Rootkit ZeroAccess (alias MaxPlus, Sirefef) - Page 7

Re: Rootkit ZeroAccess (aka MAX++)

#6533 by erikloman
Wed May 25, 2011 12:47 pm

Anybody got a dropper of the new x64 variant?

Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com

Username

erikloman

Posts

70

Joined

Sun Mar 14, 2010 8:53 am

Re: Rootkit ZeroAccess (aka MAX++)

#6556 by Flopik
Fri May 27, 2011 2:17 pm

erikloman wrote:Anybody got a dropper of the new x64 variant?

Still got no sample of the x64?

Last edited by Flopik on Fri May 27, 2011 5:12 pm, edited 1 time in total.

Username

Flopik

Posts

47

Joined

Wed Sep 08, 2010 5:39 pm

Re: Rootkit ZeroAccess (aka MAX++)

#6557 by erikloman
Fri May 27, 2011 2:24 pm

Flopik wrote:
erikloman wrote:Anybody got a dropper of the new x64 variant?
Still got no sample of thex64?

Nope :(

Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com

Username

erikloman

Posts

70

Joined

Sun Mar 14, 2010 8:53 am

Re: Rootkit ZeroAccess (aka MAX++)

#6559 by EP_X0FF
Fri May 27, 2011 2:29 pm

I think nullptr have it :)

from hxxp://miliardov.com

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit ZeroAccess (aka MAX++)

#6561 by EP_X0FF
Fri May 27, 2011 3:41 pm

Not sure which one this. Anyway it's ZeroAccess.

dropper also attached (trol.exe)

Attachments

trol.rar

pass: malware
(31.12 KiB) Downloaded 110 times

010d585.rar

pass: malware
(83.53 KiB) Downloaded 99 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit ZeroAccess (aka MAX++)

#6564 by EP_X0FF
Fri May 27, 2011 5:57 pm

Update.

Here is full data dump of this ZeroAccess rootkit made with help of our internal tool.

It's volume contains two folders

U (user mode), few dlls (debug names: click.pdb, resident.pdb), copy of dropper, scripts
L (loader), infected driver clean copy
GUID-file (settings)

All in attach, pass: malware.

Completely not Zero access I must say.

Attachments

ZA_HiddenData.rar

(128.96 KiB) Downloaded 121 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Trojan:Win64/Sirefef.B

#6810 by hnpl2011
Wed Jun 15, 2011 7:23 am

I'm looking for sample with MD5:adf1ddd89d424e8d0e275cc42747ec81
anyone have it, please post it here
thank,

Username

hnpl2011

Posts

48

Joined

Mon Jan 24, 2011 8:53 am

Re: Malware Requests

#6813 by EP_X0FF
Wed Jun 15, 2011 9:06 am

hnpl2011 wrote:I'm looking for sample with MD5:adf1ddd89d424e8d0e275cc42747ec81
anyone have it, please post it here
thank,

This is ZeroAccess. Check dedicated thread.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Malware Requests

#6853 by hnpl2011
Sat Jun 18, 2011 8:51 am

EP_X0FF wrote:
hnpl2011 wrote:I'm looking for sample with MD5:adf1ddd89d424e8d0e275cc42747ec81
anyone have it, please post it here
thank,
This is ZeroAccess. Check dedicated thread.

have no file with MD5:adf1ddd89d424e8d0e275cc42747ec81 in thread ZeroAccess
thank,

Username

hnpl2011

Posts

48

Joined

Mon Jan 24, 2011 8:53 am

Re: Malware Requests

#6854 by EP_X0FF
Sat Jun 18, 2011 9:13 am

hnpl2011 wrote:have no file with MD5:adf1ddd89d424e8d0e275cc42747ec81 in thread ZeroAccess
thank,

Take any ZAccess sample unless yours is something special which I believe not.

Correction: You looking for x64 dll that ZAccess uses instead of rootkit on x64 systems.
Well you have to wait until someone will post it in dedicated thread.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact