Thursday, 7 July 2011

Trojan-Ransom.Win32.Xorist - Encoder Builder v2.31



Another ransomware builder I found by accident (really!).

This one dates from 2010, and the file encryption uses XOR or TEA.
Interesting feature (hm... joke :þ): maybe the number of wrong password attempts that leads to a melt (self-delete)..



A built output is 10,5 Kb in size, and 6,5 Kb after UPX (builder in Delphi, stub in asm).



https://www.virustotal.com/file-scan/report.html?id=837df40c1667a2369ad9b17537ce5a9efbb81d93917e23426f4bc17fbacb2356-1310063161

The unlock code that decrypts the files is not stored in cleartext, but as an MD5x5 hash inside the build.
A good way to recover files without knowing the password... maybe a generic loader that brute-forces the right unlock code; it's very weak:
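As an added illustration of why that check value is weak (this is example code written for this post, not code from the post itself or from the Xorist builder), the script below reproduces the idea in miniature: a short unlock code, a stored "MD5x5" value, and a recovery loop that tries candidates against that value and then un-XORs a constructed sample file. Three things are assumptions, not facts about Xorist: that "MD5x5" means MD5 applied five times with each hex digest re-hashed as text, that the unlock code is used directly as the repeating XOR key, and that the code is digits only and at most four characters long.

```python
import hashlib
import itertools
import string


def md5x5(code: str) -> str:
    """Hash the unlock code with MD5 five times, re-hashing the hex digest
    each round. ASSUMED reading of the post's "MD5x5"; the real builder may
    chain the rounds differently."""
    digest = code.encode()
    for _ in range(5):
        digest = hashlib.md5(digest).hexdigest().encode()
    return digest.decode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(unlock_code: str, plaintext: bytes) -> tuple:
    """Constructed stand-in for a 'locked' file: the plaintext XORed with the
    unlock code (assumed key usage) plus the stored MD5x5 check value."""
    return xor_bytes(plaintext, unlock_code.encode()), md5x5(unlock_code)


def recover_unlock_code(stored_hash: str, alphabet: str, max_len: int):
    """Try every code over `alphabet` up to `max_len` characters and return
    the one whose MD5x5 equals the stored hash, or None if none matches.
    Cost is len(alphabet)**n candidates per length n, five MD5 calls each,
    which is why an unsalted fast hash of a short code gives no protection."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if md5x5(candidate) == stored_hash:
                return candidate
    return None


def demo():
    """End to end: lock a constructed sample with a 4-digit code, keep only
    the stored hash, recover the code from it, and decrypt."""
    plaintext = b"constructed sample document"   # constructed, not a real file
    locked, stored = build_sample("4172", plaintext)
    code = recover_unlock_code(stored, string.digits, 4)
    recovered = xor_bytes(locked, code.encode()) if code else None
    return code, recovered


if __name__ == "__main__":
    code, data = demo()
    print("recovered unlock code:", code)
    print("decrypted:", data)
```

The stored hash acts as an offline oracle: every guess can be checked without touching the malware, and five rounds of MD5 add nothing a modern CPU notices. That is the property a recovery tool for victims relies on, and the same property shows what a stronger design would have needed (a long random key, not a short code a user types, and no fast verifier left in the binary).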



Related ~
Unxoring Trojan-Ransom.Win32.Xorist
WinLocker Builder v0.4 - Cracking Generated winlocks
WinLocker Builder v0.2/v0.3 - Cracking Generated winlocks
xddd.66ghz.com and the 4B XOR Ransomware
