Author Topic: Trojan Ransom  (Read 348166 times)


May 07, 2012, 01:43:53 pm
Reply #255

EP_X0FF

Ransom WindowsSecurity

Quote
hxxp://91.202.244.89/files/957f2
hxxp://91.202.244.89/files/a69fa
hxxp://91.202.244.89/files/bdd35

May 07, 2012, 09:35:35 pm
Reply #256

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 10, 2012, 04:55:06 am
Reply #257

EP_X0FF

Ransom WindowsSecurity

Quote
hxxp://91.202.244.89/files/920b8
hxxp://91.202.244.89/files/443aa
hxxp://pl122h.ru/c.php?f=fbf92&e=5

Redirector (probably filters non-Russian IPs)

Quote
hxxp://mtds5.ru/in.cgi?2

BH EK

Quote
hxxp://pl122h.ru/index.php?page=132fe37e97d99a65

May 17, 2012, 01:39:56 am
Reply #258

EP_X0FF

Ransom WindowsSecurity is now masquerading as a Flash update.

Quote
hxxp://porkaxcxafreexeh.ru/f/flash_play.exe
hxxp://eh8cja.ru/files/03bc9
hxxp://eh8cja.ru/files/5b260
hxxp://eh8cja.ru/files/be99d

landing page
Quote
hxxp://porkaxcxafreexeh.ru/f/

Redirector

Quote
hxxp://rtds6.ru/in.cgi?2

BH EK

Quote
hxxp://eh8cja.ru/index.php?page=113c7244d24b264f

http://wepawet.iseclab.org/view.php?hash=161510e36933c847f3a2152dd1631683&t=1337218418&type=js

May 18, 2012, 06:33:47 pm
Reply #259

Xylitol

mbr ransomware
Code:
hxxp://police-center.in/forum/exe/4.exe
SELECT * FROM `users` WHERE `login` = 'admin '#--' and `password`='d6d36367ad2384f71489707e6fff0879921b50f9';

May 18, 2012, 06:45:37 pm
Reply #260

dlipman

mbr ransomware
Code:
hxxp://police-center.in/forum/exe/4.exe

Drops a file in German which translates to...

Quote
Antivirus HardDisk Repair v2.2. The computer has been infected with Trojan.Agent.ARVP. This computer virus was created especially for stealing information from the computers of opponents. All information on your hard drive has been encrypted with the AES-256 encryption algorithm, which is impossible to decipher at this time. Reinstalling the operating system deletes all information forever! The specialists of our company have succeeded in identifying the weaknesses in the algorithm of the Trojan.Agent.ARVP virus and invite you to restore your files with a special version of the antivirus HardDisk Repair v2.2 for your computer. Our program has obtained an important parameter, HDDKEY, which is needed to heal the disk on your computer and decode it. To decode all your disks you must obtain a HardDisk Repair v2.2 license key. You have to buy a PIN or code worth 100 EUR through www.paysafecard.com or www.ukash.com and contact us by e-mail: send the following data to systemantivirus@yandex.ru: 1. PIN code XXXX XXXX XXXX XXXX from www.paysafecard.com or www.ukash.com (100 EUR) 2. Your unique HDDKEY: xxxxxxx. To decrypt your password we need 24 hours after payment. A password will be sent to your e-mail address. License activation: Your unique HDDKEY: ........... systemantivirus@yandex.ru

July 05, 2012, 11:32:58 am
Reply #261

EP_X0FF

Ransom WindowsSecurity

Quote
hxxp://91.202.244.122/files/2f646
hxxp://91.202.244.122/files/2c753
hxxp://91.202.244.122/files/36cf4

July 10, 2012, 10:43:38 am
Reply #262

EP_X0FF

Ransom WindowsSecurity

Quote
hxxp://91.202.244.122/files/06d87
hxxp://91.202.244.122/files/0512d
hxxp://91.202.244.122/files/67fcb

August 08, 2012, 12:17:42 pm
Reply #263

EP_X0FF

Ransom WindowsSecurity (formerly LockEmAll) moved to a new IP, 91.202.244.134

Redirector

Quote
hxxp://apumunav.ru/video.htm -> hxxp://og2cjn.ru/in.cgi?5 -> hxxp://x.fdeeeeroiitee.ru/x/

BH EK

Quote
hxxp://x.rk41qq.ru/indexx.php?pagex=aab27326c543cd88

Files

Quote
hxxp://91.202.244.134/files/1f747
hxxp://91.202.244.134/files/dd6b5
hxxp://91.202.244.134/files/6a513
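
A small parser for the defanged URLs and "a -> b -> c" redirect chains posted in this thread (this post and the "new format" landing URL discussed in the two replies that follow), as an added example that is not part of the original posts or any poster's code. The URL shapes it recognises (the `in.cgi?N` TDS redirectors, the `/files/<5 hex>` payload hosts, the `index.php?page=<16 hex>` landing URLs the posts label "BH EK", the `:8787/<letters>?<letters>=N` form whose kit is disputed below, and `.exe`/`.scr` downloads) are heuristics read off the examples quoted here, not vendor signatures; the category names, function names and the sample post are this example's own assumptions.

```python
"""Turn the defanged indicators posted in this thread into structured records.

Added example, not code from the thread or from any of the posters. The URL
shapes below are heuristics read off the examples quoted in the posts; the
category names, function names and SAMPLE_POST are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the shape of the posts above (URLs copied from the thread).
SAMPLE_POST = """\
Ransom WindowsSecurity (formerly LockEmAll) moved to new IP 91.202.244.134

Redirector
hxxp://apumunav.ru/video.htm -> hxxp://og2cjn.ru/in.cgi?5 -> hxxp://x.fdeeeeroiitee.ru/x/

BH EK
hxxp://x.rk41qq.ru/indexx.php?pagex=aab27326c543cd88

Files
hxxp://91.202.244.134/files/1f747
hxxp://91.202.244.134/files/dd6b5

EK (new format) and a later payload
hxxp://wj8nfq.ru:8787/SgLolK?bZoQR=31
hxxp://videoxmx-onlinee4b.ru/a/video.scr
"""

DEFANGED_URL = re.compile(r"""hxxps?://[^\s>'"]+""", re.I)


def refang(url: str) -> str:
    """hxxp:// -> http:// and hxxps:// -> https://, as a sandbox would fetch it."""
    return re.sub(r"^hxx(ps?)://", r"htt\1://", url, flags=re.I)


def defang(url: str) -> str:
    """The inverse, for pasting indicators back into a report without live links."""
    return re.sub(r"^htt(ps?)://", r"hxx\1://", url, flags=re.I)


@dataclass(frozen=True)
class Indicator:
    url: str        # refanged
    host: str
    is_ip: bool
    category: str   # heuristic label, see classify()


def classify(url: str) -> str:
    """Label a URL by the shapes seen in this thread (heuristics, not signatures)."""
    p = urlsplit(url)
    path, params = p.path, parse_qsl(p.query, keep_blank_values=True)
    last = path.rsplit("/", 1)[-1]
    # 'in.cgi?N' traffic-direction-system redirectors (mtds5.ru, rtds6.ru, .../tds/in.cgi?15)
    if last == "in.cgi" and p.query.isdigit():
        return "tds-redirector"
    # '/files/<5 hex>' on the 91.202.244.x payload hosts
    if re.fullmatch(r"/files/[0-9a-f]{5}", path, re.I):
        return "payload-host"
    # 'index.php?page=<16 hex>' (and the indexx.php?pagex= variant), labelled "BH EK" in the posts
    if re.fullmatch(r"index\w*\.php", last) and any(
        k.startswith("page") and re.fullmatch(r"[0-9a-f]{16}", v, re.I) for k, v in params
    ):
        return "blackhole-landing"
    # ':8787/<letters>?<letters>=N', the later format whose kit the thread disputes
    if p.port == 8787 and re.fullmatch(r"/[A-Za-z]+", path) and len(params) == 1 and params[0][1].isdigit():
        return "ek-landing-8787"
    if last.lower().endswith((".exe", ".scr")):
        return "payload-download"
    return "other"


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def extract(text: str) -> list[Indicator]:
    """All distinct defanged URLs in a post, in order of appearance."""
    seen: set[str] = set()
    out: list[Indicator] = []
    for m in DEFANGED_URL.finditer(text):
        url = refang(m.group(0).rstrip(".,)"))
        if url in seen:
            continue
        seen.add(url)
        host = urlsplit(url).hostname or ""
        out.append(Indicator(url, host, _is_ip(host), classify(url)))
    return out


def chains(text: str) -> list[list[str]]:
    """Lines written as 'a -> b -> c' become ordered redirect chains."""
    return [[refang(u) for u in DEFANGED_URL.findall(line)]
            for line in text.splitlines() if " -> " in line]


def hosts_block(indicators: list[Indicator]) -> str:
    """hosts-file style block for the domain names (bare IPs cannot be blocked this way)."""
    names = sorted({i.host for i in indicators if i.host and not i.is_ip})
    return "\n".join(f"127.0.0.1 {h}" for h in names)


if __name__ == "__main__":
    for ind in extract(SAMPLE_POST):
        print(f"{ind.category:18} {defang(ind.url)}")
    for chain in chains(SAMPLE_POST):
        print(" -> ".join(chain))
    print(hosts_block(extract(SAMPLE_POST)))
```

The refang/defang pair is kept separate from classification so the same records can be fed to a sandbox (refanged) and pasted back into a report (defanged); the hosts-file output skips the 91.202.244.x hosts on purpose, since a hosts file cannot block a bare IP.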

September 15, 2012, 01:33:01 pm
Reply #264

EP_X0FF

Ransom WindowsSecurity updated their Blackhole (I assume to v2)

BH EK (new format)

Quote
hxxp://wj8nfq.ru:8787/SgLolK?bZoQR=31

http://wepawet.iseclab.org/view.php?hash=d283de6e9f28e0ee27e069169fb29011&t=1347715382&type=js

Redirector (could be IP location aware)

Quote
hxxp://1traffxmd.ru/tds/in.cgi?15

Payload VT
https://www.virustotal.com/file/c8a0bb1589a2d7fc15b25cdcfd566e88148cda20858532fc03b42e59f3229397/analysis/

Nice forum update btw :)

September 15, 2012, 06:27:25 pm
Reply #265

SysAdMini

Quote from: EP_X0FF
Ransom WindowsSecurity updated their Blackhole (I assume to v2)

BH EK (new format)

Quote
hxxp://wj8nfq.ru:8787/SgLolK?bZoQR=31

It's an exploit kit, but not Blackhole.


Quote from: EP_X0FF
Nice forum update btw :)

Thanks. It has been on my todo list a long time. I wasn't sure if SMF 2.0 is stable and secure enough.
But I noticed that support for version 1.x will end soon, so I had to upgrade. I like the Aqua Theme too.
Ruining the bad guy's day

November 09, 2012, 04:51:59 am
Reply #266

EP_X0FF

Redirects to Ransom LokoMoTo

Quote
hxxp://adavysalu.ru/ -> hxxp://xx0909093.ru/tds/in.cgi?15 -> hxxp://videoxmx-onlinee4b.ru/a/ -> hxxp://videoxmx-onlinee4b.ru/a/video.scr

https://www.virustotal.com/file/95bc53d14413d646c8adfcb4a9b213ce26431a3e33e50f20bb7a57d5d6359986/analysis/1352436481/

Exploit Kit (Sweet Orange?)

Quote
hxxp://ua2m43.ru:8787/shtgls?ZWtNH=139

November 09, 2012, 11:41:19 am
Reply #267

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
I'm sorry. None of the URLs work for me here.

Quote from: EP_X0FF
Redirects to Ransom LokoMoTo

Quote
hxxp://adavysalu.ru/ -> hxxp://xx0909093.ru/tds/in.cgi?15 -> hxxp://videoxmx-onlinee4b.ru/a/ -> hxxp://videoxmx-onlinee4b.ru/a/video.scr

https://www.virustotal.com/file/95bc53d14413d646c8adfcb4a9b213ce26431a3e33e50f20bb7a57d5d6359986/analysis/1352436481/

Exploit Kit (Sweet Orange?)

Quote
hxxp://ua2m43.ru:8787/shtgls?ZWtNH=139
Ruining the bad guy's day

November 09, 2012, 02:04:05 pm
Reply #268

EP_X0FF

A Russian IP is required for the redirector, otherwise it does not work.

December 21, 2012, 10:30:44 am
Reply #269

EP_X0FF

hxxp://pedencyclopaedia.asia/

All downloads lead to Trojan MBRlock.