A forum for reverse engineering, OS internals and malware analysis 

 #27868  by Mosh
 Sat Feb 13, 2016 5:09 pm
Malware targeting French people

FileLocker.exe (465.5 KB)

deobfuscated.exe (294.5 KB)


- Obfuscated with .NET Reactor 4.5+
- Password stored under HKEY_CURRENT_USER\Software
- Encryption: TripleDES
- Sends client data via e-mail
- Blog info: http://nyxbone.com/malware/jobcrypter.html
 #27870  by Xylitol
 Sun Feb 14, 2016 1:38 am
From malekal http://forum.malekal.com/job-crypter-ge ... 54381.html
This sample has SMTP functionality; here is the recipient:
→ from: CumpterName%% <bordeaux@sothis.fr>
→ to: brangiersimonalain@gmail.com ☠
→ to: New Client VolumeSerialNumber%%

The attacker uses the e-mail account of the company SOTHIS Toulouse SAS to send the information on the victims to the mailbox (BAL) brangiersimonalain@gmail.com, probably compromised itself. On the Gmail account, a filter is applied to the sender address bordeaux@sothis.fr.
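Added example, not code from either post or from the sample itself: detection logic for the exfil pattern both posts describe (reports mailed from bordeaux@sothis.fr to brangiersimonalain@gmail.com with a "New Client <VolumeSerialNumber>" subject), run over constructed mail-gateway log lines. The log format, reading "New Client …" as the message subject, and the 8-hex-digit serial are assumptions, not facts from the thread.

```python
import re

# Indicators quoted in the thread.
EXFIL_SENDER = "bordeaux@sothis.fr"               # compromised company account used as sender
EXFIL_RECIPIENT = "brangiersimonalain@gmail.com"  # mailbox receiving the victim reports
# Assumption: "New Client <VolumeSerialNumber>" is the subject, serial = 8 hex digits.
SUBJECT_RE = re.compile(r"^New Client (?P<serial>[0-9A-Fa-f]{8})$")
# Constructed log format (assumption): <timestamp> smtp from=<addr> to=<addr> subject="<subject>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) smtp from=(?P<from>\S+) to=(?P<to>\S+) subject="(?P<subject>[^"]*)"$'
)
# Constructed sample log: two reports from one victim, one more via a different sender.
SAMPLE_LOG = """\
2016-02-13T10:01:02Z smtp from=alice@example.com to=bob@example.com subject="Lunch"
2016-02-13T10:05:44Z smtp from=bordeaux@sothis.fr to=brangiersimonalain@gmail.com subject="New Client 1A2B3C4D"
2016-02-13T10:05:45Z smtp from=bordeaux@sothis.fr to=brangiersimonalain@gmail.com subject="New Client 1A2B3C4D"
2016-02-13T11:17:09Z smtp from=other@example.net to=brangiersimonalain@gmail.com subject="New Client DEADBEEF"
2016-02-13T12:00:00Z smtp from=bordeaux@sothis.fr to=client@example.org subject="Invoice 2016-02"
"""

def parse_line(line):
    """Parse one log line into a dict, or None if it is not an SMTP record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Return (level, serial) for a suspicious record, or None for a clean one."""
    subj = SUBJECT_RE.match(rec["subject"])
    serial = subj.group("serial").upper() if subj else None
    to_attacker = rec["to"].lower() == EXFIL_RECIPIENT
    from_company = rec["from"].lower() == EXFIL_SENDER
    if to_attacker and from_company and serial:
        return ("high", serial)      # exact pattern from the thread
    if to_attacker:
        return ("medium", serial)    # attacker mailbox reused with another sender
    if serial:
        return ("low", serial)       # report-style subject only; needs review
    return None

def scan(log_text):
    """Scan a log; return one alert dict per suspicious record."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hit = classify(rec) if rec else None
        if hit:
            alerts.append({"ts": rec["ts"], "from": rec["from"], "level": hit[0], "serial": hit[1]})
    return alerts

def victims(alerts):
    """Distinct volume serials seen, i.e. the infected hosts that reported in."""
    return sorted({a["serial"] for a in alerts if a["serial"]})
```

Running `scan(SAMPLE_LOG)` flags three of the five constructed lines, and `victims()` collapses the duplicate report so the two serials give the number of hosts to triage.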