 #32438  by Fedor22
 Sat Jan 12, 2019 7:48 pm
Perfect PC Cleanup
Creates itself in "Program Files", changes internet settings in the registry, shows false positives and asks to buy a product after the scan.
Installer:
MD5: ed1954e40caf59b1335893e156661fef
SHA1: 37c066fcab1f704d8a5de58c3e3ce1942726e396
SHA256: b00129823975a8f54d4c4ff039817038d77690615002571d370180fbc0303a78
VirusTotal (33/69): https://www.virustotal.com/en/file/b001 ... /analysis/
Site: hxxp://perfectpccleanup.com
Screenshot: [image]
Password "infected" without quotes.
 #32569  by FakeAVHunter
 Sat Feb 09, 2019 7:52 pm
Personal Antivirus (Internet Antivirus Family)
His image: [screenshot]
Due to problems and errors with this rogue, the MD5 CANNOT BE SHOWN DUE TO FILE ERRORS.
password: infected
His license key: 4db8b3bab2b6b5bfb7b1b9b299510a73e34bc42c95f55ec61e87ef50
Sample fixed from password-protected installer :D
 #32645  by FakeAVHunter
 Sun Mar 03, 2019 10:50 am
InfoPure 2010 Korean Rogue
Image: [screenshot]
Sample:
password: infected. Thanks to Fedor22 for the Korean sample.
 #32660  by FakeAVHunter
 Sat Mar 09, 2019 8:53 am
WinReanimator Rogue + Fixed Crashes
[screenshot]
password: infected
 #32768  by FakeAVHunter
 Fri Mar 29, 2019 5:36 pm
PC Defender Full Version
Image: [screenshot]
Take a look at the sample of the cracked Russian version of PC Defender, without the trial version :lol: :lol: :lol:
It is a well-known FakeAV and here is the sample for trying :D
pass: infected
 #32982  by FakeAVHunter
 Thu Jun 06, 2019 6:35 pm
XP Protector 2009
Image: [screenshot]
The full version after I cracked it is similar to Antivirus XP 2008. Simple as a slice of pizza :-)
[screenshot]

At address 0043E907 I found all the text strings, MOV AL,BYTE PTR DS:[EAX], then I replaced it with MOV AL,1.
I dumped the debugged process:
LIC�����LIC�����-���0000��������6F740084937EAB76D1A407DE455B5297D1C5047CD79C630E5702B46455E1F2B8
Unfortunately I cannot save the file that I cracked :-( The serial is cryptographic, as in Desktop Security 2010.
pass: infected
 #32986  by FakeAVHunter
 Sat Jun 08, 2019 4:34 pm
I found a FakeAV with live domains and fake scan sites:
hxxp://protection-suite.totalh.net/index.html
hxxp://protection-suite.totalh.net/scanner/scan.html
Both are working, but I cannot dump the executable, and I found a nice thing :-D
A clone of Antivirus 10 :-)
[screenshot: rogue AV antimalware GUI]
Video Review : https://www.youtube.com/watch?v=xUiWJyw4rqI
Soon I will release a removal tool for this FakeAV.
Unfortunately I cannot find AntiPCDefender, and I cannot save the cracked files of XP Protector 2009 and Antivirus XP 2008 that I cracked, because the modified executable is not saving :-(
 #33000  by FakeAVHunter
 Fri Jun 14, 2019 9:19 am
Live Security Vista XP + Vista Gui and Live Enterprise Suite
[screenshots]

Live Enterprise Suite
[screenshot]
pass infected (three attachments)
I need an unpacker to dump all those rogues from the InternetAntivirus family so I can save a modification. I will not post that request here; I will do it later, you can find it in the reverse engineering topic.
 #33025  by FakeAVHunter
 Fri Jun 28, 2019 2:00 pm
I found three rare rogues and one FakeAV that encrypts your .doc files, installs a DLL that runs stealthily as FakeCorr, and detects the corrupted file as a damaged malware file.
Rogue File Repair.
C:\Windows\system32\fpfstb.dll, running with csrss.exe and svchost.
1. AV Care
[screenshot]
Full version: [screenshot]
2. FileFix Professional 2009 + Infection Proof
[screenshots]
3. Antivira AV FakeSpyPro
[screenshot]
The Antivira AV sample is working; I tested it on all Windows :-)
To activate AVCare a command line was found:
c:\Program Files\AV Care\AVCare.exe /setpaid
Other commands were found: -update -setpaid -uninstall -install
So I waited more for unpacking the exe from the KernelMode Reverse Engineer topic, so I am not posting links; you know already.
Last rogue antimalware FakeAVs I debugged with success:
VirusRemover2008
VirusRemover2009
VirusIsolator
AntiMalwareGuard
Total Virus Protection and others; I am not enumerating all of them.
PASSWORD: infected (three attachments)
 #33108  by FakeAVHunter
 Mon Jul 29, 2019 3:47 pm
Antivirus Anvi with serial key inside Notepad
[screenshot]
A FakeCog and more in the archive. Anyway, the icons are garbage, do not request them, because they are all just command shortcuts:
-noscan
-update
-about
-activate
-buy
-scan
-settings
-support
/avt
/customers
Full version document:
Thanks for purchasing antivirus software. Your antivirus software is activated successfully.
Your registration key is:
94804860143697233939975370329435970097710202
(PLEASE, SAVE IT SEPARATELY IN CASE YOU NEED TO REBOOT OR REINSTALL ANTIVIRUS SOFTWARE)
The last version of antivirus:
http://checkeds.com/customers/installer.php?pid=AVT_BASIC

You can also find this link in your software HELP & SUPPORT part. Please, use this link in case of reinstallation.
If you have any question, please, pay attention to tickets, Help&Support. You can find out the answer on your question there.
For urgent cases, please, contact us on the phone 
1-866 427 1693.
Thank you!
Have fun with this easy Notepad-hack FakeAV.
password: infected