Bitcoin Forum

Economy => Reputation => Topic started by: bob123 on September 08, 2019, 06:55:39 PM



Title: [Flag] User "ksystems77" spreading malware
Post by: bob123 on September 08, 2019, 06:55:39 PM
Original topic: https://bitcointalk.org/index.php?topic=5182888.0
Archived: https://archive.fo/8xKAH

Reasons to believe this user is spreading malware: I ran an analysis on the software he declares as "NEW PORTABLE ELECTRUM ENCRYPTED BITCOIN WALLET RELEASED!!!"

Results:
1. It contacts server 84.33.95.3 on an IRC port (6667) and transmits data, which is a technique commonly used for C&C servers.

2. Malicious artifacts related to 84.33.95.3 found:
Code:
URL: http://84.33.95.3/powershell_attack.txt (AV positives: 6/71 scanned on 09/08/2019 18:21:14)
URL: http://84.33.95.3/crypto-arbitrage_9-8-2.exe (AV positives: 7/71 scanned on 09/08/2019 16:40:08)
URL: http://84.33.95.3/auto-btc.exe (AV positives: 5/71 scanned on 09/08/2019 13:39:30)
URL: http://84.33.95.3/bit-trader_bot_3_7_8.exe (AV positives: 9/71 scanned on 09/08/2019 13:33:39)
URL: http://84.33.95.3/bitcoin_auto_trader-6-8-1.exe (AV positives: 5/71 scanned on 09/08/2019 13:14:10)
File SHA256: 788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e (AV positives: 51/71 scanned on 09/07/2019 15:14:14)
File SHA256: a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37 (AV positives: 24/72 scanned on 09/07/2019 14:09:06)
File SHA256: bfabf136cc96db595ce8dd3a3bbbf4f52c979bbc740403d791713be92935f630 (AV positives: 13/66 scanned on 09/07/2019 12:29:42)
File SHA256: bdb3f9c296b79aaa2b919b5b29ae3a07a9936fd626ae47ff6290117591e9b331 (AV positives: 53/72 scanned on 09/06/2019 16:40:49)
File SHA256: 5273aa63893f04cb54478a790878dea326908e8235741dbfb80273fb148cde5e (AV positives: 37/70 scanned on 09/01/2019 07:08:21)

3. Touches files in the Windows directory:
Code:
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"

4. It contains techniques to detect sandboxing and to counter debugging (not good enough  ;D)


Created a Type1-flag: FLAG (https://bitcointalk.org/index.php?action=trust;flag=720)
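As an added example (not code from this thread), here is a small Python triage pass a defender could run over connection records and sample hashes to check for the indicators listed in the post: the 84.33.95.3 host, outbound IRC port 6667, and the five SHA256 values. The log lines and their field layout are constructed for the example; only the IP, port and hashes come from the report.

```python
# Indicators from the report above; the log lines and field layout are constructed.
C2_HOST = "84.33.95.3"
IRC_PORTS = {6667}
KNOWN_BAD_SHA256 = {
    "788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e",
    "a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37",
    "bfabf136cc96db595ce8dd3a3bbbf4f52c979bbc740403d791713be92935f630",
    "bdb3f9c296b79aaa2b919b5b29ae3a07a9936fd626ae47ff6290117591e9b331",
    "5273aa63893f04cb54478a790878dea326908e8235741dbfb80273fb148cde5e",
}
# Constructed, Zeek conn.log-like records: ts, src, sport, dst, dport, proto, bytes_out
SAMPLE_CONN_LOG = """\
1567966539.1\t10.0.0.5\t51234\t84.33.95.3\t6667\ttcp\t412
1567966540.3\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\t1320
1567966541.7\t10.0.0.7\t51300\t198.51.100.9\t6667\ttcp\t88
"""

def parse_conn(line):
    """Split one tab-separated record into a dict (ValueError if malformed)."""
    ts, src, sport, dst, dport, proto, out = line.split("\t")
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes_out": int(out)}

def classify(rec):
    """Reasons this record matches the network indicators from the report."""
    reasons = []
    if rec["dst"] == C2_HOST:
        reasons.append("destination is the reported C&C host")
    if rec["proto"] == "tcp" and rec["dport"] in IRC_PORTS:
        reasons.append("outbound IRC port, a common C&C channel")
    return reasons

def scan_conn_log(text):
    """Alert on every data line that matches; blank and '#' header lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn(line)
        reasons = classify(rec)
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"  # both = direct C&C hit
            alerts.append({"src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
                           "severity": severity, "reasons": reasons})
    return alerts

def sha256_is_known_bad(hex_digest):
    """Case-insensitive lookup of a SHA256 against the report's hash list."""
    return hex_digest.strip().lower() in KNOWN_BAD_SHA256
```

A bare IRC-port match is only a lead, not proof; the "high" severity is reserved for traffic to the reported host itself.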


Title: Re: [Flag] User "ksystems77" spreading malware
Post by: ABCbits on September 08, 2019, 07:02:50 PM
Good thing you archived it before the posts were edited :)

But looks like the account was hacked since:
1. His/her last post was made on September 16, 2018, 06:52:19 PM
2. Getting merit isn't that easy, so I doubt a scammer would use such a valuable account



Edit: He shared it again on:
1. https://bitcointalk.org/index.php?topic=5174171.msg52398714#msg52398714 (https://archive.is/GVsWD)
2. https://bitcointalk.org/index.php?topic=5182910.0 (https://archive.is/jvWmi)


Title: Re: [Flag] User "ksystems77" spreading malware
Post by: Lafu on September 08, 2019, 07:41:17 PM
https://www.virustotal.com/gui/file/f79fe737f51a8c8d33c9db677ff236228d66063a35290ef1ee29ed0bec86c7e1/detection


https://up.picr.de/36715365bn.png



Title: Re: [Flag] User "ksystems77" spreading malware
Post by: Baofeng on September 08, 2019, 08:00:45 PM
I checked Electrum's official Twitter account here https://twitter.com/electrumwallet?lang=en and there's no mention of this so-called new portable wallet.

Supported the flag.


Title: Re: [Flag] User "ksystems77" spreading malware
Post by: DireWolfM14 on September 08, 2019, 08:02:34 PM
Isn't this a ban-able offense?


Title: Re: [Flag] User "ksystems77" spreading malware
Post by: bob123 on September 08, 2019, 08:04:40 PM
https://www.virustotal.com/gui/file/f79fe737f51a8c8d33c9db677ff236228d66063a35290ef1ee29ed0bec86c7e1/detection

~snip~

You do know how AV engines check a file, don't you?

Mostly 2 steps:
1) Check whether this file is known already
2) Runtime analysis.

AVs are weak. They never find malware if it is coded properly.

Just because 2/70 AVs regard that as malware, that's neither an argument that it is malware, nor that it isn't malware.
This just means it is not known yet and that it doesn't raise too many red flags (e.g. like encrypting a system folder).

The results I posted are from a proper analysis with detailed reports, not from simple AV scans.
I honestly don't understand how they can't check the IP the software is connecting to. This IP is related to several other illegal (hacking) activities. Just one additional argument that AVs are extremely weak and only useful for very well-known malware.



Isn't this a ban-able offense?

Yes.