A forum for reverse engineering, OS internals and malware analysis 

French Ransom (Trojan:Win32/Ransom.FL)

Forum for analysis and discussion about malware.

Re: Trojan Winlock / Ransom / ScreenLocker

 #12682  by EP_X0FF
 Fri Apr 13, 2012 1:26 pm
Ransom Foreign (France) - fill displays with blue color and ransom message.

https://www.virustotal.com/file/0b61f6b9a3b6d9a32fbb3d0a752c27f31919806d7fcb7719e380f529c6a87f40/analysis/

Internal name "reallock"
C:\Documents and Settings\AD-User\\Visual Studio 2008\Projects\reallock\Release\reallock.pdb
Self-explaining strings from inside
Enter valid code and enable you internet.
ERROR on send data.If you have not internet,check you internet.PRESS SPACE for configure internet.
Press SPACE for hide
PLEASE WAIT
(enter VALID code only)
(press ENTER on finish)
Wrong,Input Again!!
Software\Microsoft\Windows\CurrentVersion
<unknown>
taskmgr.exe
taskkill /f /im taskmgr.exe
WinInet
http://www.readkash.com
GET
ERROR
WindowsRegzin
WindowsRegzinid
locksrv/resp.php?func=check&id=
&smg=
WindowsRegzinidreg
Windows
Software\Microsoft\Windows\CurrentVersion\Run
locksrv/resp.php?func=reg&id=
&kod=
taskkill /f /im explorer.exe
cmd.exe /C start explorer.exe
block
\Local Settings\Application Data\winsh.exe
block
block
Attachments
pass: infected
(33.89 KiB) Downloaded 76 times

Re: Trojan Ransom / FakePoliceAlert

 #13257  by Xylitol
 Wed May 16, 2012 7:24 pm
http://www.virustotal.com/file/142cd192 ... 337196306/
Image
removal: http://mrbelyash.blogspot.fr/2012/05/tr ... 22575.html
Attachments
infected
(187.22 KiB) Downloaded 84 times

Re: French Ransom (Trojan:Win32/Ransom.FL)

 #20614  by dwsfra
 Tue Aug 27, 2013 10:10 pm
Police Nationale Malware Unpacked
MD5: ec4fc8eed520b3fff6fec975aa28001b

Please rep me if you like this, i'm new, thanks
https://www.virustotal.com/en/file/79af ... 377641345/
Attachments
infected
(90.18 KiB) Downloaded 74 times
Last edited by Xylitol on Wed Aug 28, 2013 11:27 am, edited 1 time in total. Reason: Added VT link (Request from dwsfra)
 Return to “Malware”