Win32/Urausy (aka "WinLocker") - Page 8

Re: Win32/Urausy (aka "WinLocker")

#21186 by Cody Johnston
Thu Oct 17, 2013 6:36 pm

Fresh from today

SHA256: 21972c7dac68aead72c0d04f82996aa87fddac9210bad346bc0658ec279eaff1
SHA1: ef07ede3790fa8f6ffe2a4aba66e1adbec7c1e86
MD5: 063e0fe4f07b247feddb9cb32f5a8ec8
Detection ratio: 12 / 47

https://www.virustotal.com/en/file/2197 ... 382033542/

Attachments

cache.zip

Password: infected
(47.86 KiB) Downloaded 95 times

Username

Cody Johnston

Posts

157

Joined

Sun May 01, 2011 4:33 pm

Location

Los Angeles, CA

Contact

Re: Win32/Urausy (aka "WinLocker")

#21368 by thisisu
Fri Nov 08, 2013 8:46 pm

Sorry couldn't find a proper home for this one.

MS identifies as TrojanDownloader:Win32/Cbeplay.R but description on their site doesn't seem to match the very obvious ransomware screen w/ audio that I experienced.

https://www.virustotal.com/en/file/c5e2 ... /analysis/
http://www.microsoft.com/security/porta ... ay.R#tab=2

Code: Select all

HKLM\...\Run: [yCpCQSpcQDy4] - C:\Documents and Settings\Owner\Local Settings\Application Data\RsbYH13.exe [154624 2013-07-23] (Microsoft Corporation)

Attachments

RsbYH13.zip

pass: infected
(110.02 KiB) Downloaded 76 times

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Win32/Urausy (aka "WinLocker")

#21369 by nullptr
Sat Nov 09, 2013 8:50 am

thisisu wrote: MS identifies as TrojanDownloader:Win32/Cbeplay.R but description on their site doesn't seem to match the very obvious ransomware screen w/ audio that I experienced.

This is Cbeplay ransomware as described at http://malware.dontneedcoffee.com/2013/ ... ks-to.html
Extracted executables + decrypted strings attached.

Attachments

cbeplay.zip

pwd: infected
(96.21 KiB) Downloaded 72 times

Username

nullptr

Posts

209

Joined

Sun Mar 14, 2010 6:35 am

Re: Win32/Urausy (aka "WinLocker")

#21371 by thisisu
Sat Nov 09, 2013 6:12 pm

Nice find, thank you

Here is another sample, this time Urausy -- MD5: 9bf9bcad600fb7f8d3014a0331e4284a

Code: Select all

Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Other.exe ()
HKU\Owner\...\Winlogon: [Shell] explorer.exe,C:\Users\Owner\AppData\Roaming\Other.res [ 2011-11-16] () <==== ATTENTION

https://www.virustotal.com/en/file/c418 ... 384020275/

Attachments

Other.zip

pass: infected
(78.51 KiB) Downloaded 100 times

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Trojan:Win32/Urausy.C

#21699 by colbyiscute4e
Mon Dec 16, 2013 4:55 pm

Fbi moneypack virus

Attachments

video_HD.zip

infected
(47.15 KiB) Downloaded 111 times

Username

colbyiscute4e

Posts

11

Joined

Mon Dec 16, 2013 4:29 pm

Re: Trojan:Win32/Urausy.C

#21711 by colbyiscute4e
Tue Dec 17, 2013 2:46 pm

Can one of the experenced users please tell me what i did do right and what i didnt do right
Thanks,
Colby

Username

colbyiscute4e

Posts

11

Joined

Mon Dec 16, 2013 4:29 pm

Re: Trojan:Win32/Urausy.C

#21713 by Xylitol
Tue Dec 17, 2013 3:03 pm

colbyiscute4e wrote:Can one of the experenced users please tell me what i did do right and what i didnt do right
Thanks,
Colby

what's do you mean ?

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Win32/Urausy

#21721 by colbyiscute4e
Tue Dec 17, 2013 6:20 pm

Should i put more about it or what could it do.. I just joined and read the rules so bear with me..
Colby :D

Username

colbyiscute4e

Posts

11

Joined

Mon Dec 16, 2013 4:29 pm

Re: Win32/Urausy

#21735 by thisisu
Wed Dec 18, 2013 11:32 pm

colbyiscute4e wrote:Should i put more about it or what could it do.. I just joined and read the rules so bear with me..
Colby :D

As a courtesy you can upload the malware to VirusTotal (https://www.virustotal.com) and add a link to your post. Screenshots of the malware and any reversing tips about said malware are also appreciated but not required.

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact