A forum for reverse engineering, OS internals and malware analysis
Searched query: antivm
Try something like WinXP + VBox 4.x. It should work if the dropper has no anti-VM code. Or use a real machine instead.
Dorkbot (crypter TensilCrypt? with AntiVM and multiple process restarting feature)
http://www.virustotal.com/file-scan/rep ... 1320478396
Dropper and unpacked in attachment.
Trojan Muldrop crypted by iCrypt Classic v4.4 with AntiVM (GetModuleHandleW sbiedll.dll, VIRTUAL HD, Sleep, GetVolumeInformationW, QEMU HARDDISK, VMWARE VIRTUAL IDE HARD DRIVE, CreateFileW \\.\PhysicalDrive0) and then packed with UPX, internally something ...
IDK what exactly is not working for Julian, but it isn't anti-VM or something, because I have some of these posted samples in my VM repository. It is known that updated TDL4 may cause a KB2506014-patched system to become unbootable. Dropper tries to infect MBR but ...
... Trojan downloader Phokace with AntiVM. Payload hxxp://www.allezdax.com/images/m.exe (crypted and packed by MPRESS Worm:Win32/Phorpiex.B ) decrypted downloader, payload + decrypted ...
... edit: TensilCrypt can throw an error due to AntiVM. Just search for the strings (VIRTUAL, VBOX, Sbie.dll, etc.) and change them. All in attachment.
... GUI http://img690.imageshack.us/img690/8821/27683203.th.gif Has antivm and anti-debugging on board (likely part of crypter code). Perfect example of Matryoshka (crypter+UPX->crypter+UPX) All original + unpacked in ...
... hosted ZAccess sample). Muldrop, crypted then packed by UPX; the payload it drops is also crypted and packed by UPX. Uses IE injection. Dropper has AntiVM on board (VMWare, Virtual Box, Virtual PC). Original dropper and extracted payload in attachment. http://www.virustotal.com/file-scan/report.html?id=887487779c7331319e166ea97f15ecabd45daad50b6aa27833622b86de00602c-1306508426
... This SpyEye v1.3 is more interesting. It has anti-VM on board (probably part of a skiddie crypter). Actually it looks for VmWare/VirtualPC/Sandbox/QEMU by checking specific registry keys, volume serial ...
... because they are internally ABSOLUTELY ALL the same (the only difference may be the crypter used; some crypters add additional features such as AntiVM and other sorts of skiddie BS). As for VT results: fresh crypted malware (with a fresh, clean crypter used) will always fool all VirusTotal patients ...