Sample of FireEye's BootKit?
Posted: Tue Dec 08, 2015 1:42 am
by dlimanov
Anyone has samples from the FireEye's blog:
https://www.fireeye.com/blog/threat-res ... ecord.html
I think 372f1e4d2d5108bbffc750bb0909fc49 is the one that starts the show.
Re: Sample of FireEye's BootKit?
Posted: Tue Dec 08, 2015 2:41 pm
by p1nk
From my quick search of the listed hashes, none are on VT.
Re: Sample of FireEye's BootKit?
Posted: Tue Dec 08, 2015 3:09 pm
by stevegs1821
Needs to go in the Request area... but...
+1
Re: Sample of FireEye's BootKit?
Posted: Tue Dec 08, 2015 3:32 pm
by Xylitol
A guy who wrote the research said he can't share.
Re: Sample of FireEye's BootKit?
Posted: Tue Dec 08, 2015 7:07 pm
by billbudsocket
I call bullshit. None of the 14 hashes from the report show up in VT.
Re: Sample of FireEye's BootKit?
Posted: Tue Dec 08, 2015 9:10 pm
by frame4-mdpro
billbudsocket wrote: I call bullshit. None of the 14 hashes from the report show up in VT.
Jeez, not all the malware is on VT you know, especially not the really "juicy" ones -- they even admit to this; I'd say they have about 70% give-or-take. There are a lot of occasions (read: malware campaigns) where malware samples do not appear on VT, period.
Re: Sample of FireEye's BootKit?
Posted: Wed Dec 09, 2015 1:16 pm
by robemtnez
billbudsocket wrote: I call bullshit. None of the 14 hashes from the report show up in VT.
372f1e4d2d5108bbffc750bb0909fc49 is the installer; the other hashes belong to resources obtained from the same malware. They won't upload anything to VT if the investigation is still running.
Re: Sample of FireEye's BootKit?
Posted: Thu Dec 10, 2015 10:18 pm
by rexor
billbudsocket wrote: I call bullshit. None of the 14 hashes from the report show up in VT.
Just some notes about the report from FireEye:
- No explanation about the way this thing does the installation.
- FireEye does not share it.
- Nothing is on VT.
- The sample supports x64/x32 and is a bootkit.
I'd guess there is some sort of zero-day inside the dropper/loader, which could explain most of the above.
So, let's wait till the right time comes for the share.
Re: Sample of FireEye's BootKit?
Posted: Fri Dec 11, 2015 3:36 am
by p1nk
With it being described as a threat that's been around for a while, it's strange to not have more public hashes.
Re: Sample of FireEye's BootKit?
Posted: Thu Jan 28, 2016 4:55 am
by EP_X0FF
Another crap from BIOS era. "Advanced by design". Closed and moved to completed.