A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21421  by frohboy33
 Tue Nov 19, 2013 10:45 pm
I have tried about 15 of these Reveton files to infect a PC, but I am unsuccessful. They seem to run, but I never get the lock screen. Any ideas or help?
 #21438  by bitstechs
 Sun Nov 24, 2013 2:52 am
frohboy33 wrote: I have tried about 15 of these Reveton files to infect a PC, but I am unsuccessful. They seem to run, but I never get the lock screen. Any ideas or help?
Hello frohboy33,

Are you using an actual PC or a virtual machine? If you're using a virtual machine, I would recommend you read this thread, as a lot of those viruses are capable of VM detection. http://www.kernelmode.info/forum/viewto ... =11&t=1911
 #22148  by Xylitol
 Thu Feb 06, 2014 1:45 pm
Reveton
https://www.virustotal.com/en/file/a507 ... 391694103/ 4/50
X:\\PGP\\Programming\\JimmMonsterNew\\ServerWinlock\\Source\\SysUtils.pas
anti-VMware/VBox etc.
Attachments
infected
 #23063  by thisisu
 Sat Jun 07, 2014 10:16 pm
ICE Cyber Crime Center with low detection (4/51). Fresh from a customer's computer.

MD5 5651aa11bf10475e23c049f3c61f6dd1
SHA1 4e1f5b15668dcc25434d469d2d308f1b2fc95358
SHA256 bc495ccdb5013fe9cdfbf8c14979d40e7f17d0e07e17728b9891f4bfa9ab01c4
https://www.virustotal.com/en/file/bc49 ... 402178273/

Malicious entries I found:
Code:
2014-06-07 06:18 - 2014-06-07 06:25 - 00000000 ____D () C:\ProgramData\354CBA050729A3277B5147D1A633FA01
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\354CBA050729A3277B5147D1A633FA01\jrjz70zcl.cpp ()
S2 Winmgmt; C:\ProgramData\354CBA050729A3277B5147D1A633FA01\lcz07zjrj.dot [333052 2014-06-07] (Microsoft Corporation)
2014-06-07 13:02 - 2014-06-07 13:06 - 00002576 _____ () C:\ProgramData\RUNDLL32.EXE-1896-F.txt
2014-06-07 12:21 - 2014-06-07 12:21 - 00000473 _____ () C:\ProgramData\RUNDLL32.EXE-1908-F.txt
2014-06-07 06:27 - 2014-06-07 06:27 - 00000605 _____ () C:\ProgramData\RUNDLL32.EXE-1864-F.txt
2014-06-07 06:25 - 2014-06-07 06:25 - 00000114 _____ () C:\ProgramData\RUNDLL32.EXE-3188-F.txt
C:\Users\Owner\AppData\Local\Temp\dtrku.dll
Attachments
pass: infected
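Added example, not from the thread: a small Python triage script that applies the pattern visible in the FRST lines above (a Startup .lnk whose target is a non-executable-looking file in a hex-named ProgramData folder, and a service named like the real WMI service, Winmgmt, but running from ProgramData) to sample lines constructed from the post plus one constructed benign Winmgmt line for contrast. The regexes and the rule set are my assumptions about FRST's line layout, not FRST's own logic.

```python
import ntpath
import re

# Constructed sample log: the FRST lines quoted in the post above, plus one
# benign Winmgmt line (constructed here for contrast, not from the post).
SAMPLE_LOG = r"""
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\354CBA050729A3277B5147D1A633FA01\jrjz70zcl.cpp ()
S2 Winmgmt; C:\ProgramData\354CBA050729A3277B5147D1A633FA01\lcz07zjrj.dot [333052 2014-06-07] (Microsoft Corporation)
S2 Winmgmt; C:\Windows\system32\svchost.exe -k netsvcs [27136 2009-07-14] (Microsoft Corporation)
"""

EXEC_EXT = {".exe", ".dll", ".sys", ".cmd", ".bat", ".com", ".scr"}
# Locations a standard user can write to (assumed heuristic, not an FRST rule).
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)
HEX_DIRNAME = re.compile(r"\\[0-9a-f]{32}\\", re.I)
# Assumed FRST layouts: "ShortcutTarget: <lnk> -> <path> (<signer>)" and
# "S2 <name>; <path> [<args>] [<size> <date>] (<signer>)".
SHORTCUT_RE = re.compile(r"^ShortcutTarget:\s+(\S+)\s+->\s+(.+?)\s*\(.*\)$")
SERVICE_RE = re.compile(r"^[SR]\d\s+([^;]+);\s+(.+?)(?:\s+-\S+.*?)?\s+\[")


def reasons_for(kind, name, path):
    """Return the reasons a shortcut target or service binary path looks suspicious."""
    out = []
    ext = ntpath.splitext(path)[1].lower()
    if USER_WRITABLE.search(path):
        out.append("binary lives in a user-writable location")
    if HEX_DIRNAME.search(path):
        out.append("parent directory is a 32-character hex name")
    if ext not in EXEC_EXT:
        # rundll32/LoadLibrary do not care about the extension; a .cpp/.dot "document"
        # loaded as a startup target is a disguise, not source code.
        out.append(f"non-executable extension {ext or '(none)'} used as {kind} target")
    if kind == "service" and name.lower() == "winmgmt" and "\\system32\\svchost.exe" not in path.lower():
        out.append("Winmgmt (WMI) service does not point at system32\\svchost.exe")
    return out


def scan(log_text):
    """Parse FRST-style lines and return {binary_path: [reasons]} for flagged entries."""
    findings = {}
    for line in log_text.splitlines():
        m = SHORTCUT_RE.match(line)
        if m:
            kind, name, path = "shortcut", m.group(1), m.group(2)
        else:
            m = SERVICE_RE.match(line)
            if not m:
                continue  # directory/file listing lines are not checked here
            kind, name, path = "service", m.group(1), m.group(2)
        reasons = reasons_for(kind, name, path)
        if reasons:
            findings[path] = reasons
    return findings
```

Running `scan(SAMPLE_LOG)` flags both ProgramData entries and leaves the constructed svchost-based Winmgmt line alone.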
 #23099  by bitstechs
 Thu Jun 12, 2014 1:47 am
Did you happen to save any of the samples from the programdata folder? I'd like to grab those if you have them.
 #23100  by thisisu
 Thu Jun 12, 2014 2:29 am
bitstechs wrote:Did you happen to save any of the samples from the programdata folder? I'd like to grab those if you have them.
No, but I'll save them next time.

Btw, was anyone able to find out what the EntryPoint of that .dll file was?
 #23101  by nullptr
 Thu Jun 12, 2014 4:55 am
thisisu wrote: Btw, was anyone able to find out what the EntryPoint of that .dll file was?
Have a look in attachment :)
Attachments
pwd: infected
 #23653  by shoak
 Thu Aug 21, 2014 3:20 pm
I'm interested in the sample too; it sucks when none is provided in the AV post.
 #23654  by Cody Johnston
 Thu Aug 21, 2014 5:47 pm
Attaching hashes from article for easier searching. These are from the blog post mentioned above.
Code:
209B606203E60B9C3ABDBB27D7F93A2D8A60A87C4AB2E7749A9522C17F4511F2
4998A47D1ECB8C80E3AC5BAF743E87CC3546322335EDF89CE4A9AB1EF5420F69