A forum for reverse engineering, OS internals and malware analysis 
 #27715  by slipstream-
 Fri Jan 22, 2016 8:44 pm
This trojan gets pushed by PUP install bundlers.

It initially downloads and runs FreeYoutubeDownloader11012016.exe which is an Inno Setup downloader.

This downloader uses winhttp to send a GET request to http://request.analytics-system.com/getgeo (which gets your GeoIP country location).

If it is not US, it downloads hxxp://youtubedownloadernew.com/othr/Setup.exe - this seems to be completely benign.

However, if it is US, it downloads hxxp://youtubedownloadernew.com/down/Setup.exe which is the benign version with one difference: it includes an additional .exe (Box.exe) that pops a fake alert to get you to call a fake tech support company, and the main application .exe runs it every 2 minutes.

Included: the downloader, and both setups (Setup (5).exe is the version that pops the fake alerts, Setup (6).exe is benign)

Unpacked versions of both setups have been included for your convenience.

The phone number for the fake tech support is hardcoded in two places in Box.exe as: 1-888-479-3649.
Attachments (password: infected, 1.31 MiB)
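As an added example (not part of the post above and not code from the samples), the following script pulls the kind of indicators slipstream- reports, the request URLs and the hardcoded support number, out of a binary by scanning both ASCII and UTF-16LE string runs. Windows executables often keep UI text such as a fake-alert message as wide strings, so a plain ASCII `strings` pass can miss one of the two copies of a number. The SAMPLE bytes are constructed to stand in for an unpacked sample; they are not a dump of Box.exe or either Setup.exe, and the regular expressions are deliberately narrow (http/https URLs and 1-NNN-NNN-NNNN numbers).

```python
"""Extract URL and phone-number IOCs from a binary, scanning ASCII and UTF-16LE runs.

Added example for illustration; SAMPLE below is constructed test data, not real sample bytes.
"""
import re
from collections import defaultdict

# Printable runs of at least six characters, as ASCII and as UTF-16LE (char, NUL pairs).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PHONE_RE = re.compile(r"\b1-\d{3}-\d{3}-\d{4}\b")  # North American toll-free style, as in the post

# Constructed stand-in for an unpacked PE: two ASCII URLs, one wide-string message
# and one ASCII copy of the same number, surrounded by non-printable filler.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://request.analytics-system.com/getgeo\x00"
    + b"http://youtubedownloadernew.com/down/Setup.exe\x00"
    + "Call 1-888-479-3649 now".encode("utf-16le") + b"\x00\x00"
    + b"1-888-479-3649\x00"
    + b"\x01\x02\x03"
)


def strings_with_encoding(data: bytes):
    """Yield (text, encoding) for every printable run found as ASCII or UTF-16LE.

    The wide scan can match at odd offsets on unlucky ASCII layouts; for an IOC
    triage pass that is acceptable, since it only produces extra candidates.
    """
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii"), "ascii"
    for m in WIDE_RUN.finditer(data):
        yield m.group().decode("utf-16le"), "utf-16le"


def defang(url: str) -> str:
    """Neutralise a URL for reporting the way the post does (http -> hxxp)."""
    return re.sub(r"^http", "hxxp", url, count=1)


def extract_iocs(data: bytes) -> dict:
    """Return {'urls': {defanged_url: {encodings}}, 'phones': {number: {encodings}}}.

    Recording the encoding per indicator shows which copies an ASCII-only
    strings pass would have missed.
    """
    urls, phones = defaultdict(set), defaultdict(set)
    for text, enc in strings_with_encoding(data):
        for u in URL_RE.findall(text):
            urls[defang(u.rstrip(".,)'\""))].add(enc)
        for p in PHONE_RE.findall(text):
            phones[p].add(enc)
    return {"urls": dict(urls), "phones": dict(phones)}


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, found in extract_iocs(blob).items():
        for ioc, encs in sorted(found.items()):
            print(f"{kind[:-1]:5} {ioc}  [{', '.join(sorted(encs))}]")
```

Run it with a file path to scan a real unpacked sample, or with no arguments to scan the constructed bytes; the number shows up twice, once per encoding, which is the situation the post describes for Box.exe.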