A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20604  by unixfreaxjp
 Mon Aug 26, 2013 7:41 am
Somehow I cannot upload the sample archive, so below is the download link.
Today's round of Kelihos binaries, the full sample set:
http://www.mediafire.com/?8jdc0zz4yxay4jg
Average detection ratio today is 15/46

VT links are for members only (for security purposes)
Attachments
Screen Shot 2013-08-24 at 5.10.26 PM.png
Payloads/samples under varied file names

sh-3.2$ date
Mon Aug 26 15:43:04 JST 2013
:
4479351c082f6dffbf3ddef0c3aadf37
51e577d8aafd59031b2b9c41616816bf
11f33e969598438dd32a1efb019b7852
5bc8cede063a661765889f3c5d408ba7
febe26169f36b5e49fde4a98c4a6fe36
93b5bfba4189d2b20bb8c25cd8351ff6
2c7376d3ea5c9232bf926d42c5a56ddc
eec1dc188005db1e95c2546e84131b5
fa4d9eefab9b274b660eafd1bcc7deeb
735813740d68d2c7cd40b9bd3cde2f31
8df45f6be7dcd3bf48fee1d2ed5251c4
3bc417ede5c181982e4b3b587938f584
f834e0f498eec274a64c1defab4172b1
sh-3.2$

Payloads per VT checks with average detection ratio 15/46:
https://www.virustotal.com/en/file/5d596cf13ace35f128878dc76e9e9c91699c06433e37e2a29db513afa7ce4f09/analysis/1377499791/
https://www.virustotal.com/en/file/cc57d01e655bdc4d71216d9339dd9faad5ecb7a2f8bfe4e0d11e342c7ffd8da1/analysis/1377499827/
https://www.virustotal.com/en/file/3a485c0ccab1f5d401f5fad687c42baa19edf95fe5ae51d349bc7761d0517ae8/analysis/1377499847/
https://www.virustotal.com/en/file/514b708096e404c571fee7dc9d2069710c504332f5ba385e1a86acce989e01ec/analysis/1377499864/
https://www.virustotal.com/en/file/c8d0daa227d2cbf3372b338dc6c38b351a5a37833ab25c142f63745c7bcfb525/analysis/1377499900/
https://www.virustotal.com/en/file/28f1d6c9dc59ba60ca9fb224496b290a2d435ac6e07af2cd491a6af02eb13fef/analysis/1377499917/
https://www.virustotal.com/en/file/b430bdd09471f02a500e3a89c2c8968f2bb7a80c5c822adf212ec93ad41f1f41/analysis/1377499943/
https://www.virustotal.com/en/file/22cf23222ef92281b136d189e7fc752a1a6deb54df7085d5bd0d357a969e0fbe/analysis/1377499980/
https://www.virustotal.com/en/file/c96f4eb9214fe7d0db9c1213b00f935ff7df47a383485a344150700a059f7b63/analysis/1377499998/
https://www.virustotal.com/en/file/1bf4ca0fa5ca421c3639f941df8094af02c87ffda2622e04bb0a82a85e14b37d/analysis/1377500012/
https://www.virustotal.com/en/file/07cf03c69e4f6185a07756a781c5f3a6aa80d3e48e97d5ef19aa85a2e822ceb6/analysis/1377500043/
https://www.virustotal.com/en/file/17e47fb806603982574cc184d70b9bf84247d784ebcc9e6b5e81197c3b4f3d8e/analysis/1377500310/
https://www.virustotal.com/en/file/cd45114457b6bb440eea193eb4d609b00c61370105bd02e65dd0cb7b84dcfb04/analysis/1377500330/

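The post above lists samples by MD5 and then links VirusTotal reports, which are keyed on SHA-256, so cross-referencing the two means hashing each file both ways. The helper below is an added example and not code from the post or its author: it hashes every file in a directory, builds the VirusTotal report URL in the same form as the links above (without the per-scan timestamp segment), and sanity-checks a pasted hash list for copy/paste damage such as a dropped hex digit, non-hex characters or duplicates. The two sample files it writes are constructed stand-ins, not real binaries, and the `samples` directory is a temporary one created for the run.

```python
"""Triage helper: hash a directory of samples (MD5 + SHA-256), emit VirusTotal
report URLs keyed on SHA-256, and validate a pasted hash list.

Added example, not code from the forum post. The sample files are constructed
here for illustration; the VT URL form mirrors the links in the post.
"""
import hashlib
import os
import re
import tempfile

VT_URL = "https://www.virustotal.com/en/file/{sha256}/analysis/"

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def hash_file(path, chunk=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed in chunks so a
    large sample is never read into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def vt_url(sha256):
    """VirusTotal report URL keyed on SHA-256 (the form used in the post)."""
    return VT_URL.format(sha256=sha256)


def hash_directory(directory):
    """Hash every regular file directly under `directory`; rows are sorted by
    file name so the listing is stable across runs."""
    rows = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        md5, sha256 = hash_file(path)
        rows.append({"name": name, "md5": md5, "sha256": sha256, "vt": vt_url(sha256)})
    return rows


def check_hash_list(lines):
    """Validate a pasted list of MD5/SHA-256 digests.

    Returns (valid, bad): `valid` keeps well-formed, unique digests in order;
    `bad` maps each rejected entry to the reason (wrong length, non-hex,
    duplicate). Case is normalised to lowercase before comparison."""
    valid, bad, seen = [], {}, set()
    for raw in lines:
        h = raw.strip().lower()
        if not h:
            continue
        if MD5_RE.match(h) or SHA256_RE.match(h):
            if h in seen:
                bad[h] = "duplicate"
            else:
                seen.add(h)
                valid.append(h)
        elif re.fullmatch(r"[0-9a-f]+", h):
            bad[h] = "hex but %d chars (not 32 or 64)" % len(h)
        else:
            bad[h] = "not a hex digest"
    return valid, bad


# The MD5 list as it appears in the post (copied, including the short entry).
POSTED_MD5S = """
4479351c082f6dffbf3ddef0c3aadf37
51e577d8aafd59031b2b9c41616816bf
11f33e969598438dd32a1efb019b7852
5bc8cede063a661765889f3c5d408ba7
febe26169f36b5e49fde4a98c4a6fe36
93b5bfba4189d2b20bb8c25cd8351ff6
2c7376d3ea5c9232bf926d42c5a56ddc
eec1dc188005db1e95c2546e84131b5
fa4d9eefab9b274b660eafd1bcc7deeb
735813740d68d2c7cd40b9bd3cde2f31
8df45f6be7dcd3bf48fee1d2ed5251c4
3bc417ede5c181982e4b3b587938f584
f834e0f498eec274a64c1defab4172b1
"""


def demo():
    """Write two constructed files into a temp dir, hash them, and validate
    the posted list. Returns (rows, valid, bad)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample_a.exe"), "wb") as f:
            f.write(b"")  # empty file: digests are the well-known empty-input values
        with open(os.path.join(d, "sample_b.exe"), "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)  # constructed stub, not a real PE
        rows = hash_directory(d)
    valid, bad = check_hash_list(POSTED_MD5S.splitlines())
    return rows, valid, bad


if __name__ == "__main__":
    rows, valid, bad = demo()
    for r in rows:
        print(r["name"], r["md5"], r["sha256"], r["vt"])
    print("%d valid hashes, %d malformed: %s" % (len(valid), len(bad), bad))
```

Run against the list in the post, the checker flags one entry as 31 hex characters, which cannot be an MD5; a digest that short will never match a VirusTotal record or a local index, so it is worth catching before the list is shared further.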
 #22475  by EP_X0FF
 Wed Mar 19, 2014 3:02 am
Hello,

It is a very simple dedicated Kelihos/Waledac downloader (TrojanDownloader:Win32/Waledac). The decrypted sample is attached.

But I found a piece of funny code.
kelihos_fail.png
Posts moved.
Attachments
pass: infected
 #22497  by wacked2
 Thu Mar 20, 2014 7:38 pm
EP_X0FF wrote:Hello,

It is a very simple dedicated Kelihos/Waledac downloader (TrojanDownloader:Win32/Waledac). The decrypted sample is attached.

But I found a piece of funny code.
kelihos_fail.png
Posts moved.
I like the LoadLibrary("kernel32.dll") in BlackEnergy and some code from HF people more.
 #22563  by darkladdie
 Wed Mar 26, 2014 3:01 am
What is the password for the file? The usual one is not working. Thanks in advance.
 #22564  by darkladdie
 Wed Mar 26, 2014 3:07 am
Never mind my previous reply. The problem was with the unzipping program I was using.