Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Thu Oct 17, 2013 6:32 pm
by Cody Johnston
hxxp://93.189.44.187/103.exe

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Fri Oct 18, 2013 1:33 pm
by skgsergio
103.exe seems less detected yet, is it a new version?

On the other hand, when u enter a C&C via http (ex. hxxp://gktibioivpqbot.net/) u get this msg:
Temporary notes:

You cannot restore files after time has expired! Setting the system clock back will not help you!

Uninstall action and expiry time controlled by server, your key pair destroyed after uninstall (time has expired)!
You can't control it!!!
After uninstall (if you try reinstall) you obtain a new key pair from server.

You can reinstall software only if time has not expired!


Personal message:

Dear guy, please resend your MP 307*********07, you have month. (We know your machine, we wait you...), this is merchant error, sorry.
Why you did not do this immediately after an error?

Uninstall temporary disabled.
Soon will be available the decryption service... Stay with us :)

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Fri Oct 18, 2013 6:09 pm
by Cody Johnston
skgsergio wrote: 103.exe seems less detected yet, is it a new version?
There is nothing new about the binary itself, just crypted the dropper differently.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Fri Oct 18, 2013 6:14 pm
by frame4-mdpro
Can someone pls post 103.exe, just missed it :(

TIA.
Anthony

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Fri Oct 18, 2013 6:23 pm
by Cody Johnston
Here you go :)

SHA256: b3530b7519660996d28eb31a8d5b585ec60601843c77dd9f2b712812c99843e4
SHA1: 347b21e94912e99fb312153948d1f2758454e136
MD5: a8e0d4771c1f71709ddb63d9a75dc895
File name: 103.exe
Detection ratio: 32 / 48

https://www.virustotal.com/en/file/b353 ... /analysis/

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Fri Oct 18, 2013 6:34 pm
by frame4-mdpro
MUCH appreciated :) !!

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Sat Oct 19, 2013 12:05 am
by Cody Johnston
New Crypt from today attached:

SHA256: 136e8991816b958bb76aaf22fefd18194cf78a80e95d572754f95e1f86149a65
SHA1: ea64129f9634ce8a7c3f5e0dd8c2e70af46ae8a5
MD5: f1e2de2a9135138ef5b15093612dd813
Detection ratio: 12 / 47

https://www.virustotal.com/en/file/136e ... /analysis/

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Mon Oct 21, 2013 11:08 pm
by servarevitas3
Anyone have a current sample? The last one posted has all the DNS requests either not resolving or resolving to sinkholes. Is this thing dead?

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Tue Oct 22, 2013 6:48 am
by emc74
Can a more recent file be posted so that I can download and attempt a recovery? Can I check that following the download I just execute the file?

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Posted: Tue Oct 22, 2013 10:58 pm
by emc74
I have successfully used the downloaded file here and paid the money and it is working.