A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26145  by EP_X0FF
 Sat Jun 20, 2015 8:39 am
Ta!0n wrote:Attached sample
Your post is empty.
 #26159  by rgster002
 Tue Jun 23, 2015 3:49 am
hi guys ,which one note that who inject to dllhost process use APC ways ?
I see that the poweliks , powershell , dllhost those process start each other.
 #27763  by DMEW
 Wed Jan 27, 2016 11:07 pm
I heard Poweliks has been dead since 2014, but I have what looks like a Poweliks sample from ~2015 and the C2 servers are still working. It does the same loader tactics, performs click fraud, and even visits Expendablesearch.com (just like the Symantec report on it). With that said..is this still a variant? I would like to know what to properly call this piece of malware.
 #27765  by EP_X0FF
 Thu Jan 28, 2016 4:34 am
DMEW wrote:I heard Poweliks has been dead since 2014, but I have what looks like a Poweliks sample from ~2015 and the C2 servers are still working. It does the same loader tactics, performs click fraud, and even visits Expendablesearch.com (just like the Symantec report on it). With that said..is this still a variant? I would like to know what to properly call this piece of malware.
Attach your sample please.
 #27769  by DMEW
 Thu Jan 28, 2016 5:08 am
This is a sample I got from July 2015, but I still see it working today although not as well. (one of the main ad fraud servers are not responding correctly anymore and cutting down the ad traffic).
Attachments
pw: infected
(41.41 KiB) Downloaded 58 times
Last edited by Xylitol on Sat Feb 06, 2016 1:13 pm, edited 1 time in total. Reason: Archive password