Topic: x (Read 204 times)

i used malware bytes and removed all the (only 1) thing it found

Full report is now ready..

https://www.hybrid-analysis.com/sample/c41c028d807d241027ce0c62e317f46cd68426c5ce1a3204bfc20a8b05ccd47f/5d10ca27038838004c83abab




it also seems to contact a US server and a DE (german) server I will try do some more indepth on the EXE when I have some more time later.

Bob is correct the best thing to do is to wipe down.

You can look at something like DBAN  ( https://dban.org/ )
This will allow you to securely wipe the HD and make sure there is nothing left on the system..

Another things possibly you should check is your bios make sure nothing has been modified in the BIOS but from looking at this malware I don't think it's packed with a rootkit or bootkit.







Attack surface processing.  Seems to hook.

Removing the file might be not enough.

The first step after infecting a system (from the attackers point of view) is to gain persistent access.
There are several methods of doing this. The most common is to simply migrate into another process (automatically on start up).


If the malware has been created by some 13 year old script kiddie, your computer is clean.
If that is not the first malware from the author and he knows what he is doing, it is still compromised.


The only way to be sure is to reinstall your OS. It is completely up to you if you do this or not. But if you want to be somewhat sure, you need to do this.

https://www.virustotal.com/gui/url/37a835c912cc5f98786ddf4f19b4d97398fb9aa76739aa89387e83a0bd268394/detection

Here is the report from VT on that file suspect it's crypted hence not being detected by AV scanners to I am surprised that Malware bytes actually removed it.

This is another reason to show that AV is basicly useless in the wild now since swapping a few bytes in the code seems to be enough to bypass most AV's out there now.

Bad times.


Edit*    Include Hybrid analysis report if you look at this report your will see it's detected by this platform more so than Virus total.

https://www.hybrid-analysis.com/sample/c41c028d807d241027ce0c62e317f46cd68426c5ce1a3204bfc20a8b05ccd47f

If I was you I would still wipe down you can never be sure there is not something lurking on the system after infection.
Your best to DC from the internet and cleardown.

You could run some tools like malware bytes to check for additional infections but my advice would be to fully wipe down to be sure your not keeping anything that may be infected.

@bob123 good spot I think I will submit this EXE to virus total ect and report the repo to github for malware.

No, this means i can't say what the malware is exactly doing, since there is no source code.

The source code you are looking at is the code from the legit project gekko. But the author of this malicious version changed 1 file (executable file).
And THIS file contains the malware.

You fell to a malicious fork of gekko (which itself is a legit trading bot).

The original trading bot can be found here: https://github.com/askmike/gekko


The malicious one, forked it from github and literally only made 1 commit: https://github.com/nodeoperate/gekko/commit/7474952aa05f80a3de0f244764702e8a3805e824.
The author of it replaced a binary file (EMA Cross ByBit v1.exe ). This most probably is the malware.

What it exactly does, can not be told without runtime analysis (can be circumvented by malware through multiple checks whether run in a sandbox etc.) or reverse engineering (very time consuming).

Honestly, i highly doubt the author put a lot of effort into the malware, therefore runtime analysis might be an option to see what it does.
If you are interested in checking what files it changes, what network connections it opens etc.. you might want to upload that file to https://any.run/.

This site requires an account (free), but i personally didn't use that site yet, but based on other opinions it should be pretty neat.

I don't see anything in the pastebin that looks like a virus it seems to be a trading stratagy?
I'm guessing you got the virus when trying to run the bot from github?

My thoughts would be there is a downloader somewhere in the codebase and on runtime reaches to some server and downloads the payload.

On a second note your should also submit the URL and or file that contains the malware to places like Virus total or Hybrid-analysis as this will help to pass the infected file around AV company's and it may help others block this malware.

https://www.virustotal.com/gui/

https://www.hybrid-analysis.com/

Simply deleting files usually doesn't clean your computer.

Also AV's only find very well known threats (heuristics) or blatantly obvious malware (runtime analysis).


Properly coded malware is not being detected by any AV software. Do not assume it is clean just because one or multiple AV's didn't report anything.


I'd recommend to backup important files and reinstall your OS to be on the safe side.




Very well imaginable.

Removing malware completely can be quite hard.

What did you exactly do? Just deleted the file ? Using some AV ?
What were the steps you took ?




This fully depends on what kind of malware this was.
Maybe it just was some clipping malware, maybe your whole system if compromised and maybe it even was a root kit where formatting the drive doesn't help you clean your PC.

To be honestly, since it changed your clipping board, i doubt that it is a root kit. I also doubt (if your wallet is not empty yet) that it got access to your private keys (but still possible!).

Just.. if i would create such a malware i would either:
1) Change clipping board and instantly steal all funds or
2) Slowly gather as many private keys as possible and later steal everything (hoping that you will own more cryptos in the future)

Changing the clipping board instantly and still having your system compromised to wait for more funds doesn't make sense in my eyes.
Either your malware is hidden until it steals everything, or it reveals itself and instantly steals everything it has access to.


However, formatting the drive is still the preferred way.
If you don't want to risk losing more, reinstall your OS (please NOT a cracked windows version; EVERY cracked software is infected with malware, that's their business model).




Preferably quote the post where you staked your address and sign 2 messages:
Sign one message with a new address and sign another message where you state that you change it due to the fact that it might be compromised (using your old address).

This shouldn't be a question. The payload can consist of more than the clipboard malware by itself. Removing the virus doesn't guarantee that the other undetected malware would be gone too.

It isn't that much of a hassle to just get a new wallet on a separate computer and wipe the current computer after backing it up. You can't be too safe.

x