The strings come from the crypter used, a basic one, yet basic enough to mislead most AV products (4/40) according to VirusTotal: http://www.virustotal.com/file-scan/report.html?id=27067921f318fad3d2aecde9996956879fe1bae036b579d6b5446a29f479f360-1320067798
The crypter just maps the decrypted PE in memory, with no extra stuff. When the stub has finished its work, it simply closes without killing the child process.
Get the dynamic address where the decrypted copy is stored:
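One way to find that address offline is to scan a raw dump of the process memory for a valid PE header. This is an added example, not code from the original post; the function names, the region base and the sample buffer are constructed for illustration.

```python
import struct

def parse_pe_header(buf, off):
    """Validate a candidate 'MZ' at off; return header facts or None."""
    if off + 0x40 > len(buf):                       # IMAGE_DOS_HEADER is 64 bytes
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    nt = off + e_lfanew
    # Heuristic bounds: NT headers normally follow the DOS header closely.
    if not 0x40 <= e_lfanew <= 0x1000 or nt + 24 > len(buf):
        return None
    if buf[nt:nt + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, 3 DWORDs, OptHdrSize, Characteristics
    machine, nsect, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    if not 1 <= nsect <= 96:
        return None
    return {"machine": machine, "sections": nsect, "is_dll": bool(chars & 0x2000)}

def find_mapped_pe(buf, base=0):
    """Return every plausible PE image in buf, with its address (base + offset)."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        hit = parse_pe_header(buf, pos)
        if hit:
            hit["address"] = base + pos
            hits.append(hit)
        pos = buf.find(b"MZ", pos + 1)
    return hits

def constructed_sample():
    """Constructed dump: junk, a stray 'MZ' string, then a minimal PE header."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew -> 0x80
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    prefix = b"\x90" * 0x30 + b"MZ not a header" + b"\x00" * 0x100
    return prefix + bytes(dos) + nt + b"\x00" * 0x200, len(prefix)

if __name__ == "__main__":
    dump, _ = constructed_sample()
    for h in find_mapped_pe(dump, base=0x00A30000):  # hypothetical region base
        print(hex(h["address"]), h)
```

The stray `MZ` string in the sample is rejected because its `e_lfanew` field does not lead to a `PE\0\0` signature, so only the real header is reported.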
Launch NgrBot:
--
NgrBot selling:
The NgrBot sample was downloaded from
hxxp://www.articlesfront.com/facebook-pic-#####-JPEG
Happy Halloween (:
Image ©2011 by Reit taken from Deviantart