A forum for reverse engineering, OS internals and malware analysis 
 #30588  by markusg
 Fri Jul 14, 2017 7:25 am
Open directory.
An exploit and other malware:
http://no2ro.com/17tes.doc
http://no2ro.com/gibsoncrypter.zip
http://no2ro.com/gibtest.exe
http://no2ro.com/kasati.exe
http://no2ro.com/test.hta
SHA256: 0305c67f80b56dc3b27ab2b27348862880bc23517ddce74e87a4a6fdcd2f0b9f
Filename: 17tes.doc
Detection rate: 19 / 57
https://www.virustotal.com/de/file/0305 ... 500015953/

I unpacked gibsoncrypter.zip; now the results of 2 exe files:

SHA256: 18cae9f4f96d356db18924b182843e27e0759ef95422c1156e3588bfd60985a2
Filename: BalloonFastBuilder.exe
Detection rate: 1 / 63
https://www.virustotal.com/de/file/18ca ... 500016117/

SHA256: 454d6d2bc3603106bbdb151cf61ab50bfbe5cc63dc4d9a1da7c899b7c7e6e32a
Filename: stub.exe
Detection rate: 21 / 63
https://www.virustotal.com/de/file/454d ... 500016198/

SHA256: dc39f1371bbb11f724fb9bb00cbe0a00b83f6cf4dbd6e60ae31bd3d82d383f9a
Filename: gibtest.exe
Detection rate: 17 / 62
https://www.virustotal.com/de/file/dc39 ... 500016401/

SHA256: 339764b340b4c70a02835054993c13d7a2562b8ced06168ae1318ebc0c52680e
Filename: kasati.exe
Detection rate: 28 / 62
https://www.virustotal.com/de/file/3397 ... 500016841/
 #32411  by EP_X0FF
 Wed Jan 09, 2019 11:06 am
Most of posts moved to dedicated malware family topics.

False positives/offtopic removed.

Some posts cannot be moved because they contain packs of different malware.

Thread bump.
 #32452  by Fedor22
 Tue Jan 15, 2019 5:44 pm
ikolor wrote (Tue Jan 15, 2019 3:15 pm): Thanks for cleaning.

https://www.virustotal.com/en/file/fc03 ... 547571750/

https://www.virustotal.com/en/file/4955 ... 547565729/

https://www.virustotal.com/en/file/cfed ... 547565238/
The first one is an Emotet downloader. Downloads exe from:
hxxp://www.niteshagrico.com/z7ISltpB
and connects to CnC server:
hxxp://187.163.213.124:443/
The second is MSIL/APosT.
And the third is an Emotet downloader too. Downloads exe from:
hxxp://www.unitepro.mx/PyZTGc_yPRX0x_ik0aFT
and connects to CnC servers:
hxxp://187.207.58.148
hxxp://201.230.255.100
Last edited by Fedor22 on Tue Jan 15, 2019 5:59 pm, edited 1 time in total.
 #32454  by Antelox
 Tue Jan 15, 2019 6:10 pm
More binary distribution URLs contacted by the sample fc03e1f920d4d45b7a8b7151aab189fa6abec650cfdd34687a488414e27fac7d:
hxxp://kynangtuhoc.com/h6pTDOH
hxxp://www.dnenes.com.mx/Wmv9Lwru
hxxp://www.hopeintlschool.org/ebIV1do
hxxp://www.niteshagrico.com/z7ISltpB
hxxp://www.tenmiengiarenhat.com/bIfcRi8Kc
More binary distribution URLs contacted by the sample cfedb49ef13185d61f0e08af6c1f08fa2014e4106c974f532448ebdee25bc07e:
hxxp://www.jessie-equitation.fr/H4Nn9_X736_ajROTy
hxxp://www.kartonaza-hudetz.hr/LERDIp_zNxmr_9A2
hxxp://www.lidstroy.ru/adfdl_tnvFDCC
hxxp://www.nkalitin.ru/3ghp_FE5B5_77azu
hxxp://www.unitepro.mx/PyZTGc_yPRX0x_ik0aFT
BR,

Antelox