A forum for reverse engineering, OS internals and malware analysis 

 #32489  by Fedor22
 Sun Jan 20, 2019 6:36 pm
The second sample is just an adware bundle, which is downloaded from hxxp://disk-space.ru or something like that. In addition, it installs a bunch of unwanted software, like Mail.Ru Updates, My Web Shield, etc.
The address directs to:
hxxp://disk-space.ru/u/f68ab6d35d50666bdbea5bbae80cc3e5/7afac1d6a3/baza_valid.txt
It looks like a list containing passwords and emails for brute forcing.
The third sample is AutoIt spyware, which downloads the LaZagne hacktool from this IP address:
hxxp://62.108.34.111/rapido.file
I can't say anything concrete about the first sample, so I am sorry for that.
 #32514  by Antelox
 Fri Jan 25, 2019 9:05 am
ikolor wrote: Thu Jan 24, 2019 8:26 pm
thank you buddy.

https://www.virustotal.com/en/file/a4ba ... 548361352/
Geodo/Emotet doc downloader:

Downloads this binary: https://www.virustotal.com/#/file/46153 ... /detection

From:
hxxp://cannabiswebsite10.info/n0VCPGVYD
hxxp://iranbody.xyz/LLRFYL7
hxxp://kamelot.marketing-pr.biz/ql7XeiqG28
hxxp://khomyphamhanoi.com/TvTwWqcK0
hxxp://realgen-webdesign.nl/nE8npUCGq
BR,

Antelox
 #32520  by Fedor22
 Fri Jan 25, 2019 5:24 pm
ikolor wrote: Fri Jan 25, 2019 3:39 pm
thanks

https://www.virustotal.com/en/file/97f0 ... 548431560/

https://www.virustotal.com/en/file/6fe7 ... 548430639/
The first sample is Troldesh (Shade) ransomware.
It checks for its external IP and connects to the CnC server:
hxxp://whatismyipaddress.com/
hxxp://128.31.0.39
Email, extension and URLs to Tor:
Email: pilotpilot088@gmail.com
Extension: .crypted000007
URLs: hxxp://cryptsen7fo43rr6.onion.to/
hxxp://cryptsen7fo43rr6.onion.cab/
And the second sample is maybe a RAT or spyware.
It connects to the sites:
hxxp://js.nindejia.com
hxxp://clientbi.gz.1251415748.clb.myqcloud.com