
Topic: [Flag] User "ksystems77" spreading malware (Read 270 times)

legendary
Activity: 1624
Merit: 2481
September 08, 2019, 03:04:40 PM
#6

You do know how AV engines check a file, don't you?

Mostly 2 steps:
1) Check whether this file is known already
2) Runtime analysis.

AVs are weak. They never find malware if it is coded properly.

Just because 2/70 AVs regard that as malware, that's neither an argument that it is malware, nor that it isn't malware.
This just means it is not known yet and that it doesn't raise too many red flags (e.g. like encrypting the system folder).

The results I posted are from a proper analysis with detailed reports, not from simple AV scans.
I honestly don't understand how they can't check the IP the software is connecting to. This IP is related to several other illegal (hacking) activities. Just one additional argument that AVs are extremely weak and only useful for very well-known malware.



Isn't this a ban-able offense?

Yes.
copper member
Activity: 2338
Merit: 4543
September 08, 2019, 03:02:34 PM
#5
Isn't this a ban-able offense?
legendary
Activity: 2576
Merit: 1655
September 08, 2019, 03:00:45 PM
#4
I checked Electrum's official Twitter account here https://twitter.com/electrumwallet?lang=en and there's no mention of this so-called new portable wallet.

Supported the flag.
legendary
Activity: 2870
Merit: 7490
September 08, 2019, 02:02:50 PM
#2
Good thing you archived it before the post was edited :)

But it looks like the account was hacked since:
1. His/her last post was made on September 16, 2018, 06:52:19 PM
2. Getting merit isn't that easy, so I doubt a scammer would use such a valuable account



Edit: He shared it again on:
1. https://bitcointalksearch.org/topic/bitcoin-core-0181-released-5174171 (https://archive.is/GVsWD)
2. https://bitcointalksearch.org/topic/--5182910 (https://archive.is/jvWmi)
legendary
Activity: 1624
Merit: 2481
September 08, 2019, 01:55:39 PM
#1
Original topic: https://bitcointalksearch.org/topic/--5182888
Archived: https://archive.fo/8xKAH

Reasons to believe this user is spreading malware: I ran an analysis on the software he declares as "NEW PORTABLE ELECTRUM ENCRYPTED BITCOIN WALLET RELEASED!!!"

Results:
1. It contacts server 84.33.95.3 on an IRC port (6667) and transmits data which is a technique commonly used for C&C server.

2. Malicious artifacts related to 84.33.95.3 found:
Code:
URL: http://84.33.95.3/powershell_attack.txt (AV positives: 6/71 scanned on 09/08/2019 18:21:14)
URL: http://84.33.95.3/crypto-arbitrage_9-8-2.exe (AV positives: 7/71 scanned on 09/08/2019 16:40:08)
URL: http://84.33.95.3/auto-btc.exe (AV positives: 5/71 scanned on 09/08/2019 13:39:30)
URL: http://84.33.95.3/bit-trader_bot_3_7_8.exe (AV positives: 9/71 scanned on 09/08/2019 13:33:39)
URL: http://84.33.95.3/bitcoin_auto_trader-6-8-1.exe (AV positives: 5/71 scanned on 09/08/2019 13:14:10)
File SHA256: 788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e (AV positives: 51/71 scanned on 09/07/2019 15:14:14)
File SHA256: a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37 (AV positives: 24/72 scanned on 09/07/2019 14:09:06)
File SHA256: bfabf136cc96db595ce8dd3a3bbbf4f52c979bbc740403d791713be92935f630 (AV positives: 13/66 scanned on 09/07/2019 12:29:42)
File SHA256: bdb3f9c296b79aaa2b919b5b29ae3a07a9936fd626ae47ff6290117591e9b331 (AV positives: 53/72 scanned on 09/06/2019 16:40:49)
File SHA256: 5273aa63893f04cb54478a790878dea326908e8235741dbfb80273fb148cde5e (AV positives: 37/70 scanned on 09/01/2019 07:08:21)

3. Touches files in the Windows directory:
Code:
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"

4. It contains techniques to detect sandboxing and to counter debugging (not good enough :D)


Created a Type1-flag: FLAG