A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19591  by Xylitol
 Mon Jun 10, 2013 8:12 am
193 Ursnif directly from the BestAV affiliate
Packed: https://www.virustotal.com/en/file/1502 ... 370852251/
Unpacked: https://www.virustotal.com/en/file/916c ... 370852109/
Code:
@echo off
color 17
cls
REM Affiliate download URL; the affiliate id is appended to it below
set target=test.bestavsoft2.com/soft/download/soft3/?affid=
set droppath=BestAVsoft3
REM Loop counter range; every counter value gets the %affiday% suffix appended
set start=1
set affiday=00
set end=8888
set step=1
if not exist %droppath% (
mkdir %droppath% )
REM Fetch each affiliate id with a spoofed IE user agent (-U), server headers shown (-S) and 100 retries (-t)
FOR /L %%G IN (%start%, %step%, %end%) DO wget -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -S -t 100 -P / "%target%%%G%affiday%" -O "%droppath%/%%G"
REM Throw away empty or near-empty responses (2 bytes or less)
FOR %%i IN (%droppath%\*) do if %%~zi LEQ 2 DEL %%i
echo Done.
pause
 #23137  by EP_X0FF
 Tue Jun 17, 2014 12:37 pm
It is typical, old-as-hell Ursnif, like mentioned above.

RSA either didn't know actual malware families (which means they are incompetent) or they are reinventing the wheel for self-PR.

edit: heck, their payload even has the same name
 #23159  by Cody Johnston
 Thu Jun 19, 2014 10:35 pm
Here is a recent one from today:

UlcuFsoh.dat:

MD5 34a1fabdbffffa768ec522dd4dc31a78
https://www.virustotal.com/en/file/2341 ... 403216921/

explorer.exe_0x78b0000-0x6c000.bin (injected into explorer.exe)

MD5 8eaae09f60db58ea8fbfc66026c2b786
https://www.virustotal.com/en/file/a5d8 ... 403217053/

Low detection on both
 #23162  by EP_X0FF
 Fri Jun 20, 2014 5:31 am
Your dump is partial (as it was read from a single virtual memory region) and not fixed; that's why it is not detected on VT: the file structure is invalid and the code inside is a simple mess.

Here are these payloads, extracted from the crypted and aPLib-packed malware DLL in your archive.

32-bit:
https://www.virustotal.com/en/file/ba82 ... 403242117/

64-bit:
https://www.virustotal.com/en/file/d22d ... 403242120/
 #25826  by R136a1
 Fri May 08, 2015 3:49 pm
Sample from December 2014 which uses the Carberp method + Windows Easy Transfer (migwiz.exe) for UAC bypass. Probably one of the first malware samples that use this specific method.

Internal version number of this variant:
"ISFB_0604: ISFB client DLL version 2.12, build 430, group 1000"

Sample uploaded for historical purposes.
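A detection sketch for the UAC-bypass pattern mentioned in the post above, added here as an example that is not part of the thread and not any poster's code. The bypass has two observable steps: a DLL lands in a Windows system directory without an installer writing it (the Carberp IFileOperation trick does this from medium integrity with no prompt), and an auto-elevating binary such as migwiz.exe then loads it. The script runs those two rules over constructed Sysmon-style records (Event ID 11 FileCreate, Event ID 7 ImageLoaded, rendered as dicts with Sysmon's field names) and correlates the load with the earlier write. The writer process, paths and the DLL name in the sample records are assumptions for this example.

```python
"""Detection sketch for the UAC-bypass pattern in the post above.

Added example, not from the thread.  Two rules over Sysmon-style records:
  1. Event 11 (FileCreate): a DLL appears in a system directory, written by a
     process that does not normally service the OS.
  2. Event 7 (ImageLoaded): an auto-elevating host loads a module that is not
     validly Microsoft-signed.
A rule-2 hit on a DLL already seen by rule 1 is reported as a confirmed hijack.
"""
import ntpath

AUTO_ELEVATING_HOSTS = {"migwiz.exe"}          # named in the post; extend as needed
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
# Assumption: processes that legitimately write DLLs into system directories
EXPECTED_SYSTEM_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}


def _basename(path):
    return ntpath.basename(path).lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def dll_planted(ev):
    """Event 11: a DLL appears in a system directory, written by an unexpected process."""
    return (ev["EventID"] == 11
            and ev["TargetFilename"].lower().endswith(".dll")
            and _in_system_dir(ev["TargetFilename"])
            and _basename(ev["Image"]) not in EXPECTED_SYSTEM_WRITERS)


def untrusted_load_in_elevating_host(ev):
    """Event 7: an auto-elevating host loads a module that is not validly Microsoft-signed."""
    if ev["EventID"] != 7 or _basename(ev["Image"]) not in AUTO_ELEVATING_HOSTS:
        return False
    trusted = (ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
               and ev.get("Signature") in TRUSTED_SIGNERS)
    return not trusted


def find_uac_bypass(events):
    """Return (kind, event) alerts.  A load of a DLL seen planted earlier is
    'hijack_confirmed'; an untrusted load on its own is 'untrusted_load'."""
    planted = {}
    alerts = []
    for ev in events:
        if dll_planted(ev):
            planted[ev["TargetFilename"].lower()] = ev
            alerts.append(("dll_planted", ev))
        elif untrusted_load_in_elevating_host(ev):
            kind = "hijack_confirmed" if ev["ImageLoaded"].lower() in planted else "untrusted_load"
            alerts.append((kind, ev))
    return alerts


# Constructed records, not real telemetry.  dllhost.exe as the writer stands in for
# the elevated COM surrogate hosting IFileOperation; that attribution is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\dllhost.exe",
     "TargetFilename": "C:\\Windows\\System32\\migwiz\\planted.dll"},
    {"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\ntdll.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\migwiz\\migwiz.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\migwiz\\migwiz.exe",
     "ImageLoaded": "C:\\Windows\\System32\\migwiz\\planted.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
]

if __name__ == "__main__":
    for kind, ev in find_uac_bypass(SAMPLE_EVENTS):
        print(kind, ev.get("TargetFilename") or ev.get("ImageLoaded"))
```

Rule 1 on its own is noisy on patch days, which is why the writer allow-list exists and why the correlation matters: an unsigned module loaded by an auto-elevating host from a system directory is rare enough on its own, and becomes high-confidence once the same path was just created by a non-servicing process. Sysmon only populates the signature fields when image-load logging is configured to check signatures, so the `Signed` and `SignatureStatus` comparisons assume that configuration.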