A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12837  by R136a1
 Sat Apr 21, 2012 8:28 am
Attachments
PW: infected
(36.67 KiB) Downloaded 150 times
 #23135  by rkhunter
 Tue Jun 17, 2014 11:34 am
http://www.f-secure.com/weblog/archives/00002715.html

Driver in attach.

MD5: 462860910526904ef8334ee17acbbbe5
SHA1: 26b9816b3f9e2f350cc92ef4c30a097c6fec7798
SHA256: e791718c0141e3829608142fb0f0d35c9af270f78ae0b72fce2edd07a9684568
Attachments
pass:infected
(52.47 KiB) Downloaded 122 times
 #23138  by EP_X0FF
 Tue Jun 17, 2014 12:43 pm
A sample of the BlackEnergy family was recently uploaded to VirusTotal from Ukraine
They forgot to add hysterics part about Kremlin hand. Ops.
 #23263  by rkhunter
 Wed Jul 02, 2014 7:39 pm
One more sample.

http://www.f-secure.com/weblog/archives/00002721.html

MD5: d98bd7e2ff62ed478ddbd0007831656e
SHA-1: 0d4d3bc51798a4c95ea4dfba8960b9ef948f404c
SHA-256: ffab26134f4c6674a6d0e6d96c11fab5c6dbb2781eedc0ff5ed3226ff56f434e
Attachments
pass:infected
(69.53 KiB) Downloaded 154 times
 #24290  by Mad_Dud
 Thu Nov 06, 2014 10:51 am
It seems like there are two new unique observables identified in Black Energy used in Sandworm operation:
  • Bots started to receive "destr" command, which destroys hard disk by overwriting with random data (on application level and driver level) at a certain time.
  • Bots also use Google+ to check if botnet master changed IP address of the CnC server. The bots fetch profile image and decode it in search for the new IP using stenography algorithms.
Source: http://securelist.com/blog/research/673 ... -profiles/