Systems in the Netherlands are currently being hit hard by a new wave of crypto malware named “Trojan-Ransom.Win32.Dorifel”. Based on press reports as well as our own telemetry gathered through our Emsisoft Anti-Malware Network, thousands of Dutch systems are already infected. The majority of them are located in government, public sector or company networks.
http://blog.emsisoft.com/2012/08/09/dor ... ic-sector/
Based on preliminary research, “Dorifel” usually enters new networks and systems through the use of a different malware: “Citadel”. “Citadel” belongs to the family of financial malware and is closely related to the “Zeus” bot family. It comes as no surprise that this isn’t the first time that the “Citadel” botnet has been used to infect systems with different malware. Just a few weeks ago, at the beginning of July, “Citadel” was used to infect tens of thousands of PCs with the “Reveton” ransomware.
https://www.virustotal.com/file/4db33e0 ... /analysis/
Edit
Fabian Wosar (Emsisoft) and Erik Loman (Surfright) developed a tool to decrypt these files. Additional info from Fox-IT:
http://blog.fox-it.com/2012/08/09/xdocc ... ing-virus/
Attachments
PW infected
(71.32 KiB) Downloaded 76 times