[Flag] User "ksystems77" spreading malware

[bob123]

Original topic: https://bitcointalk.org/index.php?topic=5182888.0
Archived: https://archive.fo/8xKAH

Reasons to believe this user is spreading malware: I run an analysis on the software he declares as "NEW PORTABLE ELECTRUM ENCRYPTED BITCOIN WALLET RELEASED!!!"

Results:

1. It contacts server 84.33.95.3 on an IRC port (6667) and transmits data which is a technique commonly used for C&C server.

2. Malicious artifacts related to 84.33.95.3 found:

Code:

URL: http://84.33.95.3/powershell_attack.txt (AV positives: 6/71 scanned on 09/08/2019 18:21:14)
URL: http://84.33.95.3/crypto-arbitrage_9-8-2.exe (AV positives: 7/71 scanned on 09/08/2019 16:40:08)
URL: http://84.33.95.3/auto-btc.exe (AV positives: 5/71 scanned on 09/08/2019 13:39:30)
URL: http://84.33.95.3/bit-trader_bot_3_7_8.exe (AV positives: 9/71 scanned on 09/08/2019 13:33:39)
URL: http://84.33.95.3/bitcoin_auto_trader-6-8-1.exe (AV positives: 5/71 scanned on 09/08/2019 13:14:10)
File SHA256: 788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e (AV positives: 51/71 scanned on 09/07/2019 15:14:14)
File SHA256: a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37 (AV positives: 24/72 scanned on 09/07/2019 14:09:06)
File SHA256: bfabf136cc96db595ce8dd3a3bbbf4f52c979bbc740403d791713be92935f630 (AV positives: 13/66 scanned on 09/07/2019 12:29:42)
File SHA256: bdb3f9c296b79aaa2b919b5b29ae3a07a9936fd626ae47ff6290117591e9b331 (AV positives: 53/72 scanned on 09/06/2019 16:40:49)
File SHA256: 5273aa63893f04cb54478a790878dea326908e8235741dbfb80273fb148cde5e (AV positives: 37/70 scanned on 09/01/2019 07:08:21) 

3. Touches files in the windows directory:

Code:

"electrum-3.5.8-portable.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui" 

4. It cointains techniques to detect sandboxing and to counter debugging (not good enough  )

Created a Type1-flag: FLAG

[1714106033]

1714106033

[1714106033]

1714106033

[1714106033]

1714106033

[ABCbits]

Good thing you archived it before the posts was edited

But looks like the account was hacked since :
1. His/her last posts was made on September 16, 2018, 06:52:19 PM
2. Getting merit isn't that easy, so i doubt scammer would use such valuable account


Edit : He share it again on :
1. https://bitcointalk.org/index.php?topic=5174171.msg52398714#msg52398714 (https://archive.is/GVsWD)
2. https://bitcointalk.org/index.php?topic=5182910.0 (https://archive.is/jvWmi)

[Lafu]

https://www.virustotal.com/gui/file/f79fe737f51a8c8d33c9db677ff236228d66063a35290ef1ee29ed0bec86c7e1/detection

[Baofeng]

I checked Eletrum's official twitter account here https://twitter.com/electrumwallet?lang=en and there's no mentioned of this so called new portable wallet.

Supported the flag.

[DireWolfM14]

Isn't this a ban-able offense?

[bob123]

https://www.virustotal.com/gui/file/f79fe737f51a8c8d33c9db677ff236228d66063a35290ef1ee29ed0bec86c7e1/detection

~snip~

You do know how AV engines check a file, do you ?

Mostly 2 steps:
1) Check whether this file is known already
2) Runtime analysis.

AV's are weak. They never find malware if it is coded properly.

Just because 2/70 AV's regard that as malware, that's neither an argument that it is malware, nor that it isn't malware.
This just means it is not known yet and that it doesn't raise too many red flags (e.g. like encrypting system folder).

The results i posted are from a proper analysis with detailed reports, not from simple AV scans.
I honestly don't understand how they can't check the IP the software is connecting to. This IP is related to several other illegal (hacking-) activities. Just one additional argument that AV's are extremely weak and only useful for very well-known malware.

Isn't this a ban-able offense?

Yes.