A forum for reverse engineering, OS internals and malware analysis 

 #25883  by R136a1
 Sat May 16, 2015 8:42 am
This was lying around on my hard disk for some time, forgot about it. I think it's the version of Carbon Grabber which Mr. Stama describes in his article (released in August/October 2014). Also found a copy of the builder for the free version, which unfortunately crashes during creation of the payload. Haven't looked at it in detail or at why it crashes.
Attachments
PW: infected
(100.83 KiB)
 #25907  by EP_X0FF
 Wed May 20, 2015 4:09 pm
Just the most fun of the thousands.

No comments.

[screenshots]
Fortinet wrote: I encountered some bugs along the way, and I had to brute force my way into the malware's code to search for the MBR wipe functionality. Finally, I found it and it actually overwrites your MBR. Figure 2 shows the part where it prepares your MBR to be overwritten.
[screenshots]
Webroot wrote: The first stage of the malware checks to make sure it's not being debugged or sandboxed; if it fails these checks, it will attempt to overwrite your MBR (Master Boot Record).
[screenshots]
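The Fortinet and Webroot excerpts quoted in the post above both describe the sample overwriting the MBR. What a responder usually wants at that point is a quick way to tell whether a disk's first sector still looks like a boot record or has been stomped on. The following Python is an added example for that check; it is not code from this thread, from the sample, or from either vendor. It assumes the classic 512-byte MBR layout (446 bytes of boot code, a 4-entry partition table at offset 0x1BE, and the 0x55AA signature at offset 510); the sample MBR it builds is constructed here for illustration and comes from no real disk.

```python
"""Sanity-check a 512-byte sector: does it still look like a plausible MBR,
or has it been overwritten with filler (as a wiper would do)?

Added example, not from the original thread. Layout assumptions are the
classic MBR: boot code | 4 x 16-byte partition entries @0x1BE | 0x55AA @510.
"""
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xAA"
PART_TABLE_OFF = 0x1BE          # 446
PART_ENTRY_LEN = 16
VALID_STATUS = (0x00, 0x80)     # inactive / bootable


def read_mbr(device_path: str) -> bytes:
    """Read the first sector from a raw device, e.g. r'\\\\.\\PhysicalDrive0'
    on Windows or '/dev/sda' on Linux (needs admin/root). Not run here."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries into dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes) -> dict:
    """Return {'ok': bool, 'findings': [...], 'partitions': [...]}.
    'ok' means nothing suspicious was seen; each finding is one reason
    the sector does not look like an intact MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly %d bytes" % MBR_SIZE)
    findings = []

    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")

    parts = parse_partition_table(mbr)
    used = [p for p in parts if p["type"] != 0x00]
    if not used:
        findings.append("no partition entries")
    if any(p["status"] not in VALID_STATUS for p in parts):
        findings.append("invalid status byte in partition entry")
    if any(p["type"] != 0x00 and p["sectors"] == 0 for p in parts):
        findings.append("partition entry with zero length")

    # Real boot code is varied x86; a region that is one repeated byte is
    # the signature of a wipe or filler overwrite.
    code = mbr[:PART_TABLE_OFF]
    if len(set(code)) == 1:
        findings.append("boot code region is a single repeated byte 0x%02x" % code[0])

    return {"ok": not findings, "findings": findings, "partitions": used}


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from any real disk): a few plausible
    boot-code opcodes, one bootable NTFS-typed partition, valid signature."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB]).ljust(PART_TABLE_OFF, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + BOOT_SIG


def build_wiped_mbr(filler: int = 0x00) -> bytes:
    """Constructed: what the sector looks like after a filler overwrite."""
    return bytes([filler]) * MBR_SIZE


if __name__ == "__main__":
    for label, sector in (("intact", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        result = assess_mbr(sector)
        print(label, "OK" if result["ok"] else "SUSPECT", result["findings"])
```

On a live system you would feed `read_mbr(...)` into `assess_mbr`; the check is deliberately conservative (it flags structural damage, not every unusual bootloader), so treat a non-empty findings list as a reason to image the disk, not as proof of which malware touched it.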
 #25979  by EP_X0FF
 Mon Jun 01, 2015 7:38 am
TIMING-BASED EVASION
Timing-based evasion is probably the least evident technique in Rombertik’s behavior. According to Symantec, the malware writes the file “%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\[RANDOM CHARACTERS].vbs,” which ensures that its code will run every time Windows starts up. But not much is known beyond that, as most analyses have focused on Rombertik’s other evasive attributes.
I don't even want to comment on this. Somebody kill this imbecile.
 #25985  by patriq
 Mon Jun 01, 2015 4:07 pm
Merge?

http://www.kernelmode.info/forum/viewto ... =21&t=3837

0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf

The sample that caused all the fuss.

Postby forty-six » Tue May 05, 2015 10:26 pm

Attached is from :

http://blogs.cisco.com/security/talos/rombertik

ATTACHMENTS
0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf.7z
(612.62 KiB)
 #25988  by EP_X0FF
 Mon Jun 01, 2015 5:05 pm
patriq wrote: Merge?
Yes, sure.