Bitcoin Forum
Author Topic: [Flag] User "ksystems77" spreading malware  (Read 177 times)
bob123 (Legendary; Activity: 1330, Merit: 2075)
September 08, 2019, 06:55:39 PM
Merited by suchmoon (4), LoyceV (1), Baofeng (1)
#1

Original topic: https://bitcointalk.org/index.php?topic=5182888.0
Archived: https://archive.fo/8xKAH

Reasons to believe this user is spreading malware: I ran an analysis on the software he declares as "NEW PORTABLE ELECTRUM ENCRYPTED BITCOIN WALLET RELEASED!!!"

Results:
1. It contacts server 84.33.95.3 on an IRC port (6667) and transmits data, which is a technique commonly used for C&C servers.

2. Malicious artifacts related to 84.33.95.3 found:
Code:
URL: http://84.33.95.3/powershell_attack.txt (AV positives: 6/71 scanned on 09/08/2019 18:21:14)
URL: http://84.33.95.3/crypto-arbitrage_9-8-2.exe (AV positives: 7/71 scanned on 09/08/2019 16:40:08)
URL: http://84.33.95.3/auto-btc.exe (AV positives: 5/71 scanned on 09/08/2019 13:39:30)
URL: http://84.33.95.3/bit-trader_bot_3_7_8.exe (AV positives: 9/71 scanned on 09/08/2019 13:33:39)
URL: http://84.33.95.3/bitcoin_auto_trader-6-8-1.exe (AV positives: 5/71 scanned on 09/08/2019 13:14:10)
File SHA256: 788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e (AV positives: 51/71 scanned on 09/07/2019 15:14:14)
File SHA256: a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37 (AV positives: 24/72 scanned on 09/07/2019 14:09:06)
File SHA256: bfabf136cc96db595ce8dd3a3bbbf4f52c979bbc740403d791713be92935f630 (AV positives: 13/66 scanned on 09/07/2019 12:29:42)
File SHA256: bdb3f9c296b79aaa2b919b5b29ae3a07a9936fd626ae47ff6290117591e9b331 (AV positives: 53/72 scanned on 09/06/2019 16:40:49)
File SHA256: 5273aa63893f04cb54478a790878dea326908e8235741dbfb80273fb148cde5e (AV positives: 37/70 scanned on 09/01/2019 07:08:21)

3. Touches files in the windows directory:
Code:
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"

4. It contains techniques to detect sandboxing and to counter debugging (not good enough :D)


Created a Type1-flag: FLAG
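
The artifact list in the post above is only useful to other people if it becomes something a detection pipeline can match on. The following is an added example (editor's code, not bob123's analysis tooling): it pulls the IP, URLs and SHA-256 hashes out of the report text and hunts for them in Zeek-style conn.log and http.log records. The indicator values are the ones the post reports; the log records, the simplified column layout (a subset of Zeek's fields) and the hash inventory are constructed for the example. Point 1 of the post is also generalised: any workstation talking to an IRC port is flagged, whether or not the destination is on the list, because IRC is not a protocol a wallet has any business speaking.

```python
"""Turn the forum analysis into machine-checkable IOCs and hunt for them in logs.
Added example; indicator values are from the post, log records are constructed."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the post's findings (values copied from the post).
REPORT_TEXT = """
1. It contacts server 84.33.95.3 on an IRC port (6667) and transmits data.
URL: http://84.33.95.3/powershell_attack.txt (AV positives: 6/71 scanned on 09/08/2019 18:21:14)
URL: http://84.33.95.3/crypto-arbitrage_9-8-2.exe (AV positives: 7/71 scanned on 09/08/2019 16:40:08)
URL: http://84.33.95.3/auto-btc.exe (AV positives: 5/71 scanned on 09/08/2019 13:39:30)
File SHA256: 788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e (AV positives: 51/71)
File SHA256: a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37 (AV positives: 24/72)
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s()]+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IRC_PORTS = {6667, 6697}


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    sha256: set = field(default_factory=set)


def extract_iocs(text: str) -> IocSet:
    """Pull IPs, URLs and SHA-256 hashes out of free-text analysis output."""
    return IocSet(
        ips=set(IPV4_RE.findall(text)),
        urls=set(URL_RE.findall(text)),
        sha256={h.lower() for h in SHA256_RE.findall(text)},
    )


# Constructed Zeek conn.log excerpt (tab-separated, reduced to these columns):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
CONN_LOG = """\
1567966539.101\t10.0.0.12\t51022\t84.33.95.3\t6667\ttcp\tirc
1567966540.202\t10.0.0.12\t51023\t93.184.216.34\t443\ttcp\tssl
1567966541.303\t10.0.0.7\t51100\t198.51.100.9\t6667\ttcp\t-
1567966542.404\t10.0.0.7\t51101\t84.33.95.3\t80\ttcp\thttp
"""
# Constructed Zeek http.log excerpt: ts, id.orig_h, host, uri
HTTP_LOG = """\
1567966542.505\t10.0.0.7\t84.33.95.3\t/powershell_attack.txt
1567966543.606\t10.0.0.7\texample.com\t/index.html
"""


def hunt_conn(conn_log: str, iocs: IocSet) -> list[dict]:
    """Flag connections to IOC IPs, and any host speaking IRC at all
    (the post's point 1, generalised: IRC from a wallet is a red flag on its own)."""
    hits = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, _proto, service = line.split("\t")
        reasons = []
        if resp_h in iocs.ips:
            reasons.append("dest IP in IOC list")
        if int(resp_p) in IRC_PORTS or service == "irc":
            reasons.append("IRC traffic from " + orig_h)
        if reasons:
            hits.append({"ts": ts, "src": orig_h, "dst": f"{resp_h}:{resp_p}", "reasons": reasons})
    return hits


def hunt_http(http_log: str, iocs: IocSet) -> list[dict]:
    """Flag requests that reconstruct to a listed URL, or that hit a listed IP on any path."""
    hits = []
    for line in http_log.splitlines():
        if not line:
            continue
        ts, orig_h, host, uri = line.split("\t")
        url = f"http://{host}{uri}"
        reasons = []
        if url in iocs.urls:
            reasons.append("exact IOC URL")
        elif host in iocs.ips:
            reasons.append("host is IOC IP")
        if reasons:
            hits.append({"ts": ts, "src": orig_h, "url": url, "reasons": reasons})
    return hits


def check_hashes(observed: dict, iocs: IocSet) -> list[str]:
    """Match a path -> sha256 inventory (e.g. from a disk scan) against the listed hashes."""
    return sorted(p for p, h in observed.items() if h.lower() in iocs.sha256)


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_TEXT)
    print(iocs)
    for hit in hunt_conn(CONN_LOG, iocs) + hunt_http(HTTP_LOG, iocs):
        print(hit)
```

On the constructed records the script raises three conn.log hits (the IRC session to 84.33.95.3, an IRC session from a second host to an unlisted IP, and a port-80 contact to the listed IP) and one http.log hit for the powershell_attack.txt download. The hash check is case-insensitive because scanners report SHA-256 in both cases.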

ETFbitcoin (Legendary; Activity: 2128, Merit: 2513)
September 08, 2019, 07:02:50 PM
Last edit: September 08, 2019, 07:18:49 PM by ETFbitcoin
Merited by LoyceV (1)
#2

Good thing you archived it before the post was edited :)

But it looks like the account was hacked, since:
1. His/her last post was made on September 16, 2018, 06:52:19 PM
2. Getting merit isn't that easy, so I doubt a scammer would use such a valuable account



Edit: He shared it again on:
1. https://bitcointalk.org/index.php?topic=5174171.msg52398714#msg52398714 (https://archive.is/GVsWD)
2. https://bitcointalk.org/index.php?topic=5182910.0 (https://archive.is/jvWmi)

Lafu (Legendary; Activity: 1652, Merit: 1651)
September 08, 2019, 07:41:17 PM
#3

https://www.virustotal.com/gui/file/f79fe737f51a8c8d33c9db677ff236228d66063a35290ef1ee29ed0bec86c7e1/detection
Baofeng (Legendary; Activity: 1274, Merit: 1190)
September 08, 2019, 08:00:45 PM
#4

I checked Electrum's official Twitter account here https://twitter.com/electrumwallet?lang=en and there's no mention of this so-called new portable wallet.

Supported the flag.

DireWolfM14 (Copper Member, Hero Member; Activity: 882, Merit: 1845)
September 08, 2019, 08:02:34 PM
#5

Isn't this a ban-able offense?

bob123 (Legendary; Activity: 1330, Merit: 2075)
September 08, 2019, 08:04:40 PM
Last edit: September 09, 2019, 09:28:14 AM by bob123
Merited by morvillz7z (1)
#6


You do know how AV engines check a file, don't you?

Mostly 2 steps:
1) Check whether this file is known already
2) Runtime analysis.

AVs are weak. They never find malware if it is coded properly.

Just because 2/70 AVs regard that as malware is neither an argument that it is malware nor that it isn't malware.
This just means it is not known yet and that it doesn't raise too many red flags (e.g. encrypting a system folder).

The results I posted are from a proper analysis with detailed reports, not from simple AV scans.
I honestly don't understand how they can't check the IP the software is connecting to. This IP is related to several other illegal (hacking) activities. Just one additional argument that AVs are extremely weak and only useful for very well-known malware.



Quote from: DireWolfM14 on September 08, 2019, 08:02:34 PM
Isn't this a ban-able offense?

Yes.
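
The two-step picture in the post above (step 1: is the file already known, by hash or static signature; step 2: runtime analysis) is easy to demonstrate, and so is why a low VirusTotal hit count says little. The following is an added example (editor's code, not anything from the thread or from Electrum): a toy "payload" whose only runtime action is the C2 contact the thread reports (84.33.95.3 on 6667, IRC commands) is scanned three ways. The unpacked variant is "known", so hash reputation and a pair of string signatures catch it; the same bytes behind a trivial repeating-key XOR packer defeat both static checks and produce a fresh hash on every repack; a behaviour check on what the sample does when unpacked still flags it. The payload text, the packer, the emulator and the string signatures are all constructed stand-ins for a real sample, sandbox and AV engine.

```python
"""Why a 2/70 VirusTotal score is not evidence either way: static lookups vs. runtime behaviour.
Added example; the C2 address is the one reported in the thread, everything else is constructed."""
import hashlib

# Constructed stand-in for the sample's runtime logic (what a sandbox would observe it doing).
PLAIN_PAYLOAD = (
    b"CONNECT 84.33.95.3:6667\n"
    b"NICK btc-%RAND%\n"
    b"JOIN #ctrl\n"
    b"PRIVMSG #ctrl :wallet.dat stolen\n"
)
# Assumed: the unpacked variant was submitted to scanners earlier, so its hash is "known"
# (this is what the "AV positives: n/71" numbers in the thread mostly rest on).
KNOWN_BAD_SHA256 = {hashlib.sha256(PLAIN_PAYLOAD).hexdigest()}
# Assumed static string signatures an engine might carry for this family.
STRING_SIGNATURES = [b"84.33.95.3", b"JOIN #"]
C2_IPS = {"84.33.95.3"}          # from the thread
IRC_PORTS = {6667, 6697}
IRC_VERBS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG"}


def xor_pack(data: bytes, key: bytes) -> bytes:
    """Toy packer: repeating-key XOR. The same call unpacks, since XOR is its own inverse."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def static_scan(sample: bytes) -> list[str]:
    """Step 1: hash reputation, then static string signatures. Nothing is executed."""
    findings = []
    if hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256:
        findings.append("known-bad hash")
    for sig in STRING_SIGNATURES:
        if sig in sample:
            findings.append("string:" + sig.decode())
    return findings


def emulate_runtime(packed: bytes, key: bytes) -> dict:
    """Step 2 stand-in: 'run' the sample (here: unpack it) and record what it does on the wire."""
    unpacked = xor_pack(packed, key)
    behaviour = {"connect": None, "irc_verbs": []}
    for line in unpacked.splitlines():
        if line.startswith(b"CONNECT "):
            behaviour["connect"] = line[len(b"CONNECT "):].decode()
        else:
            verb = line.split(b" ", 1)[0]
            if verb in IRC_VERBS:
                behaviour["irc_verbs"].append(verb.decode())
    return behaviour


def behavioural_verdict(behaviour: dict) -> list[str]:
    """Flag exactly the behaviour the thread's analysis keyed on: C2 IP and IRC-style traffic."""
    reasons = []
    if not behaviour["connect"]:
        return reasons
    host, _, port = behaviour["connect"].rpartition(":")
    if host in C2_IPS:
        reasons.append("contacts known C2 IP " + host)
    if port.isdigit() and int(port) in IRC_PORTS and behaviour["irc_verbs"]:
        reasons.append("IRC-style C2 session on port " + port)
    return reasons


def compare(key: bytes) -> dict:
    """Run both steps on the plain sample and on a copy packed with `key`."""
    packed = xor_pack(PLAIN_PAYLOAD, key)
    return {
        "static_plain": static_scan(PLAIN_PAYLOAD),
        "static_packed": static_scan(packed),
        "packed_sha256": hashlib.sha256(packed).hexdigest(),
        "runtime_packed": behavioural_verdict(emulate_runtime(packed, key)),
    }


if __name__ == "__main__":
    # Every new key yields a new hash and an empty static result; the verdict never changes.
    for k in (b"\x5a\xa3\x17\xc4", b"\x01\x02"):
        print(k.hex(), compare(k))
```

Swapping the key changes `packed_sha256` every time, so a hash-reputation lookup is only ever as good as the last submission of that exact build; the behaviour-based verdict is the same for every key because it looks at what the code does, not what it looks like. That is the gap between "2/70 engines flag it" and the C2 contact a sandbox run reports.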
