
Multi Gerador De Crypter Anonymous Rat V4 (autoit vb6 vb.net)


top10 (Moderator), joined Mar 18, 2015
Re: Multi Gerador De Crypter Anonymous Rat V4 (autoit vb6 vb.net)

Obviously it was me who approved this thread after a very simple analysis, but after seeing the same thread on another forum, looking at the files and doing a THOROUGH analysis, the file is infected.

Analysis:

Analyzed on a virtual XP OS

- No connections

- No antivirus

- Adds autostart

- More than suspicious behaviour in the registry

Fecha y hora:2015/11/7 13:49:40 , 2015/11/7 13:52:15

Computador:ANALISIS-24E639 , ANALISIS-24E639

Usuario:ANALISIS , ANALISIS

Code:
----------------------------------
Claves añadidas:5
----------------------------------
HKLM\SOFTWARE\ODBC\Brazos volatile counter
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\Engines
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\Engines\Jet
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\MediaPlayer\Health\{0C49BC77-94B1-4E89-9DBD-7B7D62F9A6F3}
 
----------------------------------
Valores borrados:34
----------------------------------
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31233: "Tareas de archivo y carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31236: "Crear nueva carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31260: "Publicar esta carpeta en Web"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31374: "Compartir esta carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31272: "Otros sitios"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-21785: "Documentos compartidos"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31274: "Detalles"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\Explorer.EXE: "Explorador de Windows"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22912: "Muestra accesos directos a sitios Web, equipos en la red y sitios FTP."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\notepad.exe,-469: "Documento de texto"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31275: "Esta sección muestra el tamaño, tipo de archivo y otra información acerca del elemento seleccionado."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31234: "Estas tareas se aplicarán sobre los archivos y carpetas que haya seleccionado."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31237: "Crea una nueva carpeta vacía en la carpeta que ha abierto."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31249: "Transfiere copias de los elementos seleccionados a una página Web pública para que pueda compartirlos con otras personas."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31375: "Hace que la carpeta seleccionada esté disponible para otros equipos en la red de manera que otras personas puedan verla."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31273: "Proporciona vínculos abren otras carpetas y le llevan rápidamente a carpetas y sitios útiles."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-12695: "Contiene los archivos y carpetas compartidos entre los usuarios de este equipo."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22914: "Contiene cartas, informes, y otros documentos y archivos."
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-21779: "Mis imágenes"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-21790: "Mi música"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31254: "Cambiar nombre a esta carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31256: "Mover esta carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31258: "Copiar esta carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31380: "Enviar por correo electrónico los archivos de esta carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31262: "Eliminar esta carpeta"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31242: "Cambiar nombre a este archivo"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31244: "Mover este archivo"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31246: "Copiar este archivo"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31248: "Publicar este archivo en Web"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31370: "Enviar este archivo por correo electrónico"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31252: "Eliminar este archivo"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\ANALISIS\Mis documentos\tools\Regshot.exe: "Regshot"
 
----------------------------------
Valores añadidos:17
----------------------------------
HKLM\SOFTWARE\ODBC\Brazos volatile counter\VolatileDsnCount: 0x00000001
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\Engines\Jet\Driver: "{Microsoft Access Driver (*.mdb)}"
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\Engines\Jet\ImplicitCommitSync: ""
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\Engines\Jet\Threads: 0x00000003
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\Engines\Jet\UserCommitSync: "Yes"
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\ProcessId: 0x0000007C
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\DBQ: "C:\iDEFENSE\SysAnalyzer\known_files.mdb"
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\DriverId: 0x00000019
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\SafeTransactions: 0x00000000
HKLM\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x7c Thread 0x90 DBC 0x3a8c3c Jet\UID: ""
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\LangID: 0A 0C
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-12691: "Documentos recientes"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\iDEFENSE\SysAnalyzer\sniff_hit.exe: "sniff_hit"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\cmd.exe: "Procesador de comandos de Windows"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\iDEFENSE\SysAnalyzer\proc_watch.exe: "proc_watch"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\iDEFENSE\SysAnalyzer\sysAnalyzer.exe: "sysAnalyzer"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\ANALISIS\Escritorio\Grador de Crypter anonymous rat V4.exe: "Grador de Crypter anonymous rat V4"
 
----------------------------------
Valores modificados:17
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 74 62 37 73 7A 1B 9E 95 6D D3 E6 2E 63 3B C3 55 FD 2D B0 7D A6 11 C7 72 25 C7 E7 FE 9D BD 26 71 59 12 67 ED 74 6E 5C 76 F9 5D 67 C4 81 46 E8 AB A0 1B CB C3 84 03 09 7D D7 76 55 04 19 19 0C C9 AA 31 D5 09 A2 64 82 98 AC DB 2A 90 42 24 F4 EA
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: B3 23 E6 77 DB E3 CA BC 91 D4 59 28 C0 3F 8E AD 14 85 6A B6 A4 CF FE 13 CF 2F BE 5F B5 8C 70 DB 7F 93 FF FC 5D 56 39 52 C7 42 C5 0A F4 62 C6 00 90 D7 DB 74 88 71 73 73 D1 97 D5 A7 7A 50 BA 3A BC 9D 9B 66 B9 C9 9C AB FA 66 09 D6 31 02 11 C2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000000C
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000016
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000008
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000F
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "fdcebajihg"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "gfdcebajih"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\g: "C:\Documents and Settings\ANALISIS\Mis documentos\analizar\DroidJack v4[1].0 Cracked.zip"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\g: "C:\Documents and Settings\ANALISIS\Escritorio\Grador de Crypter anonymous rat V4.exe"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\a: "C:\Documents and Settings\ANALISIS\Mis documentos\tools\spymetools_installer.exe"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\a: "C:\Documents and Settings\ANALISIS\Escritorio\Grador de Crypter anonymous rat V4.exe"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\MRUList: "jihcgfedba"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\MRUList: "ajihcgfedb"
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 51 00 00 00 90 95 4D 1F 63 19 D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 53 00 00 00 80 6B CD 29 63 19 D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 03 00 00 00 27 00 00 00 70 EE 6A 19 63 19 D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 03 00 00 00 28 00 00 00 20 53 AA 29 63 19 D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:FlfNanylmre.yax: 02 00 00 00 0F 00 00 00 70 71 50 0D 85 0E D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:FlfNanylmre.yax: 03 00 00 00 10 00 00 00 20 53 AA 29 63 19 D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\vQRSRAFR\FlfNanylmre\flfNanylmre.rkr: 02 00 00 00 0F 00 00 00 F0 C0 62 0D 85 0E D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\vQRSRAFR\FlfNanylmre\flfNanylmre.rkr: 03 00 00 00 10 00 00 00 80 6B CD 29 63 19 D1 01
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0E 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 FC 8F 0A 31 C6 D0 01 01 00 00 00 A9 FE EF 4D 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0F 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 FC 8F 0A 31 C6 D0 01 01 00 00 00 A9 FE EF 4D 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\SessionInformation\ProgramCount: 0x00000004
HKU\S-1-5-21-2052111302-1202660629-1708537768-1003\SessionInformation\ProgramCount: 0x00000008
 
----------------------------------
Total de cambios:73
----------------------------------

Not much to say... it's plain to see what this "generator" does.

- Processes started

- New processes after the tool starts

Now we know where it injects itself; interesting, not a very common place.

A bit odd that they'd sign a supposed file generator so much, isn't it?

So there you go, clearly INFECTED.

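As an added illustration (not code from the post or from the tool it discusses): a small Python triage script for Regshot-style text diffs like the one above. It splits the report into its sections, then separates entries that touch well-known autostart locations from the residue the analysis tooling itself leaves behind (SysAnalyzer's ODBC DSN, MUICache strings, the RNG seed, Regshot's own MRU entries), leaving everything else for manual review. The sample input is constructed; the `Run` entry in it is invented to show what a persistence hit looks like and is not taken from the page.

```python
import re

# Autostart locations (a hit needs a look) vs. tooling/housekeeping residue as in the diff above.
PERSISTENCE = (r"\\CurrentVersion\\Run(Once)?\\", r"\\Winlogon\\(Shell|Userinit)",
               r"\\Services\\[^\\]+\\ImagePath")
NOISE = (r"iDEFENSE\\SysAnalyzer", r"Regshot", r"\\ODBC\\", r"\\MUICache\\",
         r"Cryptography\\RNG\\Seed", r"\\Prefetcher\\", r"\\SessionInformation\\")

# Constructed sample in Regshot's layout (labels as in the post); the Run entry is invented.
SAMPLE = r"""
----------------------------------
Valores borrados:1
----------------------------------
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}"
----------------------------------
Valores añadidos:3
----------------------------------
HKLM\SOFTWARE\ODBC\Brazos volatile counter\VolatileDsnCount: 0x00000001
HKU\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\iDEFENSE\SysAnalyzer\sysAnalyzer.exe: "sysAnalyzer"
HKU\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Run\updater: "C:\Documents and Settings\user\updater.exe"
----------------------------------
Total de cambios:4
----------------------------------
"""

def parse_regshot(text):
    """Split a Regshot text diff into {section label: [entry lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                                     # blank or separator line
        header = re.fullmatch(r"([^\\:]+):(\d+)", line)  # e.g. "Valores añadidos:17"
        if header:
            current = header.group(1)
            sections.setdefault(current, [])             # register even if empty
        elif current is not None:
            sections[current].append(line)
    return sections

def classify(entry):
    # 'persistence' wins over 'noise'; anything unmatched is left for manual review.
    if any(re.search(p, entry, re.I) for p in PERSISTENCE):
        return "persistence"
    return "noise" if any(re.search(p, entry, re.I) for p in NOISE) else "review"

def triage(text):
    """Bucket every section's entries so persistence hits surface above the residue."""
    buckets = {"persistence": [], "noise": [], "review": []}
    for entry in (e for entries in parse_regshot(text).values() for e in entries):
        buckets[classify(entry)].append(entry)
    return buckets
```

On a real report, expect the "review" bucket to be the useful one: it is what remains once the sandbox's own footprint has been filtered out.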