WinNT/BlackEnergy

Forum for analysis and discussion about malware.
R136a1
Forum Admin
Posts: 225
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Black Energy 2.1+

Post by R136a1 » Sat Apr 21, 2012 8:28 am


rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Black Energy 2.1+

Post by rkhunter » Tue Jun 17, 2014 11:34 am

http://www.f-secure.com/weblog/archives/00002715.html

Driver in attach.

MD5: 462860910526904ef8334ee17acbbbe5
SHA1: 26b9816b3f9e2f350cc92ef4c30a097c6fec7798
SHA256: e791718c0141e3829608142fb0f0d35c9af270f78ae0b72fce2edd07a9684568

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Black Energy 2.1+

Post by EP_X0FF » Tue Jun 17, 2014 12:43 pm

A sample of the BlackEnergy family was recently uploaded to VirusTotal from Ukraine
They forgot to add the hysterics part about the Kremlin's hand. Oops.
Ring0 - the source of inspiration

Cr4sh
Posts: 77
Joined: Sun Mar 14, 2010 6:07 pm

Re: Black Energy 2.1+

Post by Cr4sh » Wed Jun 18, 2014 7:53 am

Nice, someone is still using and supporting my six-year-old crap from 2008.

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Black Energy 2.1+

Post by rkhunter » Wed Jul 02, 2014 7:39 pm

One more sample.

http://www.f-secure.com/weblog/archives/00002721.html

MD5: d98bd7e2ff62ed478ddbd0007831656e
SHA-1: 0d4d3bc51798a4c95ea4dfba8960b9ef948f404c
SHA-256: ffab26134f4c6674a6d0e6d96c11fab5c6dbb2781eedc0ff5ed3226ff56f434e

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Black Energy 2.1+

Post by rkhunter » Fri Sep 26, 2014 4:16 pm


Mad_Dud
Posts: 6
Joined: Thu Jun 06, 2013 3:15 pm

Re: Black Energy 2.1+

Post by Mad_Dud » Thu Nov 06, 2014 10:51 am

It seems like there are two new unique observables identified in the BlackEnergy used in the Sandworm operation:
  • Bots started to receive a "destr" command, which destroys the hard disk by overwriting it with random data (at the application level and at the driver level) at a certain time.
  • Bots also use Google+ to check whether the botnet master has changed the IP address of the CnC server. The bots fetch a profile image and decode it in search of the new IP using steganography algorithms.
Source: http://securelist.com/blog/research/673 ... -profiles/
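An added example, not from this thread or from any published BlackEnergy analysis: the second observable above (a C2 address hidden inside an image fetched from a public profile) is the kind of thing an analyst wants to be able to pull apart offline. The script below assumes a plain least-significant-bit scheme over raw pixel bytes with a 4-byte big-endian length prefix; the real BlackEnergy decoding routine is not described in the post and this is only a stand-in for it. The embedding function exists solely to construct a test image inline, and the IP address used is a constructed RFC 5737 documentation address.

```python
import re

# Candidate dotted-quad pattern over bytes; octet range is checked separately.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
LENGTH_PREFIX_BITS = 32  # 4-byte big-endian payload length


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Test-only embedder (assumed scheme): write len(payload) and payload
    into the least significant bit of successive pixel bytes."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(pixels: bytes, bit_offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from LSBs starting at pixel index bit_offset."""
    result = bytearray()
    for b in range(count):
        val = 0
        for i in range(8):
            val = (val << 1) | (pixels[bit_offset + b * 8 + i] & 1)
        result.append(val)
    return bytes(result)


def extract_lsb(pixels: bytes) -> bytes:
    """Analyst-side extractor for the assumed scheme. Returns b"" when the
    length prefix cannot fit in the image, which is what an unmodified
    cover image (random or natural LSB noise) almost always produces."""
    if len(pixels) < LENGTH_PREFIX_BITS:
        return b""
    length = int.from_bytes(_read_lsb_bytes(pixels, 0, 4), "big")
    capacity = (len(pixels) - LENGTH_PREFIX_BITS) // 8
    if length == 0 or length > capacity:
        return b""
    return _read_lsb_bytes(pixels, LENGTH_PREFIX_BITS, length)


def find_c2_candidates(pixels: bytes) -> list:
    """Extract the hidden payload and return every plausible IPv4 address in it."""
    payload = extract_lsb(pixels)
    found = []
    for match in IPV4_RE.findall(payload):
        text = match.decode("ascii")
        if all(0 <= int(octet) <= 255 for octet in text.split(".")):
            found.append(text)
    return found


def make_cover(size: int = 4096) -> bytes:
    """Constructed deterministic cover 'image': a repeating 0..255 ramp whose
    alternating LSBs decode to an impossibly large length (no hidden payload)."""
    return bytes(range(256)) * (size // 256)


if __name__ == "__main__":
    clean = make_cover()
    stego = embed_lsb(clean, b"198.51.100.7")  # constructed documentation IP
    print("clean cover:", find_c2_candidates(clean))   # []
    print("stego image:", find_c2_candidates(stego))   # ['198.51.100.7']
```

In practice the extractor would be run over the raw decoded pixel buffer of the downloaded profile image (after PNG or JPEG decoding), and a non-empty candidate list is the signal to pivot into network telemetry for connections to that address.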

ikolor
Posts: 327
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sun Nov 12, 2017 7:02 pm


EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware collection

Post by EP_X0FF » Wed Jan 09, 2019 8:20 am

Remains of BlackEnergy with Kaspersky fanboy inside. Posts moved.
Ring0 - the source of inspiration
