A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16630  by Win32:Virut
 Thu Nov 15, 2012 2:51 pm
Image
Click on image to enlarge

Found on Blackhole Exploit Kit 2.0.

Created files:

C:\ProgramData\lsass.exe
C:\Users\[USER]\AppData\Local\Temp\wlsidten.dll
C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (shortcut to C:\ProgramData\lsass.exe C:\Users\[USER]\AppData\Local\Temp\wlsidten.dll,GOF1)
C:\ProgramData\netdislw.pad (90,6 MB, don't know what is it)
Attachments
Password is "infected" without quotes
(101.57 KiB) Downloaded 83 times
 #16632  by rinn
 Thu Nov 15, 2012 3:35 pm
This is Reveton. Take decrypted in attach. Password "infected" without quotes. Before running lsass.exe copy for injection purposes it is doing multiple allocmem/copymem, so it can be easily captured fully decrypted while debugging. Ah and its all on Delphi 6/7 (-.-)
Code: Select all
D301h  win32                             main unit
8210h  crtsock                           
C700h  System                            
8100h  SysInit                           
4B0Ch  Windows                      
5510h  Types                            
0200h  SysUtils                          
9D10h  SysConst                    
831Ch  TlHelp32                     
5710h  Md5                              
1610h  Math                              
2210h  RTLConsts                       
E810h  RegReg                       
0C00h  Connect                           
7400h  MStream                           
8D00h  Compressor                        
7100h  LnkFile                           
5F00h  DateUtils                         
3100h  MemDll                            
1300h  CRC32File                         
EF00h  VatUnit                           
330Ch  Messages                      
470Ch  MMSystem    
Attachments
(48.58 KiB) Downloaded 71 times
 #16682  by Win32:Virut
 Sun Nov 18, 2012 11:49 am
New Reveton with digital signature.

CRC-32: FB6DE5E1
MD4: 00FA01C9CB8A3E693494543CD6B30F83
MD5: B433FD702784701DE5DCFDFD9ED49DCC
SHA-1: ED5921BD3B3CFE2B21736F4394E1405892C7032C
SHA256: 369100596880D10F64F43E2E9663683B8241E168121FE51273E43AE20E89AC6C

Image

Image
Attachments
Password is "infected" without quotes.
(100.95 KiB) Downloaded 91 times
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
  • 16