Re: Rogue Antimalware (FakeAV, 2012 year)

Posted: Fri Dec 14, 2012 2:35 pm
by Buster_BSA
Win32:Virut wrote: 2 URLs, probably FakeAV
hxxp://guchpaygoogles.info/data.exe
hxxp://monitorsupremenike.com/data.exe
Necurs maybe?

Re: Rogue Antimalware (FakeAV, 2012 year)

Posted: Fri Dec 14, 2012 3:10 pm
by EP_X0FF
Buster_BSA wrote:
Win32:Virut wrote: 2 URLs, probably FakeAV
hxxp://guchpaygoogles.info/data.exe
hxxp://monitorsupremenike.com/data.exe
Necurs maybe?
Yes, part of.
bcdedit.exe -set TESTSIGNING ON wb %s\drivers\%s.sys %x runas ComSpec \\.\NtSecureSys SeShutdownPrivilege kernel32 IsWow64Process rb Wow64DisableWow64FsRedirection Wow64RevertWow64FsRedirection *EUDC* ZwQuerySystemInformation ntdll.dll svchost.exe SystemDefaultEUDCFont EUDC\%d ObReferenceObjectByHandle ZwDuplicateToken ObOpenObjectByPointer PsReferencePrimaryToken PsInitialSystemProcess ObfReferenceObject IoGetCurrentProcess KeDelayExecutionThread

Re: Rogue Antimalware (FakeAV, 2012 year)

Posted: Wed Dec 19, 2012 10:30 am
by Xylitol

Re: Rogue Antimalware (FakeAV, 2012 year)

Posted: Fri Dec 21, 2012 11:29 am
by Xylitol

Re: Rogue Antimalware (FakeAV, 2012 year)

Posted: Sat Jan 05, 2013 7:53 am
by EP_X0FF
FakeAV/FakeAlert observed and collected in the year 2012.

Please post any new samples in the actual thread.

This thread is now archived.