[Blaze]

Newest variant of this locker, seems to use Elliptic Curve Diffie-Hellman as encryption algorithm.

Message (Dutch):


Some samples attached.

[Grinler]

Thanks Blaze!

Attached are the main installers harvested from your droppers and the RTF displayed by the dropper.

[Blaze]

Thanks Grinler! Saw the RTF decoy file as well.

Attached 121 more samples of the same crap.

[ikolor]

Next malware code .

[r3shl4k1sh]

I didn't understand the subject you gave to the post. It should be informative.

This one is downloader for CTB-Locker.
The sample it downloads has very low detection on VT 1/56:
https://www.virustotal.com/en/file/5855 ... /analysis/

MD5: dc8bc1f88c3da5aa04fea4933d74f3b6

CTB-Locker thread:
http://www.kernelmode.info/forum/viewto ... ctb+locker

In attach downloaded sample + memory dump of:
0x17a0000.bin the in memory unpacked code (start address is 0x017D329D)
0x1885000.bin the data section (which include the CTB-Locker template).
address.txt the resolved address API

[chimung1994]

I think that is the main installer. It have .data section contains text and bmp image. It will copy himself to %temp% folder and encrypt your file. I dump and rebuild it from image. Can you give me some advise to go analysis this ransomware. Thanks!

[N3mes1s]

analysis of CTB-Locker and dropper:

http://www.gironsec.com/blog/2015/02/ct ... d-dropper/

[Blaze]

Yet another one being spammed out. Attached.

[Blaze]

Yet again, attached.

[Blaze]

Each every X weeks, there's a CTB-locker campaign. Sample of this week attached.