Backdoor Blackshades NET - Page 5

Re: Backdoor Blackshades NET

#15492 by nullptr
Mon Sep 03, 2012 11:29 am

MSIL Blackshades dropper
MD5: 4661DBF72238E6AE20C046852215367B
Similar to http://www.kernelmode.info/forum/viewto ... =30#p14412
except runs from %APPDATA%\crpyt.exe

original + unpacked attached.

Attachments

Blackshades.zip

pwd: infected
(622.2 KiB) Downloaded 89 times

Username

nullptr

Posts

209

Joined

Sun Mar 14, 2010 6:35 am

Unknown scrambled file

#18688 by Maxstar
Mon Mar 25, 2013 10:44 am

I found some weird file, probably it is a scrambled file with dummy data to avoid detection.
The file is zipped 850kb and unpacked 130MB.

Code: Select all

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SQLDriver]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hmmm"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Username\\Application Data\\SQLDriver\\hmmm.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"SQLDriver"="C:\Documents and Settings\Username\Application Data\SQLDriver\hmmm.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SQLDriver"="C:\Documents and Settings\Username\Application Data\SQLDriver\hmmm.exe"

Process: C:\Documents and Settings\Username\Application Data\SQLDriver\hmmm.exe

Attachments

sample_23-03-2013_1959.zip

PW = infected
(849.83 KiB) Downloaded 78 times

Malware Removal Instructions

Username

Maxstar

Posts

88

Joined

Wed Jan 26, 2011 10:20 am

Re: Unknown scrambled file

#18689 by EP_X0FF
Mon Mar 25, 2013 11:52 am

Blackshades NET aka Ainslot under something named "VIP Crypter" dotnet primitive obfuscator-injector. 130 Mb of zero data as overlay. In attach decrypted. Posts moved.

Attachments

decrypted.rar

pass: malware
(155.5 KiB) Downloaded 62 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32/Betabot (alias Neurevt)

#19574 by markusg
Sat Jun 08, 2013 7:56 pm

think belongs to this topic
SHA256:
7c353f2c7aead1c323a3cb70238c8d86be2f048b92fc367d771ea386a1242a76
Dateiname:
AcroRd32.exe
Erkennungsrate:
0 / 47
https://www.virustotal.com/de/file/7c35 ... /analysis/

Attachments

Acrobat.rar

(1.49 MiB) Downloaded 93 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Win32/Betabot (alias Neurevt)

#19587 by EP_X0FF
Mon Jun 10, 2013 2:16 am

markusg wrote:think belongs to this topic
SHA256:
7c353f2c7aead1c323a3cb70238c8d86be2f048b92fc367d771ea386a1242a76
Dateiname:
AcroRd32.exe
Erkennungsrate:
0 / 47
https://www.virustotal.com/de/file/7c35 ... /analysis/

Blackshades with dotnet crypter.

Code: Select all

D:\BlackshadesProject\bs_net\server\server.vbp

Posts moved.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Backdoor Blackshades NET

#19827 by Xylitol
Wed Jun 26, 2013 12:54 pm

https://www.virustotal.com/en/file/e52e ... 372250604/
https://www.virustotal.com/en/file/54e9 ... 372250620/
https://www.virustotal.com/en/file/40a6 ... 372250733/
https://www.virustotal.com/en/file/80ea ... 372250894/

Attachments

Blackshades.zip

infected
(735.07 KiB) Downloaded 76 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re:bitcoin miner

#20633 by bao
Thu Aug 29, 2013 8:52 am

https://www.virustotal.com/en/file/033e ... 377765203/
http://anubis.iseclab.org/?action=resul ... ormat=html

Attachments

MicrosoftSecurityUpdates.rar

pass: infected
(957.68 KiB) Downloaded 69 times

Username

bao

Posts

20

Joined

Sat Sep 22, 2012 9:27 pm

Re: Re:bitcoin miner

#20636 by Wack0
Thu Aug 29, 2013 1:15 pm

bao wrote:https://www.virustotal.com/en/file/033e ... 377765203/
http://anubis.iseclab.org/?action=resul ... ormat=html

not bitcoin miner, actually BlackShades RAT packed using HF-style autoit crypter that uses rarsfx with 7MB of random junk in it where 6 files are actually used.