A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19483  by PX5
 Thu May 30, 2013 9:38 am
Reveton aka FBI/MoneyPak

Link is dead....http://ytojuxate.pl/erolikos (50.7.46.181)

Seen it called Screenlock and other names like Fortinet W32/Moure.A!tr.dldr

I disagree, although screenlock, this is pure reveton, wont be able to share pcap but trust me, its Reveton, all my stolen PWs say so! ;)

https://www.virustotal.com/en/file/4e90 ... 369870629/

https://www.virustotal.com/en/file/38f5 ... 369870675/

https://www.virustotal.com/en/file/8f06 ... 369870684/
You do not have the required permissions to view the files attached to this post.
 #19484  by PX5
 Thu May 30, 2013 9:47 am
Image

Holy Crap!

Best I could do for now, hadda use a camera, safe mode didnt load, havent tried anything else yet, still not awake.

If someone is good at re-sizing photos, have at it and repost so its visible.

Thanks,

MJ
Last edited by Xylitol on Thu May 30, 2013 11:41 am, edited 1 time in total. Reason: image fix
 #19488  by EP_X0FF
 Thu May 30, 2013 2:38 pm
PX5 wrote:Holy Crap!

Best I could do for now, hadda use a camera, safe mode didnt load, havent tried anything else yet, still not awake.

MJ
Is it one of the recent samples you uploaded?
 #19493  by PX5
 Thu May 30, 2013 5:12 pm
Last edited by Xylitol on Thu May 30, 2013 11:41 am, edited 1 time in total.
Reason: image fix

Looks like Xylitol has repaired the image as much as it can be, thanks for asking EP_X0FF. :)

Thank You Much X! :)
 #19565  by Mosh
 Thu Jun 06, 2013 4:39 pm
Recently I saw a version with this same design but the name that I found for this was Flimrans.

Image

This is the same Reveton ?

basic analysis:
http://www.nyxbone.com/malware/flimrans.html

links:
http://www.malekal.com/2013/05/25/flimr ... hnologies/
https://www.botnets.fr/index.php/Flimrans
You do not have the required permissions to view the files attached to this post.
 #19728  by thisisu
 Sat Jun 22, 2013 7:31 pm
IIRC this one had the "ICE Cyber Crime Center" logo in here somewhere. Pulled from a customer laptop this morning.

MD5: 37dea49af3e2cddf3159e794ac14e77d -- https://www.virustotal.com/en/file/9098 ... /analysis/
FRST:
Code: Select all
HKU\Owner\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\khpvjhtueuosbxwdt.exe" <===== ATTENTION!
You do not have the required permissions to view the files attached to this post.
  • 1
  • 10
  • 11
  • 12
  • 13
  • 14
  • 16