A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19015  by rkhunter
 Fri Apr 19, 2013 5:37 pm
Attachments
pass:infected
(247.86 KiB) Downloaded 124 times
 #26888  by rkhunter
 Tue Oct 06, 2015 11:31 am
I've attached bootkit dropper, mentioned here https://securelist.com/analysis/publica ... ot-part-1/
Haven't played with it.

MD5: 2c85404fe7d1891fd41fcee4c92ad305
SHA1: 4c3171b48d600e6337f1495142c43172d3b01770
SHA256: a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61
Attachments
pass:infected
(222.4 KiB) Downloaded 88 times
 #26889  by R136a1
 Tue Oct 06, 2015 1:34 pm
This bootkit is known in certain circle as "sunx bootkit". Unfortunately, I have deleted the sample that I have found which included a pdb path. Also, I saw a similar sample that also had a pdb path which was detected as Derusbi.
Interestingly, this bootkit includes functionality that searches for the host protected area (HPA) of IBM hard disks, but I haven't looked further..
 #27027  by D_Harry
 Wed Oct 21, 2015 2:58 pm
Does someone have the sample of the 2nd type backdoor - mentioned in part 2 of the report?

MD5: 755351395AA920BC212DBF1D990809AB
SHA1: 00174fc3e98302117b4d17a5ec7eceed04e8474f
SHA256: 7a265dc00f5a5a7401c56021190bf3345d7e39eadcf49d4c36f1e63654b021db

Thanks!
 #27057  by rkhunter
 Sun Oct 25, 2015 11:53 am
D_Harry wrote:Does someone have the sample of the 2nd type backdoor - mentioned in part 2 of the report?

MD5: 755351395AA920BC212DBF1D990809AB
SHA1: 00174fc3e98302117b4d17a5ec7eceed04e8474f
SHA256: 7a265dc00f5a5a7401c56021190bf3345d7e39eadcf49d4c36f1e63654b021db

Thanks!
In attach.
Attachments
pass:infected
(117.7 KiB) Downloaded 75 times