Win32/WinLocker (VAN32, alias Ransom.DR)

#4481 by GMax
Sun Jan 16, 2011 12:34 pm

FileName: Private_Brute.exe
Size: 534 Kb (546816 byte)
Data/Time compile: 01.01.2011 / 14:19:51 UTC
MD5: 3C09A47B4A673A9E46CB0DE70B02454D
PEiD: ['BobSoft Mini Delphi -> BoB / BobSoft']
http://www.virustotal.com/file-scan/rep ... 1295177816
http://www.threatexpert.com/report.aspx ... e70b02454d

Unlock key: 10293838

Attachments

Private_Brute.exe.rar

pas: malware
(203.74 KiB) Downloaded 89 times

Username

GMax

Posts

79

Joined

Sun Mar 14, 2010 7:53 am

Re: Trojan Winlock / Ransom / ScreenLocker

#5492 by Xylitol
Wed Mar 16, 2011 10:42 am

winlock generator found in the web according to my search it was from december 2010
https://www.virustotal.com/file-scan/re ... 1300267030

generated ransomware are huge ~435 Kb

generated winlock:

disas winlock:

----
Edit: Found a winlock source

Attached.
--------
Edit again: Found the version 0.3 of the winlock builder
https://www.virustotal.com/file-scan/re ... 1299569441

Edit again, again (lol): This winlock generator remind me one sample found by Gmax in Jan 2k11:
http://www.kernelmode.info/forum/viewto ... 4481#p4481
the Winlock builder was made in december 2010, i'm pretty sure the sample of GMax was generated by this.

Attachments

WinLocker_Builder v0.3.zip

See archive comment for password
(271.94 KiB) Downloaded 64 times

winlock source code.zip

See archive comment for password
(612.13 KiB) Downloaded 61 times

WinLocker Builder.zip

See archive comment for password
(275.32 KiB) Downloaded 58 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Trojan Winlock / Ransom / ScreenLocker

#6041 by Xylitol
Mon Apr 25, 2011 3:54 pm

WinLocker Builder v0.4 is in the wild, i think we will see soon new variants.

Generated winlock (4/41 (9.8%)) http://www.virustotal.com/file-scan/rep ... 1303744185

difference btw the 0.3 and the 0.4 on the serial check it use a simple xor

Attachments

WinLocker Builder v0.4.zip

See archive comment for password
(589.94 KiB) Downloaded 60 times

WinLocker Builder v0.4 Source Code.zip

See archive comment for password
(634.48 KiB) Downloaded 55 times

Reverse XOR.zip

A sort of Keygen i've made using the previous source code of WinLocker
(199.69 KiB) Downloaded 56 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Trojan Winlock / Ransom / ScreenLocker

#6913 by EP_X0FF
Thu Jun 23, 2011 7:21 am

Primitive Winlock (probably created through Winlock generator).

Unblock key: 816908 (created as result of xor operation over 922039 and key asd9sa786ves)

http://www.virustotal.com/file-scan/rep ... 1308812764
http://www.virustotal.com/file-scan/rep ... 1308560423

In attach both original and unpacked (removed VB crypter and UPX).