Bitcoin Forum
Author Topic: The BEST Bitcoin price ticker widget for Windows PC. (Recommend)  (Read 16991 times)
MagicByt3
May 28, 2019, 05:11:08 PM
 #61

https://www.hybrid-analysis.com/sample/d24057f9965dcf819c4c8e55b461f1231e8a6916f3fc081c6dcae646a5f624f5

Threat score of 85?
Not something you would normally see from something that has an Avast whitelist.

I'm going to go out on a limb and say this has some form of malware or spyware in it.

Code:
BitTabSetup2.1b.2.exe
This report is generated from a file or URL submitted to this webservice on May 28th 2019 16:51:15 (CEST) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis -  learn more

I would be cautious; there are still some warning signs on this software, see the above link.
If the developers would care to explain some of the strings in here for RPC and private keys:
Spawned process:

taskkill.exe
Code:
243A6011
\RPC Control\ConsoleLPC-0x0000000000000D70-1710979711-555981891199312740717942630711054705465-1417213109-10361871071607272043
ContextLimit
Domain
EnableObjectValidation
EnablePrivateObjectHeap
Hostname
IdentifierLimit
Image Path
Log File Max Size
Logging
Logging Directory
MachineGuid
MaximumAllowedAllocationSize
ObjectLimit
PrivateKeyLifetimeSeconds


bittab
May 29, 2019, 12:25:13 AM
 #62


Dear MagicByt3

There are two things that we can clearly explain about it.

1. The warning you saw is related to "d24057f9965dcf819c4c8e55b461f1231e8a6916f3fc081c6dcae646a5f624f5", which is the installer's hash.
As mentioned, this installer and the files inside it were scanned by VirusTotal with 71 worldwide anti-virus engines and came back clean. Plus, all of the files have been inspected by the Avast Whitelist program and declared harmless.
The files inside are encapsulated and compressed by the InnoSetup solution ( http://www.jrsoftware.org/isinfo.php ), which is very widely used, and this solution generates a temporary file like "BitTabSetup2.1b.2.tmp". Unfortunately, most installers from 'small developers' are easy targets for showing an alert to users even though they are not malware. That's because most anti-viruses do not trust unknown files in the first place, and it's easier to show users 'dangerous' rather than 'we don't know'. Usually, those anti-viruses first flag a file by 'heuristic algorithm' and require the user's agreement before running the program. They may prefer showing a false-positive alarm to showing "actually we don't know".

2. TaskKill.exe is not a suspicious file but rather an official, default native file in Microsoft Windows.
(about taskkill: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb491009(v=technet.10) )
(official answer about users asking if it is a virus: https://answers.microsoft.com/en-us/windows/forum/windows_10-security-winpc/is-taskkillexe-a-virus/03e39f0c-f6e3-4730-9240-6e3cebd7f974 )
(disclosure of the code used in the InnoSetup installer: Exec(ExpandConstant('taskkill.exe'), '/f /im "BitTab.exe"', '', SW_HIDE, ewWaitUntilTerminated, ResultCode); )

We use the 'native' TaskKill command to kill BitTab.exe during installation, so that the 'running older version' of BitTab.exe can be replaced with the newer one. That's all we use TaskKill for.

We have explained in detail and we understand your concern. Unlike apps in the App Store or Google Play, there is no way to distribute Windows software in that manner. (Windows 7 does not have the Windows Store, so we cannot publish BitTab as a Windows 10 Store app.)
If you still feel uncomfortable about something, please let us know. We will be happy to answer that.

Thanks for your interest.

MagicByt3
May 29, 2019, 10:56:02 AM
 #63

Thank you for the post, but I still have concerns: if you look at the report, the MITRE score is through the roof and it's showing hooking into other parts of the system.
The Avast whitelist program is useless; any script kid with $50 can buy a fully encrypted virus that won't be detected by Avast and by 99.5% of the AVs on VirusTotal.

Can you further explain the following information, as you did not post the source code to your application? In the crypto space being open is key, and hybrid-analysis is very rarely wrong.

Code:
Spyware Found a string that may be used as part of an injection method
Persistence Writes data to a remote process
Fingerprint
Queries process information
Queries sensitive IE security settings
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
Reads the active computer name
Reads the cryptographic machine GUID
Evasive
Marks file for deletion
Tries to sleep for a long time (more than two minutes)

Queries sensitive IE security settings

Registry Access

The analysis extracted a file that was identified as malicious

1/94 Antivirus vendors marked dropped file "BitTabSetup2.1b.2.tmp" as malicious (classified as "W32.Neshta.D")

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Neshta-A/detailed-analysis.aspx

System Security
Contains ability to elevate privileges

SetSecurityDescriptorDacl@advapi32.dll at 15503-5232-00409408

Modifies proxy settings

"BitTab.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"BitTab.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")

Queries sensitive IE security settings

"BitTab.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")


I suspect this is dropping some form of spyware onto the machine; the bounce back for one of them is the following..
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Neshta-A/detailed-analysis.aspx

There is also anti-sandbox and anti-debugger work in there, which leads me to believe this has something more packed inside.

The detections in the report are not just from taskkill but from BitTab and the tmp files it's creating.

bittab
May 29, 2019, 04:44:35 PM
Last edit: May 30, 2019, 03:18:44 PM by bittab
 #64


Thank you for your sincere concern. As you know, the file is 'packed' by the installer and compressed with the LZMA algorithm. It is a 'self-extracting' file that generates a '.tmp' temporary file for its essential procedure, as the InnoSetup solution does. We do not know how to interpret [Code:], and it seems to be very simplified.
Our answer is the following:


Before the explanation:
* BitTab's 'bar' and 'box' widgets are based on the 'Internet Explorer browser', which means that while BitTab.exe is running, interactions with Internet Explorer and its related processes and DLLs are required, and that is not suspicious at all.
* BitTab uses, of course, Windows APIs: for detecting the monitor size to dock the bar, for making the app 'run at start' by modifying the registry (it's really a common thing), for generating shortcut links, for detecting the time zone and language of the OS, for updating exchange info from the internet (downloading), for checking whether it is the latest version (accessing the internet), for making a window semi-transparent or topmost, for disabling the clicking sound of the built-in Internet Explorer by using native DLLs, and so on.
* Your statement "hybrid-analysis is very rarely wrong." seems to need a reference, because there is official and well-known software (though not corporation scale) which is reported as Suspicious, meaning false positives also seem prevalent.
- PuTTy: https://www.hybrid-analysis.com/sample/2034e4697dd92f942d93288c7ccb4ef32985f180e955e7b5d9e29f8fb48139fe
- CrystalDiskMark : https://www.hybrid-analysis.com/sample/cc6c578a386db391f88df4acbf0217c17e00a2f5158392716ce3ad23993dd449
- CCleaner : https://www.hybrid-analysis.com/sample/ea2b0fe19acc526f8c634fe933f63b7f2a1911a27a74dc2d87a5ea6ac4a8f2b3


1. Terminates other processes using tskill/taskkill
Process "taskkill.exe" with commandline "/f /im "BitTab.exe"" (Show Process)
relevance 9/10
=> Hybrid-analysis considered this the KEY (or core) finding, because it took a 9 out of 10 score toward declaring it malware.
However, as answered above fairly clearly, "taskkill.exe" is a 'native' Microsoft Windows application with various uses, and we only utilize it to terminate 'our app: bittab.exe' to force the update to the newer version of BitTab.exe.


2. External Systems
1/37 Antivirus vendors marked sample as malicious (2% detection rate)
relevance 8/10
=> It is also responsible for an 8/10 score. We think it is due to a 'heuristic scanning' feature, which means the anti-virus did NOT clearly analyze the file but rather 'suspected' it because of 'taskkill' or something like that, maybe..
Unfortunately, we could not track which anti-virus engine reported it as a virus. If we knew, we would send a report to them for 'precise scrutiny' and we would expect a positive answer.
As we and you mentioned above, we have a report with a 'perfectly clean' result.
https://www.virustotal.com/gui/file/d24057f9965dcf819c4c8e55b461f1231e8a6916f3fc081c6dcae646a5f624f5/detection
If you cannot believe it because of the '$50 solution' thing, we would provide more information if you want and if available.
We think this partially answers the 'external systems' analysis. Also, please note that VirusTotal consists of 71 engines while Hybrid-analysis consists of 37 engines.


3. The analysis extracted a file that was identified as malicious
1/94 Antivirus vendors marked dropped file "BitTabSetup2.1b.2.tmp" as malicious (classified as "W32.Neshta.D" with 1% detection rate)
1/94 Antivirus vendors marked spawned process "BitTabSetup2.1b.2.tmp" (PID: 2876) as malicious (classified as "W32.Neshta.D" with 1% detection rate)
relevance 10/10
=> This is a difficult part because we don't know anything about such malware and have never been related to it. For the technical details, Sophos says "When W32/Neshta-A is installed the following files are created:\svchost.com", but BitTab never does that.
Also, if that 'W32.Neshta.D' is detected by only a single engine while the other anti-viruses didn't detect it, it can also be interpreted as a false positive for that one engine. Either that engine went wrong, or tens of other engines failed to detect an already reported threat. Which one would you think is the more convincing and plausible explanation?
You provided the link https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Neshta-A/detailed-analysis.aspx and none of those files are executed by either the installer or BitTab.exe itself. It says "The file directx.sys in the Windows folder is updated with the path of the last infected file to be run.", but we don't even know what directx.sys is for.



4. Installation/Persistence
Allocates virtual memory in a remote process
"BitTabSetup2.1b.2.tmp" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer"
"BitTabSetup2.1b.2.tmp" allocated memory in "%PUBLIC%\Desktop\BitTab.lnk"
relevance 7/10
=> Our setup program makes a shortcut icon on the Desktop and accesses the Explorer registry key to disable the 'clicking' sound in Windows 7 (you know the sound).

5. Writes data to a remote process
"BitTabSetup2.1b.2.exe" wrote 1500 bytes to a remote process "%TEMP%\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.tmp" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
"BitTabSetup2.1b.2.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
"BitTabSetup2.1b.2.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
"BitTabSetup2.1b.2.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
relevance 6/10
=> Okay, this is the same thing: make a temporary file for installing, use taskkill.exe to terminate the running 'bittab.exe' if it exists, and overwrite bittab.exe with the newer one.

6. Checks for a resource fork (ADS) file
"BitTab.exe" checked file "C:"
relevance 5/10
=> As you can see at https://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_(ADS), it is not malicious behavior.
"Very small ADS (named "Zone.Identifier") are added by Internet Explorer ... the local shell would then require user confirmation before opening them."
This is a familiar thing. After the first download from the internet, you have to confirm before running. And it is stricter if the file is not a 'world wide popular' one, like this small software.

7. Contains ability to reboot/shutdown the operating system
ExitWindowsEx@user32.dll (Show Stream)
ExitWindowsEx@user32.dll (Show Stream)
ExitWindowsEx@USER32.DLL from BitTabSetup2.1b.2.tmp (PID: 2876) (Show Stream)
relevance 5/10
=> Okay.. this installer has the ability to 'reboot' if a core file like BitTab.exe cannot be updated this time. This is a common way for any other installer.
Honestly, we don't understand why this 'ability' takes a 5/10 malicious behavior score.

8. Contains native function calls
NtdllDefWindowProc_W@NTDLL.DLL from BitTabSetup2.1b.2.tmp (PID: 2876) (Show Stream)
NtdllDefWindowProc_W@NTDLL.DLL from BitTabSetup2.1b.2.tmp (PID: 2876) (Show Stream)
relevance 5/10
=> Here is a link about what NTDLL.DLL is: https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#NTDLL.DLL
We think this NTDLL report is related to Windows Explorer.


This is a long answer, and we put effort into explaining in detail that this is a false positive. We hope our explanation could answer your questions.
If any others exist, please let us know.

As you mentioned, being open in such a cryptocurrency environment is nice, and that is why we are answering these things. But it might be understandable that this kind of software can also be not open-sourced. Plus, you probably agree that those kinds of tools are 'tools', not a responsible judge.

And we do hope this long and technical text would not be scary.
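Added example (not BitTab's code and not from either poster) showing what the "checks for a resource fork (ADS)" signature in item 6 of the reply above is looking at: the Zone.Identifier stream that browsers attach to downloads, which the shell consults before prompting. The stream contents, hostnames and URLs below are constructed; only the installer file name comes from the thread.

```python
"""Parse and read the NTFS Zone.Identifier alternate data stream (Mark of the Web)."""
import sys

# URLZONE values that appear in ZoneId (Microsoft URL security zones).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser writes to <file>:Zone.Identifier after a download.
# Host and referrer URLs are placeholders; the file name is the installer discussed above.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/BitTabSetup2.1b.2.exe\r\n"
)


def parse_zone_identifier(text):
    """Return the key/value pairs under [ZoneTransfer]; ZoneId is converted to int.

    Lines outside the [ZoneTransfer] section, blank lines and ';' comments are ignored,
    so a stream with no section header yields an empty dict rather than a bogus zone.
    """
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    if "ZoneId" in result:
        try:
            result["ZoneId"] = int(result["ZoneId"])
        except ValueError:
            pass  # leave the raw string so a caller can see the malformed value
    return result


def zone_name(zone_id):
    """Human-readable name for a ZoneId, or an 'Unknown zone' marker."""
    return ZONE_NAMES.get(zone_id, "Unknown zone %r" % (zone_id,))


def requires_confirmation(info):
    """True when the shell treats the file as untrusted (Internet or Restricted sites zone)."""
    return isinstance(info.get("ZoneId"), int) and info["ZoneId"] >= 3


def read_zone_identifier(path):
    """Read <path>:Zone.Identifier on NTFS. Returns None when the stream is absent,
    unreadable, or the platform has no alternate data streams (non-Windows)."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None
```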
bittab
June 06, 2019, 09:57:26 AM
 #65

New update!

<Fixed>
* You can watch the prices on the list without any widgets showing (bar or box widget)
* Improved Japanese and Korean translation
* Slightly faster retrieval

<Added>
* Official support for Euro. (Previously, only USD was supported)
 - BitTab automatically converts crypto prices to EUR or USD
* Supports rounding off decimals: crypto price and fiat currency
* Supports international decimal symbols (radix): . (period) and , (comma)




<What is BitTab?>

The only and decent way to watch your coin prices on Windows desktop.
Easy, safe, powerful and intuitive.



For more : https://bittab.io
Original article: https://bitcointalk.org/index.php?topic=4679957.0
bittab
June 14, 2019, 07:59:57 AM
 #66

New exchange announcement.

Omgfin Exchange



Omgfin is the pioneer in building a trading system for digital assets focused on young investors and social network.
By connecting with professional investors, the goal is to bring together a community of traders who share experiences and help each other achieve their individual profit goals.

Check it out on http://bittab.io/
bittab
June 16, 2019, 09:14:47 AM
 #67

New exchange announcement.

Bitso Exchange



1. Fund your account wherever you are.
2. Send and receive money between your account and your bank.
3. Bitso keeps your funds safe with the best processes and the most effective technology.
4. All of the wallets are multi-signature, meaning maximum security for your cryptos.

Check it out on http://bittab.io/
bittab
June 21, 2019, 07:56:27 AM
 #68

New exchange announcement.

BitMEX Exchange



Up to 100x leverage.
Trading without expiry dates.
Industry-leading security.

Check it out on http://bittab.io/
TryNinja
June 21, 2019, 08:38:13 AM
 #69

Can I request exchanges? There isn’t any BTC/BRL exchange.

https://apidocs.bitcointrade.com.br/?version=latest
https://docs.foxbit.com.br/EN/index.html

bittab
June 22, 2019, 01:15:04 AM
 #70


Any plans on adding Bitmex to the list?

Finally! BitMEX on the BitTab! Please enjoy.
bittab
June 22, 2019, 01:15:42 AM
 #71


Thank you for your request! We will start to check it soon!