Win32/Rombertik - Page 3 - KernelMode.info

Re: Win32 Rombertik

#25883 by R136a1
Sat May 16, 2015 8:42 am

This was lying around on my hard disk for some time, forgot about it. I think it's the version of Carbon Grabber which Mr. Stama describes in his article (released in August/October 2014). Also found the copy of a builder for the free version which unfortunately crashes during creation of payload. Haven't looked at it in detail and why it crashes.

Attachments

Rombertik.D + free builder.zip

PW: infected
(100.83 KiB) Downloaded 61 times

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands

Win32 Rombertik Story Of Success

#25907 by EP_X0FF
Wed May 20, 2015 4:09 pm

Just most fun of the thousands.

No comments.

Fortinet wrote:I encountered some bugs along the way, and I had to brute force my way into the malware’s code to search for the MBR wipe functionality. Finally, I found it and it actually overwrites your MBR. Figure 2 shows the part where it prepares your MBR to be overwritten.

Webroot wrote:The first stage of the malware is checks to make sure it’s not being debugged or sandboxed where if it fails these checks will attempt to overwrite your MBR (Master Boot Record).

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32 Rombertik

#25908 by t4L
Wed May 20, 2015 6:21 pm

Username

t4L

Rank

Global Moderator

Posts

139

Joined

Tue Mar 09, 2010 5:44 pm

Re: Win32 Rombertik

#25937 by malwarelabs
Wed May 27, 2015 3:47 pm

http://www.tripwire.com/state-of-securi ... echniques/

"we at Tripwire can only conclude that Rombertik is a master of evasion."

\o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/ \o/

Username

malwarelabs

Posts

44

Joined

Tue Dec 10, 2013 9:07 am

Re: Win32 Rombertik

#25979 by EP_X0FF
Mon Jun 01, 2015 7:38 am

TIMING-BASED EVASION
Timing-based evasion is probably the least evident technique in Rombertik’s behavior. According to Symantec, the malware writes the file “%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\[RANDOM CHARACTERS].vbs,” which ensures that its code will run every time Windows starts up. But not much is known beyond that, as most analyses have focused on Rombertik’s other evasive attributes.

I don't even want to comment this. Somebody kill this imbecile.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32 Rombertik

#25982 by Xylitol
Mon Jun 01, 2015 11:36 am

Malware Evolution Calls for Actor Attribution? ~ http://krebsonsecurity.com/2015/05/malw ... tribution/

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Win32 Rombertik

#25985 by patriq
Mon Jun 01, 2015 4:07 pm

Merge?

http://www.kernelmode.info/forum/viewto ... =21&t=3837

0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf

The sample that caused all the fuss.

Postby forty-six » Tue May 05, 2015 10:26 pm

Attached is from :

http://blogs.cisco.com/security/talos/rombertik

ATTACHMENTS
0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf.7z
(612.62 KiB) Downloaded 19 times

Username

patriq

Posts

109

Joined

Fri Jun 28, 2013 8:11 pm

Re: Win32 Rombertik

#25988 by EP_X0FF
Mon Jun 01, 2015 5:05 pm

patriq wrote:Merge?

Yes, sure.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact