Citrus
December 29th, 2008, 09:56
Hi,
Someone tried to pose as my friend and get me to download his malware. I have been playing with the file he sent in VMWare and I found out that it copies itself using Alternate Data Streams to the System32 directory. I found out that it's the Poison Ivy RAT.
I see that it's 106kb and packed with Molebox 2.3. Why is it such a large size compared to the original Poison Ivy RAT, which is only 7kb?
Could anyone in here unpack it and maybe even find the IP address and/or password it uses to connect to the perpetrator? I have read some methods on how to unpack Molebox manually and they are way over my head.
Here is the virustotal link: http://www.virustotal.com/analisis/a5612fa93c290615834515baed421050
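As an added defender-side check (not part of the original post), this PowerShell snippet lists every file under System32 that carries an alternate data stream other than the default `:$DATA` stream, which is where the poster says the sample copies itself. Run it inside the analysis VM after the sample has executed; the path and the exclusion of `:$DATA` are the only assumptions.

```powershell
# Added example: enumerate alternate data streams (ADS) under System32.
# Every NTFS file has the unnamed ':$DATA' stream; anything else is an
# extra stream and worth inspecting on a system where a sample has run.
$dir = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one object per stream on the file
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    } |
    Format-Table -AutoSize
```

Compare the output against a clean snapshot of the same VM so that pre-existing streams (for example Zone.Identifier markers left by a browser) are not mistaken for the dropped copy.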