Resolved vvv.exp1oit.in to 178.33.241.61
This is the new Andromeda of the French guy.
It is the full version with all of the plugins.
Server: vvv.exp1oit.in
Gate file: /google/image.php
Plugins:
Formgrabber: beautyoftheworld.ca/xs/f.pack
Gate file: /google/fg.php
Socks: beautyoftheworld.ca/xs/s.pack
Rootkit: beautyoftheworld.ca/xs/r.pack
Downloads files from hxxp://jamboproducciones.com/xs/ and hxxp://ez-cs.net/dk/
He also has a new smoke loader up
Server: smk.cheatgame.org
Gate file: /phpbb/index.php
Confirm at smk.cheatgame.org/phpbb/guest.php guest:guest
Hosting infos: http://whois.domaintools.com/178.33.241.61
Anonymous - October 29, 2012 at 11:37 am
Hey Pig, it would be super cool if you could check this sample; it had a very strange spreading method.
Thanks
Host: sd.ourcloudsfloat.com
Malware sample: http://www.mediafire.com/?8ek1cyc4f562az8
Possible Syslock? Comes up as Variant.Symmi on BD and F-Secure.
Pig - October 29, 2012 at 4:23 pm
Yes, looks like ransomware.
This file is created by your sample: C:\WINDOWS\system32\crypt32F.exe
This is the registry value created by crypt32F.exe: LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Txvvzfqtj
The file connects to: intohave.com
Mutex created: WBEMPROVIDERSTATICMUTEX
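As an added example (not part of the thread and not code from any commenter), the following Python script turns Pig's sandbox observations into a detection check: it reads simplified Sysmon-style events (the line format is an assumption, and the events are constructed, not real telemetry) and flags a file dropped into system32 by a non-Windows process, a value written under the policies\Explorer\Run autostart key, and a network connection to a known C2 host or from the dropped file. The key path and the domain intohave.com come from the comment above; the file names, process names and the benign events are constructed.

```python
import re
from dataclasses import dataclass

# Autostart location from the sandbox notes above: consulted at logon like the
# ordinary Run key, but inspected far less often. Matched case-insensitively.
POLICY_RUN_KEY = "\\policies\\explorer\\run\\"

# Domain reported in the comment above; a real deployment would feed a feed of
# indicators here instead.
KNOWN_C2 = frozenset({"intohave.com"})

# Constructed, simplified Sysmon-style events (EventID 11 = FileCreate,
# 13 = RegistryEvent SetValue, 3 = NetworkConnect). Not real telemetry.
SAMPLE_EVENTS = r"""
EventID=11 Image=C:\Users\bob\Downloads\invoice.exe TargetFilename=C:\WINDOWS\system32\crypt32F.exe
EventID=13 Image=C:\WINDOWS\system32\crypt32F.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Txvvzfqtj Details=C:\WINDOWS\system32\crypt32F.exe
EventID=3 Image=C:\WINDOWS\system32\crypt32F.exe DestinationHostname=intohave.com DestinationPort=80
EventID=13 Image=C:\WINDOWS\system32\svchost.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Program Files\OneDrive.exe
EventID=3 Image=C:\Program Files\Firefox\firefox.exe DestinationHostname=example.org DestinationPort=443
"""

# key=value pairs; a value runs until the next " key=" token or end of line,
# so paths containing spaces (C:\Program Files\...) survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line):
    """Turn one 'key=value key=value' event line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def detect(text, known_c2=KNOWN_C2):
    """Run the three behavioural checks over the event text, in order."""
    findings = []
    dropped = set()  # lower-cased paths of files written into system32
    for raw in text.strip().splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == "11":
            target = ev.get("TargetFilename", "")
            # A file landing in system32 from outside the Windows tree is the
            # first thing the sandbox note reports.
            if "\\system32\\" in target.lower() and not image.lower().startswith("c:\\windows\\"):
                dropped.add(target.lower())
                findings.append(Finding("file_drop_system32", image, target))
        elif eid == "13":
            key = ev.get("TargetObject", "")
            # Persistence via the policy Run key; the ordinary Run key is left
            # to other rules so this one stays low-noise.
            if POLICY_RUN_KEY in key.lower():
                findings.append(Finding("policies_explorer_run_persistence", image, key))
        elif eid == "3":
            host = ev.get("DestinationHostname", "").lower()
            if host in known_c2:
                findings.append(Finding("known_c2_contact", image, host))
            elif image.lower() in dropped:
                # Even without an indicator feed, a freshly dropped binary
                # talking out is worth a look.
                findings.append(Finding("dropped_file_network", image, host))
    return findings


def summarize(text, known_c2=KNOWN_C2):
    """Count findings per rule, for a quick triage view."""
    counts = {}
    for f in detect(text, known_c2):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.image}  ->  {f.detail}")
```

The benign svchost write to the plain Run key and the Firefox connection produce no findings, so the three hits come only from the chain the comment describes; pass an empty `known_c2` to see the fallback rule fire for the dropped file's connection instead.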
Anonymous - October 30, 2012 at 8:25 am
What do you mean by the "new" andro of the French guy, is this v3 or just a new find of v2 or what not?
I_Post_Ur_Info - October 31, 2012 at 4:58 pm
New as in a new license, since it has all of the plugins. It's still v2 as v3 isn't out yet.