virusremover wrote:how do you run these files :DWith magic. Something more specific to ask?
Ring0 - the source of inspiration
A forum for reverse engineering, OS internals and malware analysis
Kovter using Poweliks methods:
https://reaqta.com/2015/09/poweliks-fil ... -evolving/
Config:
http://pastebin.com/5C6cjamP
Sample:
https://www.virustotal.com/en/file/673b ... /analysis/
Thanks to Horgh for clarifying
https://reaqta.com/2015/09/poweliks-fil ... -evolving/
Config:
http://pastebin.com/5C6cjamP
Sample:
https://www.virustotal.com/en/file/673b ... /analysis/
Thanks to Horgh for clarifying
Attachments
PW: infected
(273.88 KiB) Downloaded 95 times
(273.88 KiB) Downloaded 95 times
Malware Reversing
http://www.malware-reversing.com
http://www.malware-reversing.com
R136a1 wrote:Kovter using Poweliks methods:Oh lol, this gang still use Delphi, after so many years...
https://reaqta.com/2015/09/poweliks-fil ... -evolving/
It took them 1.5 years to translate Powerliks idea in Delphi code. Of course this have nothing in common with original Poweliks which I believe came from Alureon devs (wowliks as previous version).
Fully decrypted Delphi EXE in attach.
Decrypted VT result.
https://www.virustotal.com/en/file/b320 ... 442505459/
Attachments
pass: infected
(141.86 KiB) Downloaded 80 times
(141.86 KiB) Downloaded 80 times
Ring0 - the source of inspiration
A client was hit with Kovter. The dropper {flashplayer.exe, 0433edb27a1ef8028cbdc8ba973693576d6b76bb2d6f29dc7eb474978d4e465c} was downloaded from http://soophsakeena.com/6321112935147/6 ... player.exe (https://virustotal.com/en/url/29194a1fb ... /analysis/). It's not letting me download the file directly so if anyone has this particular piece or can access the file from the site I'd appreciate it. Thanks.
0433edb27a1ef8028cbdc8ba973693576d6b76bb2d6f29dc7eb474978d4e465c is not in VT , do you have another hash?
Unfortunately I don't. SHA-256 is the only hash type the reporting tool on the system recorded. I've been checking Google, Malwr, VT, etc everyday and it's not showing anywhere.
having trouble finding the actual payloads.. but got a step closer.
https://virustotal.com/en/domain/soophs ... formation/
droppers everywhere (examples attached):
wscript (3/57!)
https://virustotal.com/en/file/d368c350 ... /analysis/
powershell (1/57 !!)
https://virustotal.com/en/file/45485ad4 ... /analysis/
I have a good idea: Don't bother running AV since it does nothing anyway. Problem solved. ;)
https://virustotal.com/en/domain/soophs ... formation/
droppers everywhere (examples attached):
wscript (3/57!)
https://virustotal.com/en/file/d368c350 ... /analysis/
powershell (1/57 !!)
https://virustotal.com/en/file/45485ad4 ... /analysis/
I have a good idea: Don't bother running AV since it does nothing anyway. Problem solved. ;)
Attachments
(1.18 KiB) Downloaded 74 times
kovter is polymorphic, this could be the reason why you can't find the sample by hash
attached is dropper I think, didn't look at it yet but that's what it looks like from this HA report: https://www.hybrid-analysis.com/sample/ ... mentId=100
attached is dropper I think, didn't look at it yet but that's what it looks like from this HA report: https://www.hybrid-analysis.com/sample/ ... mentId=100
Attachments
(250.88 KiB) Downloaded 68 times
From hxxp://a.pomf.cat
https://www.hybrid-analysis.com/sample/ ... mentId=100
https://www.virustotal.com/en/file/28ad ... 466344590/ (the unpacked)
https://www.hybrid-analysis.com/sample/ ... mentId=100
https://www.virustotal.com/en/file/28ad ... 466344590/ (the unpacked)
Attachments
(502.26 KiB) Downloaded 71 times
@xorsthingsv2
