Topic: Report Malware and Suspicious Links here so Mods can take Action ! - page 6. (Read 34654 times)

legendary
Activity: 2996
Merit: 3114
And we have a new Fake Ann Thread with a new Fake Github Account with a Malware Link for ObscurityCoin (OBSC)!

The Fake Github Account was created 2 Days ago !

Fake Github : github.com/Obscurity-Network/

The Windows QT File there is 670 MB big and the Linux one only 19 MB, and that's very suspicious!

Account : Makkoortin  <--- Please ban or Lock that Account and delete the Thread
This user recently woke up from a long period of inactivity.
Registered since October 02, 2021, Hacked or sold Account

Fake Ann Thread :  [ANN] ObscurityCoin (OBSC) - Securing Your Digital Transactions with Privacy!
Self-Moderated Thread as always from the Hackers

Code:
https://github.com/Obscurity-Network/ObscurityCoin

This post is also a reference for the Github Report !
legendary
Activity: 2996
Merit: 3114
Are links on the coinmarketcap website dangerous?  There are so many links you can click on whether it's about a coin and things like that.  They highlight so many different things.  Also on the right side, there are lot of posts from people that seem to be twitter posts regarding the coin.  So clicking those links are unsafe or not?
First of all, every Link can be dangerous on the internet or on any Website.
But normally the Links on coinmarketcap should be okay, but what you will find or can download on those clicked Links can be dangerous.
You should do your own research if you are not sure whether it's safe or not, looking on Google maybe, or here on the Forum, if there is some Information.
full member
Activity: 1736
Merit: 186
Are links on the coinmarketcap website dangerous?  There are so many links you can click on whether it's about a coin and things like that.  They highlight so many different things.  Also on the right side, there are lot of posts from people that seem to be twitter posts regarding the coin.  So clicking those links are unsafe or not?
hero member
Activity: 882
Merit: 773
Find your Digital Services at- cryptolibrary.pro
Why the quick posts advertising some software that looks like TradingView? The person is trying to spread malware, but in a rather more subtle way, and is also trying to provide clean VirusTotal results in each post when not even asked. Guilty conscience? I say yes!
The proverb works here: "A guilty mind is always suspicious".
And they didn't just open four of the same topic, they opened several more. But the interesting thing is that those accounts are not newly registered accounts; all these accounts were opened a few years ago. Roll Eyes I think they should be banned or locked in addition to deleting their posts.
copper member
Activity: 2030
Merit: 1788
฿itcoin for all, All for ฿itcoin.
It looks suspicious that the same topic was created 4 times from 4 different accounts Roll Eyes. Just take a look, aren't they spreading malware?

Code:
https://mega.nz/file/ihN13B6D#CIJVDW-nlS-5-tUKxgM1kvgwY2IqAWKzWDCMvZJw9kw
1. ProChart Navigator: Empowering Your Trading Experience ?  
2. ProChart Navigator: Empowering Your Trading Experience
3. ProChart Navigator: Empowering Your Trading Experience
4. ProChart Navigator with Download Link !
Sorry, I didn't have enough sMerits, but something is definitely not adding up. Why the quick posts advertising some software that looks like TradingView? The person is trying to spread malware, but in a rather more subtle way, and is also trying to provide clean VirusTotal results in each post when not even asked. Guilty conscience? I say yes!

Here is what I asked in one of the posts
Binaries uploaded on Mega.nz give me chills. It doesn't matter if the virustotal results are clean or not.  Tongue

I have some questions:
1. What advantageous difference does your app have over the original, trustable TradingView app? What is funny is that your executable app is also named "Tradingview.exe".
2. Did you tinker with the TradingView code?
hero member
Activity: 882
Merit: 773
Find your Digital Services at- cryptolibrary.pro
It looks suspicious that the same topic was created 4 times from 4 different accounts Roll Eyes. Just take a look, aren't they spreading malware?

Code:
https://mega.nz/file/ihN13B6D#CIJVDW-nlS-5-tUKxgM1kvgwY2IqAWKzWDCMvZJw9kw
legendary
Activity: 2996
Merit: 3114
And we have a new Fake Ann Thread with a Fake Github Account with Malware for [KASPAR] Kasparov !

Fake Github : github.com/tehasholdem/Kasparov
The File on the Fake Github already has a size of 170 MB, like the other Malware files.
The Github Account was created on 10 November; this is also the same date as the github.com/toootoooo/NetworkPHYS Account.

Code:
C:\Users\user\AppData\Local\Temp\db4dfn0r.gxn\kasparov-gui.exe" /VERYSILENT
C:\Users\user\AppData\Local\Temp\is-LFTIA.tmp\kas.tmp" /SL5="$B019A,159993928,842240,C:\Program Files (x86)\My Program\kas.exe"
C:\Program Files (x86)\My Program\electrum.exe
C:\Program Files (x86)\My Program\kas.exe

C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="KDX genkeypair" program="C:\Program Files\Kaspa\KDX\bin\windows-x64\genkeypair.exe" dir=out action=allow enable=yes
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

ET MALWARE Observed Malicious SSL Cert
ET MALWARE Generic AsyncRAT Style SSL Cert
ET INFO External IP Lookup Domain in DNS Lookup
Suspicious DNS Query for IP Lookup Service APIs

Source: https://www.virustotal.com/gui/file/6b639de205612d838e0f40ca43372f6e67a16c034b0108b0c4095af618841e97/behavior

Account : boxpackaging  <--- Please ban or Lock that Account and delete the Thread
Registered since August 04, 2020, Hacked or sold Account!

Fake Ann Thread:  [ANN] [KASPAR] Kasparov - experimental fork Kaspa with new algo (POW+CPU mining)

Wallets
Code:
Windows GUI: https://github.com/tehasholdem/Kasparov/releases/download/0.9.0/kasparov-gui.zip
Source: https://github.com/tehasholdem/Kasparov/

This post is also a reference for the Github Report !
legendary
Activity: 2996
Merit: 3114
And we have a new Fake Ann with a new Fake Github Account with malware Link for [PHYS] PhysicalNetwork !

Github Account was created on November 10, 2023

Fake Github : github.com/toootoooo/NetworkPHYS

Same here as with the other Fake Github Files that were posted by the Hackers
Code:
Processes created

C:\Users\user\AppData\Local\Temp\qcdh5c4k.vj2\physnetwork-qt\physnetwork-qt.exe" /VERYSILENT
C:\Program Files (x86)\My Program\electrum.exe
C:\Program Files (x86)\My Program\kas.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Files Dropped
C:\Program Files\Kaspa\KDX\
C:\Program Files\Kaspa\KDX\bin\windows-x64\genkeypair.exe

ET MALWARE Observed Malicious SSL Cert
ET MALWARE Generic AsyncRAT Style SSL Cert
ET INFO External IP Lookup Domain in DNS Lookup
Suspicious DNS Query for IP Lookup Service APIs
Source : https://www.virustotal.com/gui/file/d103c368f748aeea587e47888c9a832cb1abc5d03797639af59ae58bf3e775c6/behavior

Account : rednick   <--- Please ban or Lock that Account and delete the Thread
This user recently woke up from a long period of inactivity.
Registered since February 27, 2018, last post was March 09, 2021, Hacked or sold Account

Fake Ann Thread :   [ANN] [PHYS] PhysicalNetwork - scalable and private network [GPU/ghostdag]

Wallets
Code:
Windows: https://github.com/toootoooo/NetworkPHYS/releases/download/1.0.0/physnetwork-qt.zip
Linux: https://github.com/toootoooo/NetworkPHYS/releases/download/1.0.0/phys-linux.zip

This post is also a reference for the Github Report !
legendary
Activity: 2996
Merit: 3114
And we have a new Fake Ann Thread with a Fake Github, Malware download Link for [NRP] Physical Network !

Fake Github : github.com/waynedickey/phys-network

Very bad things go on when you start the File from that Github.
Code:
Hidden Tear Ransomware
HanaLoader (Sysmon detection)
PsiXBot Malware behavior
Orcus RAT detection
DropboxAES RAT (Sysmon detection)
Change PowerShell Policies to an Insecure Level
POLICY-OTHER HTTP request by IPv4 address attempt
Source : https://www.virustotal.com/gui/file/f42ba385274e659f519fcecf8e673c527ccf7277d3b4b139989fb35202aa3007/behavior

Account : blouch  <--- Please ban or Lock that Account and delete the Thread
Hacked or sold Account

Fake Ann Thread : [ANN] [NRP] Physical Network - experimental POW mining (ghostdag)

Wallets
Code:
Windows: https://github.com/waynedickey/phys-network/releases/download/0.0.1/phys-qt-win64.zip
Linux: https://github.com/waynedickey/phys-network/releases/download/0.0.1/phys-linux.zip

This post is also a reference for the Github Report !
legendary
Activity: 2996
Merit: 3114
Thanks Lafu, I will keep posting here when I find fake ANNs spreading malware with fake github here.
I've updated it with code so someone can't click on it.
Nice, thanks for the edit, and this helps for sure so that it's not accidentally clickable for other Users.
Also thanks for keeping your eyes open and you are right on that last Fake Ann.

There is more evidence and information about that Fake Github File when you look at the behavior of the File.

And it's the same file as we got from the Fake Github github.com/troyseate/electrum-kas, just another Github Account.
Code:
C:\Program Files (x86)\My Program\MyProg.exe
C:\Program Files (x86)\My Program\electrumkas.exe
C:\Program Files (x86)\My Program\electrumkas.exe.config
C:\Program Files (x86)\My Program\electrumkas.exe\:Zone.Identifier
Source  : https://www.virustotal.com/gui/file/90865b85c96429951ec2d1014398dfaf336e5be6cfd6d6fcbb13827184e1a4f8/behavior

What's interesting about that File is this here:
Code:
fullnode-win64/fullnode-win64-qt.exe
256 - C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="KDX kaspa-miner" program="C:\Program Files\Kaspa\KDX\bin\windows-x64\gpuminer.exe" dir=out action=allow enable=yes
It modifies your Firewall when you start the Wallet.exe, and a lot of other bad things.
sr. member
Activity: 294
Merit: 433
HODL - BTC
A fake ANN that spreads malware from GitHub, and accounts that just woke up after 5 years of sleep.

User: ranastic Please ban or Lock that Account - This user recently woke up from a long period of inactivity.
ANN Fake: [ANN] BURNSTAR - New GEM for GPU mining (GPU PoW/ghostDAG/blockDAG)


Code:
[b]OUR WALLETS[/b]
Windows: https://github.com/tpillatzke/burnstar/releases/download/1.0.0/fullnode-win64.zip
Linux: https://github.com/tpillatzke/burnstar/releases/download/1.0.0/burnstar-linux.zip
Source: https://github.com/tpillatzke/burnstar

Virustotal: https://www.virustotal.com/gui/file/90865b85c96429951ec2d1014398dfaf336e5be6cfd6d6fcbb13827184e1a4f8/detection

I really appreciate that you keep your eyes open and post these things here in the thread to collect as much data as possible on the Fake Github Account.
But again, is it possible, when you write your posts, that you use the code function (as I have done in your quote) for the Links so that nobody can click on them? That would be nice.
Thanks Lafu, I will keep posting here when I find fake ANNs spreading malware with fake github here.
I've updated it with code so someone can't click on it.
legendary
Activity: 2996
Merit: 3114
I reported a fake ANN with the same case above, and now the old account is alive again to spread malware through github.

Github fake
GITHUB
Code:
WINDOWS: https://github.com/troyseate/purn-network/releases/download/1.0.0/purn-qt-win64.zip
LINUX:  https://github.com/troyseate/purn-network/releases/download/1.0.0/purn-qt-linux.zip
SOURCE: https://github.com/troyseate/purn-network
Yes, there were a few of them in the last days, but they have all already been deleted.
I really appreciate that you keep your eyes open and post these things here in the thread to collect as much data as possible on the Fake Github Account.
But again, is it possible, when you write your posts, that you use the code function (as I have done in your quote) for the Links so that nobody can click on them? That would be nice.
sr. member
Activity: 294
Merit: 433
HODL - BTC
I reported a fake ANN with the same case above, and now the old account is alive again to spread malware through github.

User: Toto2020 Please ban or Lock that Account
ANN Fake: [ANN] PURN-NETWORK - Kaspa fork with new features (GPU PoW/ghostDAG)

Virustotal: https://www.virustotal.com/gui/file/281768a452b533759c21c0dc80b81cf0d49de1be645368fbdda8c66dcb7120d3/detection

Github fake
Code:
WINDOWS: https://github.com/troyseate/purn-network/releases/download/1.0.0/purn-qt-win64.zip
LINUX:  https://github.com/troyseate/purn-network/releases/download/1.0.0/purn-qt-linux.zip
SOURCE: https://github.com/troyseate/purn-network
legendary
Activity: 2996
Merit: 3114
And we have again a new Fake Ann Thread with the Fake Github Link with Malware for PURN !

Fake Github : github.com/troyseate/purn-network

This Fake Github Account already has other Links in it too.
Code:
github.com/troyseate/purn-network
github.com/troyseate/electrum-kas
github.com/troyseate/pyrinwallet
github.com/troyseate/electrum
github.com/troyseate/awesome-nodejs

Windows already gives you a Warning for Virus and Trojan when you try to download the File from the Fake Github.

Account : Digitminer  <--- Please ban or Lock that Account and delete the Thread
Registered since July 15, 2017, Hacked or sold Account

WINDOWS:
Code:
https://github.com/troyseate/purn-network/releases/download/1.0.0/windows.zip

This post is also a reference for the Github Report !
legendary
Activity: 2996
Merit: 3114
We have a new Fake Ann Thread with a new Fake Github Account with Malware and Trojan download Link for KASTLS (kaspa tools project) !

The Fake Github download File was created 2 Days ago.

Fake Github : github.com/troyseate/electrum-kas

Many shady and bad things happen when you start the Wallet File:
Code:
MALWARE TROJAN EVADER RAT

Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
Detects the addition of a new rule to the Windows firewall via netsh
Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
Detects the creation of scheduled tasks in user session
Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes
Detects loading of Amsi.dll by uncommon processes
Detects a WMI modules being loaded by an uncommon process

C:\Program Files\Kaspa\KDX\bin\windows-x64\genkeypair.exe
C:\Program Files\Kaspa\KDX\bin\windows-x64\gpuminer.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\RestartManager

C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Discord startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Also your Discord App will be compromised with it on startup.

Source : https://www.virustotal.com/gui/file/4dcae6a5ede0c0059bf0cdce636b144c40faa65c4539f91d456cc8df333509ff/behavior

Account :  fanepatent2  <--- Please ban or Lock that Account and delete the Thread and Posts
Registered since November 23, 2017, possibly hacked or sold Account

Fake Ann Thread :  [ANN] KASTLS - kaspa tools project (For using)

Hello community!
Code:
https://github.com/troyseate/electrum-kas/tree/main

Fake Posts :
https://bitcointalksearch.org/topic/ann-pyrin-pyi-gpu-pow-ghostdag-blockdag-5476198
https://bitcointalksearch.org/topic/ann-karlsen-kls-gpu-pow-a-fork-of-kaspa-with-kheavyhash-asic-resistance-5475216
https://bitcointalksearch.org/topic/ann-kaspa-kas-cpu-pow-ghostdag-5373286

This post is also a reference for the Github Report !
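A small triage script over sandbox process-creation lines like the ones quoted in these reports (the netsh firewall rule, the "Discord startup" logon task, the /VERYSILENT installer from Temp, InstallUtil.exe). This is an added example, not code from the thread or from any project it names; the sample lines are constructed and modelled on the quoted excerpts.

```python
"""Triage helper for sandbox process-creation lines of the kind quoted in this thread.

Added example, not code from the thread or from any project it names. It flags the
behaviours the reports keep listing: netsh adding firewall rules, schtasks creating
ONLOGON tasks with /rl HIGHEST that point into AppData, silent installers launched
from Temp, and InstallUtil.exe (a signed .NET tool often abused to run payloads).
The sample lines are constructed, modelled on the quoted VirusTotal excerpts.
"""
import re

# Constructed sample lines, modelled on the behaviour excerpts quoted in the thread.
SAMPLE_LINES = [
    r'C:\Windows\System32\netsh.exe advfirewall firewall add rule name="KDX genkeypair" '
    r'program="C:\Program Files\Kaspa\KDX\bin\windows-x64\genkeypair.exe" dir=out action=allow enable=yes',
    r'C:\Windows\SysWOW64\schtasks.exe /create /tn "Discord startup" /sc ONLOGON '
    r'/tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'C:\Users\user\AppData\Local\Temp\db4dfn0r.gxn\kasparov-gui.exe /VERYSILENT',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',  # benign console host
    r'C:\Program Files\Git\cmd\git.exe status',               # benign, constructed
]

# Folders a normal user can write to; a logon task pointing there is a persistence smell.
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Users\\[^\\]+\\Downloads)\\', re.I)
EXE_PATH = re.compile(r'^"?([^"]+?\.exe)"?', re.I)


def flags_for(cmd: str) -> list:
    """Return the reasons one process command line looks suspicious (empty if none)."""
    reasons = []
    low = cmd.lower()
    match = EXE_PATH.match(cmd)
    exe_path = match.group(1) if match else ''
    exe_name = exe_path.rsplit('\\', 1)[-1].lower()

    if exe_name == 'netsh.exe' and 'advfirewall' in low and 'add rule' in low:
        reasons.append('firewall rule added via netsh')
    if exe_name == 'schtasks.exe' and '/create' in low:
        if '/sc onlogon' in low:
            reasons.append('scheduled task runs at every logon (persistence)')
        if '/rl highest' in low:
            reasons.append('scheduled task requests highest privileges')
        target = re.search(r'/tr\s+"?([^"]+)"?', cmd, re.I)
        if target and USER_WRITABLE.search(target.group(1)):
            reasons.append('scheduled task target lives in a user-writable folder')
    if '\\temp\\' in exe_path.lower() and '/verysilent' in low:
        reasons.append('silent installer launched from Temp')
    if exe_name == 'installutil.exe':
        reasons.append('InstallUtil.exe launched (.NET tool commonly abused to run payloads)')
    return reasons


def triage(lines):
    """Map each flagged command line to its reasons; lines with no findings are dropped."""
    result = {}
    for line in lines:
        reasons = flags_for(line)
        if reasons:
            result[line] = reasons
    return result


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line[:60] + '...', '->', '; '.join(reasons))
```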
sr. member
Activity: 294
Merit: 433
HODL - BTC
I found a suspicious thread that did not share a link on GitHub but rather on a free website from GoDaddy, and there it appeared to be spreading a virus downloaded via mega.nz.

User: FunkySkunk
ANN Fake: Release: New Altcoin - A even Lite version of Litecoin Called Obsidian (OBS)

Virustotal: https://www.virustotal.com/gui/file/8f836b7a9ecfcc716ee78bef17494d4789134646b695df05b656714a98b57ea1/detection

I found Obsidian project's old ANN : Obsidian ODN - CryptoCurrency & Secure Anonymous Messaging
legendary
Activity: 2996
Merit: 3114
We have a new Fake Ann Thread with a new Fake Github Malware download Link for MentaCoin (MNLC) !

The Fake Github Account was just created 1 Hour ago.

Fake Github : github.com/MNLCoinNetwork/MentaCore
Real Github : github.com/MentaCoin

Lots of bad things happen when you download and start the Files from the Fake Github.
Code:
Drops script at startup location
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems.
Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets
This detection method points out highly relevant Antivirus events
A Network Trojan was detected
Device Retrieving External IP Address Detected

C:\Users\user\AppData\Local\Oliver Robinson\SocialPulse Monitor.pif
C:\Users\user\AppData\Local\Temp\8819\5865\jsc.exe
C:\Users\user\AppData\Local\Temp\flofy.exe
C:\Users\user\AppData\Local\Temp\noply.exe
C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Legal + Rebel + Desktops + Sleeve + Romania 5865\Peeing.pif
C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 2176
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\user\AppData\Local\Temp\QY7M5JAACrWc.bat"
Source : https://www.virustotal.com/gui/file/0a483d211b2e8cefa76989095cb7965eae7a13d67626a96497dc213b0fae4a80/behavior

Account : Taoktoyre  <--- Please ban or Lock that Account and delete the Thread
This user recently woke up from a long period of inactivity.
Registered since October 02, 2021 , Hacked or sold Account

Fake Ann Thread :  [ANN] MentaCoin (MNLC) - Unleashing the Power of Minting for Mental Health

Code:
https://github.com/MNLCoinNetwork/MentaCore/

This post is also a reference for the Github Report !
sr. member
Activity: 294
Merit: 433
HODL - BTC
legendary
Activity: 2996
Merit: 3114
And we have a new Fake Ann Thread again with a new Fake Github Malware download Link for MNSC !

The Fake Github was just created 4 Hours ago.

Fake Github : github.com/voknelez/MNSCoin
Real Github : github.com/NewMNSavings/NewMNSCoin/

Same here for the Fake Github files:
Code:
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
Detects the stopping of a Windows service

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Virustotal : https://www.virustotal.com/gui/file/9b3d70ad7020b97311fcbe6d69a6181acc09d83e886f0f08f1eff35d0cb8b076/behavior

Account : salmanb  <--- Please ban or Lock that Account and delete the Thread
This user recently woke up from a long period of inactivity.
Registered since December 06, 2018 , Hacked or sold Account

Fake Ann Thread :  [ANN] Concept blockchain technology for QUARK (Pow, Quark)

Wallets
Code:
Windows: https://github.com/voknelez/MNSCoin/releases/download/1.0.0/MNSC-Win.zip

Original Ann Thread :  New Masternode Savings Coin (nMNSC)

Account : Kryptoyaner

New Fake Ann Thread again for NikiChain

Same Fake Github Account as for MNSC

Fake Github : github.com/voknelez/MNSCoin
Fake Github : github.com/voknelez/nikichain

Account : kuzgun51  <--- Please ban or Lock that Account and delete the Thread
This user recently woke up from a long period of inactivity.
Hacked or sold Account

Fake Ann Thread : [ANN] NikiChain - blockchain with crypto bridges (CPU, Mine and Exchange now)

Quote
NikiChain Wallet:
Code:
Windows : https://github.com/voknelez/nikichain/releases/download/2.0.2.3/windows-nikichain-2.0.2.3.zip
Quote from https://bitcointalksearch.org/topic/--5474315

This post is also a reference for the Github Report !
legendary
Activity: 2996
Merit: 3114
And we have a new Fake Ann Thread with a new Fake Github Malware download Link for CommunityCoin !

The Fake Github was created 16 Hours ago.

Fake Github : github.com/CommunityCash
Real Github : github.com/CommunityCoin

Virustotal with 6 detections : https://www.virustotal.com/gui/file/21767196a889ef21fba60611b753272154634011499000685d53534da33a247a/behavior

Code:
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Detects modification of autostart extensibility point (ASEP) in registry.

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
The Fake Github was updated not long ago with new Files that now have Malware and Trojan in them.
Code:
Generic.Malware.AI.DDS
Generic ML PUA (PUA)
Malware.SwollenFile!1.E38A (CLASSIC)
Trojan.Barys

Account : Xabikonjes  <--- Please ban or Lock that Account and delete the Thread
This user recently woke up from a long period of inactivity.
Registered since October 02, 2021 , Hacked or sold Account

Fake Ann Thread :  [ANN] CommunityCoin: Empowering the Community with CMNT
The Thread is self-moderated

Code:
https://github.com/CommunityCash/CommunityCoin

This post is also a reference for the Github Report !
© 2020, Bitcointalksearch.org