Malware collection

Forum for analysis and discussion about malware.
ikolor
Sun Jan 20, 2019 4:22 pm

(attached sample files; viewing requires forum permissions)
Fedor22
Sun Jan 20, 2019 6:36 pm

The second sample is just an adware bundle, which is downloaded from hxxp://disk-space.ru or something like that. In addition, it installs a bunch of unwanted software, like Mail.Ru Updates, My Web Shield, etc.
The address directs to:

Code:

hxxp://disk-space.ru/u/f68ab6d35d50666bdbea5bbae80cc3e5/7afac1d6a3/baza_valid.txt
It looks like a list containing passwords and emails for brute-forcing.
The third sample is AutoIt spyware; it downloads the LaZagne hacktool from this IP address:

Code:

hxxp://62.108.34.111/rapido.file
I can't say anything concrete about the first sample, so I am sorry for that.
ikolor
Thu Jan 24, 2019 8:26 pm

(attached sample files; viewing requires forum permissions)
Antelox
Fri Jan 25, 2019 9:05 am

ikolor wrote:
Thu Jan 24, 2019 8:26 pm
Thank you, buddy.

https://www.virustotal.com/en/file/a4ba ... 548361352/
Geodo/Emotet doc downloader:

Downloads this binary: https://www.virustotal.com/#/file/46153 ... /detection

From:

Code:

hxxp://cannabiswebsite10.info/n0VCPGVYD
hxxp://iranbody.xyz/LLRFYL7
hxxp://kamelot.marketing-pr.biz/ql7XeiqG28
hxxp://khomyphamhanoi.com/TvTwWqcK0
hxxp://realgen-webdesign.nl/nE8npUCGq
BR,

Antelox
ikolor
Fri Jan 25, 2019 3:39 pm

(attached sample files; viewing requires forum permissions)
Fedor22
Fri Jan 25, 2019 5:24 pm

The first sample is Troldesh (Shade) ransomware.
It checks the external IP and connects to the CnC server:

Code:

hxxp://whatismyipaddress.com/
hxxp://128.31.0.39
Email, extension and URLs to Tor:

Code:

Email: pilotpilot088@gmail.com
Extension: .crypted000007
URLs: hxxp://cryptsen7fo43rr6.onion.to/
hxxp://cryptsen7fo43rr6.onion.cab/
And the second sample is maybe a RAT or spyware.
It connects to these sites:

Code:

hxxp://js.nindejia.com
hxxp://clientbi.gz.1251415748.clb.myqcloud.com
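One way to put the Troldesh indicators above to defensive use, as an added example that is not part of this thread or any poster's code: it refangs the hxxp:// indicators from the post, matches them against a proxy log, and flags the sequence the post describes, an external-IP lookup followed by a connection to the stated CnC address from the same client within a short window. The log format, client addresses, timestamps and the ten-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators exactly as given in the post above (defanged with hxxp://).
TROLDESH_INDICATORS = [
    "hxxp://whatismyipaddress.com/",
    "hxxp://128.31.0.39",
    "hxxp://cryptsen7fo43rr6.onion.to/",
    "hxxp://cryptsen7fo43rr6.onion.cab/",
]

def refang_host(indicator: str) -> str:
    """Turn a defanged hxxp(s):// indicator into a bare lowercase host name or IP."""
    url = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.I)
    return urlparse(url).hostname.lower()

IP_CHECK_HOST = refang_host(TROLDESH_INDICATORS[0])  # whatismyipaddress.com
CNC_HOST = refang_host(TROLDESH_INDICATORS[1])       # 128.31.0.39

# Constructed proxy log (not real traffic): "timestamp client-ip method url".
SAMPLE_PROXY_LOG = """\
2019-01-25T17:20:01 10.0.0.12 GET http://www.example.org/index.html
2019-01-25T17:21:05 10.0.0.45 GET http://whatismyipaddress.com/
2019-01-25T17:21:09 10.0.0.45 POST http://128.31.0.39/
2019-01-25T17:30:00 10.0.0.12 GET http://whatismyipaddress.com/
2019-01-25T18:40:00 10.0.0.12 GET http://128.31.0.39/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, host) for every well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, client, _method, url = m.groups()
            yield datetime.fromisoformat(ts), client, urlparse(url).hostname.lower()

def find_indicator_hits(text, indicators=TROLDESH_INDICATORS):
    """Return (client, host) pairs for every request to a listed indicator host."""
    hosts = {refang_host(i) for i in indicators}
    return [(client, host) for _, client, host in parse_log(text) if host in hosts]

def find_ip_check_then_cnc(text, window=timedelta(minutes=10)):
    """Flag clients whose external-IP lookup is followed by CnC contact within `window`."""
    last_check, flagged = {}, []
    for ts, client, host in parse_log(text):
        if host == IP_CHECK_HOST:
            last_check[client] = ts
        elif host == CNC_HOST and client in last_check and ts - last_check[client] <= window:
            flagged.append(client)
    return flagged
```

In the constructed log only 10.0.0.45 is flagged by the sequence rule; 10.0.0.12 touches both hosts but more than ten minutes apart, so it shows up only in the plain indicator hits.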
ikolor
Fri Jan 25, 2019 5:31 pm

(attached sample files; viewing requires forum permissions)
ikolor
Tue Jan 29, 2019 1:49 pm

(attached sample files; viewing requires forum permissions)
Fedor22
Tue Jan 29, 2019 2:39 pm

ikolor wrote:
Tue Jan 29, 2019 1:49 pm
Some file.

https://www.virustotal.com/en/file/7132 ... /analysis/
Emotet downloader.
Downloads an exe from:

Code:

hxxp://koltukasistani.com/MQKx5tquZSaKOS_jjd5iV3ms
hxxp://karnatakajudo.org/Fr7JEg3XCtx
Connects to the CnC server:

Code:

hxxp://134.249.116.78/index.php
ikolor
Wed Jan 30, 2019 3:30 pm

(attached sample files; viewing requires forum permissions)