A forum for reverse engineering, OS internals and malware analysis 

 #15065  by Maxstar
 Thu Aug 09, 2012 9:20 am
Systems in the Netherlands are currently being hit hard by a new wave of crypto malware named “Trojan-Ransom.Win32.Dorifel”. Based on press reports as well as our own telemetry gathered through our Emsisoft Anti-Malware Network, thousands of Dutch systems are already infected, the majority of them located in government, public-sector or company networks.

Based on preliminary research, “Dorifel” usually enters new networks and systems through the use of a different malware: “Citadel”. “Citadel” belongs to the family of financial malware and is closely related to the “Zeus” bot family. It comes as no surprise that this isn’t the first time the “Citadel” botnet has been used to infect systems with other malware. Just a few weeks ago, at the beginning of July, “Citadel” was used to infect tens of thousands of PCs with the “Reveton” ransomware.
http://blog.emsisoft.com/2012/08/09/dor ... ic-sector/

https://www.virustotal.com/file/4db33e0 ... /analysis/

Edit
Fabian Wosar (Emsisoft) and Erik Loman (Surfright) developed a tool to decrypt these files. Additional info from Fox-IT:
http://blog.fox-it.com/2012/08/09/xdocc ... ing-virus/
 #15066  by erikloman
 Thu Aug 09, 2012 9:53 am
Find attached the Citadel samples that were found on computers with the Dorifel infection.
 #15073  by Blaze
 Thu Aug 09, 2012 12:41 pm
Attached. Thanks to @erikremmelzwaal for these samples.
 #18847  by rough_spear
 Fri Apr 05, 2013 7:31 am
Hi All,

One more Dorifel sample.

MD5 - 747b10da9a706ecfbbff11023a9e37a6

VT link - https://www.virustotal.com/en/file/6d20 ... /analysis/

18 / 45

malicious URL

hxxp://mhna.net/wind.html
hxxp://robbiedsayers.com/exhusband.html
hxxp://sanmarcos-criminallawyer.com/cap.html
hxxp://seaflour.com/ice.html
hxxp://rss-z.com/cotton.html


Regards,

rough_spear. ;)