Nightowl

Everything posted by Nightowl

  1. I understood what you mean now. The Network Scanner shows you which devices are inside your LAN. In case it's your LAN and it shows some public IP from the scan, can you post a screenshot of it? You can blur most of the IP if you don't want to show it. Also, for your better peace of mind, update your router to the latest version offered by the manufacturer, change your WiFi passwords, and check that the computers connected to the network aren't somehow infected (they could be not).
  2. When ESET shows blocked attempts in the Firewall logs or in the Network Troubleshooter, it means that the firewall is working and blocking attempts from the Internet. But, for example, if you are connected to an office WiFi or home WiFi and yet you are still seeing some public IP addresses trying to communicate with your PC, then you have to check your router and properly configure the firewall to block or reject all incoming connections and keep all outgoing as allowed, in case you don't use any kind of service or port forwarding inside your LAN and have no need to come from the Internet side to the office/home side.
  3. Since you modified it, brother, you broke the signature: you modified the contents, so the signature of the maker is broken. This will give an indicator to A.I. scanners that this file might be malicious, because the A.I. usually knows this software/installer as trusted and signed; then suddenly you uploaded it differently and unsigned, and it will look suspicious to the bots (A.I.). The new unmodified installer that you uploaded got 2 detections; those are false positives. The A.I. might detect them because the installer is new, and it might feel a bit suspicious once you played with the hex and added zeros; 2 more A.I. hated your modification and found it suspicious, and also you broke the signature of the developers. Since I was marked as a solution, I may be wrong or not 100% accurate; if I am mistaken, please correct me.
  4. I believe not, but you can make it a bit different: connect the drive to some endpoint and you can force the endpoint to scan there. I think that works, but very slowly.
  5. Since AVs mark those applications as SAFE, most of their actions, if not all, would be considered normal by the AVs, and that's why malware developers go to the hassle of using legit software for their illegal operations.
  6. Thank you also, Peter, for the assistance. One last note: after clearing everything, one should reset the Windows Firewall settings in case it's used, because the Trojan will open ports for itself in Windows Firewall.
  7. Thanks to everyone involved in the topic with help for this threat. I believe the endpoints are clean now; I will keep monitoring for weird things, and if something happens I will report back. And also thanks to ESET and Fortinet.
  8. Also, you are being blocked by Fortinet. Try to download the website files to your computer, see which file ESET is sensitive to, replace it with the original, or see what has been hijacked between the original and the modified one.
  9. I can confirm the detections of what I sent, because I sent the same folder to both ESET and Fortinet, because that is what the endpoints work with.
     Regenererede.vbs with MD5 e627f016283c17b4badc6f5b47f677d3: VBS/Agent.77d3!tr
     SciLexer.dll with MD5 688c0480ed192ed336911d7ed3730561: W32/Rugmi.0561!tr
     Fruit.png with MD5 c2a09a3c72717c71a6ac22c9f342a0d2: Data/Agent.STGP!tr
     ms.png with MD5 7b2f3421621a080c2043e6c90821c618: Data/Agent.STGP!tr
     Fruit.png with MD5 fd5cb5160053fcd028ad81016357dff5: Data/Agent.STGP!tr
     Pine.png with MD5 7f5546e1202e06e17c3eabe86107a504: Data/Agent.STGP!tr
     Fruit.png with MD5 0086f1ed58e6516027bdc7d8a6c2c9ad: Data/Agent.STGP!tr
  10. So, since most of the files are not detected: most of them are to be found in AppData/Roaming, with weird names or Adobe, or in Local as Bhromium or something like this, and somewhere in AppData you can find the firefox. Simply searching for vlc.exe, firefox.exe, python.exe, notepad++.exe in AppData will most likely show you where it is staying, and you can manually remove them. Blocking *.imgur.com, and the C&C server that is found in the AnyRun report, will isolate the Trojan; the load cannot be downloaded from imgur again, and if there was an infection, there is no connection to the C&C. ESET can pick it and clean the infected PowerShell, and clean the things that were reported earlier in the thread; other scanners like Hitman didn't pick anything. ESET did all the job, but there was still unpicked stuff; I deleted them manually. Task Schedulers for VLC and Python and Notepad++, which are the legit softwares, but they are using them to load the loads. Once all is cleaned, and the schedulers disabled and removed, it shouldn't come back to life, nor be alive.
     Thanks for the note, bro. Actually, this photo from the BleepingComputer post you mentioned is actually how the trojan works: File (came through whatever way) --> DLL with whatever vulnerable software --> PNG from imgur --> PowerShell to C&C (communication blocked by Fortinet first); then ESET was installed to clean PowerShell, which was successful. Since a DLL beside a trusted application is a stealthy way for a malware to proceed, since everything is marked Trusted/Safe, the trojan has no problem proceeding however it likes. With PNGs being downloaded from a Trusted/Safe place, no web filter/DNS filter would stop imgur.com unless it was filtered on purpose to stop users from accessing it. PowerShell would silently communicate with its C2 server without being detected by anyone unless the C2 and the shell are detected by security vendors.
     If the shell is not detected, and it will always be revived by the schedulers if something happened to it, then access would be granted to the device all the time, and then anything can happen, ransomware or any other attacks.
  11. Most scanners don't care about images by their nature, I think? This is why malware developers now use this way. And since the image is uploaded to a very well-known place like imgur, when the Trojan communicates with imgur you will find it normal: someone is surfing photos. And the trojan would evade any web/DNS filters you would set, since imgur is trusted. This is one of the Fruits.
  12. Those are the threats, my brother. The trojan downloads them from imgur to stay stealthy, and then they will be changed to the wanted extension; Fortinet already detects one of them, Fruit.png. With every fake program the Trojan uses, it will have a .png file for it: Notepad++, VLC, Python, Firefox. They are all legit versions, but probably some kind of old versions that have vulnerabilities, and the Trojan uses them to achieve what needs to be achieved, and communicates to C&C with PowerShell, but ESET can stop it and remove it (the PowerShell one).
  13. I have sent more archives that are supposed to be threats; they all have the same password of "infected". They are attached to my email also, with ESET sending. Example files:
     https://www.virustotal.com/gui/file/cadd19935b6d2bd7208402c760923bbaa2807633d0306c3cb15337227179399e?nocache=1
     https://www.virustotal.com/gui/file/4bb7fcab55b4f55f74d98c20205148a69f33dc39f3f99d9c11d1b22a4476562f?nocache=1
     https://www.virustotal.com/gui/file/08739fea7bfdf3b641709a3d5b6e6d64be4ea75375dda9fe5cf7234e40cfbe12/detection
     https://www.virustotal.com/gui/file/b2b8b97427bacead4a3de569d4901c13fb60131d7d9c5ba10fa885e13a9cc1f7?nocache=1
  14. Try using this to prevent the script from running till you find the source of it: https://www.thewindowsclub.com/how-to-turn-on-or-off-windows-powershell-script-execution Look in the System Scheduler, and look in the Startup entries; these are the most usual places for how a malware could keep reviving itself after being removed.
  15. It isn't, bro, because when the trojan troubled me with coming back to life every time I killed it, I thought to change strategy and remove Python from the computer, which would render its scripts useless, but there is no Python on the PC; I thought it was installed from before. Then I used HIPS to monitor what accesses this area, and then I thought I should get more aggressive now: I blocked the whole area to prevent anything from reading or writing to it using HIPS, and I restarted. Then python.exe and python39.dll ceased to be used by something else; something held them and prevented anything from touching them, and I couldn't even add a firewall rule for it, because I wanted to block it from communicating. I felt like maybe another scanner got it for restart cleaning? But nope, no scanner identified python39.dll as malicious, only as suspicious because it's not signed, but all the rest of the files, even the modified ones, have the company names; like for Firefox, everything has Mozilla, even the modified ones (unsigned).
  16. I believe they are normal versions of the EXE; the .dlls are just hijacked. The fake firefox that came with it had an icon from older versions of firefox; you can notice it's an old version of firefox. VLC also looked like the real one, but the .dlls are hijacked. This is why scanners aren't picking them (python.exe, firefox.exe, vlc.exe), because I think they are legit; just the .dlls are messed up. I believe python.exe is needed to be able to run the Python script that is hidden somewhere, since there is no Python installed on the PC. If they were edited or messed up, then I would have got an indicator that the exes aren't signed properly, tampered or edited. Edit: I didn't read properly; yes, what you have said could explain it, and it could be those aren't real executables and were just made by the script. I sent ESET the whole packs of the fake stuff, but I removed python.exe actually, and I don't think I can get it back, because at that time ESET picked its python39.dll, and I still believe somehow that python.exe is a normal one. I believe the fake stuff (firefox, vlc, python) all were real, but versions that have vulnerabilities and can be changed/modified; that's why they were all packed with hijacked DLLs and weird file types that would just change after execution.
  17. This is what runs the malicious Python in Adobe in the Scheduler: And this is what runs the malicious VLC in the Scheduler:
  18. It should be received from another endpoint; no, I don't think there is a bug, because I sent examples from 2 endpoints, one without email, one with email. I will send in PM.
  19. I worked with HIPS to see who reads and writes, but once I wasn't able to stop it, remove it or archive it, I thought it's better to block the whole place; I blocked and restarted the PC, and I removed it. I believe when you run the malicious exe that is hidden as .pif, it asks for admin? I don't know, I didn't ask. I also saved the XMLs for the Schedulers. And the PC doesn't have anything belonging to Adobe, but I believe the virus will gain admin somewhere with VLC and CMD.
  20. Hello Peter. I have attached the whole folder of fake VLC and fake Firefox, put them in a 7z archive and passworded them with "malware". I sent through the ESET GUI with my email address; I have confirmed that they have reached through the Events logs, but I kept a backup in case they didn't reach. I was having trouble cleaning python39.dll because it kept telling me it's running somewhere; something held it, but I didn't catch it. I restarted; what held it stopped. I tried to archive it, but ESET got it; it seems that it received updates, so I didn't pack the .dll because ESET already knows it. I think what held it is Task Scheduler somewhere; I made sure it didn't come back in Task Scheduler. What I noticed: I had hands on 2 infections, one with W10 and one with W11. The only difference I saw was that in W10 it was able to make a startup entry, in W11 it didn't; I will double check to make sure. Thanks to all also, it's my pleasure.
  21. I sent 2 more remnants that aren't detected but looked suspicious. I cleaned the system scheduler; it had VLC and Python commands to run at startup and at 7 PM. The remnants are here:
     https://www.virustotal.com/gui/file/e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd/detection/f-e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd-1679390226
     https://www.virustotal.com/gui/file/e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3/detection/f-e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3-1679390159
     Unsigned files for Python and VLC; they looked suspicious to scanners. This is a remnant also not detected, but I wasn't able to send it, I deleted it by mistake: https://www.virustotal.com/gui/file/65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0
     ssl3.dll
     Size . . . . . . . : 132,712 bytes
     Age . . . . . . . : 4.9 days (2023-03-17 12:42:24)
     Entropy . . . . . : 6.1
     SHA-256 . . . . . : 65327E1555994DACEE595D5DA9C9B98967D1EA91CCB20E8AE4195CD0372E05A0
     Product . . . . . : Network Security Services
     Publisher . . . . : Mozilla Foundation
     Description . . . : NSS SSL Library
     Version . . . . . : 3.11.5
     RSA Key Size . . . : 2048
     LanguageID . . . . : 1033
     Authenticode . . . : Invalid
     > SurfRight . . . . : Mal/Generic-S
     Fuzzy . . . . . . : 122.0
     Scheduler: I made a restart now; I will check if it comes back. I believe the Scheduler is what revived it, and ESET kept removing it as Spy Agent in the Advanced Memory Scanner. I sent the 2 examples to ESET the same way I did for the first post: Right click > ESET > Submit for Analysis.
  22. Thank you Marcos, ITMAN. It isn't my business account; I just worked to clean the PC because I was asked to, and ESET was there, to my luck. I will inform if I am asked about LiveGuard.
  23. I didn't notice that; I sent manually. The product on the PC is ESET Endpoint Security. I think Endpoint Security doesn't have LiveGuard yet; it's only available on Smart Security. And the file came through Skype to the affected machine.
  24. Yeah, I noticed that now when I got into the AnyRun link.
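The persistence pattern these posts describe (posts 10, 14, 16 and 21: scheduled tasks and startup entries launching look-alike copies of VLC, Python, Firefox or Notepad++ out of a user profile, with hijacked unsigned DLLs sitting beside them) can be hunted for from the defender's side. The script below is an added example written for this page, not ESET's tooling or the poster's own commands; the abused file names come from the thread, and it assumes an elevated PowerShell 5.1 or later session on the suspect Windows host.

```powershell
# Added example: list scheduled-task and Run-key launch targets, flag the ones that
# resolve into a user profile under an abused product name, and report the
# Authenticode status of that EXE and every DLL next to it (sideloading check).
$abusedNames  = 'vlc.exe','python.exe','pythonw.exe','firefox.exe','notepad++.exe'  # names from the thread
$profileRoots = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }

function Resolve-LaunchPath([string]$Raw) {
    # Expand %APPDATA%-style variables, then strip quotes and arguments from the command.
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    return $p.Split(' ')[0]
}

function Get-SignatureReport([string]$Dir) {
    # One row per PE in the directory. NotSigned or HashMismatch on a file that still
    # carries a Mozilla/VideoLAN/Python version block is the tell seen in the thread.
    Get-ChildItem -LiteralPath $Dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe','.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Collect launch targets from every scheduled-task action and both Run keys.
$targets = @()
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        if ($a.Execute) { $targets += [pscustomobject]@{ Source = "Task:$($t.TaskPath)$($t.TaskName)"; Raw = $a.Execute } }
    }
}
foreach ($hive in 'HKCU:','HKLM:') {
    $props = Get-ItemProperty -Path "$hive\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $targets += [pscustomobject]@{ Source = "Run:$hive\$($prop.Name)"; Raw = [string]$prop.Value }
    }
}

# Flag targets that live under a user profile and borrow an abused product name.
foreach ($tg in $targets) {
    $path = Resolve-LaunchPath $tg.Raw
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    $inProfile = $profileRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($inProfile -and ($abusedNames -contains [IO.Path]::GetFileName($path).ToLower())) {
        Write-Output "SUSPECT  $($tg.Source)  ->  $path"
        Get-SignatureReport ([IO.Path]::GetDirectoryName($path)) | Format-Table -AutoSize
    }
}
```

A hit is only a lead: confirm it by comparing the flagged directory against a clean install of the same product and by exporting the task XML before disabling it, as the poster did.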