
Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Sat Nov 05, 2011 7:19 pm
by rough_spear
Hi All, :D
Fresh sample, low detection. :twisted:

SYSTEM RESTORE

VT Link - http://www.virustotal.com/file-scan/rep ... 1320430890

MD5 : ccbdccd2a3b35b0d55f08096ae588c82
SHA1 : ed91630edd12fc863ef0f9cda68be1b75c929344
SHA256: f6a8b1daf1ea30afa38ed96c724161f37837dbf5da7c0a73a05963bc09d15a5e
ssdeep: 6144:nJX3O2GfpRphh326goQtg3cXS6eH7h6vnzOTn8/Gp5erz9fpIwDbfvbXLxpJBRGb:tgvHIoR3cXSHtTr8CwrpfpI2bv33h1lQ
File size : 389112 bytes


Regards,


rough_spear. ;)

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Sat Nov 05, 2011 7:56 pm
by rsav
I found Privacy Protection sample. Attached.

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Posted: Sun Nov 06, 2011 5:47 pm
by rough_spear
Hi,
One more Jorik sample. When I run this in my sandbox it (the sample, soft.exe) crashed :?:
It might be able to detect the sandbox.

Web link - hxxp://sentx10.co.cc/soft.exe
VT link - http://www.virustotal.com/file-scan/rep ... 1320571025
MD5 : b6d7bc2182afb409c30deaf93ad9e719
SHA1 : d93979d35b1fb2a04d83aa0774c86e596077e59a
SHA256: abfea3b0f2e8256804fdfa25432683fb571ed03d9aaf946ae3059d481833f323
ssdeep: 6144:C/7wocB2ymTJEmmhwWx9QvC+Q0wHj/g9LS6YvRh6vdGv6bVYFtvePgM1Xx4TASC:BlUiw8sCpjIJdYn3SaFtvi7
File size : 461824 bytes

Regards,


rough_spear. ;)

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Sun Nov 06, 2011 6:07 pm
by rough_spear
Hi All,
One more FakeAV Best Spyware scanner. :evil:

Web link - hxxp://bestspywarescanner.net/BestSpywareScanner_Setup.exe
VT link - http://www.virustotal.com/file-scan/rep ... 1320590317
MD5 : 197507c5de83c4a62118686f11a7346f
SHA1 : d2e923b185d844f3740b2e3130070c2e3ad72dd7
SHA256: 24e731b5db810119b70b57d285e1ea02f6955f2ef1d0d8a09d4d15207839a9ca
ssdeep: 49152:s2m81vV4G/MVKVaO3Nec5e/zpkovLSja3daTy0L+:Bm8LDMyY//tkWN4y0L+
File size : 1999324 bytes

It also loads a rootkit driver during installation.
File name - RKHit.sys
VT link - http://www.virustotal.com/file-scan/rep ... 1320136360
MD5 : b9724926c977468e544a1c66a22add4a
SHA1 : 315e29e30cf3cf541376f153c11539ceed33f396
SHA256: 14259d028d4a7ebaa519cfcf4ebd3aed7e3b920f2c4f129cd3fab42521d20e7a
ssdeep: 768:P/MSsk0Dp9Ur2kSjjqbTdmA3gCTXem8Bie:XXuvs2kSjjqbTdxQCN8BD
File size : 29312 bytes

Regards,


rough_spear ;)

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Posted: Sun Nov 06, 2011 8:25 pm
by onthar
rough_spear wrote: Hi,
One more Jorik sample. When I run this in my sandbox it (the sample, soft.exe) crashed :?:
It might be able to detect the sandbox.

Web link - hxxp://sentx10.co.cc/soft.exe
VT link - http://www.virustotal.com/file-scan/rep ... 1320571025
MD5 : b6d7bc2182afb409c30deaf93ad9e719
SHA1 : d93979d35b1fb2a04d83aa0774c86e596077e59a
SHA256: abfea3b0f2e8256804fdfa25432683fb571ed03d9aaf946ae3059d481833f323
ssdeep: 6144:C/7wocB2ymTJEmmhwWx9QvC+Q0wHj/g9LS6YvRh6vdGv6bVYFtvePgM1Xx4TASC:BlUiw8sCpjIJdYn3SaFtvi7
File size : 461824 bytes

Regards,


rough_spear. ;)
It's not Dorkbot:
GET /api/urls/?affid=19600 HTTP/1.1
Referer: http://212.124.109.242
Accept: *//*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Host: 212.124.109.242
Connection: Keep-Alive
Cache-Control: no-cache
It's a FakeAV: Security Sphere 2012

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Mon Nov 07, 2011 7:57 pm
by Cody Johnston
Security Defender from today :)

VT scan: 7/42 (17.1%)

http://www.virustotal.com/file-scan/rep ... 1320695317


MD5 : 1a4185d984f039b756ca7f38ff34676b
SHA1 : cfdec286e910f8e81dd4c638009b500c70e8e622
SHA256: 9d711a8064864bd884521a35925c0fe539690b9fd34ad79450e05d4f7d47ad51

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Wed Nov 09, 2011 5:17 am
by Cody Johnston
Privacy Protection

MD5 : b7cef46610a2f6e269c67c47b38ba247

http://www.virustotal.com/file-scan/rep ... 1320815109

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Wed Nov 09, 2011 11:09 am
by Blaze
Nice catch. Can anyone confirm/deny whether fedd0994f8233f5060bcf41311b44022 loads Privacy Protection as well?

fedd0994f8233f5060bcf41311b44022
https://www.virustotal.com/file-scan/re ... 1320829212
4e6f2027de1a25f4a0da1517067939c0
https://www.virustotal.com/file-scan/re ... 1320834078

Screenshot: bleepingcomputer.com

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Wed Nov 09, 2011 11:14 am
by Xylitol
4e6f2027de1a25f4a0da1517067939c0 loads the FakeAV correctly.
fedd0994f8233f5060bcf41311b44022 crashes for me.

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Wed Nov 09, 2011 11:16 am
by EP_X0FF
@Blaze

0.11669808100863044.exe is corrupted.