum: Malware
Topic: eType Manager / Browser Manager / bProtector Adware
Replies: 32
Views: 23293

Adware

MD5: 96fbde8218339481d5b7c8399b77dfe4 -- https://www.virustotal.com/en/file/8d39a060428c35513d8ffaef5e6a15d951a621724e352763b29268cb77678c4b/analysis/ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 6/21/2013 4:40 PM trueads c:\windows\system32\b9d98fa7-6ad6-270a-5c0a-...
by thisisu
Sat Jun 15, 2013 3:19 pm
Forum: Malware
Topic: Rogue Antimalware (FakeAV, 2013 year)
Replies: 142
Views: 218352

Re: Rogue Antimalware (FakeAV, 2013 year)

EP_X0FF wrote: If you need any layers from this crap let me know.
Hi, yes please if you do not mind can you attach all 4 layers? Thanks
by thisisu
Sat Jun 15, 2013 2:29 pm
Forum: Malware
Topic: Rogue Antimalware (FakeAV, 2013 year)
Replies: 142
Views: 218352

Re: Rogue Antimalware (FakeAV, 2013 year)

Hi and thanks for your response. :)

I think we are looking at different files. It is my fault, I didn't mention at first that I ran the malware in VM and gathered the btdefender.exe from %allusersprofile%. Attached is that file. Sorry for the confusion. This is the one I've been trying to analyse.
by thisisu
Fri Jun 14, 2013 11:06 pm
Forum: Malware
Topic: Rogue Antimalware (FakeAV, 2013 year)
Replies: 142
Views: 218352

Re: Rogue Antimalware (FakeAV, 2013 year)

Internet Security (fakeAv) file1.exe ----> FakeAV OEP @ 00401414? Is that correct? 00401414 |> /55 PUSH EBP Is this custom cryption part? 0040144D |. 68 513A0100 PUSH 13A51 ; /MaximumSize = 13A51 (80465.) 00401452 |. 68 6E6F0000 PUSH 6F6E ; |InitialSize = 6F6E (28526.) 00401457 |. 56 PUSH ESI ; |Fla...