stackz
ESET Insiders
Everything posted by stackz
-
The loader and xworm payload are contained in the batch file. The payload is an encoded resource of the loader. If it's not executed as administrator, or is run in a virtual environment or thinks it's being debugged/analyzed, the loader will exit. If there were no other detections outside of the batch files, then I doubt infection took place. If your 'C' drive wasn't added as an exclusion in Defender, then the loader likely exited without infecting.
-
The final payload is xworm 5.2 - https://www.virustotal.com/gui/file/e5c423b29909bed8ab996d2f73db11e1e72d84a6ace0ba73feb1411764259d50?nocache=1 If Windows Defender is used, then the "C" drive is added as an exclusion. Like all RATs, there are potentially passwords stolen and information from the clipboard. There should be a scheduled task (OneNote 71730) and shell:startup entry. This is the loader for the above file: https://www.virustotal.com/gui/file/7d5742c543a7f6412985e3ac832204931be7e1e20ca600e7434b534bbbc1e3a9
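The two posts above name three host indicators for this xworm sample: a Defender exclusion covering the C: drive, a scheduled task called "OneNote 71730", and a shell:startup entry. The following triage script is an added example and not code from the forum post or from ESET; it checks a machine for those three indicators and compares any startup files against the two SHA-256 hashes in the VirusTotal links. The task name, exclusion path and hashes come from the posts; the output format and the regex for the drive exclusion are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added triage check for the indicators described in the posts (not the post's code).
# SHA-256 hashes are taken from the two VirusTotal URLs quoted above.
$knownHashes = @(
    'E5C423B29909BED8AB996D2F73DB11E1E72D84A6ACE0BA73FEB1411764259D50',  # xworm 5.2 payload
    '7D5742C543A7F6412985E3AC832204931BE7E1E20CA600E7434B534BBBC1E3A9'   # loader
)
$findings = @()

# 1. Defender path exclusions: an exclusion for the whole C: drive is a red flag.
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($path in @($exclusions)) {
    if ($path -match '^[Cc]:\\?$') {      # assumption: matches "C:" or "C:\" only
        $findings += "Defender exclusion covers the whole drive: $path"
    }
}

# 2. Scheduled task with the name seen in this sample.
$task = Get-ScheduledTask -TaskName 'OneNote 71730' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task '$($task.TaskName)' present, runs: $actions"
}

# 3. Per-user and all-users startup folders (shell:startup / shell:common startup),
#    hashing each file and flagging matches against the known sample hashes.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        $tag = if ($knownHashes -contains $hash) { 'MATCHES KNOWN SAMPLE' } else { 'unknown' }
        $findings += "Startup entry: $($_.FullName) SHA256=$hash ($tag)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this sample found.' } else { $findings }
```

A .lnk in the startup folder will not hash-match the payload itself, so also inspect where any shortcut points; and an exclusion list that is empty on a machine that was "infected" supports the first post's conclusion that the loader exited before doing anything.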
-
Does ESET detect Batcloak engine based malware
stackz replied to The_Eagle_007's topic in Malware Finding and Cleaning
Re 77E5E64742EF85E2DD5F05C7571A98D0C6583346 - ESET detection log entry (fields as exported):
Time: 3/07/2023 9:58:53 AM
Scanner: Real-time file system protection
Object type: file
Object: D:\Downloads\77E5E64742EF85E2DD5F05C7571A98D0C6583346.bat
Detection: PowerShell/Kryptik.FU trojan
Action: cleaned by deleting
User: (empty)
Information: Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zFM.exe (6F47DBFD6FF36DF7BA581A4CEF024DA527DC3046).
Hash: 77E5E64742EF85E2DD5F05C7571A98D0C6583346
First seen here: 3/07/2023 9:58:45 AM
-
PowerShell/TrojanDownloader.Agent.ETC on virustotal link
stackz replied to User13's topic in Malware Finding and Cleaning
I can reproduce this. When you go to the VT page you are actually landing on the behavior page, and ESET is picking up on some of the displayed PowerShell script parts. See example pics below. So essentially there's no live malware to get infected from. (Screenshots: At VT; In cache)
-
Comodo Website Compromised??
stackz replied to el el amiril's topic in ESET Internet Security & ESET Smart Security Premium
By removing the zeros, you've turned all those executables into binary junk that doesn't even run. That some AVs detect these things shows that those AVs are not very good (to put it nicely).
-
Suspicious startup app
stackz replied to el el amiril's topic in ESET Internet Security & ESET Smart Security Premium
That entry is a leftover from a removed app that was located in one of the Program Files folders. Download Autoruns: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns Extract Autoruns64.exe and right click, Run as administrator. Accept the EULA. When it finishes scanning, select the Logon tab; the entry will be highlighted in yellow. Right click on the entry and delete it.
-
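Autoruns highlights an entry in yellow when the file it points to no longer exists, which is the "leftover" condition described above. The script below is an added example, not code from the post or from Sysinternals; it reproduces that check for the common Run/RunOnce registry keys so the orphaned entry can be found without the GUI. The key list, the path-parsing regexes and the output shape are my own choices.

```powershell
# Added example: list Run/RunOnce entries whose target executable is missing
# (the same "file not found" condition Autoruns shows in yellow). Not from the post.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandPath {
    # Pull the executable path out of a Run-value command line: the quoted
    # leading token if present, otherwise everything up to the first ".exe".
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $cmd))
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Missing = $exe
            }
        }
    }
}

# Once an entry is confirmed as a leftover, this is the equivalent of Autoruns' Delete:
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<entry name>'
```

Run it as administrator so the HKLM keys are readable; a missing target is a strong sign of a leftover, but check the Command column before removing anything, since an installer may have written a path with unusual quoting that the regexes above do not parse.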
I assume it's a false positive as none of the app files are detected. https://github.com/winsiderss/si-builds/releases/download/3.0.6226/systeminformer-3.0.6226-setup.exe
Scanner: Real-time file system protection
Object type: file
Object: D:\Downloads\systeminformer-setup.exe
Detection: Suspicious Object
Action: cleaned by deleting
Information: Event occurred on a new file created by the application: C:\Windows\explorer.exe (B2F6AB62DD429F078FBA2B7B42E88B51BD98EA3A).
Hash: B7C44AFD35ABFFC7292560E5CB4EB2219EE21EF3
-
It's where you were instructed in this post: https://answers.microsoft.com/message/d469b249-d6f3-4cda-a151-64d0b504aa12?threadId=313c4bbd-2faf-4689-a7be-ed56289563c9 Right click the tray icon and select Advanced setup. Web and email > Email client protection > Toggle off 'Integrate into Microsoft Outlook', or
-
Setup.exe rebuilt - https://www.virustotal.com/gui/file/a188e096c0f19e43d979132e16ec6f4499cac50d777e1de65d7a4ad777c897de/detection
-
Event ID=1108
stackz replied to Pete12's topic in ESET Internet Security & ESET Smart Security Premium
It's definitely not ESET. The ID 1108 entries persist with ESET removed.
-
Event ID=1108
stackz replied to Pete12's topic in ESET Internet Security & ESET Smart Security Premium
I just rebooted my system to look after reading this thread. I have a run of 1108 logged as audit success from early in boot, right after lsass starting and the auditing subsystem initialization. Here's the OP's screenshot translated:
-
ESSP - SSL/TLS list not populating
stackz replied to stackz's topic in ESET Internet Security & ESET Smart Security Premium
OK, I'm not particularly concerned, just it used to always populate automatically with all the apps that connected via SSL.
-
html/Refresh.BC trojan alert when typing 192.168.1.254
stackz replied to gryn2's topic in Malware Finding and Cleaning
It's just Chrome preloading links from the search results. I get the same thing happen when Google searching the same address with MS Edge.
-
blendjets.su are serving up malware in the form of a fake Blender download. I emailed samples@eset.com over the weekend without response so far.
-
Rebuild the performance counters: https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/manually-rebuild-performance-counters Then create a new data collector set by running Performance Monitor. The process is similar to the following guide, just select all the GPU related performance counters. https://help.tableau.com/current/server/en-us/perf_collect_perfmon.htm I don't believe this problem has anything to do with ESET, as the problem is affecting a far wider audience. Doing the above procedure worked for me.
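The rebuild procedure from the linked Microsoft article, typed into an elevated PowerShell prompt, followed by a command-line equivalent of the data collector set the post describes. This is an added example and not the post's own commands or Microsoft's text: the lodctr and winmgmt steps are the ones the article documents, while the collector name, output path, sampling interval and the two GPU counter paths are my assumptions and should be adjusted to the counters visible in Performance Monitor on your system.

```powershell
# Added example of the counter rebuild described in the post (not the post's own text).
# Run from an elevated PowerShell prompt. Both the 64-bit and 32-bit stores are rebuilt,
# because the WOW64 counter store is separate.
Set-Location "$env:windir\System32"
lodctr /R              # rebuild counter settings from the 64-bit backup store
Set-Location "$env:windir\SysWOW64"
lodctr /R              # rebuild the 32-bit store as well
winmgmt /resyncperf    # make WMI's performance library pick up the rebuilt registry

# Quick check: any counter provider still reported as Disabled?
lodctr /Q | Select-String -Pattern 'Disabled'

# Assumption: a data collector set for GPU counters, the command-line form of the
# Performance Monitor steps in the Tableau guide. Name, path, interval and counter
# paths are my choices; confirm the counter names via: typeperf -q | Select-String GPU
logman create counter GpuCounters `
    -c '\GPU Engine(*)\Utilization Percentage' '\GPU Adapter Memory(*)\Dedicated Usage' `
    -si 00:00:05 `
    -o "$env:SystemDrive\PerfLogs\GpuCounters"
logman start GpuCounters
# Later: logman stop GpuCounters ; open the .blg under C:\PerfLogs in Performance Monitor
```

If the first `lodctr /R` fails with a "system backup store" error, run the SysWOW64 step first and repeat; the `typeperf -q` check is the simplest way to confirm the GPU counter sets exist again after the rebuild.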
-
More LiveGuard Concerns
stackz replied to itman's topic in ESET Internet Security & ESET Smart Security Premium
The script was also blocked here.
-
HIPS Serious Problem!!!
stackz replied to Mr_Frog's topic in ESET Internet Security & ESET Smart Security Premium
It just seems rather ridiculous that if I have, for example, C:\1\2\3\protected_file.txt and I make a rule to prevent modification of any file in 3, I also need to make a similar rule for 1 and 2 in case either 1 or 2 gets renamed.
-
HIPS Serious Problem!!!
stackz replied to Mr_Frog's topic in ESET Internet Security & ESET Smart Security Premium
Just tested and confirmed. This is a real show stopper.