[rkhunter]

landing pages for Reveton ransomware
https://www.botnets.fr/index.php/Reveton

[thisisu]

Reveton

Code: Select all

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup			
ctfmon.lnk			File not found: C:\Documents and Settings\All Users\Application Data\lsass.exe

VirusTotal 0/43

[mikuś]

md5 4fc648509619859719485ec7d8618867

please

[Xylitol]

md5 4fc648509619859719485ec7d8618867

please

[dumb110]

https://www.virustotal.com/file/882ea01 ... 350971186/

this one please.

[Xylitol]

https://www.virustotal.com/file/882ea01 ... 350971186/

this one please.

[Win32:Virut]

Click on image to enlarge

Found on Blackhole Exploit Kit 2.0.

Created files:

C:\ProgramData\lsass.exe
C:\Users\[USER]\AppData\Local\Temp\wlsidten.dll
C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (shortcut to C:\ProgramData\lsass.exe C:\Users\[USER]\AppData\Local\Temp\wlsidten.dll,GOF1)
C:\ProgramData\netdislw.pad (90,6 MB, don't know what is it)

[rinn]

This is Reveton. Take decrypted in attach. Password "infected" without quotes. Before running lsass.exe copy for injection purposes it is doing multiple allocmem/copymem, so it can be easily captured fully decrypted while debugging. Ah and its all on Delphi 6/7 (-.-)

Code: Select all

D301h  win32                             main unit
8210h  crtsock                           
C700h  System                            
8100h  SysInit                           
4B0Ch  Windows                      
5510h  Types                            
0200h  SysUtils                          
9D10h  SysConst                    
831Ch  TlHelp32                     
5710h  Md5                              
1610h  Math                              
2210h  RTLConsts                       
E810h  RegReg                       
0C00h  Connect                           
7400h  MStream                           
8D00h  Compressor                        
7100h  LnkFile                           
5F00h  DateUtils                         
3100h  MemDll                            
1300h  CRC32File                         
EF00h  VatUnit                           
330Ch  Messages                      
470Ch  MMSystem    

[Win32:Virut]

New Reveton with digital signature.

CRC-32: FB6DE5E1
MD4: 00FA01C9CB8A3E693494543CD6B30F83
MD5: B433FD702784701DE5DCFDFD9ED49DCC
SHA-1: ED5921BD3B3CFE2B21736F4394E1405892C7032C
SHA256: 369100596880D10F64F43E2E9663683B8241E168121FE51273E43AE20E89AC6C

[Maxstar]

Reveton

https://www.virustotal.com/file/edb29f1 ... /analysis/
Detection ratio: 9 / 46
79d4270521a71e2361f6c4fceb55cb0c

Code: Select all

C:\WINDOWS\system32\rundll32.exe C:\Users\GEBRUI~1\wgsdgsdgdsgsd.exe,H1N1