[kminfo]

Hi

Can someone check this malware ?

unpack it and analyze it,

[EP_X0FF]

It is BTC Stealer from idiot with username "Santa Claus"

dropper -> dotnet RunPE with primitive antiVM -> fake messagebox -> 2nd stage dotnet dropper -> dotnet Payload (https://www.virustotal.com/en/file/22e6 ... /analysis/)

C:\Users\Santa Claus\Desktop\Download\The FILE\BTC-Stealer (No MSG)\BitcoinStealer\obj\Release\AU-Run-Immediately.pdb

All stages in attach, but I really doubt someone whats to looks inside this dotnet shit.

[kminfo]

Well thank you for the analysis.

I do not have BTC , but I ran the file on my pc. How to remove it ? if the malware stays hidden.

What tools did you use for analysis ?

[rootjacker]

Delete the registry key in SOFTWARE\Microsoft\\Windows\CurrentVersion\Run and delete file Adobe\\Updater\\AdobeHelper.exe in your home directory. Reboot.

[rootjacker]

Well thank you for the analysis.

I do not have BTC , but I ran the file on my pc. How to remove it ? if the malware stays hidden.

Delete the file in your home directory (Adobe\\Updater\\AdobeHelper.exe), remove the key in the registry(SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run), and reboot.

[kminfo]

Maybe this guy created or someone used code from here -

Code: Select all

https://tech9tutorialz.wordpress.com/tag/preferably-on-onion-websites-because-thats-where-all-the-good-stuff-is-here-is-the-code-i-used-using-system-using-system-collections-g/

[kminfo]

The next phase of the payload converts to this dll.

AParcEngine.zip

(440.2 KiB) Downloaded 47 times