A forum for reverse engineering, OS internals and malware analysis 

German Ransom (GEMA, GVU, InetAccelerator)

Forum for analysis and discussion about malware.

Re: Trojan Ransom / FakePoliceAlert

 #10650  by rkhunter
 Wed Dec 28, 2011 3:03 pm
markusg wrote:dllhsts.exe
MD5   : 8fbd78ee09d1467920b47fad3702d65a
https://www.virustotal.com/file-scan/re ... 1325079026
Image

Copies itself to %appdata%\Microsoft\dllhsts.exe
Runs from : HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{DB3BF3D9-5F9E-11DD-A073-806D6172696F}

Responce to:
feyana.jino.ru POST /index.php HTTP/1.1
feyana22.ru POST /index.php HTTP/1.1
feyana44.ru POST /index.php HTTP/1.1

Re: Trojan Winlock / Ransom / ScreenLocker

 #10916  by rkhunter
 Mon Jan 09, 2012 5:49 am
GEMA Locker - Trojan:Win32/LockScreen.BO

9/43 >> 20.9%

Image

Copies itself to %appdata%\ActiveX32_64lo.exe.
Autorun from:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\olmwKSKlNdgCU6b
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\olmwKSKlNdgCU6b
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
[www].fuehlediecon.com GET /wasgehtalter_panel/gate.php?...
[www].fuehlediebezahlung.com GET /wirbrauchenbass_bezahlung/index.php
[www].uploadmusic.org GET /MUSIC/6540321325490242.mp3
Attachments
pass:infected
(280.77 KiB) Downloaded 57 times
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7
  • 12
 Return to “Malware”