x

[SwayStar123]

x

[ranochigo]

This shouldn't be a question. The payload can consist of more than the clipboard malware by itself. Removing the virus doesn't guarantee that the other undetected malware would be gone too.

It isn't that much of a hassle to just get a new wallet on a separate computer and wipe the current computer after backing it up. You can't be too safe.

[bob123]

[...] found out about the trojan and removed it successfully.

Removing malware completely can be quite hard.

What did you exactly do? Just deleted the file ? Using some AV ?
What were the steps you took ?

But now im wondering if the hacker got access to my bitcoin wallet private key (no funds but i used it to stake my account on bitcointalk) and any other things, any tips from the good folks here?

This fully depends on what kind of malware this was.
Maybe it just was some clipping malware, maybe your whole system if compromised and maybe it even was a root kit where formatting the drive doesn't help you clean your PC.

To be honestly, since it changed your clipping board, i doubt that it is a root kit. I also doubt (if your wallet is not empty yet) that it got access to your private keys (but still possible!).

Just.. if i would create such a malware i would either:
1) Change clipping board and instantly steal all funds or
2) Slowly gather as many private keys as possible and later steal everything (hoping that you will own more cryptos in the future)

Changing the clipping board instantly and still having your system compromised to wait for more funds doesn't make sense in my eyes.
Either your malware is hidden until it steals everything, or it reveals itself and instantly steals everything it has access to.


However, formatting the drive is still the preferred way.
If you don't want to risk losing more, reinstall your OS (please NOT a cracked windows version; EVERY cracked software is infected with malware, that's their business model).

Also should i do something about the staked address i have on bitcointalk now?

Preferably quote the post where you staked your address and sign 2 messages:
Sign one message with a new address and sign another message where you state that you change it due to the fact that it might be compromised (using your old address).

[bob123]

I scanned my pc and deleted the files, the av didn't find anything so I'm assuming it's clean now

Simply deleting files usually doesn't clean your computer.

Also AV's only find very well known threats (heuristics) or blatantly obvious malware (runtime analysis).


Properly coded malware is not being detected by any AV software. Do not assume it is clean just because one or multiple AV's didn't report anything.


I'd recommend to backup important files and reinstall your OS to be on the safe side.

also the address didn't have any funds so maybe its hoping new funds come in and then transfer them out?

Very well imaginable.

[DaCryptoRaccoon]

On a second note your should also submit the URL and or file that contains the malware to places like Virus total or Hybrid-analysis as this will help to pass the infected file around AV company's and it may help others block this malware.

https://www.virustotal.com/gui/

https://www.hybrid-analysis.com/

[DaCryptoRaccoon]

I have the code for the virus on pastebin, maybe you can check it and see what it does? Im no good at programming but im gonna try and see too

https://github.com/nodeoperate/gekko
https://pastebin.com/N8T2DZu8

I don't see anything in the pastebin that looks like a virus it seems to be a trading stratagy?
I'm guessing you got the virus when trying to run the bot from github?

My thoughts would be there is a downloader somewhere in the codebase and on runtime reaches to some server and downloads the payload.

[bob123]

You fell to a malicious fork of gekko (which itself is a legit trading bot).

The original trading bot can be found here: https://github.com/askmike/gekko


The malicious one, forked it from github and literally only made 1 commit: https://github.com/nodeoperate/gekko/commit/7474952aa05f80a3de0f244764702e8a3805e824.
The author of it replaced a binary file (EMA Cross ByBit v1.exe ). This most probably is the malware.

What it exactly does, can not be told without runtime analysis (can be circumvented by malware through multiple checks whether run in a sandbox etc.) or reverse engineering (very time consuming).

Honestly, i highly doubt the author put a lot of effort into the malware, therefore runtime analysis might be an option to see what it does.
If you are interested in checking what files it changes, what network connections it opens etc.. you might want to upload that file to https://any.run/.

This site requires an account (free), but i personally didn't use that site yet, but based on other opinions it should be pretty neat.

[bob123]

NICE! does that mean i dont have to format my pc and can get rid of it another way?

No, this means i can't say what the malware is exactly doing, since there is no source code.

The source code you are looking at is the code from the legit project gekko. But the author of this malicious version changed 1 file (executable file).
And THIS file contains the malware.

[DaCryptoRaccoon]

If I was you I would still wipe down you can never be sure there is not something lurking on the system after infection.
Your best to DC from the internet and cleardown.

You could run some tools like malware bytes to check for additional infections but my advice would be to fully wipe down to be sure your not keeping anything that may be infected.

@bob123 good spot I think I will submit this EXE to virus total ect and report the repo to github for malware.

[DaCryptoRaccoon]

https://www.virustotal.com/gui/url/37a835c912cc5f98786ddf4f19b4d97398fb9aa76739aa89387e83a0bd268394/detection

Here is the report from VT on that file suspect it's crypted hence not being detected by AV scanners to I am surprised that Malware bytes actually removed it.

This is another reason to show that AV is basicly useless in the wild now since swapping a few bytes in the code seems to be enough to bypass most AV's out there now.

Bad times.


Edit*    Include Hybrid analysis report if you look at this report your will see it's detected by this platform more so than Virus total.

https://www.hybrid-analysis.com/sample/c41c028d807d241027ce0c62e317f46cd68426c5ce1a3204bfc20a8b05ccd47f

[bob123]

i used malware bytes and removed all the (only 1) thing it found

Removing the file might be not enough.

The first step after infecting a system (from the attackers point of view) is to gain persistent access.
There are several methods of doing this. The most common is to simply migrate into another process (automatically on start up).


If the malware has been created by some 13 year old script kiddie, your computer is clean.
If that is not the first malware from the author and he knows what he is doing, it is still compromised.


The only way to be sure is to reinstall your OS. It is completely up to you if you do this or not. But if you want to be somewhat sure, you need to do this.

[DaCryptoRaccoon]

Full report is now ready..

https://www.hybrid-analysis.com/sample/c41c028d807d241027ce0c62e317f46cd68426c5ce1a3204bfc20a8b05ccd47f/5d10ca27038838004c83abab

Code:

Found potential URL in binary/memory

details
    Heuristic match: "iplogger.org"
    Heuristic match: "pastebin.com"
    Pattern match: "https://iplogger.org/templates/new/i/200x200.png"
    Pattern match: "https://maper.info/XuBf3"
    Pattern match: "https://iplogger.org/rules/"
    Heuristic match: "GET /raw/diuCKBNL HTTP/1.1
    Host: pastebin.com" 
source
    String
relevance
    10/10

it also seems to contact a US server and a DE (german) server I will try do some more indepth on the EXE when I have some more time later.

Bob is correct the best thing to do is to wipe down.

You can look at something like DBAN  ( https://dban.org/ )
This will allow you to securely wipe the HD and make sure there is nothing left on the system..

Another things possibly you should check is your bios make sure nothing has been modified in the BIOS but from looking at this malware I don't think it's packed with a rootkit or bootkit.

Code:

Domain 	Address 	Registrar 	Country
iplogger.org
	88.99.66.31
TTL: 1487 	Regtime Ltd.
Name Server: NS1.FASTVPS.RU
Creation Date: Sun, 03 Apr 2011 15:52:04 GMT 	Flag of Germany Germany
pastebin.com
	104.20.209.21
TTL: 233 	ENOM, INC.
Organization: WHOISGUARD, INC.
Name Server: SUE.NS.CLOUDFLARE.COM
Creation Date: Tue, 03 Sep 2002 00:00:00 GMT 	Flag of United States United States
Contacted Hosts
IP Address 	Port/Protocol 	Associated Process 	Details
88.99.66.31
443
TCP 	ema20cross20bybit20v1.exe
PID: 2920 	Flag of Germany Germany
104.20.209.21
443
TCP 	ema20cross20bybit20v1.exe
PID: 2920 	Flag of United States United States
Contacted Countrie

Attack surface processing.  Seems to hook.