Rogue Antimalware (FakeAV, 2013 year) - Page 5

Houdsodu!Rdbtshux
X79SDV,U67GE0,T2WBG4@
iuuq;..rdbtshuxidmqrtqqnsu/bnl.nqdo/qiq
iuuq;..`tunhourdbtshux/bnl.ctxonv/qiq>che<$`ewhe$
iuuq;..`tunhourdbtshux/bnl.rtqqnsu/iulm
iuuq;..rnguqnsu`m271/bnl.515/qiq>he<$`ewhe$
iuuq;..mhbdobdbidbj35/bnl.`buhw`ud.`buhw`ud/qiq>he<$the$'l`hm<$dl`hm$'nseds^he<$nseds$
iuuq;..mhbdobdbidbj35/bnl.`buhw`ud.`buhw`ud/qiq>he<$the$'
iuuq;..2erdbtsdhoudso`uhno`m/bnl.rtqqnsu/qiq
ogdbude;!Usnk`o,Envomn`eds/Vho23/@fdou

Decript

Code: Select all

Internet Security
Y68REW-T76FD1-U3VCF5A
hxxp://securityhelpsupport.com/open.php
hxxp://autointsecurity.com/buynow.php?bid=%advid%
hxxp://autointsecurity.com/support.html
hxxp://softportal360.com/404.php?id=%advid%
hxxp://licencecheck24.com/activate/activate.php?id=%uid%&mail=%email%&order_id=%order%
hxxp://licencecheck24.com/activate/activate.php?id=%uid%&
hxxp://3dsecureinternational.com/support.php
nfected: Trojan-Downloader.Win32.Agent!

Attachments

InternetSecurity.zip

pass: infected
(2.81 MiB) Downloaded 135 times

Username

ISergey256

Posts

32

Joined

Wed Oct 05, 2011 11:42 am

Location

Ukraine

Re: Rogue Antimalware (FakeAV, 2013 year)

#19293 by ISergey256
Thu May 16, 2013 7:05 am

XP Micro Antivirus Online Scan

Code: Select all

hxxp://pcspeedplus.com/scan/

https://www.virustotal.com/ru/url/45997 ... /analysis/

Download PS Speed Maximizer

Attachments

PCSpeedMaximizer.zip

no pass
(3.61 MiB) Downloaded 139 times

Username

ISergey256

Posts

32

Joined

Wed Oct 05, 2011 11:42 am

Location

Ukraine

Re: Rogue Antimalware (FakeAV, 2013 year)

#19460 by Blaze
Wed May 29, 2013 9:08 am

System Care Antivirus, very low detection.
https://www.virustotal.com/nl/file/2c38 ... /analysis/

Attachments

504649A2CFFE3B2A00005045F9664498.zip

(400.12 KiB) Downloaded 109 times

Username

Blaze

Posts

198

Joined

Fri Aug 27, 2010 7:35 am

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#19468 by Xylitol
Thu May 30, 2013 1:29 am

http://malware.dontneedcoffee.com/2013/ ... rausy.html
http://vxvault.siri-urz.net/ViriList.ph ... 211.98.159
193 System Care Antivirus in attach
grabbed directly from the affiliate (BestAV distribution filter are broken)
if you want to do it yourself, just install wget and save this as batch:

Code: Select all

@echo off
color 17
cls
set target=test.bestavsoft2.com/soft/download/?affid=
set droppath=BestAVsoft1
set start=1
set affiday=00
set end=999
set step=1
if not exist %droppath% (
mkdir %droppath% )
FOR /L %%G IN (%start%, %step%, %end%) DO wget -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -S -t 100 -P / "%target%%%G%affiday%" -O "%droppath%/%%G"
FOR %%i IN (%droppath%\*) do if %%~zi LEQ 2 DEL %%i
echo Done.
pause

urls:

Code: Select all

hxxp://test.bestavsoft2.com/soft/download/?affid=400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=1400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=1900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=2400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=3200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=3400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=3800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=4200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=4300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=4400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=4600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=4700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=4800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=4900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=5100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=5400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=5500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=5700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=5800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=5900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=6100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=6300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=6700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=6900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=7100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=7500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=8300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=8500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=8600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=8900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=9200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=9500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=9700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=10200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=10300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=10400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=10700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=12200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=12400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=12600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=12700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=12900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=13200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=13300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=13500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=14400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=14700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=15000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=15100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=16000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=16700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=16800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=17100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=17300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=18200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=18400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=18700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=18900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=19000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=19800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=20200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=20300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=20400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=20500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=20700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=21000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=21700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=21800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=21900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=22200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=22300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=26800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=26900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=27200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=28800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=30300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=30800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=31200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=31700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=32100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=32300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=32400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=32800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=34600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=34800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=35000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=35200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=35400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=36200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=36400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=36500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=36800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=37100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=38000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=38200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=38300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=38400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=42900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=46000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=46300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=46700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=46800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=47700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=47800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=48500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=48800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=48900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=49000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=49500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=50200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=50900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=51100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=51300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=52100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=52200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=53500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=53900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=54600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=54700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=54800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=55000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=56900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=57800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=58400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=58600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=59200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=59300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=65400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=65700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=66200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=66900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=67600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=67800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=69400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=69600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=70000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=70100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=70200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=71000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=71200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=71700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=72000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=72600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=72800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=73900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=74100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=74300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=74600&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=74700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=74800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=74900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=75000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=75400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=75500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=75700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=75800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=75900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=76900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77400&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=77900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=78200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=78300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=78800&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=78900&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=79000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=79100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=79200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=79300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=79500&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=79700&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=80000&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=80100&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=80200&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=80300&aggr=1&timeout=300
hxxp://test.bestavsoft2.com/soft/download/?affid=80800&aggr=1&timeout=300

domain start to be burned by AVs :D https://www.virustotal.com/en/domain/te ... formation/

Attachments

BestAVsoft1.part09.rar

infected
(1.51 MiB) Downloaded 87 times

BestAVsoft1.part08.rar

infected
(9 MiB) Downloaded 82 times

BestAVsoft1.part07.rar

infected
(9 MiB) Downloaded 76 times

BestAVsoft1.part06.rar

infected
(9 MiB) Downloaded 81 times

BestAVsoft1.part05.rar

infected
(9 MiB) Downloaded 77 times

BestAVsoft1.part04.rar

infected
(9 MiB) Downloaded 80 times

BestAVsoft1.part03.rar

infected
(9 MiB) Downloaded 77 times

BestAVsoft1.part02.rar

infected
(9 MiB) Downloaded 83 times

BestAVsoft1.part01.rar

infected
(9 MiB) Downloaded 96 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#19522 by EP_X0FF
Sun Jun 02, 2013 11:06 am

System Doctor 2014

Sample courtesy of markusg.

Fresh and agressive FakeAV. Script-kiddie crypter over Visual C++ 2010 written application packed with UPX to reduce size.

Loading screen

Main screen

Detected items

original
https://www.virustotal.com/en/file/e072 ... /analysis/

unpacked
https://www.virustotal.com/en/file/aec9 ... 370170170/

Possible author profile at script-kiddie wasm.ru forum, author post history speaks for itself
hxxp://wasm.ru/forum/profile.php?id=11196

The following code snippet almost directly used in this malware (primitive VM detection using Setup API)
hxxp://wasm.ru/forum/viewtopic.php?pid=465992

VM detection procedure located in unpacked binary at @00413EDB

Malware runs via HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. Scan list of processes with short delay, terminates any new with a fake warning box.

List of available "detections"

Code: Select all

Random access memory  Virus Malware Trojan  %WINDIR%\System32\mdm.exe %WINDIR%\System32\smss.exe  %WINDIR%\System32\rundll.exe  %WINDIR%\System32\pp.exe  %WINDIR%\System32\drivers\hide2.sys %WINDIR%\System32\drivers\spy.sys   %WINDIR%\System32\constrols.ocx %WINDIR%\System32\audio.dll HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce  HKCU\Software\Microsoft\Windows\CurrentVersion\Run  HKLM\Software\Microsoft\Windows\CurrentVersion\Run  taskeng.exe nvvsvc.exe  lsass.exe wininit.exe spoolsv.exe smss.exe  services.exe  dwm.exe csrss.exe explorer.exe  svchost.exe winlogon.exe  Low Medium  High    Win32/Ciucio is a family of trojans that connect to certain websites in order to download arbitrary files.  PWS:Win32/Chedap.A is a password stealer that targets SSH user accounts.    This threat is classified as a backdoor trojan. A backdoor trojan provides remote, usually surreptitious, access to affected systems.   This is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer. Win32/Zafi is a family of mass-mailing worms. The worm sends itself to e-mail addresses that it finds on the infected computer. This threat is classified as a trojan that steals data. A data theft trojan gathers personal data, often of a financial nature, from affected systems.  This threat is classified as a worm that spreads over the network. A pure network worm propagates without any user interaction. Virus:Win32/Quervar is a virus that infects specific Microsoft Office document files and executable files.  Win32/Malword is a detection used to identify maliciously formed Word documents that contain code that attempts to exploit a vulnerability in Wordpad.  Worm:Win32/Mabezat.A is a worm that attempts to spread by copying itself to newly attached media devices, such as USB drives or USB media cards.    Worm:Win32/Hary.A is a worm that poses as a copy of J K Rowling's book "Harry Potter and the Deathly Hallows". The worm spreads between USB drives. This threat is classified as a password-stealing troian. This trojan installs a keystroke logger which records keystrokes and sends it to remote attackers. This is a trojan that is contained within websites that are malicious. It may redirect your browser to a website other than the one you expect. Win32/Dorkbot.A is a worm that spreads via instant messaging and removable drives. Also it allows control of the affected computer. Win32/Ramnit is a trojan that allows limited remote access and control to an affected computer. BrowserModifier:Win32/Zwangi is a program that runs as a service in the background and modifies Internet browser search functionality.  Win32/Ifnapod.X contains malicious software which it ⁤rops†and installs on the affected system. Also it allows remote access to infected systems. Win32/Sinowal is a family of password-stealing and backdoor programs. It may  capture banking credentials and send the data to the attacker.    Win32/Tracur is a malware that redirects Internet search queries to a malicious URL and allows backdoor access and control. Win32/Nitol.A is a malware that performs DDOS (Distributed Denial of Service) attacks against a target system, which is usually a website.  Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs.   Win32/Pramro.F is a trojan that creates a proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity.   JS/Seedabutor.B is a JavaScript trojan that attempts to redirect your browser to another website.   Win32/Sality.AT is a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives. Win32/Conficker.X is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE).    JS/Medfos.B is a malicious JavaScript file that redirects search queries when using websites such as AOL, Ask, Bing, Google and Yahoo.  PriceGong is an adware program that displays certain deals related to search terms you enter in any webpage's search field. Win32/Pameseg.XX is the detection for a fake installer that asks users to send SMS messages to a premium number.    Win32/Kelihos is a trojan family that distributes spam email messages. The spam messages could contain hyperlinks to installers of Win32/Kelihos malware.   Win32/Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer.  Win32/Ciucio  Win32/Chedap.A  Win32/Casus.2_0 Win32/Cameobe.X Win32/Zafi  Win32/Xinkey  Win32/Usen  Win32/Quervar.X Win32/Malword.X Win32/Mabezat.A Win32/Hary.A  Win32/Daurso  JS/Redirector.XX  Win32/Dorkbot.A Win32/Ramnit.X  Win32/Zwangi  Win32/Ifnapod.X

In attach original dropper and unpacked patched (removed AntiVM) version.

Attachments

SystemDoctor.rar

pass: infected
(1.17 MiB) Downloaded 150 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#19571 by rough_spear
Sat Jun 08, 2013 12:23 pm

SYSTEM DOCTOR 2014

MD5 - 6110AAEF222DE2F5715B84505D1197C4

VT link - http://www.virustotal.com/file/b9c2d9f4 ... 370693251/

Regards,

rough_spear. ;)

Attachments

6110AAEF222DE2F5715B84505D1197C4.7z

password - infected.
(641.95 KiB) Downloaded 90 times

Username

rough_spear

Posts

163

Joined

Mon Oct 18, 2010 4:46 pm

Location

India

Re: Rogue Antimalware (FakeAV, 2013 year)

#19631 by EX!
Thu Jun 13, 2013 11:11 pm

Internet Security

https://www.virustotal.com/es-ar/file/2 ... 371150073/

hxxp://globalofficesolution.net/tmp/file1.exe (fakeAV downloaded by 1eETvOm.exe )
hxxp://globalofficesolution.net/tmp/file2.exe (zbot type downloaded by 1eETvOm.exe )

Files in attach

(fakeAv)file1.exe ----> FakeAV
(pwd.stealer).1eETvOm.exe ----> [downloader]
file2(1).exe ----> zbot (?)

Attachments

fake-av.zip

password = infected
(1.02 MiB) Downloaded 127 times

Username

EX!

Posts

35

Joined

Wed Jun 29, 2011 8:24 pm

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#19632 by EP_X0FF
Fri Jun 14, 2013 1:56 am

EX! wrote:hxxp://globalofficesolution.net/tmp/file2.exe (zbot type downloaded by 1eETvOm.exe )

It is Sirefef.

cfg 32

Code: Select all

[000] 2013.6.12 20:19:50	222.254.253.254
[001] 2013.6.12 20:19:50	206.254.253.254
[002] 2013.6.12 20:19:50	197.254.253.254
[003] 2013.6.12 20:19:50	122.219.185.60
[004] 2013.6.12 20:19:50	190.254.253.254
[005] 2013.6.12 20:19:50	5.15.253.1
[006] 2013.6.12 20:19:50	184.254.253.254
[007] 2013.6.12 20:19:50	72.177.53.2
[008] 2013.6.12 20:19:50	183.254.253.254
[009] 2013.6.12 20:19:50	83.24.252.60
[010] 2013.6.12 20:19:50	182.254.253.254
[011] 2013.6.12 20:19:50	24.208.8.4
[012] 2013.6.12 20:19:50	180.254.253.254
[013] 2013.6.12 20:19:50	66.30.34.4
[014] 2013.6.12 20:19:50	166.254.253.254
[015] 2013.6.12 20:19:50	114.165.194.64
[016] 2013.6.12 20:19:50	158.254.253.254
[017] 2013.6.12 20:19:50	106.186.53.67
[018] 2013.6.12 20:19:50	135.254.253.254
[019] 2013.6.12 20:19:50	95.81.51.4
[020] 2013.6.12 20:19:50	134.254.253.254
[021] 2013.6.12 20:19:50	190.39.68.5
[022] 2013.6.12 20:19:50	119.254.253.254
[023] 2013.6.12 20:19:50	86.169.7.76
[024] 2013.6.12 20:19:50	117.254.253.254
[025] 2013.6.12 20:19:50	173.217.165.57
[026] 2013.6.12 20:19:50	115.254.253.254
[027] 2013.6.12 20:19:50	37.237.166.84
[028] 2013.6.12 20:19:50	113.254.253.254
[029] 2013.6.12 20:19:50	37.75.73.85
[030] 2013.6.12 20:19:50	78.84.208.253
[031] 2013.6.12 20:19:50	111.253.53.253
[032] 2013.6.12 20:19:50	180.31.45.251
[033] 2013.6.12 20:19:50	70.83.221.250
[034] 2013.6.12 20:19:50	189.110.145.248
[035] 2013.6.12 20:19:50	85.64.168.247
[036] 2013.6.12 20:19:50	188.252.135.247
[037] 2013.6.12 20:19:50	96.48.56.246
[038] 2013.6.12 20:19:50	95.86.8.246
[039] 2013.6.12 20:19:50	71.19.210.54
[040] 2013.6.12 20:19:50	75.68.206.244
[041] 2013.6.12 20:19:50	37.237.197.243
[042] 2013.6.12 20:19:50	216.163.200.88
[043] 2013.6.12 20:19:50	68.179.247.53
[044] 2013.6.12 20:19:50	151.0.38.49
[045] 2013.6.12 20:19:50	24.217.197.48
[046] 2013.6.12 20:19:50	62.98.57.228
[047] 2013.6.12 20:19:50	86.123.201.94
[048] 2013.6.12 20:19:50	66.229.124.102
[049] 2013.6.12 20:19:50	99.249.194.45
[050] 2013.6.12 20:19:50	66.97.59.103
[051] 2013.6.12 20:19:50	78.22.122.44
[052] 2013.6.12 20:19:50	71.8.17.39
[053] 2013.6.12 20:19:50	59.161.2.123
[054] 2013.6.12 20:19:50	92.237.86.36
[055] 2013.6.12 20:19:50	123.195.1.196
[056] 2013.6.12 20:19:50	46.237.12.36
[057] 2013.6.12 20:19:50	99.110.120.128
[058] 2013.6.12 20:19:50	67.55.204.35
[059] 2013.6.12 20:19:50	2.193.61.189
[060] 2013.6.12 20:19:50	125.201.5.188
[061] 2013.6.12 20:19:50	103.24.189.33
[062] 2013.6.12 20:19:50	66.244.109.32
[063] 2013.6.12 20:19:50	95.154.179.140
[064] 2013.6.12 20:19:50	95.92.146.31
[065] 2013.6.12 20:19:50	24.196.231.29
[066] 2013.6.12 20:19:50	89.136.119.29
[067] 2013.6.12 20:19:50	219.204.116.29
[068] 2013.6.12 20:19:50	66.225.167.8
[069] 2013.6.12 20:19:50	200.84.52.152
[070] 2013.6.12 20:19:50	85.65.128.153
[071] 2013.6.12 20:19:50	74.57.170.26
[072] 2013.6.12 20:19:50	118.160.218.24
[073] 2013.6.12 20:19:50	184.161.168.15
[074] 2013.6.12 20:19:50	24.0.195.173
[075] 2013.6.12 20:19:50	95.94.54.174
[076] 2013.6.12 20:19:50	68.96.28.10
[077] 2013.6.12 20:19:50	24.241.34.175
[078] 2013.6.12 20:19:50	68.145.105.12
[079] 2013.6.12 20:19:50	50.132.15.58
[080] 2013.6.12 20:19:49	76.90.148.177
[081] 2013.6.12 20:19:49	68.45.155.177
[082] 2013.6.12 20:19:49	79.110.149.173
[083] 2013.6.12 20:19:49	46.5.73.171
[084] 2013.6.12 20:19:49	98.236.234.170
[085] 2013.6.12 20:19:49	79.114.72.179
[086] 2013.6.12 20:19:49	67.182.13.170
[087] 2013.6.12 20:19:49	79.113.16.18
[088] 2013.6.12 20:19:49	98.24.212.18
[089] 2013.6.12 20:19:49	98.122.27.166
[090] 2013.6.12 20:19:49	78.251.108.19
[091] 2013.6.12 20:19:49	176.201.251.164
[092] 2013.6.12 20:19:49	31.192.2.164
[093] 2013.6.12 20:19:49	83.7.136.163
[094] 2013.6.12 20:19:49	173.179.43.22
[095] 2013.6.12 20:19:49	79.116.180.161
[096] 2013.6.12 20:19:49	173.17.70.23
[097] 2013.6.12 20:19:49	71.225.235.179
[098] 2013.6.12 20:19:49	93.118.201.180
[099] 2013.6.12 20:19:49	76.14.182.158
[100] 2013.6.12 20:19:49	5.147.210.26
[101] 2013.6.12 20:19:49	89.177.13.28
[102] 2013.6.12 20:19:49	75.185.60.181
[103] 2013.6.12 20:19:49	2.68.2.9
[104] 2013.6.12 20:19:49	88.207.125.28
[105] 2013.6.12 20:19:49	76.103.166.28
[106] 2013.6.12 20:19:49	70.234.96.8
[107] 2013.6.12 20:19:49	68.13.74.148
[108] 2013.6.12 20:19:49	46.246.54.182
[109] 2013.6.12 20:19:49	68.62.164.145
[110] 2013.6.12 20:19:49	79.113.146.182
[111] 2013.6.12 20:19:49	24.145.70.145
[112] 2013.6.12 20:19:49	143.225.223.144
[113] 2013.6.12 20:19:49	46.162.84.144
[114] 2013.6.12 20:19:49	92.55.77.183
[115] 2013.6.12 20:19:49	188.25.106.184
[116] 2013.6.12 20:19:49	79.121.64.139
[117] 2013.6.12 20:19:49	174.44.217.137
[118] 2013.6.12 20:19:49	95.81.219.136
[119] 2013.6.12 20:19:49	188.167.146.186
[120] 2013.6.12 20:19:49	79.112.187.7
[121] 2013.6.12 20:19:49	95.42.174.133
[122] 2013.6.12 20:19:49	147.143.239.34
[123] 2013.6.12 20:19:49	175.107.226.189
[124] 2013.6.12 20:19:49	203.234.209.132
[125] 2013.6.12 20:19:49	187.68.252.35
[126] 2013.6.12 20:19:49	213.118.248.129
[127] 2013.6.12 20:19:49	108.185.173.129
[128] 2013.6.12 20:19:49	77.238.203.190
[129] 2013.6.12 20:19:49	93.85.153.127
[130] 2013.6.12 20:19:49	79.22.75.126
[131] 2013.6.12 20:19:49	203.115.76.195
[132] 2013.6.12 20:19:49	66.97.58.197
[133] 2013.6.12 20:19:49	188.27.65.124
[134] 2013.6.12 20:19:49	5.14.251.123
[135] 2013.6.12 20:19:49	95.163.161.199
[136] 2013.6.12 20:19:49	141.138.96.122
[137] 2013.6.12 20:19:49	121.144.244.36
[138] 2013.6.12 20:19:49	24.35.57.37
[139] 2013.6.12 20:19:49	99.254.134.37
[140] 2013.6.12 20:19:49	114.37.230.202
[141] 2013.6.12 20:19:49	178.175.49.117
[142] 2013.6.12 20:19:49	46.181.73.115
[143] 2013.6.12 20:19:49	68.192.36.113
[144] 2013.6.12 20:19:49	24.235.235.109
[145] 2013.6.12 20:19:49	79.33.143.40
[146] 2013.6.12 20:19:49	213.112.182.106
[147] 2013.6.12 20:19:49	24.250.36.41
[148] 2013.6.12 20:19:49	98.122.68.106
[149] 2013.6.12 20:19:49	98.192.244.105
[150] 2013.6.12 20:19:49	71.75.65.203
[151] 2013.6.12 20:19:49	31.176.130.103
[152] 2013.6.12 20:19:49	37.214.244.203
[153] 2013.6.12 20:19:49	67.81.82.205
[154] 2013.6.12 20:19:49	72.224.125.213
[155] 2013.6.12 20:19:49	24.55.35.46
[156] 2013.6.12 20:19:49	49.124.192.100
[157] 2013.6.12 20:19:49	81.24.241.224
[158] 2013.6.12 20:19:49	178.169.149.94
[159] 2013.6.12 20:19:49	72.223.105.93
[160] 2013.6.12 20:19:49	60.34.117.92
[161] 2013.6.12 20:19:49	50.90.139.46
[162] 2013.6.12 20:19:49	93.114.171.229
[163] 2013.6.12 20:19:49	94.251.140.235
[164] 2013.6.12 20:19:49	95.52.202.49
[165] 2013.6.12 20:19:49	151.41.79.236
[166] 2013.6.12 20:19:49	2.92.221.242
[167] 2013.6.12 20:19:49	82.209.173.245
[168] 2013.6.12 20:19:49	174.100.136.86
[169] 2013.6.12 20:19:49	109.197.81.55
[170] 2013.6.12 20:19:49	95.166.162.7
[171] 2013.6.12 20:19:49	176.97.45.7
[172] 2013.6.12 20:19:49	12.27.26.7
[173] 2013.6.12 20:19:49	2.192.140.78
[174] 2013.6.12 20:19:49	117.109.231.77
[175] 2013.6.12 20:19:49	46.214.149.5
[176] 2013.6.12 20:19:49	178.152.218.75
[177] 2013.6.12 20:19:49	89.42.80.74
[178] 2013.6.12 20:19:49	109.53.57.73
[179] 2013.6.12 20:19:49	212.152.20.69
[180] 2013.6.12 20:19:49	31.192.201.68
[181] 2013.6.12 20:19:49	98.213.70.67
[182] 2013.6.12 20:19:49	221.31.51.4
[183] 2013.6.12 20:19:49	50.7.216.66
[184] 2013.6.12 20:19:49	24.229.186.65
[185] 2013.6.12 20:19:49	68.179.144.65
[186] 2013.6.12 20:19:49	24.55.40.4
[187] 2013.6.12 20:19:49	222.151.13.64
[188] 2013.6.12 20:19:49	184.152.107.62
[189] 2013.6.12 20:19:49	84.90.92.3
[190] 2013.6.12 20:19:49	125.195.47.1
[191] 2013.6.12 20:19:49	58.0.228.59
[192] 2013.6.12 20:19:49	24.146.224.59
[193] 2013.6.12 20:19:49	24.23.61.177
[194] 2013.6.12 20:19:49	24.69.33.0
[195] 2013.6.12 20:19:48	177.65.91.86
[196] 2013.6.12 20:19:48	46.49.25.88
[197] 2013.6.12 20:19:48	2.184.227.186
[198] 2013.6.12 20:19:48	86.122.43.89
[199] 2013.6.12 20:19:48	68.82.14.90
[200] 2013.6.12 20:19:48	46.237.80.90
[201] 2013.6.12 20:19:48	78.61.254.90
[202] 2013.6.12 20:19:48	114.24.18.91
[203] 2013.6.12 20:19:48	74.199.68.101
[204] 2013.6.12 20:19:48	93.178.200.102
[205] 2013.6.12 20:19:48	201.75.194.105
[206] 2013.6.12 20:19:48	170.51.116.106
[207] 2013.6.12 20:19:48	211.127.18.107
[208] 2013.6.12 20:19:48	69.244.120.117
[209] 2013.6.12 20:19:48	95.76.176.117
[210] 2013.6.12 20:19:48	95.86.13.120
[211] 2013.6.12 20:19:48	218.103.235.121
[212] 2013.6.12 20:19:48	76.29.81.124
[213] 2013.6.12 20:19:48	187.101.165.125
[214] 2013.6.12 20:19:48	24.20.34.132
[215] 2013.6.12 20:19:48	200.7.161.133
[216] 2013.6.12 20:19:48	98.71.44.35
[217] 2013.6.12 20:19:48	71.70.163.133
[218] 2013.6.12 20:19:48	5.20.50.134
[219] 2013.6.12 20:19:48	210.1.188.32
[220] 2013.6.12 20:19:48	185.12.169.134
[221] 2013.6.12 20:19:48	121.162.17.32
[222] 2013.6.12 20:19:48	77.221.85.142
[223] 2013.6.12 20:19:48	111.188.15.31
[224] 2013.6.12 20:19:48	70.2.139.145
[225] 2013.6.12 20:19:48	190.201.125.146
[226] 2013.6.12 20:19:48	174.134.77.148
[227] 2013.6.12 20:19:48	75.138.84.149
[228] 2013.6.12 20:19:48	86.22.216.149
[229] 2013.6.12 20:19:48	95.180.246.153
[230] 2013.6.12 20:19:48	5.57.165.27
[231] 2013.6.12 20:19:48	95.85.166.158
[232] 2013.6.12 20:19:48	86.122.207.159
[233] 2013.6.12 20:19:48	184.57.163.26
[234] 2013.6.12 20:19:48	109.184.228.25
[235] 2013.6.12 20:19:48	116.193.135.160
[236] 2013.6.12 20:19:48	78.20.170.160
[237] 2013.6.12 20:19:48	69.246.128.22
[238] 2013.6.12 20:19:48	184.66.0.163
[239] 2013.6.12 20:19:48	42.147.9.22
[240] 2013.6.12 20:19:48	24.155.12.21
[241] 2013.6.12 20:19:48	220.208.220.19
[242] 2013.6.12 20:19:48	194.28.69.165
[243] 2013.6.12 20:19:48	77.179.201.168
[244] 2013.6.12 20:19:48	108.252.47.18
[245] 2013.6.12 20:19:48	188.237.23.18
[246] 2013.6.12 20:19:48	70.83.17.18
[247] 2013.6.12 20:19:48	84.236.13.169
[248] 2013.6.12 20:19:48	82.127.22.170
[249] 2013.6.12 20:19:48	177.143.224.12
[250] 2013.6.12 20:19:48	89.40.49.175
[251] 2013.6.12 20:19:48	93.77.3.11
[252] 2013.6.12 20:19:48	2.193.103.177
[253] 2013.6.12 20:19:48	85.122.80.181
[254] 2013.6.12 20:19:48	70.82.125.181
[255] 2013.6.12 20:19:48	202.161.250.181

cfg 64

Code: Select all

[000] 2013.6.12 20:19:45	222.254.253.254
[001] 2013.6.12 20:19:45	206.254.253.254
[002] 2013.6.12 20:19:45	197.254.253.254
[003] 2013.6.12 20:19:45	190.254.253.254
[004] 2013.6.12 20:19:45	184.254.253.254
[005] 2013.6.12 20:19:45	183.254.253.254
[006] 2013.6.12 20:19:45	182.254.253.254
[007] 2013.6.12 20:19:45	180.254.253.254
[008] 2013.6.12 20:19:45	166.254.253.254
[009] 2013.6.12 20:19:45	158.254.253.254
[010] 2013.6.12 20:19:45	135.254.253.254
[011] 2013.6.12 20:19:45	134.254.253.254
[012] 2013.6.12 20:19:45	119.254.253.254
[013] 2013.6.12 20:19:45	117.254.253.254
[014] 2013.6.12 20:19:45	115.254.253.254
[015] 2013.6.12 20:19:45	113.254.253.254
[016] 2013.6.12 20:19:45	188.2.179.145
[017] 2013.6.12 20:19:45	78.96.236.123
[018] 2013.6.12 20:19:45	75.134.127.155
[019] 2013.6.12 20:19:45	5.248.135.157
[020] 2013.6.12 20:19:45	68.173.189.9
[021] 2013.6.12 20:19:45	69.41.149.251
[022] 2013.6.12 20:19:45	82.225.96.112
[023] 2013.6.12 20:19:45	68.36.242.9
[024] 2013.6.12 20:19:45	68.112.138.163
[025] 2013.6.12 20:19:45	178.155.241.103
[026] 2013.6.12 20:19:45	67.242.140.169
[027] 2013.6.12 20:19:45	76.107.65.244
[028] 2013.6.12 20:19:45	70.115.201.243
[029] 2013.6.12 20:19:45	24.23.224.97
[030] 2013.6.12 20:19:45	178.148.215.14
[031] 2013.6.12 20:19:45	75.132.39.97
[032] 2013.6.12 20:19:45	178.206.115.81
[033] 2013.6.12 20:19:45	76.109.152.78
[034] 2013.6.12 20:19:45	69.210.242.74
[035] 2013.6.12 20:19:45	174.50.62.213
[036] 2013.6.12 20:19:45	117.201.116.57
[037] 2013.6.12 20:19:45	109.235.54.216
[038] 2013.6.12 20:19:45	78.20.16.219
[039] 2013.6.12 20:19:45	31.147.112.54
[040] 2013.6.12 20:19:45	69.31.207.228
[041] 2013.6.12 20:19:45	84.113.225.229
[042] 2013.6.12 20:19:45	69.132.137.141
[043] 2013.6.12 20:19:44	184.162.64.42
[044] 2013.6.12 20:19:44	109.254.11.43
[045] 2013.6.12 20:19:44	173.48.11.48
[046] 2013.6.12 20:19:44	188.25.22.49
[047] 2013.6.12 20:19:44	24.231.150.35
[048] 2013.6.12 20:19:44	95.68.40.49
[049] 2013.6.12 20:19:44	78.78.18.35
[050] 2013.6.12 20:19:44	24.253.78.226
[051] 2013.6.12 20:19:44	96.42.85.50
[052] 2013.6.12 20:19:44	78.106.29.51
[053] 2013.6.12 20:19:44	2.195.176.52
[054] 2013.6.12 20:19:44	91.214.46.223
[055] 2013.6.12 20:19:44	69.246.246.52
[056] 2013.6.12 20:19:44	27.0.57.33
[057] 2013.6.12 20:19:44	125.196.155.54
[058] 2013.6.12 20:19:44	72.48.251.31
[059] 2013.6.12 20:19:44	105.225.187.56
[060] 2013.6.12 20:19:44	68.34.84.22
[061] 2013.6.12 20:19:44	24.190.37.236
[062] 2013.6.12 20:19:44	188.26.179.58
[063] 2013.6.12 20:19:44	98.249.188.21
[064] 2013.6.12 20:19:44	177.82.182.211
[065] 2013.6.12 20:19:44	87.99.109.59
[066] 2013.6.12 20:19:44	203.237.214.61
[067] 2013.6.12 20:19:44	130.43.145.62
[068] 2013.6.12 20:19:44	67.173.14.210
[069] 2013.6.12 20:19:44	98.220.42.67
[070] 2013.6.12 20:19:44	75.76.216.72
[071] 2013.6.12 20:19:44	78.232.205.73
[072] 2013.6.12 20:19:44	170.224.169.74
[073] 2013.6.12 20:19:44	85.238.222.200
[074] 2013.6.12 20:19:44	173.30.9.196
[075] 2013.6.12 20:19:44	67.164.202.20
[076] 2013.6.12 20:19:44	5.165.139.75
[077] 2013.6.12 20:19:44	189.61.165.190
[078] 2013.6.12 20:19:44	94.191.197.188
[079] 2013.6.12 20:19:44	68.189.185.188
[080] 2013.6.12 20:19:44	108.171.20.239
[081] 2013.6.12 20:19:44	74.197.105.18
[082] 2013.6.12 20:19:44	77.95.50.89
[083] 2013.6.12 20:19:44	50.90.8.184
[084] 2013.6.12 20:19:44	186.94.173.183
[085] 2013.6.12 20:19:44	98.184.94.182
[086] 2013.6.12 20:19:44	24.214.165.92
[087] 2013.6.12 20:19:44	82.38.86.94
[088] 2013.6.12 20:19:44	212.5.130.94
[089] 2013.6.12 20:19:44	72.199.118.180
[090] 2013.6.12 20:19:44	50.138.9.176
[091] 2013.6.12 20:19:44	174.102.50.96
[092] 2013.6.12 20:19:44	89.176.152.17
[093] 2013.6.12 20:19:44	24.108.61.97
[094] 2013.6.12 20:19:44	71.45.52.243
[095] 2013.6.12 20:19:44	173.23.208.100
[096] 2013.6.12 20:19:44	69.127.74.14
[097] 2013.6.12 20:19:44	46.105.52.168
[098] 2013.6.12 20:19:44	96.27.250.246
[099] 2013.6.12 20:19:44	72.209.19.110
[100] 2013.6.12 20:19:44	24.153.162.111
[101] 2013.6.12 20:19:44	71.45.155.10
[102] 2013.6.12 20:19:44	166.142.0.251
[103] 2013.6.12 20:19:44	83.157.33.162
[104] 2013.6.12 20:19:44	69.119.122.160
[105] 2013.6.12 20:19:44	74.122.94.160
[106] 2013.6.12 20:19:44	74.58.58.113
[107] 2013.6.12 20:19:44	110.47.155.9
[108] 2013.6.12 20:19:44	98.164.156.5
[109] 2013.6.12 20:19:44	184.78.181.116
[110] 2013.6.12 20:19:44	88.206.133.154
[111] 2013.6.12 20:19:44	118.86.37.121
[112] 2013.6.12 20:19:44	216.158.252.152
[113] 2013.6.12 20:19:44	76.112.173.151
[114] 2013.6.12 20:19:44	50.154.150.123
[115] 2013.6.12 20:19:44	109.87.128.2
[116] 2013.6.12 20:19:44	1.114.119.129
[117] 2013.6.12 20:19:44	74.210.225.129
[118] 2013.6.12 20:19:44	97.81.249.254
[119] 2013.6.12 20:19:44	201.51.86.145
[120] 2013.6.12 20:19:44	120.29.95.130
[121] 2013.6.12 20:19:44	69.125.192.144
[122] 2013.6.12 20:19:44	78.251.191.134
[123] 2013.6.12 20:19:44	91.136.168.142
[124] 2013.6.12 20:19:44	109.175.142.137
[125] 2013.6.12 20:19:44	178.116.137.36
[126] 2013.6.12 20:19:43	96.27.213.140
[127] 2013.6.12 20:19:43	190.54.94.139
[128] 2013.6.12 20:19:43	98.237.138.142
[129] 2013.6.12 20:19:43	75.141.249.7
[130] 2013.6.12 20:19:43	75.183.103.253
[131] 2013.6.12 20:19:43	94.253.69.247
[132] 2013.6.12 20:19:43	125.197.83.2
[133] 2013.6.12 20:19:43	70.62.132.11
[134] 2013.6.12 20:19:43	50.146.104.130
[135] 2013.6.12 20:19:43	24.1.73.145
[136] 2013.6.12 20:19:43	76.169.194.146
[137] 2013.6.12 20:19:43	186.147.7.3
[138] 2013.6.12 20:19:43	1.22.157.127
[139] 2013.6.12 20:19:43	213.150.36.148
[140] 2013.6.12 20:19:43	71.76.196.11
[141] 2013.6.12 20:19:43	24.211.27.3
[142] 2013.6.12 20:19:43	109.190.113.119
[143] 2013.6.12 20:19:43	50.88.103.155
[144] 2013.6.12 20:19:43	65.191.189.113
[145] 2013.6.12 20:19:43	114.134.139.3
[146] 2013.6.12 20:19:43	185.4.8.163
[147] 2013.6.12 20:19:43	24.167.4.245
[148] 2013.6.12 20:19:43	68.35.227.242
[149] 2013.6.12 20:19:43	77.78.217.107
[150] 2013.6.12 20:19:43	24.51.147.239
[151] 2013.6.12 20:19:43	79.177.106.7
[152] 2013.6.12 20:19:43	193.126.157.102
[153] 2013.6.12 20:19:43	69.139.126.170
[154] 2013.6.12 20:19:43	203.136.99.173
[155] 2013.6.12 20:19:43	69.250.41.4
[156] 2013.6.12 20:19:43	188.29.149.173
[157] 2013.6.12 20:19:43	142.217.249.173
[158] 2013.6.12 20:19:43	67.149.51.96
[159] 2013.6.12 20:19:43	71.74.3.176
[160] 2013.6.12 20:19:43	31.46.189.22
[161] 2013.6.12 20:19:43	50.80.104.95
[162] 2013.6.12 20:19:43	123.202.201.23
[163] 2013.6.12 20:19:43	71.77.57.26
[164] 2013.6.12 20:19:43	188.29.92.182
[165] 2013.6.12 20:19:43	70.124.27.184
[166] 2013.6.12 20:19:43	70.172.227.26
[167] 2013.6.12 20:19:43	84.238.55.185
[168] 2013.6.12 20:19:43	68.1.42.81
[169] 2013.6.12 20:19:43	90.56.111.80
[170] 2013.6.12 20:19:43	72.135.244.187
[171] 2013.6.12 20:19:43	178.141.136.192
[172] 2013.6.12 20:19:43	116.75.7.75
[173] 2013.6.12 20:19:43	93.78.176.193
[174] 2013.6.12 20:19:43	50.130.39.4
[175] 2013.6.12 20:19:43	46.98.130.74
[176] 2013.6.12 20:19:43	83.33.163.234
[177] 2013.6.12 20:19:43	62.65.54.206
[178] 2013.6.12 20:19:43	79.118.37.232
[179] 2013.6.12 20:19:43	67.84.21.37
[180] 2013.6.12 20:19:43	82.121.84.64
[181] 2013.6.12 20:19:43	77.53.70.37
[182] 2013.6.12 20:19:43	98.193.197.210
[183] 2013.6.12 20:19:43	198.72.210.210
[184] 2013.6.12 20:19:43	119.241.33.60
[185] 2013.6.12 20:19:43	94.23.152.59
[186] 2013.6.12 20:19:43	68.60.137.211
[187] 2013.6.12 20:19:43	75.252.83.214
[188] 2013.6.12 20:19:43	89.184.141.40
[189] 2013.6.12 20:19:43	188.112.128.216
[190] 2013.6.12 20:19:43	173.182.134.43
[191] 2013.6.12 20:19:43	75.141.135.44
[192] 2013.6.12 20:19:43	176.36.74.45
[193] 2013.6.12 20:19:43	75.136.134.54
[194] 2013.6.12 20:19:43	84.228.169.220
[195] 2013.6.12 20:19:43	188.26.146.45
[196] 2013.6.12 20:19:43	50.81.223.223
[197] 2013.6.12 20:19:43	77.122.62.224
[198] 2013.6.12 20:19:43	184.189.88.47
[199] 2013.6.12 20:19:43	91.231.82.229
[200] 2013.6.12 20:19:43	76.29.164.230
[201] 2013.6.12 20:19:43	65.254.160.7
[202] 2013.6.12 20:19:42	177.179.228.225
[203] 2013.6.12 20:19:42	24.72.78.221
[204] 2013.6.12 20:19:42	142.129.106.220
[205] 2013.6.12 20:19:42	71.56.10.56
[206] 2013.6.12 20:19:42	74.192.221.43
[207] 2013.6.12 20:19:42	124.125.46.56
[208] 2013.6.12 20:19:42	72.23.152.231
[209] 2013.6.12 20:19:42	173.21.182.231
[210] 2013.6.12 20:19:42	151.29.157.215
[211] 2013.6.12 20:19:42	208.123.42.63
[212] 2013.6.12 20:19:42	83.233.163.66
[213] 2013.6.12 20:19:42	109.55.254.231
[214] 2013.6.12 20:19:42	78.20.68.36
[215] 2013.6.12 20:19:42	114.148.97.208
[216] 2013.6.12 20:19:42	2.192.110.232
[217] 2013.6.12 20:19:42	134.130.183.204
[218] 2013.6.12 20:19:42	212.251.147.201
[219] 2013.6.12 20:19:42	24.8.196.31
[220] 2013.6.12 20:19:42	68.148.175.29
[221] 2013.6.12 20:19:42	184.162.228.81
[222] 2013.6.12 20:19:42	218.250.5.182
[223] 2013.6.12 20:19:42	176.41.244.181
[224] 2013.6.12 20:19:42	174.19.202.95
[225] 2013.6.12 20:19:42	173.32.208.235
[226] 2013.6.12 20:19:42	84.176.129.97
[227] 2013.6.12 20:19:42	95.235.178.166
[228] 2013.6.12 20:19:42	130.43.148.19
[229] 2013.6.12 20:19:42	65.4.128.106
[230] 2013.6.12 20:19:42	71.201.235.239
[231] 2013.6.12 20:19:42	70.176.4.16
[232] 2013.6.12 20:19:42	78.239.20.4
[233] 2013.6.12 20:19:42	177.131.164.164
[234] 2013.6.12 20:19:42	65.31.235.148
[235] 2013.6.12 20:19:42	68.49.224.254
[236] 2013.6.12 20:19:42	85.65.206.0
[237] 2013.6.12 20:19:42	24.167.215.249
[238] 2013.6.12 20:19:42	68.56.226.252
[239] 2013.6.12 20:19:42	99.47.72.143
[240] 2013.6.12 20:19:42	93.100.167.136
[241] 2013.6.12 20:19:42	82.235.17.230
[242] 2013.6.12 20:19:42	178.218.42.0
[243] 2013.6.12 20:19:41	72.213.190.6
[244] 2013.6.12 20:19:41	2.68.203.254
[245] 2013.6.12 20:19:41	173.240.39.5
[246] 2013.6.12 20:19:41	91.148.21.5
[247] 2013.6.12 20:19:41	24.129.69.236
[248] 2013.6.12 20:19:41	178.123.222.234
[249] 2013.6.12 20:19:41	178.126.200.165
[250] 2013.6.12 20:19:41	98.215.70.160
[251] 2013.6.12 20:19:41	66.169.40.153
[252] 2013.6.12 20:19:41	115.241.230.147
[253] 2013.6.12 20:19:41	82.147.170.131
[254] 2013.6.12 20:19:41	24.101.137.132
[255] 2013.6.12 20:19:41	89.173.166.134

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#19649 by thisisu
Fri Jun 14, 2013 11:06 pm

EX! wrote:Internet Security

(fakeAv)file1.exe ----> FakeAV

OEP @ 00401414? Is that correct?

Code: Select all

00401414  |> /55            PUSH EBP

Is this custom cryption part?

Code: Select all

0040144D  |.  68 513A0100   PUSH 13A51                               ; /MaximumSize = 13A51 (80465.)
00401452  |.  68 6E6F0000   PUSH 6F6E                                ; |InitialSize = 6F6E (28526.)
00401457  |.  56            PUSH ESI                                 ; |Flags
00401458  |.  FF15 30024700 CALL DWORD PTR DS:[<&kernel32.HeapCreate>; \HeapCreate

Trying to learn how to unpack this.

Attached what I THINK is the proper dump + IAT fix (dumped_.exe). Where do I go from here (if even on the right track) to view interesting/decrypted strings? Thank you :)

EDIT: Added dumped2_.exe. SEEMS a bit more complete and reveals program written in Delphi v2.25. Please correct if wrong.