Bitcoin Forum>Economy>Trading Discussion>Reputation
Author

Topic: [Flag] User "ksystems77" spreading malware (Read 266 times)

bob123
legendary
Activity: 1624
Merit: 2481
[Flag] User "ksystems77" spreading malware
September 08, 2019, 03:04:40 PM
#6
Quote from: Lafu on September 08, 2019, 02:41:17 PM
https://www.virustotal.com/gui/file/f79fe737f51a8c8d33c9db677ff236228d66063a35290ef1ee29ed0bec86c7e1/detection

~snip~

You do know how AV engines check a file, do you ?

Mostly 2 steps:
1) Check whether this file is known already
2) Runtime analysis.

AV's are weak. They never find malware if it is coded properly.

Just because 2/70 AV's regard that as malware, that's neither an argument that it is malware, nor that it isn't malware.
This just means it is not known yet and that it doesn't raise too many red flags (e.g. like encrypting system folder).

The results i posted are from a proper analysis with detailed reports, not from simple AV scans.
I honestly don't understand how they can't check the IP the software is connecting to. This IP is related to several other illegal (hacking-) activities. Just one additional argument that AV's are extremely weak and only useful for very well-known malware.



Quote from: DireWolfM14 on September 08, 2019, 03:02:34 PM
Isn't this a ban-able offense?

Yes.
DireWolfM14
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
Re: [Flag] User "ksystems77" spreading malware
September 08, 2019, 03:02:34 PM
#5
Isn't this a ban-able offense?
Baofeng
legendary
Activity: 2576
Merit: 1655
Re: [Flag] User "ksystems77" spreading malware
September 08, 2019, 03:00:45 PM
#4
I checked Eletrum's official twitter account here https://twitter.com/electrumwallet?lang=en and there's no mentioned of this so called new portable wallet.

Supported the flag.
Lafu
legendary
Activity: 3136
Merit: 3213
Re: [Flag] User "ksystems77" spreading malware
September 08, 2019, 02:41:17 PM
#3
https://www.virustotal.com/gui/file/f79fe737f51a8c8d33c9db677ff236228d66063a35290ef1ee29ed0bec86c7e1/detection




ABCbits
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Re: [Flag] User "ksystems77" spreading malware
September 08, 2019, 02:02:50 PM
#2
Good thing you archived it before the posts was edited Smiley

But looks like the account was hacked since :
1. His/her last posts was made on September 16, 2018, 06:52:19 PM
2. Getting merit isn't that easy, so i doubt scammer would use such valuable account


Edit : He share it again on :
1. https://bitcointalksearch.org/topic/bitcoin-core-0181-released-5174171 (https://archive.is/GVsWD)
2. https://bitcointalksearch.org/topic/--5182910 (https://archive.is/jvWmi)
bob123
legendary
Activity: 1624
Merit: 2481
Re: [Flag] User "ksystems77" spreading malware
September 08, 2019, 01:55:39 PM
#1
Original topic: https://bitcointalksearch.org/topic/--5182888
Archived: https://archive.fo/8xKAH

Reasons to believe this user is spreading malware: I run an analysis on the software he declares as "NEW PORTABLE ELECTRUM ENCRYPTED BITCOIN WALLET RELEASED!!!"

Results:
Quote from: ?? on ??
1. It contacts server 84.33.95.3 on an IRC port (6667) and transmits data which is a technique commonly used for C&C server.

2. Malicious artifacts related to 84.33.95.3 found:
Code:
URL: http://84.33.95.3/powershell_attack.txt (AV positives: 6/71 scanned on 09/08/2019 18:21:14)
URL: http://84.33.95.3/crypto-arbitrage_9-8-2.exe (AV positives: 7/71 scanned on 09/08/2019 16:40:08)
URL: http://84.33.95.3/auto-btc.exe (AV positives: 5/71 scanned on 09/08/2019 13:39:30)
URL: http://84.33.95.3/bit-trader_bot_3_7_8.exe (AV positives: 9/71 scanned on 09/08/2019 13:33:39)
URL: http://84.33.95.3/bitcoin_auto_trader-6-8-1.exe (AV positives: 5/71 scanned on 09/08/2019 13:14:10)
File SHA256: 788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e (AV positives: 51/71 scanned on 09/07/2019 15:14:14)
File SHA256: a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37 (AV positives: 24/72 scanned on 09/07/2019 14:09:06)
File SHA256: bfabf136cc96db595ce8dd3a3bbbf4f52c979bbc740403d791713be92935f630 (AV positives: 13/66 scanned on 09/07/2019 12:29:42)
File SHA256: bdb3f9c296b79aaa2b919b5b29ae3a07a9936fd626ae47ff6290117591e9b331 (AV positives: 53/72 scanned on 09/06/2019 16:40:49)
File SHA256: 5273aa63893f04cb54478a790878dea326908e8235741dbfb80273fb148cde5e (AV positives: 37/70 scanned on 09/01/2019 07:08:21)

3. Touches files in the windows directory:
Code:
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"

4. It cointains techniques to detect sandboxing and to counter debugging (not good enough  Grin)


Created a Type1-flag: FLAG
Bitcoin Forum>Economy>Trading Discussion>Reputation
Jump to: