Topic: BitBot Faucet Farmer - Malware Warning (Read 2461 times)
Here is the thief wallet : https://blockchain.info/address/1Jo41wAw5SC712avT6jfxXGyAjeE57KQ9p
I downloaded the file off: https://bitcointalk.org/index.php?topic=353317.20 -> malware://ge.tt/7b0tCb71/v/0
MD5SUM
\373a8c958464d1fb665755e9ea2500b4 *Downloads\\BitCoin Miner.exe
It is a self-extracting RAR archive (Proof)
Inside, there are several suspicious-looking files.
The VBS launched has this code inside:
cMegS.exe is a renamed AutoIt interpreter, and mzBrYaXnW.SIM is script, filled with blank lines so it's not easily read.
Let's clean it up: >findstr ".." mzBrYaXnW.SIM>malware.au3
My AV software recognizes it as Win32/Injector.Autoit.YC
Besides doing some evil things, it decrypts and loads QTj.MUK...
Let's decrypt it -> https://www.virustotal.com/en/file/7d1d803aeb3f20310c3c1dfb3d09ee44c1c0593764e045a134dbc9561d80d569/analysis/1386574798/
TL;DR - User x55xx77 at https://bitcointalk.org/index.php?topic=353317.20 is distributing malware
MD5SUM
\373a8c958464d1fb665755e9ea2500b4 *Downloads\\BitCoin Miner.exe
It is a self-extracting RAR archive (Proof)
Inside, there are several suspicious-looking files.
The VBS launched has this code inside:
Code:
CreateObject("WScript.Shell").Exec "cMegS.exe mzBrYaXnW.SIM"cMegS.exe is a renamed AutoIt interpreter, and mzBrYaXnW.SIM is script, filled with blank lines so it's not easily read.
Let's clean it up: >findstr ".." mzBrYaXnW.SIM>malware.au3
My AV software recognizes it as Win32/Injector.Autoit.YC
Besides doing some evil things, it decrypts and loads QTj.MUK...
Let's decrypt it -> https://www.virustotal.com/en/file/7d1d803aeb3f20310c3c1dfb3d09ee44c1c0593764e045a134dbc9561d80d569/analysis/1386574798/
TL;DR - User x55xx77 at https://bitcointalk.org/index.php?topic=353317.20 is distributing malware
Unfortunately it has come to my attention that my computer was infected and someone merged my tool with a "Remote Administration tool" sorry for the inconvinience i am going to take the program down until i fix the issue , i hope no damage was done
I don't see any reason why it shouldn't be a virus. Common sense: Don't download things that is supposed to give you money in return of nothing.
I know. It's always fun to see how they work, tho.
I don't see any reason why it shouldn't be a virus. Common sense: Don't download things that is supposed to give you money in return of nothing.
I downloaded the file off: https://bitcointalk.org/index.php?topic=353317.20 -> malware://ge.tt/7b0tCb71/v/0
MD5SUM
\373a8c958464d1fb665755e9ea2500b4 *Downloads\\BitCoin Miner.exe
It is a self-extracting RAR archive (Proof)
Inside, there are several suspicious-looking files.
The VBS launched has this code inside:
cMegS.exe is a renamed AutoIt interpreter, and mzBrYaXnW.SIM is script, filled with blank lines so it's not easily read.
Let's clean it up: >findstr ".." mzBrYaXnW.SIM>malware.au3
My AV software recognizes it as Win32/Injector.Autoit.YC
Besides doing some evil things, it decrypts and loads QTj.MUK...
Let's decrypt it -> https://www.virustotal.com/en/file/7d1d803aeb3f20310c3c1dfb3d09ee44c1c0593764e045a134dbc9561d80d569/analysis/1386574798/
TL;DR - User x55xx77 at https://bitcointalk.org/index.php?topic=353317.20 is distributing malware
MD5SUM
\373a8c958464d1fb665755e9ea2500b4 *Downloads\\BitCoin Miner.exe
It is a self-extracting RAR archive (Proof)
Inside, there are several suspicious-looking files.
The VBS launched has this code inside:
Code:
CreateObject("WScript.Shell").Exec "cMegS.exe mzBrYaXnW.SIM"cMegS.exe is a renamed AutoIt interpreter, and mzBrYaXnW.SIM is script, filled with blank lines so it's not easily read.
Let's clean it up: >findstr ".." mzBrYaXnW.SIM>malware.au3
My AV software recognizes it as Win32/Injector.Autoit.YC
Besides doing some evil things, it decrypts and loads QTj.MUK...
Let's decrypt it -> https://www.virustotal.com/en/file/7d1d803aeb3f20310c3c1dfb3d09ee44c1c0593764e045a134dbc9561d80d569/analysis/1386574798/
TL;DR - User x55xx77 at https://bitcointalk.org/index.php?topic=353317.20 is distributing malware
Jump to: