Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Tue Aug 20, 2013 2:25 pm
by ISergey256

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Thu Aug 22, 2013 12:10 pm
by N3mes1s
First FakeAV browser page:

http://urlquery.net/report.php?id=4676419

after
GET /index.php?c=RaEQL35Qhmg8kIEAyKydUWLt2abuVSeZkMW823tcOdHLi+sHzn+IhzfWz0ESjU4fq3YMhr4Xf4T8yLo0G1yosbiJyssK1LCmIKe4X6XXotKxBA== HTTP/1.1
Host: 212.7.195.124
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Referer: hxxp://212.7.195.124/index.php?c=RaENOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvKheVQzm+YhzfWz1MPnw1S6zBdyf4bfpf/naQjDQHx5/+ByoM=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: uid=100
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Aug 2013 09:44:32 GMT
Content-Type: application/octet-stream
Content-Length: 512000
Connection: keep-alive
X-Powered-By: PHP/5.3.26
Content-Disposition: attachment;filename="security_cleaner.exe"
System Care Antivirus

SHA256: 6e68c2de51da4f2a5bcc99e83218a7251066393b293d1225a4ad48552c3d30f7
SHA1: a9eb52dd4842fa08ec96d284a1989432b65ff2cb
MD5: 9a189b4f7b7fe113f4798bb80f920667
File size: 500.0 KB ( 512000 bytes )
File name: fakeavdropped.exe
File type: Win32 EXE
Detection ratio: 6 / 46
Analysis date: 2013-08-22 11:49:15 UTC

https://www.virustotal.com/en/file/6e68 ... 377172155/

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Thu Aug 22, 2013 3:32 pm
by Win32:Virut
Hello, it is downloading an empty file for me.

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Thu Aug 22, 2013 3:37 pm
by spywar
Working for me.

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Thu Aug 22, 2013 9:20 pm
by IndiGenus
Win32:Virut wrote: Hello, it is downloading an empty file for me.
Works here too. Is your AV blocking it?

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Aug 23, 2013 8:24 am
by ISergey256
Antivirus Security Pro
https://www.virustotal.com/en/file/9005 ... /analysis/

To run it in a virtual machine, create the file "C:\sd.dbg"

// Decompiler output; dword_44E050 is a file-existence check that returns -1 when the file is absent
if ( dword_44E050(L"C:\\sd2.dbg") != -1 )
    dword_44E1A8(0);                          // C:\sd2.dbg present: unresolved call, presumably an early exit (assumption)
if ( dword_44E050(L"C:\\sd.dbg") == -1 )      // no C:\sd.dbg marker file -> run the VM checks
{
    // VM identifier strings copied into locals, compared later against the machine's hardware names
    v15 = *(_DWORD *)"VMWARE";
    v16 = *(_WORD *)"RE";
    v17 = aVmware_0[6];
    v11 = *(_DWORD *)"VIRTUAL HD";
    v12 = *(_DWORD *)"UAL HD";
    v13 = *(_WORD *)"HD";
    v14 = aVirtualHd[10];
    v5 = dword_47223C[0];
    .................
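
The HTTP capture in N3mes1s's post and the marker-file / VM-string check in the snippet above suggest a small triage script for a captured download; the one below is added here as an example and is not code from the thread or from any of its posters. It parses a raw response, checks the body against the declared Content-Length (the "empty file" reported earlier in the thread would show up as a mismatch), hashes the body for comparison with the VirusTotal entries, and scans for the marker strings the sample compares against, in both ASCII and the UTF-16LE form the decompiled code uses. The response body is a constructed stand-in, not the actual sample.

```python
import hashlib
import re

# Marker strings taken from the decompiled snippet in this thread (the sample loads
# "VMWARE" / "VIRTUAL HD" and tests for the C:\sd.dbg / C:\sd2.dbg files).
ANTI_VM_MARKERS = ["VMWARE", "VIRTUAL HD", "C:\\sd.dbg", "C:\\sd2.dbg"]

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (headers dict with lower-cased names, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def disposition_filename(headers):
    """Return the filename from Content-Disposition, or None if there is none."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else None

def triage(raw):
    """Header sanity, hashes for VirusTotal lookup, and marker-string scan of one capture."""
    headers, body = parse_response(raw)
    declared = int(headers.get("content-length", "0"))
    found = [m for m in ANTI_VM_MARKERS
             if m.encode("ascii") in body or m.encode("utf-16-le") in body]
    return {
        "filename": disposition_filename(headers),
        "declared_length": declared,
        "actual_length": len(body),
        # the "empty file" reported in the thread shows up here as a length mismatch
        "truncated": len(body) != declared,
        "sha256": hashlib.sha256(body).hexdigest(),
        "md5": hashlib.md5(body).hexdigest(),
        "anti_vm_markers": found,
    }

# Constructed stand-in: the thread's response headers over a fake body; the real
# 512000-byte sample is not reproduced here.
FAKE_BODY = (b"MZ" + b"\x00" * 62 + "C:\\sd.dbg".encode("utf-16-le")
             + b"\x00VMWARE\x00VIRTUAL HD\x00")
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
    + b"Content-Length: " + str(len(FAKE_BODY)).encode("ascii") + b"\r\n"
    + b'Content-Disposition: attachment;filename="security_cleaner.exe"\r\n\r\n'
    + FAKE_BODY
)
```

Run `triage(SAMPLE_RESPONSE)` on the constructed capture, or feed it the raw bytes of a real capture, and compare the returned hashes with the VirusTotal fields posted above.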

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Aug 23, 2013 4:55 pm
by Win32:Virut
I don't use any AV. It looks like they blacklisted my IP. I was usually downloading samples from IP 212.7.195.122.

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sat Aug 24, 2013 8:44 pm
by gied
Would guess it's a country-based blacklist.

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sun Aug 25, 2013 8:11 pm
by bitstechs
PC Defender 360 and My Safe PC 2014 are not working on my virtual machine. Anyone else have any luck?

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Mon Aug 26, 2013 3:23 am
by EP_X0FF
bitstechs wrote: PC Defender 360 and My Safe PC 2014 are not working on my virtual machine. Anyone else have any luck?
How many times must this be told? They are almost all VM aware. Use a real machine or a patched VM.