[Horgh]

And it's not even working, I successfully infected myself on my vmware machine without doing any modifications on the anti-* stuff. The malware performs successfully also on cuckoo sandbox ; so this is a big piece of crap.

[Xylitol]

https://www.security.nl/posting/361361/ ... gebruikers
https://www.virustotal.com/en/file/b278 ... 377514990/

[Horgh]

Lame delphi shit, packed with xpack + upx. No more softice antidebugger detection this time.
Config in base64 in the resources section :

Code: Select all

cp1:http://zipwog.biz/form.php:cp1cp2:http://zigwog.info/form.php:cp2mutx:Win_32:mutxcptm:20:cptmtml:4:tmlpage::pagedel:4:delkey:fei1vo5uceenour:keymainanti:AntiVirtualBox:0:AntiVirtualBoxAntiVMware:0:AntiVMwareAntiVirtualPC:0:AntiVirtualPCAntiSandboxie:0:AntiSandboxieAntiThreadExpert:0:AntiThreadExpertAntiWireshark:0:AntiWiresharkAntiJoeBox:0:AntiJoeBoxAntiRFP:0:AntiRFPAntiAllDebugger:0:AntiAllDebuggerAntiSunbeltSandboxie:0:AntiSunbeltSandboxie:mainanti

[Kafeine]

3f09fbc368f17edb61193d5db5ee0749

[Intimacygel]

Got a new FBI moneypak from customers box today if anyone wants it. Only 4/47 vendors catch it as of my submission to virustotal
https://www.virustotal.com/en/file/9224 ... /analysis/

[r3shl4k1sh]

Same delphi with a bunch of antis...
VT 44/56

Configs in resource section (not just base64):

Code: Select all

cp1:cplink<<http://a7-helium.biz/10/form.php>>cplinkcplink<<http://b7-golfix.org/10/form.php>>cplink:cp1cptm:15:cptmkey:f8a7b90c1e45bbbfa60736790bd3e859:keydebug:0:debugmainanti:AntiVirtualBox:1:AntiVirtualBoxAntiVMware:1:AntiVMwareAntiVirtualPC:1:AntiVirtualPCAntiSandboxie:1:AntiSandboxieAntiThreadExpert:1:AntiThreadExpertAntiWireshark:1:AntiWiresharkAntiJoeBox:1:AntiJoeBoxAntiRFP:1:AntiRFPAntiAllDebugger:1:AntiAllDebuggerAntiQemuVirtualPC:1:AntiQemuVirtualPCAntiWineVirtualPC:1:AntiWineVirtualPCAntiSunbeltSandboxie:1:AntiSunbeltSandboxieal:http://dms-nsk.pw/form2.php:al:mainanti

For the bf:
hxxp://a7-helium.biz/10/login.php

In attach original + unpacked.

[sysopfb]

C2s:
resolveasy.com/11/feed.php
a15-smo.biz/11/form.php


panel is login.php like usual
resolveasy.com/11/login.php
a15-smo.biz/11/login.php

[sysopfb]

Also

couples9.net/w1/form.php
couples9.net/w1/login.php

[r3shl4k1sh]

Kovter with very low detection VT 2/57

MD5: 7da0ebec60ea8125b3ef43d443fc58f9

Configs:

Code: Select all

cp1::230.16.31.188:80>18.125.199.124:80>32.194.149.180:80>75.65.74.41:20286>9.232.39.20:80>98.20.174.152:443>251.70.13.174:443>119.25.89.229:80>68.196.94.231:80>127.207.153.98:443>121.3.50.127:80>18.53.86.72:80>150.108.98.114:80>201.126.95.221:8080>66.129.110.158:80>23.39.121.108:80>187.198.52.101:80>152.195.135.85:34952>142.200.223.28:80>242.151.25.182:80>110.87.53.23:80>113.26.24.197:80>203.154.126.135:80>147.12.90.78:8080>24.71.33.44:443>116.45.50.200:443>85.211.216.89:443>185.42.86.154:80>66.71.123.149:80>29.171.244.217:80>143.240.181.97:29934>100.40.117.185:80>155.101.52.112:80>176.214.81.205:443>248.145.245.200:8080>13.117.179.194:443>232.131.202.150:443>203.15.230.181:443>187.57.110.80:80>37.186.106.110:80>203.146.42.132:80>241.232.233.61:80>15.7.43.30:80>40.29.77.146:80>51.86.106.153:8080>41.28.62.119:80>169.94.157.177:80>167.19.234.79:80>89.137.111.1:80>18.183.79.60:80>75.48.88.242:80>68.85.80.95:80>196.245.221.126:8080>247.199.186.48:80>4.125.108.250:80>225.233.247.14:80>212.224.200.176:80>199.196.89.180:80>180.182.195.114:80>110.91.80.62:80>233.2.26.48:80>188.114.92.166:80>199.149.193.146:80>6.58.29.157:443>31.215.44.29:80>90.154.83.50:8080>199.143.1.24:80>127.30.101.91:80>236.62.159.44:80>2.163.94.34:80>2.142.20.109:80>75.198.169.30:80>136.139.5.36:80>228.195.99.93:55971>254.118.240.203:80>91.206.195.167:80>110.245.185.197:80>242.234.79.214:80>82.180.192.158:80>249.190.178.51:80>62.153.237.245:80>21.25.39.198:80>31.105.168.93:80>26.190.9.61:443>112.30.3.148:80>41.19.39.179:80>105.38.191.236:443>207.39.104.14:80>224.85.196.63:80>177.29.250.236:80>44.195.18.81:8080>97.108.83.150:443>107.10.198.130:80>1.156.126.195:80>221.157.196.69:443>222.137.221.229:80>171.3.22.72:443>230.63.53.56:443>174.145.238.149:50391>142.215.155.2:35163>49.46.232.118:80>130.251.165.244:80>97.33.51.47:80>224.105.23.139:8080>18.250.235.215:443>157.179.7.182:80>58.240.130.239:8080>254.26.88.150:80>209.98.166.190:80>60.50.210.252:80>27.183.88.161:443>190.17.138.119:80>50.145.130.108:80>193.17.214.42:443>54.179.182.93:80>182.214.5.37:443>166.203.104.13:80>109.104.65.149:80>31.3.224.206:443>199.223.253.170:443>109.169.46.63:8080>173.248.136.89:51676>12.25.99.131:80>201.249.186.130:443>31.129.135.253:80>107.131.28.185:80>50.56.242.72:80>96.57.23.131:443>71.95.164.42:8080>::cp1cptm::30::cptmkey::a7887cc809cf0d4df17fc5dafd03e4e7::keypass::65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097::passdebug::0::debugmainanti::DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:1:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:1:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16Dal:http://b14-mini.ru/upload.php:al::mainanti

In attach original + unpacked

[virusremover]

how do you run these files :D