PostPosted:Tue May 05, 2015 9:54 pm
by cuttingedge

I read an article on Rombertik and would like to know if anyone has a sample of it?

Read about it here: ... f-detected

I did a search for it and could not find anything posted about it.

Thank you.


Re: Rombertik Sample

PostPosted:Wed May 06, 2015 3:26 am
by forty-six

Win32 Rombertik

PostPosted:Wed May 06, 2015 3:31 am
by forty-six

Re: Win32 Rombertik

PostPosted:Wed May 06, 2015 4:22 am
by EP_X0FF
overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\)
Stop using Windows XP and ancient computers with BIOS.

Re: Win32 Rombertik

PostPosted:Wed May 06, 2015 2:38 pm
by Intimacygel
This is blowing up in the media for like no reason. It's not even that scary or innovative.

Here is an unpacked sample

Re: Win32 Rombertik

PostPosted:Thu May 07, 2015 1:55 pm
by SomeUnusedName
Typical blogpost analyzing the packer nobody in their right mind cares about.

Re: Win32 Rombertik

PostPosted:Fri May 08, 2015 2:08 am
by r32
Hi all, this sample was extracted from Cuckoo Sandbox, but it is not there now because they have been deleted.
In this URL I found it.

I uploaded the sample for download:
Regards ;)

Re: Win32 Rombertik

PostPosted:Fri May 08, 2015 8:24 am
by EP_X0FF
Finally got the "will" to look at this.

What can I say.


It is a Delphi dropper with a perun dll inside.
In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. Over 97% of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used.
Where did Ben Baker and Alex Chiu come from? Two idiots who never saw Delphi apps? Or maybe two idiots who never knew how to join something with a Delphi app? :) This work is definitely not for you.

Talos Group? How about re-branding to Phallus Group? :D Fully describes their level of the sophistication and professionalism.

Guess what this "super malware" of hackforums level does? It drops a VBS script with the following ultimate code
Code:
' Run the dropped batch file from the user's Application Data folder with a hidden window (style 0)
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run Chr(34) & "C:\Documents and Settings\User\Application Data\rsr\yfoye.bat" & Chr(34), 0
Set WshShell = Nothing
into the "AUTORUN" folder, drops a bat file and a copy of itself into the AppData\rsr folder. Next it runs in the background as a PROCESS and waits in a loop for browsers to pop up in the process list. Then, when a "firefox/chrome" browser is found, it injects this super DLL, written in VS 2010, with CreateRemoteThread and performs ring3 HOOKING of several APIs. Wow, never seen before.

Depending on browser it will hook:



It is implemented so buggily (madskillz hooks) that it never worked for me, resulting in browser crashes.

Next comedy part - so called "anti-analysis".

Under this comedy statement is hidden a simple CRC32 check this malware does over its resource. This is made to prevent hex-editing. If something is wrong it will do the described MBR overwrite and file encryption. Will work on Windows XP. That's all the anti-analysis. Yes, that's all.

It is a common trend of the last few years: teams of unknown monkeys and script-kiddies pop up from nowhere with "security research" about "ultimate super-duper" malware. Sort of legalized fraud. So they are just a kind of cybercriminals themselves -> Ben Baker and Alex Chiu from Phallus Group, remember them, I think it's the beginning of their professional career.


Re: Win32 Rombertik

PostPosted:Fri May 08, 2015 1:17 pm
by robemtnez
So no anti-debugging or sandbox analysis detection at all, with machine mass destruction? :roll:

Re: Win32 Rombertik

PostPosted:Fri May 08, 2015 3:19 pm
by EP_X0FF
robemtnez wrote:So no anti-debugging or sandbox analysis detection at all, with machine mass destruction? :roll:
Does it look like this? Malwr running on VirtualBox, open for any detection.

I can tell you why and where this scary machine "destruction" will actually take place.

This so-called anti-analysis is protection from smart script-kiddies who know how to use an in-memory hex-editor and can change the bot configuration (server name, for example, from hxxp:// to Configuration is stored inside this small DLL as resources in RCDATA (this DLL is actually executable - you can run it just like you run any exe and it will work). Also stored here is a block of keys used to decrypt the configuration. This malware checks the checksum of resource 1006, and if something bad happened -> CRC32 != 0x0E1A63B9 -> wow, we are under a hacking attempt - wipe the MBR etc. Ultra super advanced technology.

The people who did this "analysis" are script-kiddies with IDA Pro at hand, used only for screenshotting the Delphi VCL runtime call graph, facepalm.

So basically all these mass media monkeys are lying to you. Well, just like they should, by design and purpose.
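The CRC32 self-check EP_X0FF describes above (checksum of resource 1006 compared against the constant 0x0E1A63B9), reconstructed as an added example; this is not code from the thread, from Talos, or from the sample. It assumes the check is the standard reflected CRC32 (polynomial 0xEDB88320, the same algorithm zlib uses) over the raw resource bytes, and it uses a constructed stand-in config blob rather than the real resource. It shows why a bare CRC32 is no protection against the hex-editing scenario: after editing the configuration, four bytes appended to the blob are enough to drive the checksum back to the expected constant, so the "wipe MBR" branch never fires.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expected CRC32 of resource 1006 as reported in the thread. */
#define EXPECTED_CRC 0x0E1A63B9u

static uint32_t crc_table[256];
static int table_ready = 0;

static void init_table(void) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

/* Standard reflected CRC32 (zlib-compatible): init 0xFFFFFFFF, final xor 0xFFFFFFFF. */
uint32_t crc32_checksum(const uint8_t *data, size_t len) {
    if (!table_ready) init_table();
    uint32_t r = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        r = crc_table[(r ^ data[i]) & 0xFF] ^ (r >> 8);
    return r ^ 0xFFFFFFFFu;
}

/* The sample's "anti-analysis" as described in the thread: CRC32 over the
   config resource, compared against a hard-coded constant. Mismatch = wipe. */
int resource_check(const uint8_t *res, size_t len) {
    return crc32_checksum(res, len) == EXPECTED_CRC;
}

/* Compute 4 bytes such that crc32(data || out) == target.
   Backward pass: starting from the register value the target implies, each
   table entry has a unique top byte, so the index used at every step is fixed.
   Forward pass: from the real register after `data`, choose each byte so that
   (register ^ byte) & 0xFF hits that index. */
void forge_crc32_suffix(const uint8_t *data, size_t len, uint32_t target, uint8_t out[4]) {
    if (!table_ready) init_table();
    uint32_t r = crc32_checksum(data, len) ^ 0xFFFFFFFFu; /* register after data */
    uint32_t cur = target ^ 0xFFFFFFFFu;                  /* register we must end on */
    int idx[4];
    for (int i = 3; i >= 0; i--) {
        int k = 0;
        while (k < 255 && (crc_table[k] >> 24) != (cur >> 24)) k++;
        idx[i] = k;
        cur = (cur ^ crc_table[k]) << 8; /* top 24 bits of the previous register */
    }
    for (int i = 0; i < 4; i++) {
        out[i] = (uint8_t)((r & 0xFF) ^ (uint32_t)idx[i]);
        r = crc_table[(r ^ out[i]) & 0xFF] ^ (r >> 8);
    }
}

/* Does data || forged suffix really checksum to target? */
int forge_hits_target(const uint8_t *data, size_t len, uint32_t target) {
    uint8_t buf[256];
    if (len + 4 > sizeof buf) return 0;
    memcpy(buf, data, len);
    forge_crc32_suffix(data, len, target, buf + len);
    return crc32_checksum(buf, len + 4) == target;
}

/* Analyst scenario: the C2 hostname in the config has been hex-edited to a
   local listener. Returns 1 when the edit trips the check and the forged
   tail makes it pass again. The config text is constructed for this example. */
int forge_demo(void) {
    const char *edited = "server=hxxp://127.0.0.1/gate.php;";
    size_t n = strlen(edited);
    uint8_t res[64];
    memcpy(res, edited, n);
    int before = resource_check(res, n);      /* 0: tampered, wipe path would fire */
    forge_crc32_suffix(res, n, EXPECTED_CRC, res + n);
    int after = resource_check(res, n + 4);   /* 1: checksum restored, config kept */
    return !before && after;
}

int main(void) {
    printf("crc32(\"123456789\") = 0x%08X\n", crc32_checksum((const uint8_t *)"123456789", 9));
    printf("forge demo %s\n", forge_demo() ? "passed" : "failed");
    return 0;
}
```

Build with `cc -o crc_forge crc_forge.c`. The quickest bypass in practice is still to patch the compare constant inside the DLL; appending a forged tail is for when you want to leave the check code untouched and the resource can grow by four bytes (or ends in four bytes of slack the parser ignores). Neither costs more than a few seconds, which is the point EP_X0FF is making.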