Necurs - another x64 rootkit

Forum for analysis and discussion about malware.
Aleksandra
Posts: 79
Joined: Sun Jun 05, 2011 9:34 pm

Re: Win32/Zeus (alias Zbot)

Post by Aleksandra » Mon Mar 24, 2014 2:42 am


Xylitol
Global Moderator
Posts: 1680
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Necurs - another x64 rootkit

Post by Xylitol » Fri May 16, 2014 3:13 pm


Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Necurs - another x64 rootkit

Post by Win32:Virut » Fri May 16, 2014 8:04 pm

3 drivers

hx1997
Posts: 101
Joined: Sat Apr 07, 2012 12:16 am

Re: Necurs - another x64 rootkit

Post by hx1997 » Sun May 25, 2014 2:07 pm


Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Re: Necurs - another x64 rootkit

Post by Blaze » Mon May 26, 2014 11:24 am

Droppers + driver attached.

Exe:
a5923e1efd90be7542c779184f4a7843
f681b38447a16e4d6c9ae4837bfb407b

Sys:
fb7a765c02c06123958c20512c1b8e6a

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Necurs - another x64 rootkit

Post by thisisu » Tue Jun 03, 2014 5:50 am

Credits to Malekal_morte for providing the dropper on his website.

.sys + .exe/dropper attached

syshost.exe -- dabea808bb91f02e158cdbcbf3e8a790 -- https://www.virustotal.com/en/file/2b64 ... 401773988/
79051d41d365f350.sys -- ca82853fd71df06831edf7ffede4b1d5 -- https://www.virustotal.com/en/file/b94e ... 401773274/

forty-six
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm

Re: Necurs - another x64 rootkit

Post by forty-six » Mon Jun 09, 2014 7:12 pm

More Necurs:

Code:

bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
runas
ComSpec
\\.\NtSecureSys

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Necurs - another x64 rootkit

Post by rkhunter » Tue Jun 17, 2014 8:09 am


achn30
Posts: 2
Joined: Sat Jun 21, 2014 2:44 pm

Need little help :)

Post by achn30 » Tue Jul 29, 2014 10:18 pm

I have something here: virustotal.com/en/file/c8b6ae219c944f4a6362b22dad1a3cf25a31ca2dbe5ec96d645c031ad7332bf0/analysis/1406668147/
but actually I'm stuck in unpacking ... lots of anti-debugging tricks ://

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Need little help :)

Post by EP_X0FF » Wed Jul 30, 2014 4:07 am

It is a Necurs downloader.
Ring0 - the source of inspiration
