Search found 101 matches

by sysopfb
Sat Apr 02, 2016 4:25 pm
Forum: Malware
Topic: TrojanDownloader:JS/Nemucod
Replies: 2
Views: 3849

TrojanDownloader:JS/Nemucod

Commonly used to download Kovter. It has also been used to download CryptoWall, TeslaCrypt, Radamant... They added a crappy 'ransomware' piece to the top of the JavaScript that will download a simple exe that takes a file as a parameter and XORs the first 0x800 or 2048 bytes of the file with a static 255 by...
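The XOR routine described in the post above, modelled as an added example that is not sysopfb's code or the malware's: it XORs only the first 0x800 bytes of a file with a repeating static key, and because XOR is its own inverse the same call undoes the damage once the key is known. The key bytes, the key length used here (32) and the sample file are constructed assumptions for illustration; the post's key length is cut off, so nothing about the real key is claimed. The second function shows the practical consequence of a static key over a fixed prefix: known plaintext at the file start (a format signature, a known header) leaks the key position by position.

```python
"""
Added example (not from the original post or the malware): a model of
"XOR the first 0x800 bytes with a static key" and key recovery from known
plaintext. Key, key length and sample file are constructed assumptions.
"""
from typing import Optional

HEADER_LEN = 0x800  # 2048 bytes: the prefix the post says the tool XORs


def xor_header(data: bytes, key: bytes) -> bytes:
    """XOR the first HEADER_LEN bytes of data with the repeating key.

    XOR is an involution, so the same call both 'encrypts' and restores.
    Bytes beyond HEADER_LEN are passed through untouched, as described.
    """
    if not key:
        raise ValueError("key must not be empty")
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:HEADER_LEN]))
    return head + data[HEADER_LEN:]


def recover_key(encrypted: bytes, known_plaintext: bytes, key_len: int) -> Optional[bytes]:
    """Recover a repeating XOR key from known plaintext at the file start.

    key_len is an assumption supplied by the analyst. Returns None when the
    known plaintext is too short to cover every key position.
    """
    n = min(len(known_plaintext), len(encrypted), HEADER_LEN)
    if key_len <= 0 or n < key_len:
        return None
    return bytes(encrypted[i] ^ known_plaintext[i] for i in range(key_len))


def build_sample_file(size: int = 4096) -> bytes:
    """Constructed sample: a PNG-style signature followed by a predictable body."""
    sig = b"\x89PNG\r\n\x1a\n"
    body = bytes((i * 7 + 3) & 0xFF for i in range(size - len(sig)))
    return sig + body


def demo() -> dict:
    """Round-trip a sample file and recover the key from 64 known leading bytes."""
    key = bytes((i * 37 + 11) & 0xFF for i in range(32))  # constructed 32-byte key
    original = build_sample_file()
    encrypted = xor_header(original, key)
    restored = xor_header(encrypted, key)
    # Known plaintext: assume the analyst has a clean copy of the first 64 bytes
    recovered = recover_key(encrypted, original[:64], len(key))
    return {
        "tail_untouched": encrypted[HEADER_LEN:] == original[HEADER_LEN:],
        "roundtrip_ok": restored == original,
        "key_recovered": recovered == key,
        "too_little_known": recover_key(encrypted, original[:8], len(key)) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because only a fixed-length prefix is touched, the rest of the file is intact and a single clean sample of the same file type is usually enough known plaintext to recover a key of this kind and decrypt every other affected file.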
by sysopfb
Tue Mar 22, 2016 6:41 pm
Forum: Malware
Topic: Win32/Corebot
Replies: 7
Views: 10866

Re: Win32/Corebot

Releasing a paper I wrote last year on this.
by sysopfb
Thu Feb 11, 2016 10:09 pm
Forum: Malware
Topic: TorrentLocker ransomware
Replies: 25
Views: 46158

Re: TorrentLocker ransomware

What people are calling Teerac, and AV is calling Win32.Teerac, is just a variant of TorrentLocker that matches the reports from welivesecurity.com and the FoxIT blog post, with the exception of an additional subdomain generation based on a hardcoded domain. Though they usually resolve to the same IP a...
by sysopfb
Sun Feb 07, 2016 10:42 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 89374

Re: TeslaCrypt ransomware

The spam panel being used is called Spamm Panel

There is a demo up at htxp://spmsmtcheckrgb.com/index.php
by sysopfb
Sat Feb 06, 2016 5:52 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 89374

Re: Malware collection

next https://www.virustotal.com/en/file/3783340fc1d2e3465e0ec6997c7964fe3faabb8bfdd2d181fa3f62954a44e78e/analysis/1454776380/

It's a JavaScript downloader. That one downloads one of the following, which is probably TeslaCrypt:

hxxp://helloguysqq.su/80.exe
hxxp://sowhatsupwithitff.com/80.exe

There's a...
by sysopfb
Thu Feb 04, 2016 8:02 pm
Forum: Malware
Topic: PClock ransomware
Replies: 7
Views: 9533

Re: PClock ransomware

PClock - criminal_case_for_you.scr

Crypter -

Code:

F:\Krypton_15.0_NR\Bin\StubNew.pdb

Packed and unpacked in attached.
by sysopfb
Tue Feb 02, 2016 6:55 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 89374

Re: TeslaCrypt ransomware

ver=3.0.0a in attached. Came from piglyeleutqq.com/80.exe; unpack on RtlDecompressBuffer.

C2 encryption key changed to 0324532423723948572379453249857

Lots of recrypted versions of the same build and some old ones on there as well:

# md5sum *.exe
5993e0215948ab25054cc87a7af7d411  23.exe
1cdb1cd3d4242d3e...
by sysopfb
Thu Jan 14, 2016 8:46 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 89374

Re: TeslaCrypt ransomware

Previous versions for me would always check into the C2 first before encrypting the files. It appears they now encrypt the files before checking in with this new version.
by sysopfb
Wed Jan 13, 2016 2:27 pm
Forum: Malware
Topic: TeslaCrypt ransomware
Replies: 58
Views: 89374

Re: TeslaCrypt ransomware

version=3.0.0 is attached. .xxx extensions.

C2 list:
hxxp://dawnlogistics.com/wp-content/themes/sketch/dbsys.php
hxxp://yavuzturk.com/wp-includes/dbsys.php
hxxp://thevictorianmotel.com/wp-content/themes/sketch/dbsys.php
hxxp://elle-ectric.com/wp-content/themes/sketch/dbsys.php
hxxp://nicasitios.com/db...
by sysopfb
Thu Dec 31, 2015 11:11 pm
Forum: Malware
Topic: Downloader:Win32/Nitol
Replies: 21
Views: 24362

Re: Malware collection

next https://www.virustotal.com/en/file/6fe508bc7747cb61cd1f54d902d423fe3e277f3e76fa08ac1d453ba227ceb0d1/analysis/1449939246/

Yet another Muldrop, with Nitol.B + Waledac. Waledac downloads a Muldrop with Nitol.B + Kelihos.F. The Waledac you had in VT had the following IPs, interesting little 'rando...