Tigzy wrote:What do you mean by "protected by .net" ?It depends from the mscoree.dll (look IAT) that means .net app.
A forum for reverse engineering, OS internals and malware analysis
Yes, that's a .net binary, but why "protected"? By this, I understand either packed or protected with rootkit functionalities
Tigzy wrote:Yes, that's a .net binary, but why "protected"? By this, I understand either packed or protected with rootkit functionalitiesCrypter.
Ring0 - the source of inspiration
SHA256:
ee45297630678b7c628411ab133e23559e9867feb7f1277efada39f41a94d100
File name:
ALIAS.exe
https://www.virustotal.com/file/ee45297 ... 340631497/
ee45297630678b7c628411ab133e23559e9867feb7f1277efada39f41a94d100
File name:
ALIAS.exe
https://www.virustotal.com/file/ee45297 ... 340631497/
Attachments
(348.59 KiB) Downloaded 73 times
markusg wrote:SHA256:Same as http://www.kernelmode.info/forum/viewto ... 234#p14234
ee45297630678b7c628411ab133e23559e9867feb7f1277efada39f41a94d100
File name:
ALIAS.exe
https://www.virustotal.com/file/ee45297 ... 340631497/
Simple fresh dropper crypt. Posts moved.
Ring0 - the source of inspiration
Attachments
(350.32 KiB) Downloaded 79 times
rkhunter wrote: youtube.ex1Regards to this dropper.
MD5: c4a946cc851e2ee6407c2c8c9680cf18
SHA1: ae641cb785644297f7bb34ea58e19fc826f1132a
By behaviour is identical to http://www.kernelmode.info/forum/viewto ... 250#p12577 (hijack ptr at DR0 dev)
It forged driver, for example, with compared of rtk32 that posted above and infected driver (afd.sys)
Payload in c:\WINDOWS\$NtUninstallKB65041$
Attribute: #8Dll1, cutted from driver (in attach):
Type: 0xC0 $(REPARSE_POINT)
Length: 0xA0
Resident flag: resident
Name length: 0x0
Name offset: 0x0
Flags: 0x0
Instance (id): 0x8
Body length: 0x82
Body offset (from attr record): 0x18
Resident flag: 0x0
MD5: 1eba1d6ff5ac83ed0020bf6a2096ba77
SHA1: 344c1f1e88b8e4ec3244078d06dc506ebbe493d7
21/42 https://www.virustotal.com/file/d588629 ... /analysis/
(already was on VT)
Trojan:Win32/Sirefef.AB
\.\globalroot\systemroot\system32\mswsock.dllDll2, cutted from driver (in attach):
WSPStartup
\\.\%08x\U\80000032.@
ntdll.dll
VirtualAlloc
LoadLibraryA
LoadLibraryW
GetProcAddress
FreeLibrary
VirtualFree
KERNEL32.dll
MD5Init
MD5Update
MD5Final
ADVAPI32.dll
INBR64.dll
AcceptEx
\\?\globalroot\systemroot\system32\mswsock.AcceptEx
GetAcceptExSockaddrs
\\?\globalroot\systemroot\system32\mswsock.GetAcceptExSockaddrs
NSPStartup
\\?\globalroot\systemroot\system32\mswsock.NSPStartup
TransmitFile
\\?\globalroot\systemroot\system32\mswsock.TransmitFile
WSPStartup
getnetbyname
\\?\globalroot\systemroot\system32\mswsock.getnetbyname
inet_network
\\?\globalroot\systemroot\system32\mswsock.inet_network
MD5: 0c6082d7275f8741dad54fd5b4af3002
SHA1: 34d0a49fb2499f354bba3f7ca76c2632a6ecd73e
19/42 https://www.virustotal.com/file/11e2426 ... 340734459/
(first upload)
Trojan:Win32/Sirefef.P
\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D79}Forged afd.sys in attach.
\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D77}
\systemroot
\\.\%08x\U\%08x.@
\??\%08x\@
\??\%08x\U
????????.@
%08x.@
%08x.$
%08x.~
Microsoft Base Cryptographic Provider v1.0
RtlExitUserThread
ZwOpenFile
ZwQueryVolumeInformationFile
ZwClose
RtlImageNtHeader
MSWSOCK.dll
WSASocketW
WSAIoctl
WSARecv
WSASend
WSASendTo
WSARecvFrom
WS2_32.dll
MD5: fd8a2b2d947bb792065f39a23b4757da
SHA1: 00f1aeac9703762601e7b0017ea701947b14dc7e
Attachments
pass:infected
(75.08 KiB) Downloaded 59 times
(75.08 KiB) Downloaded 59 times
pass:infected
(10.37 KiB) Downloaded 57 times
(10.37 KiB) Downloaded 57 times
pass:infected
(1.62 KiB) Downloaded 59 times
(1.62 KiB) Downloaded 59 times
Attachments
(153.45 KiB) Downloaded 64 times
markusg wrote:https://www.virustotal.com/file/924823e ... /analysis/Sirefef with rootkit and x64 backdoor. Unpacked attached. Posts moved.
Attachments
pass: malware
(179.36 KiB) Downloaded 71 times
(179.36 KiB) Downloaded 71 times
Ring0 - the source of inspiration
Attachments
(154.21 KiB) Downloaded 77 times
