Page 1 of 15
Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Sat Jan 05, 2013 7:02 am
by grum
remark start
2010 year FakeAV
2011 year FakeAV
2012 year FakeAV
remark end
super FakeAV for all research :lol: ver 2013
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Sat Jan 05, 2013 7:47 am
by EP_X0FF
That's "XP Defender". It changes the default registry ".exe" association so every time you try to launch an exe this crap will pop up.
Main part of FakeAV downloads from
hxxp://terminologyipadinitiating.org/
"Definitions", resources and decrypted loader attached.
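The ".exe" association hijack EP_X0FF describes lives in the file-type handler keys that Windows ships with a fixed default (`HKCR\.exe` pointing at `exefile`, and `HKCR\exefile\shell\open\command` holding `"%1" %*`). The following is an added triage helper, not code from the thread or from the sample: it classifies a handler command string as the Windows default or as hijacked, pulls out the path that would actually run, and on Windows can read the live values through `winreg`. The registry paths are the standard ones, and the sample hijacked values are constructed.

```python
import re
import sys

# Standard Windows defaults for the exe handler (well-known values, not from the thread).
EXPECTED_DEFAULTS = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
}

# First token of a command line: either a double-quoted path or a bare word.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')


def classify_exe_command(value):
    """Return ('clean', None) when the handler is the Windows default,
    otherwise ('hijacked', <executable that runs instead of the user's exe>)."""
    if value.strip() == EXPECTED_DEFAULTS[r"HKCR\exefile\shell\open\command"]:
        return ("clean", None)
    m = _FIRST_TOKEN.match(value)
    executable = (m.group(1) or m.group(2)) if m else ""
    return ("hijacked", executable)


def classify_exe_association(value):
    """The .exe key itself should just name 'exefile'."""
    return "clean" if value.strip().lower() == "exefile" else "hijacked"


def read_live_values():
    """On Windows, read the two real keys; elsewhere return None (offline demo)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    out = {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, ".exe") as k:
        out[r"HKCR\.exe"] = winreg.QueryValue(k, None)
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as k:
        out[r"HKCR\exefile\shell\open\command"] = winreg.QueryValue(k, None)
    return out


if __name__ == "__main__":
    # Constructed examples: one clean handler, one that points at a file under %APPDATA%.
    for sample in ('"%1" %*',
                   '"C:\\Users\\victim\\AppData\\Roaming\\defender.exe" "%1" %*'):
        print(sample, "->", classify_exe_command(sample))
    live = read_live_values()
    if live:
        for key, val in live.items():
            print(key, "=", val, "->", classify_exe_command(val)
                  if "command" in key else classify_exe_association(val))
```

Restoring the association means putting the default values back into those two keys (a rogue of this kind only needs the `command` value to point at itself), which is why the helper reports the executable path rather than just a verdict.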
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Wed Jan 23, 2013 12:38 pm
by rusl
Rogue - Security Defender
password: infected (19.71 KiB)
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Wed Jan 23, 2013 2:09 pm
by ISergey256
rusl wrote:Rogue - Security Defender
SecurityDefender.7z
Activation Code:
?O?Z?L?W?I?T?F?Q?C?N?Y?K?V?H?S?E
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Thu Jan 31, 2013 9:54 am
by Xylitol
Disk Antivirus Professional
Original:
https://www.virustotal.com/file/95e4027 ... 359625432/ > 21/46
Unpack:
https://www.virustotal.com/file/41fc7f7 ... 359625192/ > 12/45
Network:
Code:
GET /api/urls/?ts=f3626e3f&affid=00100 HTTP/1.1
Host: 112.121.178.189
---
GET /api/stats/install/?ts=f3626e3f&affid=00100&ver=3070024&group=dap HTTP/1.1
Host: 112.121.178.189
---
GET /p/?&lid=3070024&affid=00100&nid=8065D52C&group=dap HTTP/1.1
Host: kilopaybilling.com
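The three requests above are a compact beacon pattern (fixed paths, an `affid` affiliate id, and install metadata in `ver`/`group`/`lid`/`nid`). As an added example that is not from Xylitol's post, here is a small proxy-log scanner that flags requests matching that pattern and extracts the parameters an analyst would pivot on. The log format and the benign lines are constructed; the beacon lines are the ones from the capture.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Paths and query parameters seen in the capture above.
BEACON_PATHS = {"/api/urls/", "/api/stats/install/", "/p/"}
BEACON_PARAMS = {"ts", "affid", "ver", "group", "lid", "nid"}

# Constructed log format: "<timestamp> <client> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def classify_request(url):
    """Return a dict of indicators if the URL matches the beacon shape, else None.
    A request counts as a beacon only if it uses one of the known paths AND
    carries an affid parameter, so an unrelated site with /p/ or /api/urls/ is ignored."""
    parts = urlsplit(url)
    # parse_qsl skips the empty segment produced by the leading '&' in '/p/?&lid=...'
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path not in BEACON_PATHS or "affid" not in params:
        return None
    hit = {"host": parts.hostname, "path": parts.path}
    hit.update({k: v for k, v in params.items() if k in BEACON_PARAMS})
    return hit


def scan_log(lines):
    """Run classify_request over every parsable log line; return the hits in order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url = m.groups()
        hit = classify_request(url)
        if hit:
            hit.update({"time": ts, "client": client})
            hits.append(hit)
    return hits


def affiliates(hits):
    """Distinct affiliate ids seen, useful for grouping installs by campaign."""
    return sorted({h["affid"] for h in hits})


# Constructed sample log: the three captured beacons plus two benign requests.
SAMPLE_LOG = [
    "2013-01-31T09:54:01Z 10.0.0.5 GET http://112.121.178.189/api/urls/?ts=f3626e3f&affid=00100",
    "2013-01-31T09:54:02Z 10.0.0.5 GET http://112.121.178.189/api/stats/install/"
    "?ts=f3626e3f&affid=00100&ver=3070024&group=dap",
    "2013-01-31T09:54:03Z 10.0.0.5 GET http://kilopaybilling.com/p/"
    "?&lid=3070024&affid=00100&nid=8065D52C&group=dap",
    "2013-01-31T09:54:04Z 10.0.0.7 GET http://example.com/api/urls/?page=2",
    "2013-01-31T09:54:05Z 10.0.0.7 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
    print("affiliates:", affiliates(scan_log(SAMPLE_LOG)))
```

The `lid` in the billing request equals the `ver` reported at install time, so correlating the install beacon with the later payment-page request on the same client is a reasonable second-stage rule once the first hit fires.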
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Thu Jan 31, 2013 12:31 pm
by gied
Does it have Geo / VM protection?
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Sat Feb 02, 2013 11:28 am
by fixrogues
I was able to run it on a VMware machine.
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Sat Feb 02, 2013 11:44 am
by EP_X0FF
gied wrote:Does it have Geo / VM protection?
It has at least VPC/VMware detection.
VMware by cpuid "VmwareVmware" and by the VMX backdoor.
VPC by an invalid instruction.
This detection is located at @0043AEB7 in Xylitol's dump.
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Sat Feb 16, 2013 8:57 pm
by secObs
Another Disk Antivirus Professional.
Detection 5/46
https://www.virustotal.com/en/file/e8e4 ... 361048122/
MD5: d86062cf9c363fbe817b04665f311555
SHA-1: f4a18d4e939418133120ecdb9a959bfa4249fb10
Re: Rogue Antimalware (FakeAV, 2013 year)
PostPosted:Wed Mar 06, 2013 12:29 pm
by Blaze
Disk Antivirus Professional