theymos (OP)
Administrator
Legendary
Offline
Activity: 5334
Merit: 13300
May 24, 2012, 07:24:27 PM
I received this file via email. I suspect it is malware -- possibly a wallet-stealer. Did anyone else get this? http://www5.zippyshare.com/v/12732912/file.html (Warning: probable malware)

> Invitation to ecurrency conference.
> http:// asiaelektronik.com/docs/processdl.html
> Please let us know if you interested.
> Thanks & Regards

The ecurrency part makes me think it's targeted to Bitcoin users.
ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1060
May 24, 2012, 07:29:54 PM
I got it too. I deleted it without clicking, so I don't know where the link goes.
ZodiacDragon84
Sr. Member
Offline
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 25, 2012, 02:48:42 AM
A screensaver miner maybe?
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 25, 2012, 03:32:05 AM
> A screensaver miner maybe?

LOL, well, you are welcome to risk your wallet to find out. Don't say you weren't warned.
ZodiacDragon84
Sr. Member
Offline
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 25, 2012, 03:36:43 AM
Truth be told, I ran it on my offline virtual machine, and I have no freaking idea what it does.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 25, 2012, 03:54:22 AM
> Truth be told, I ran it on my offline virtual machine, and I have no freaking idea what it does.

Run it in a VM with Sandboxie, with logging enabled. The Sandboxie logs will tell you all the files and registry objects that the program touches, whether in a read or a write operation.
ZodiacDragon84
Sr. Member
Offline
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 25, 2012, 04:10:14 AM (Last edit: May 25, 2012, 04:36:28 AM by ZodiacDragon84)
Give me a bit, and I will have a log ready as soon as I run it. Call it my white-hat deed of the day... lol

Can't figure out how to make a log at the moment, but none of my scans are showing really anything malicious. Multi-scanner results: http://metascan.org/result.php?scan=MzkxODYx
ZodiacDragon84
Sr. Member
Offline
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 25, 2012, 04:38:51 AM
theymos (OP)
Administrator
Legendary
Offline
Activity: 5334
Merit: 13300
May 25, 2012, 05:53:31 AM
It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.
Foxpup
Legendary
Offline
Activity: 4494
Merit: 3178
Vile Vixen and Miss Bitcointalk 2021-2023
May 25, 2012, 06:09:45 AM
> It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.

It's a Win32 executable, not an Office file. The vulnerable software it targets is Windows.
ZodiacDragon84
Sr. Member
Offline
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 25, 2012, 06:13:18 AM
It is hiding a trojan. Out of the 32 scans I ran, it only popped up in 2 of them. All the appropriate information is posted in my previous posts links.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 25, 2012, 12:50:20 PM
A form grabber. Interesting.
Graet
VIP
Legendary
Offline
Activity: 980
Merit: 1001
May 27, 2012, 03:24:34 AM
http://anubis.iseclab.org/ (Anubis: Analyzing Unknown Binaries), rather useful site too.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 27, 2012, 03:45:19 AM
Cool site! Analysis of this particular sample: http://anubis.iseclab.org/?action=result&task_id=10628d7019a46f47405a49a63bcc93a25

It appears to be a trojan that does keylogging, and installs a reverse shell or VNC-type program. It does 2 DNS lookups and a few HTTP connections, all shown in the report. Here is the beginning of the text report; not all of it will fit due to forum limits on the amount of text in one post:

Analysis Report for Invitation of Ecurrency Conference.xls.scr.xls
MD5: 9c1f40c32a7f32c7e59396986098afef

Summary:
- Write to foreign memory areas: This executable tampers with the execution of another process.
- Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered.
- Execution did not terminate correctly: The executable crashed.
- Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
- Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
- Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
- Spawns Processes: The executable produces processes during the execution.
- Performs Registry Activities: The executable creates and/or modifies registry entries.
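Two details in the thread suggest a triage step that needs no sandbox at all: Foxpup's point that the attachment is a Win32 executable rather than an Office file, and the Anubis report naming the sample "Invitation of Ecurrency Conference.xls.scr.xls" with its MD5. The Python below is an added example, not code from the thread, from Anubis or from Metascan. It reads the PE header regardless of what the extension claims, flags the .scr buried in the name, checks that a file claiming to be .xls actually carries Office magic, and prints the MD5 to cross-reference against a sandbox report. Nothing is executed. The sample bytes are constructed stand-ins, not the real attachment, and the extension sets are this example's own choices.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the attachment: a minimal DOS header, a PE signature
# and an i386 COFF file header. This is NOT the real sample from the thread.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58             # DOS header up to e_lfanew (offset 0x3C)
    + struct.pack("<I", 0x40)        # e_lfanew: NT headers start at 0x40
    + b"PE\x00\x00"                  # IMAGE_NT_SIGNATURE
    + struct.pack("<H", 0x14C)       # Machine = IMAGE_FILE_MACHINE_I386
    + b"\x00" * 18                   # remainder of IMAGE_FILE_HEADER
    + b"\x90" * 32                   # filler so the blob is not header-only
)

# Constructed stand-in for a genuine Excel 97-2003 workbook (OLE2 compound file).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"            # OOXML (.xlsx/.docx) is a ZIP container
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 56

# Extensions Windows executes as native code on double-click. A .scr screensaver
# is loaded exactly like an .exe, which is what an "xls.scr" name relies on.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "dll", "cpl"}
OFFICE_EXTS = {"xls", "doc", "ppt"}
DOCUMENT_EXTS = OFFICE_EXTS | {"pdf", "rtf", "txt", "jpg", "png"}


@dataclass
class TriageResult:
    md5: str                 # hash to look up in a sandbox/multi-scanner report
    claimed_ext: str         # what the name says the file is
    is_pe: bool              # what the bytes say the file is
    machine: Optional[int]   # COFF Machine field when is_pe
    flags: List[str] = field(default_factory=list)


def md5_hex(data: bytes) -> str:
    """MD5 in the form sandboxes such as Anubis print, for cross-referencing."""
    return hashlib.md5(data).hexdigest()


def parse_pe(data: bytes) -> Tuple[bool, Optional[int]]:
    """Follow MZ -> e_lfanew -> 'PE\\0\\0' -> Machine; (False, None) if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return True, machine


def triage(filename: str, data: bytes) -> TriageResult:
    """Compare the name's story with the content's story and flag mismatches."""
    parts = filename.lower().split(".")
    exts = parts[1:]                      # every extension-like segment
    claimed = exts[-1] if exts else ""
    is_pe, machine = parse_pe(data)
    result = TriageResult(md5_hex(data), claimed, is_pe, machine)

    # Bytes are a Windows program but the name ends in a document extension.
    if is_pe and claimed in DOCUMENT_EXTS:
        result.flags.append("pe_disguised_as_document")

    # An executable extension buried before the final one ("x.xls.scr.xls").
    for ext in exts[:-1]:
        if ext in EXECUTABLE_EXTS:
            result.flags.append("hidden_executable_extension:" + ext)

    # Classic lure: document extension directly followed by an executable one
    # ("x.xls.scr"); with known extensions hidden, Explorer shows just "x.xls".
    if len(exts) >= 2 and claimed in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        result.flags.append("double_extension_lure:" + exts[-2] + "." + claimed)

    # Claims to be an Office file but carries neither OLE2 nor ZIP magic.
    looks_like_office = data.startswith(OLE_MAGIC) or data.startswith(ZIP_MAGIC)
    if claimed in OFFICE_EXTS and not looks_like_office:
        result.flags.append("office_extension_without_office_magic")

    return result


if __name__ == "__main__":
    for name, blob in [
        ("Invitation of Ecurrency Conference.xls.scr.xls", SAMPLE_PE),
        ("Invitation of Ecurrency Conference.xls.scr", SAMPLE_PE),
        ("quarterly figures.xls", SAMPLE_OLE),
    ]:
        r = triage(name, blob)
        print(f"{name}: pe={r.is_pe} machine={r.machine} md5={r.md5} flags={r.flags}")
```

Run against the real attachment, the MD5 line is what you paste into Anubis or a multi-scanner to find an existing report instead of re-running the file, and the flags tell you in one pass why an "Excel invitation" that opens as gibberish in Office 2007 was never an Excel file.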
ZodiacDragon84
Sr. Member
Offline
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 27, 2012, 08:40:43 PM
Thank you for adding! I always love new tools in my arsenal