A forum for reverse engineering, OS internals and malware analysis 

 #27777  by slipstream-
 Thu Jan 28, 2016 6:21 pm
Pushed via PUP bundlers, this trojan drops a legitimate application and also a bunch of exes, and sets these exes up to run as scheduled tasks.

One, however, is a Windows service; this is used as persistence to recreate the scheduled tasks.

Of the others, some are winlockers and some pop fake alerts (faking McAfee and the Windows XP Security Center -- in 2016 -- while that binary also checks if MS Edge is running -- a weird mix of old and new here!).

They are all trying to social the user into calling fake tech support, with the number 1-800-245-2579.

The winlocker I found funny: it uses a "matrix-style" image.

The files have a weird mix of detection rates: between undetected by any antimalware solution, and well detected.

https://www.virustotal.com/en/file/121d ... 454004260/ - main dropper with winlocker functionality too 2/54
https://www.virustotal.com/en/file/f9d9 ... 454004439/ - pops fake alerts 0/52
https://www.virustotal.com/en/file/2c21 ... 454004784/ - pops fake alerts 0/52
https://www.virustotal.com/en/file/33e3 ... 454004795/ - pops fake alerts 0/51
https://www.virustotal.com/en/file/bf15 ... 454004809/ - persistence service 11/51
https://www.virustotal.com/en/file/eb55 ... 454004506/ - winlocker 4/54
https://www.virustotal.com/en/file/57a7 ... 454004513/ - winlocker 4/54
https://www.virustotal.com/en/file/bcdd ... 454004520/ - winlocker 4/54
https://www.virustotal.com/en/file/0152 ... /analysis/ - pops fake alerts 0/52

All these files are included in the attachment, password: infected