Matthieu Suiche
A patched (non recompiled) variant with *NO* kill-switch is out there too. Patched jump and zeroed the URL. See screenshots below.
Matthieu Suiche May 14
Replying to @craiu
Thanks to for sharing the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd hash.
Mitja Kolsek May 14
Replying to @msuiche @craiu
Puzzled as to why "jnz $+2" was in the original code. Looks like a placeholder for patching out the kill switch.
Costin Raiu May 14
Replying to @mkolsek @msuiche
That is the patched code, not the original one. The original was 75 15 hex.
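The encoding behind the exchange above, as an added example that is not code from the thread or from any sample: a short conditional jump is two bytes, opcode plus a signed 8-bit displacement measured from the end of the instruction, so "75 15" is jnz +0x15 (skip 21 bytes) while "jnz $+2" is 75 00, a jump to the very next instruction that keeps the opcode but neutralises the branch. The byte strings, offsets and URL below are constructed for illustration and are not taken from the sample whose hash is quoted in the thread.

```python
# Added example: decode x86 rel8 short jumps, flag "jcc $+2" fall-through jumps,
# and reproduce the two edits described in the thread (zero the displacement,
# zero the URL string) on a constructed buffer. Not the thread's own code.

# Subset of one-byte short-jump opcodes (rel8 form). 0x75 is jnz, 0x74 is jz.
JCC_REL8 = {0x74: "jz", 0x75: "jnz", 0x76: "jbe", 0x77: "ja", 0xEB: "jmp"}


def decode_rel8_jump(buf: bytes, off: int):
    """Return (mnemonic, target_offset, displacement) for the 2-byte jump at off."""
    opcode = buf[off]
    if opcode not in JCC_REL8:
        raise ValueError(f"no short jump at {off:#x}: opcode {opcode:#04x}")
    disp = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
    # rel8 is relative to the end of the 2-byte instruction, hence off + 2.
    return JCC_REL8[opcode], off + 2 + disp, disp


def is_fallthrough_jump(buf: bytes, off: int) -> bool:
    """True when the jump targets the next instruction ('jcc $+2'): the branch
    is still there syntactically but can never change control flow."""
    _, target, _ = decode_rel8_jump(buf, off)
    return target == off + 2


def find_fallthrough_jumps(buf: bytes):
    """Offsets of every short jump whose displacement byte is zero."""
    return [(off, JCC_REL8[buf[off]]) for off in range(len(buf) - 1)
            if buf[off] in JCC_REL8 and buf[off + 1] == 0x00]


def neutralise_jump(buf: bytes, off: int) -> bytes:
    """The 'patched jump' edit: keep the opcode, zero the displacement."""
    decode_rel8_jump(buf, off)  # raises if off is not a short jump
    out = bytearray(buf)
    out[off + 1] = 0x00
    return bytes(out)


def zero_ascii_string(buf: bytes, off: int):
    """The 'zeroed the URL' edit: overwrite a NUL-terminated string with zeros.
    Returns (patched_bytes, number_of_bytes_zeroed)."""
    end = buf.index(b"\x00", off)
    out = bytearray(buf)
    out[off:end] = b"\x00" * (end - off)
    return bytes(out), end - off


# Constructed buffer (assumption, not sample bytes): 'test eax,eax' followed by
# 'jnz +0x15', 0x15 bytes of filler standing in for the exit path the original
# jump skips over, then a NUL-terminated URL. The hostname is a placeholder.
URL = b"http://example.invalid/\x00"
ORIGINAL = bytes([0x85, 0xC0, 0x75, 0x15]) + bytes(0x15) + URL
JUMP_OFF = 2
URL_OFF = len(ORIGINAL) - len(URL)


def patch_like_thread(buf: bytes = ORIGINAL, jump_off: int = JUMP_OFF,
                      url_off: int = URL_OFF) -> bytes:
    """Apply both edits the thread describes and return the patched buffer."""
    patched = neutralise_jump(buf, jump_off)
    patched, _ = zero_ascii_string(patched, url_off)
    return patched


if __name__ == "__main__":
    print("original:", decode_rel8_jump(ORIGINAL, JUMP_OFF))
    patched = patch_like_thread()
    print("patched: ", decode_rel8_jump(patched, JUMP_OFF))
    print("fall-through jumps:", find_fallthrough_jumps(patched))
```

`find_fallthrough_jumps` is a raw byte scan, not a disassembler: in a real binary a 0x74 or 0x75 followed by 0x00 also occurs inside data and UTF-16 strings ("t\0", "u\0"), so it illustrates the encoding rather than serving as a signature for patched samples; confirm any hit by disassembling the surrounding code.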
R0bert R0senb0rg May 14
Replying to @msuiche @craiu
isn't this some testing version that a researcher patched to use after sinkholing killswitch?
Mitja Kolsek May 14
Replying to @craiu @msuiche
Oh, that makes sense.
Mark Steward May 14
Replying to @msuiche @craiu
Ugh. And given the number of historic builds out there, the person who did this is very unlikely to be the malware author.
# mind mapper # May 14
Replying to @msuiche
Is it spreading in the wild or just for testing purposes?
Aaron Shelmire May 14
Replying to @msuiche @craiu
WTF, everyone who is running an automated internet-connected sandbox needs to make sure this file is NOT run and is NOT allowed to spread.
Mark Steward May 14
Replying to @msuiche @craiu
Is that version viable? The payload looks different and doesn't have a zip directory.
Aaron Shelmire May 14
While it may be a testing version, think of how many sandboxes pull files from VirusTotal and run them in the wild, leading to spread.
Thanh Bình May 14
Replying to @msuiche
How can you do that? I would like to help.
R0bert R0senb0rg May 14
I know, that's why researchers should be careful and use patched versions only in a way they can't spread, and definitely not upload them to VT or a sandbox.
Adam May 14
Replying to @msuiche
Are the bitcoin addresses the same, or have they been changed?
GalBit May 14
Replying to @msuiche
Legit malware development process :D
R0bert R0senb0rg May 14
This thread sums it up:
Aaron Shelmire May 14
Agree, but it has been on VT since 90 minutes ago:
mndg May 14
Replying to @msuiche
What is now in the resources? The same?