A forum for reverse engineering, OS internals and malware analysis 

 #8590  by EP_X0FF
 Fri Sep 16, 2011 2:03 pm
BitDefender posted about LockEmAll.

Cyber-Extortion Scam Issues False Child Porn Accusations

Nothing really interesting or new, aside from the fact that they forget (or don't know) that this ransom is distributed through Tizer networks and exploits from Blackhole, not only from fake porn sites.
BTW, this blocker has been ITW for about 1.5 years (if we sum the lifetime of both versions).
 #8992  by rough_spear
 Thu Oct 06, 2011 5:05 pm
Hi, 8-)
Fraud software. Same malware, but with a difference in file size and MD5.

Weblink - hxxp://1.fov8imd.ru/w.php?f=589&e=2
File size - 30 KB
MD5: e27e9c1b6c22b334e4eb683765c5969c
SHA1: dd7a3c1666536f52227a29989da48359ddccf990
SHA256: 2b9219fc303aa95f22ffb9082c61c3a019958162a7555e794253b246b1bb2dd0
ssdeep: 768:A9XZN75ov/6kkPq+rSvpODvFULMObh0lde+fbH:oXXyX6RXr6pODvFsMOGdzfL

VT link - http://www.virustotal.com/file-scan/rep ... 1317917244

Weblink - hxxp://1.fov8imd.ru/w.php?f=591&e=2
File size - 31 KB
MD5: 47d0dfa2460fec996ee394363c7b66ea
SHA1: 4e18050b6f4723e327dedd3ed751d79a6230844f
SHA256: b8f19e0e5282c6250e51a3c42d0630106cc0604855aec6c031ab16ba85d41b47
ssdeep: 768:wztygB5dqzg4fSmhH5HNxOxvMxBHngXSW:erdmjFrDNh

VT link - http://www.virustotal.com/file-scan/rep ... 1317915626

Regards,


rough_spear. ;)
 #9002  by EP_X0FF
 Fri Oct 07, 2011 12:20 am
This is Trojan Ransom LockEmAll and these links come from Blackhole. Wrong thread.

Posts moved.
 #9513  by EP_X0FF
 Wed Nov 02, 2011 4:50 pm
The Blackhole host at 89.208.141.171 went down two days ago; the new Blackhole location is 79.137.226.93.

Currently it's the vjl3dvj.ru domain + a few reserved for future use.

Blackhole link format:

http://domainname/random_script_name.php?f=ID

The script name changes a few times per day, as do the ransoms they deliver (repacks). Currently the starting ID to look up is > 700 and the script name is s.php.
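The link format and hosts described in the posts above can be turned into a simple proxy-log check. The following is an added example written for this page, not code from the forum or from any of the posters; the log line format, the watchlist built from the hosts named in the thread, and the ID threshold are all assumptions, and the sample log is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts named in the thread as Blackhole / LockEmAll delivery points. Treating them
# as a static watchlist is an assumption for this example; the posts show they rotate.
KNOWN_HOSTS = {"1.fov8imd.ru", "vjl3dvj.ru", "89.208.141.171", "79.137.226.93"}

# Link shape from the post: http://domainname/random_script_name.php?f=ID
# The earlier w.php?f=589&e=2 links carry an optional extra e= parameter.
BLACKHOLE_URL = re.compile(
    r"^https?://(?P<host>[^/\s:?#]+)(?::\d+)?/(?P<script>[A-Za-z0-9_-]+)\.php"
    r"\?f=(?P<fid>\d+)(?:&e=(?P<e>\d+))?$"
)


@dataclass
class Hit:
    client: str
    host: str
    script: str
    fid: int
    confidence: str  # "high" when the host is on the watchlist, otherwise "low"


def normalise_url(url: str) -> str:
    # Indicators pasted from forums are usually defanged as hxxp://; undo that
    # so the same matcher works on pasted IoCs and on real log lines.
    if url.lower().startswith("hxxp"):
        return "http" + url[4:]
    return url


def match_url(url: str, client: str = "", min_id: int = 0) -> Optional[Hit]:
    m = BLACKHOLE_URL.match(normalise_url(url))
    if not m:
        return None
    host = m.group("host").lower()
    fid = int(m.group("fid"))
    if host in KNOWN_HOSTS:
        return Hit(client, host, m.group("script"), fid, "high")
    # Unknown host: "<name>.php?f=<number>" alone is weak evidence, so only flag
    # it when the ID is in the range the post says the campaign had reached.
    if fid > min_id:
        return Hit(client, host, m.group("script"), fid, "low")
    return None


def scan_log(text: str, min_id: int = 700) -> List[Hit]:
    # Constructed log format (assumption): "<timestamp> <client_ip> <method> <url> <status>"
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        hit = match_url(parts[3], client=parts[1], min_id=min_id)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log: two hosts from the thread, one benign site, one unknown host.
SAMPLE_LOG = """\
2011-10-06T16:58:01Z 10.0.0.12 GET http://1.fov8imd.ru/w.php?f=589&e=2 200
2011-10-06T16:58:03Z 10.0.0.12 GET http://www.example.org/index.php?page=2 200
2011-11-02T15:41:10Z 10.0.0.25 GET http://vjl3dvj.ru/s.php?f=712 200
2011-11-02T15:42:00Z 10.0.0.31 GET http://unknown-host.example/q.php?f=733 302
2011-11-02T15:43:00Z 10.0.0.31 GET http://vjl3dvj.ru/s.php?f=12 200
2011-11-02T15:44:00Z 10.0.0.40 GET http://other.example/a.php?f=5 200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.confidence:4} {h.client} -> {h.host}/{h.script}.php f={h.fid}")
```

The watchlist gives high-confidence hits regardless of ID, while the ID threshold only matters for hosts not yet on the list; since the post says both the script name and the hosts change often, the regex on the URL shape is what keeps the check useful between watchlist updates.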
 #19621  by Xylitol
 Thu Jun 13, 2013 12:04 am