
stackz

ESET Insiders
  • Posts: 406
  • Days Won: 19

Posts posted by stackz

  1. The loader and xworm payload are contained in the batch file. The payload is an encoded resource of the loader. If it's not executed as administrator, or is run in a virtual environment or thinks it's being debugged/analyzed, the loader will exit.

    If there were no other detections outside of the batch files, then I doubt infection took place. If your 'C' drive wasn't added as an exclusion in Defender, then the loader likely exited without infecting.

  2. The final payload is xworm 5.2 -

    https://www.virustotal.com/gui/file/e5c423b29909bed8ab996d2f73db11e1e72d84a6ace0ba73feb1411764259d50?nocache=1

    If Windows Defender is used, then the "C" drive is added as an exclusion. Like all RATs, there are potentially passwords stolen and information from the clipboard.

    There should be a scheduled task (OneNote 71730) and shell:startup entry.

    This is the loader for the above file:

    https://www.virustotal.com/gui/file/7d5742c543a7f6412985e3ac832204931be7e1e20ca600e7434b534bbbc1e3a9
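A defender-side check for the three artifacts named in the post above (the whole-C: Defender exclusion, the "OneNote 71730" scheduled task and the shell:startup entry). This is an added example, not stackz's code or an ESET tool; it assumes a Windows 10/11 host with the Defender PowerShell module available and that the task and folder names are exactly as stated in the post.

```powershell
# Added example script, not from the forum post. Assumes Windows 10/11 with
# Microsoft Defender present (Get-MpPreference) and the artifact names as given
# in the post: scheduled task "OneNote 71730" and a shell:startup entry.
$findings = @()

# 1. Defender exclusions: the loader adds the whole C: drive as an exclusion.
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($path in $exclusions) {
    # Match a bare drive root such as "C:" or "C:\"
    if ($path -match '^[A-Za-z]:\\?$') {
        $findings += "Whole-drive Defender exclusion present: $path"
    }
}

# 2. Scheduled task persistence under the name quoted in the post.
$task = Get-ScheduledTask -TaskName 'OneNote 71730' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task found: $($task.TaskName) -> $actions"
}

# 3. shell:startup entries, both per-user and all-users startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Startup entry: $($_.FullName)"
    }
}

# Report. Any startup entry is listed for review; only the exclusion and the
# named task are direct matches for the artifacts described in the post.
if ($findings.Count -eq 0) {
    'None of the persistence artifacts described in the post were found.'
} else {
    $findings
}
```

Run from an elevated PowerShell session, since Get-MpPreference and Get-ScheduledTask return incomplete results for a standard user.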

  3. Re 77E5E64742EF85E2DD5F05C7571A98D0C6583346 -

    Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
    3/07/2023 9:58:53 AM;Real-time file system protection;file;D:\Downloads\77E5E64742EF85E2DD5F05C7571A98D0C6583346.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zFM.exe (6F47DBFD6FF36DF7BA581A4CEF024DA527DC3046).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;3/07/2023 9:58:45 AM

  4. That entry is a leftover from a removed app that was located in one of the Program Files folders. Download Autoruns.

    https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

    Extract Autoruns64.exe, right-click it and run as administrator. Accept the EULA. When it finishes scanning, select the Logon tab; the entry will be highlighted in yellow. Right-click on the entry and delete it.

  5. I assume it's a false positive as none of the app files are detected.

    https://github.com/winsiderss/si-builds/releases/download/3.0.6226/systeminformer-3.0.6226-setup.exe

    Real-time file system protection;file;D:\Downloads\systeminformer-setup.exe;Suspicious Object;cleaned by deleting;Event occurred on a new file created by the application: C:\Windows\explorer.exe (B2F6AB62DD429F078FBA2B7B42E88B51BD98EA3A).;B7C44AFD35ABFFC7292560E5CB4EB2219EE21EF3;

  6. Rebuild the performance counters:

    https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/manually-rebuild-performance-counters

    Create a new data collector set by running Performance Monitor. The process is similar to the following guide; just select all the GPU-related performance counters.

    https://help.tableau.com/current/server/en-us/perf_collect_perfmon.htm

    I don't believe this problem has anything to do with ESET, as the problem is affecting a far wider audience. Doing the above procedure worked for me.
