Nightowl
Posts posted by Nightowl

  1. 4 minutes ago, itman said:

    Check if Python is installed on the targeted device which would confirm my theory:

    https://www.datacamp.com/blog/how-to-install-python

    It isn't, bro, because when the trojan troubled me by coming back to life every time I kill it,

    I thought to change strategy and remove Python from the computer, which would render its scripts useless, but there is no Python on the PC. I thought it was installed from before.

    Then I used HIPS to monitor what accesses this area, and then I thought I should get more aggressive now. I blocked the whole area to prevent anything from reading or writing to it using HIPS, and I restarted. Then python.exe and python39.dll ceased to be used by something else; something held them and prevented anything from touching them. Even I can't add a firewall rule for it, because I wanted to block it from communicating.

    I felt like maybe another scanner got it for restart cleaning? But nope, no scanner identified the python39.dll as malicious, only as suspicious because it's not signed, but all the rest of the files, even the modified ones, have the company names. Like for Firefox, everything has Mozilla, even the modified ones (unsigned).

  2. 11 minutes ago, itman said:

    I don't believe either of the above .exe's are really what they are named as.

    It appears to me they are actually renamed versions of pyinstaller.exe. Note that the command line string used in both starts with "--" which is the format used by Pyinstaller.

    Pyinstaller allows for creation of a Win based .exe using an existing Python script. It adds all the needed Python run-time components plus the code contained in the script resulting in a fully functional Win .exe without the need to have Python installed. 

    I believe they are normal versions of the EXE; the .dlls are just hijacked.

    The fake Firefox that came with it had an icon from older versions of Firefox; you can notice it's an old version of Firefox.

    VLC also looked like the real one, but the .dlls are hijacked. This is why scanners aren't picking them up, python.exe, firefox.exe, vlc.exe, because I think they are legit, just the .dlls are messed up.

    I believe python.exe is needed to be able to run the Python script that is hidden somewhere, since there is no Python installed on the PC.

    If they were edited or messed up, then I would have got an indicator that the exes aren't signed properly, tampered or edited.

    Edit:

    Quote

    Pyinstaller allows for creation of a Win based .exe using an existing Python script. It adds all the needed Python run-time components plus the code contained in the script resulting in a fully functional Win .exe without the need to have Python installed. 

    I didn't read properly; yes, what you have said could explain it, and it could be that those aren't real executables and were just made by the script.

    I sent the whole packs of the fake stuff to ESET, but I actually removed the python.exe, and I don't think I can get it back, because at that time ESET picked its python39.dll, and I still believe somehow that the python.exe is a normal one.

    I believe the fake stuff, Firefox, VLC, Python, all were real but versions that have vulnerabilities and can be changed/modified; that's why they all were packed with hijacked DLLs and weird file types that would just change after execution.

  3. 13 hours ago, itman said:

    A comment about the scheduled tasks behavior. They all employed; e.g.:

    C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\python39.dll",#1

    That is rundll32.exe spawning a copy of itself to run a malicious .dll. As far as I am aware of, I know of nothing that does likewise. I am adding a HIPS rule to alert when rundll32.exe starts itself.

    This is what runs the malicious Python in Adobe in the Scheduler:

    Quote

          <Command>C:\Users\xxxxxxx\AppData\Roaming\Adobe\python.exe</Command>
          <Arguments>--yoky=66585 --uapb --vgb --mgxfde</Arguments>

    And this is what runs the malicious VLC in the Scheduler:

    Quote

          <Command>C:\Users\xxxxxxx\AppData\Roaming\36c011cd\vlc.exe</Command>
          <Arguments>-cbriqvr</Arguments>


  4. 19 minutes ago, Marcos said:

    We have received the files, however, there was no email address associated with the tickets. Couldn't it be that you checked the box to submit the file anonymously? I've made a test myself using the latest Endpoint 10 as well and a ticket was associated with my email so I don't expect it to be caused by a bug.

    It should be received from another endpoint; no, I don't think there is a bug,

    because I sent examples from 2 endpoints, one without email, one with email.

    I will send in PM.

  5. 3 minutes ago, itman said:

    Of interest here is how the attacker created python.exe in C:\Users\xxxxxx\AppData\Roaming\Adobe directory.

    I block all python execution via registry debugger assignment. However, Eset again needs to provide global wildcard capability; e.g. *\python.exe, to prevent attacks like this.

    I worked with HIPS to see who reads and writes, but once I wasn't able to stop it, remove it or archive it, I thought it's better to block the whole place. I blocked and restarted the PC, and I removed it.

    I believe when you run the malicious exe that is hidden as a .pif, it asks for admin? I don't know, I didn't ask.

    I also saved the XMLs for the Schedulers.

    And the PC doesn't have anything belonging to Adobe, but I believe the virus will gain admin somewhere with VLC and CMD.

  6. 1 hour ago, Peter Randziak said:

    Hello @Nightowl,

    thank you for a nice analysis 😉

    I contacted the Detections team, the files e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd, 65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0 and e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3 will be added to detection.

    Can you please provide us with files "mozilla.md5", "idea.mp3" and "tree.mp4" to check them further?
    Please send them to me in an encrypted archive via a private message, with the encryption password included 🙂

    Peter

    Hello Peter

    I have attached the whole folder of fake VLC and fake Firefox, put them in a 7z archive and passworded them with "malware". I sent them through the ESET GUI with my email address. I have confirmed through the Events logs that they have reached you, but I kept a backup in case they didn't reach. I was having trouble cleaning the python39.dll because it kept telling me it's running somewhere; something held it, but I didn't catch it. I restarted; what held it stopped. I tried to archive it, but ESET got it; it seems that it received updates. So I didn't pack the .dll because ESET already knows it.

    I think what held it is Task Scheduler somewhere; I made sure it didn't come back in Task Scheduler.

    What I noticed: I had hands on 2 infections, one with W10 and one with W11.

    The only difference I saw was that in W10 it was able to make a startup entry; in W11 it didn't. I will double check to make sure.

    Thanks to all also, it's my pleasure :)

  7. I sent 2 more remnants that aren't detected but looked suspicious. I cleaned the system scheduler; it had VLC and Python commands to run at startup and at 7 PM.

    The remnants are here:

    https://www.virustotal.com/gui/file/e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd/detection/f-e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd-1679390226

    https://www.virustotal.com/gui/file/e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3/detection/f-e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3-1679390159

    Unsigned files for Python and VLC; it looked suspicious to scanners.

    This is a remnant also not detected, but I wasn't able to send it; I deleted it by mistake:

    https://www.virustotal.com/gui/file/65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0

       ssl3.dll
          Size . . . . . . . : 132,712 bytes
          Age  . . . . . . . : 4.9 days (2023-03-17 12:42:24)
          Entropy  . . . . . : 6.1
          SHA-256  . . . . . : 65327E1555994DACEE595D5DA9C9B98967D1EA91CCB20E8AE4195CD0372E05A0
          Product  . . . . . : Network Security Services
          Publisher  . . . . : Mozilla Foundation
          Description  . . . : NSS SSL Library
          Version  . . . . . : 3.11.5
          RSA Key Size . . . : 2048
          LanguageID . . . . : 1033
          Authenticode . . . : Invalid
        > SurfRight  . . . . : Mal/Generic-S
          Fuzzy  . . . . . . : 122.0

    Scheduler: [screenshot]

    I made a restart now; I will check if it comes back. I believe the Scheduler is what revived it, and ESET kept removing it as Spy Agent in Advanced Memory Scanner.

    I sent the 2 examples to ESET the same way I did for the first post: Right click > ESET > Submit for Analysis.
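    The scheduled-task actions quoted in the post above with the Adobe python.exe and VLC commands, and the rundll32 self-spawn line in the same thread, are the kind of thing a defender wants to sift out of exported Task Scheduler XML quickly. The following is an added example written for this page, not code from the thread or from ESET: a small Python triage script that parses task XML, pulls every Exec action, and flags the three patterns discussed (a command living in a user-writable profile directory, a well-known application name such as python.exe or vlc.exe outside Program Files, and rundll32.exe re-launching itself or loading a DLL from a user-writable path). The task XML samples are constructed for the example, built from the command lines quoted on the page; the namespace is the standard Task Scheduler one, and everything else (function names, the path and application lists) is the example's own assumption.

```python
"""Triage exported Windows Task Scheduler XML for the persistence patterns
discussed in the thread. Added example; sample tasks below are constructed."""
import re
import xml.etree.ElementTree as ET

# Profile directories a standard user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.IGNORECASE)

# Applications normally installed under Program Files; a copy somewhere
# else (AppData\Roaming\Adobe\python.exe in the thread) is worth a look.
KNOWN_APPS = {"python.exe", "vlc.exe", "firefox.exe"}


def _strip_ns(tag):
    """Drop the XML namespace so tags compare as plain names."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in one task."""
    root = ET.fromstring(task_xml)
    pairs = []
    for el in root.iter():
        if _strip_ns(el.tag) != "Exec":
            continue
        cmd = args = ""
        for child in el:
            name = _strip_ns(child.tag)
            if name == "Command":
                cmd = (child.text or "").strip()
            elif name == "Arguments":
                args = (child.text or "").strip()
        pairs.append((cmd, args))
    return pairs


def triage_task(task_xml):
    """Return a list of findings for one task; an empty list means nothing flagged."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        base = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(cmd):
            findings.append(f"command runs from a user-writable path: {cmd}")
        if base in KNOWN_APPS and not re.search(r"\\Program Files", cmd, re.IGNORECASE):
            findings.append(f"{base} outside Program Files: {cmd}")
        if base == "rundll32.exe":
            # Pattern from the thread: rundll32.exe spawning a copy of itself.
            if args.lower().startswith("rundll32.exe"):
                findings.append(f"rundll32 self-spawn: {args}")
            dll = re.search(r'([^\s",]+\.dll)', args, re.IGNORECASE)
            if dll and USER_WRITABLE.search(dll.group(1)):
                findings.append(f"rundll32 loads DLL from user-writable path: {dll.group(1)}")
    return findings


def _task(command, arguments):
    """Build a minimal task XML document (constructed sample, real namespace)."""
    return (
        '<Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec>"
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed samples using the command lines quoted in the thread.
PY_TASK = _task(r"C:\Users\xxxxxxx\AppData\Roaming\Adobe\python.exe",
                "--yoky=66585 --uapb --vgb --mgxfde")
RUNDLL_TASK = _task(r"C:\Windows\SysWOW64\rundll32.exe",
                    r'rundll32.exe "C:\Users\user\Desktop\python39.dll",#1')
BENIGN_TASK = _task(r"C:\Program Files\VideoLAN\VLC\vlc.exe", "--started-from-task")


def triage_all(tasks):
    """Map task name -> findings for a dict of exported task XML strings."""
    return {name: triage_task(xml) for name, xml in tasks.items()}


if __name__ == "__main__":
    for name, hits in triage_all(
            {"adobe-python": PY_TASK, "rundll": RUNDLL_TASK, "vlc": BENIGN_TASK}).items():
        print(name, "->", hits or "nothing flagged")
```

    On a real machine, feed it the XML exported per task (for example with schtasks /Query /XML) rather than the constructed samples; a finding is a reason to inspect the task, not proof of malice, since installers do occasionally drop updaters into AppData.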

  8. 4 minutes ago, Marcos said:

    The file is currently blocked by LiveGrid, will be detected as Win32/TrojanDownloader.Rugmi.AAI trojan.

    \TrueCrypt.exe - Suspicious Object

    It depends on what plan / bundle you have purchased.

    Advanced Threat Defense includes ESET LiveGrid Advanced and is available in ESET PROTECT Advanced and ESET PROTECT Complete: [screenshot]

    Thank you Marcos, itman.

    It isn't my business account; I just worked to clean the PC because I was asked to, and ESET was there, for my luck :)

    I will inform you if I am asked about LiveGuard.

  9. 6 minutes ago, itman said:

    Assuming you downloaded MerchantSticpayAgreements.pif.exe, was it sent to LiveGuard?

    I didn't notice that; I sent it manually. The product on the PC is ESET Endpoint Security.

    I think Endpoint Security doesn't have LiveGuard yet; it's only available on Smart Security.

    And the file came through Skype to the affected machine.

  10. 14 minutes ago, itman said:

    Appears to be an old hacked version of TrueCrypt.exe. It's signed but the sigs are invalid. The behavior of the bugger: https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/behavior is pretty nasty.

    Yes, it's targeting financial areas; it will come as a financial file for you. It isn't me; I worked to clean the person's PC. The shortcut isn't detected, so it's made new also. The shortcut is what got uploaded to VirusTotal, but VirusTotal takes you to truecrypt.exe, but I believe the 1.5 shortcut is something hidden; it will just become something else.

    You can see it here also: https://any.run/report/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/f26fd95b-3cc1-4578-abf1-17289380ebe5

  11. https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c

    This is not being detected by ESET, but ESET is picking it up through Advanced Memory Scanner after being run, because it came through Skype as a 1.5 MB shortcut .pif. I kept a copy of it inside a passworded archive; I also sent the shortcut for analysis through right click and Submit for Analysis.

    a variant of Win32/Spy.Agent.QGW trojan

    C7552D69B8A7257A489BCDC31BAD099F5C2D67EA

    a variant of Win32/Rescoms.B trojan

    D00E62B42CEE99EFF56C604CF7190E2F68B3F86E

    Those are files that the dropper drops, but the ESET memory scanner and startup scanner pick up .dlls from Appdata\local\temp\threat.dll.

  12. On 3/18/2023 at 9:45 PM, Bartosz said:

    Please help me. Is there ESET on the Valorant anti-cheat software? I have error 9002 and I don't know how to fix it. I gave it to the firewall and there is no tutorial on YouTube, and I am counting on your help. :D

    Quote

    If you see Error Code VAN9002 when attempting to log into VALORANT, it's likely because you have Windows Exploit Protection disabled. To get yourself back in the game, you must enable Exploit Protection on your machine. Don't know how? Well, I'm here to help!

    https://support-valorant.riotgames.com/hc/en-us/articles/4406555340179-How-to-Enable-Exploit-Protection-and-Prevent-Error-Code-VAN9002

  13. 4 hours ago, rotaru said:

    As always, not ESET's fault......

    If someone can log into RDP and disable ESET, then ESET is not capable of defending anything.

    Still, it is not recommended to be using Windows 7 at all, since if ESET missed the threat, which can happen with any AV available on the market, then there is no way of defense against that malware.

    Since Microsoft doesn't fix anything with 7 and 8 anymore, you are better off with 10 and 11, or even Linux if you are against using those two systems, but not 7 and 8.

  14. I am not sure about it since I don't work for ESET, but I believe ESET Protect will see the computer as idle once the screensaver kicks in.

    Just from my thoughts; I could be totally wrong.

    Try to set that policy for one computer, leave that computer and see when it kicked in, and check at the same time the screensaver setting for that computer.

    And also if you have Domain Controllers , you can use Group Policy to modify when the PC will be idle/locked.

  15. 1 hour ago, obee said:

    Hi, I have a question about Supported OS for ESET Server Security for Linux (ESSL).

    In this URL we found that ESSL supports RedHat Enterprise Linux 7, 8:
    [screenshot]

    but in this URL we can find that ESSL supports RedHat Enterprise Linux 7, 8, and 9:
    [screenshot]

    Is there a difference stated in the URLs eset.com and help.eset.com? Which one is correct?

    Thank you in advance.

    I think the help page in the second screenshot of yours has more accurate information.

    https://help.eset.com/essl/91/en-US/?system_requirements.html

  16. 3 minutes ago, Marcos said:

    Could you please elaborate more on why you want to give end users the right to decide if a detected file should be kept or deleted? Are they knowledgeable enough to make the right decision when it comes to malware detection and cleaning?

    However, even then there would be a risk that malware could run if the machine is unattended and no user is logged in.

    If you decide to disable automatic cleaning, you can do so separately for each protection module (real-time protection, on-demand scan profiles, startup scans, web access and email protection, etc.): [screenshot]

    If someone said something earlier than you, we say your life is longer than mine, so it's that way, Marcos :)

    I actually wanted to say the same.

    Are the endpoint users knowledgeable enough to decide if it's really a threat or a false positive? It is not recommended to do so, because it is on purpose that they are not working in the I.T. department, so they shouldn't have this decision.

  17. 17 minutes ago, leborim12 said:

    I think I got hacked in chats.

    He is able to track my online activity. Sometimes he uses in chats the name of the wifi networks that are near me or phone names that are connected to my wifi network. He knows my name also.

    I tried Malwarebytes Premium and it did not detect anything.

    Also, because on internet there is a lot of info, I would appreciate if you can tell a way to find any backdoors on my PC or any other solution.

    Try to install ESET Smart Security or ESET Internet Security:

    - Run it as a trial for 30 days; after that you will have to buy a license to continue using it.

    - Run a deep scan on your system.

    - Update your router to the latest firmware available from the manufacturer.

    - Reset your router admin password; reset your WiFi password.

    If your router is no longer maintained and updated by the manufacturer, I highly recommend getting one that is supported; your Internet Service Provider can provide you one if you don't want to bother yourself getting one from a shop.

  18. 44 minutes ago, VanBuran said:

    Well I have tried everything suggested here and on Google, and I still get the downloads.

    You cannot stop Defender from updating; those updates will be received along with Windows Update files, and from the Windows Update Service.

    I believe it keeps updating because it can be used as a secondary scanner with ESET (not real-time), but as an on-demand scanner.

    I don't think it harms; let it update, and you can even schedule it to run at a different time, or once per certain period, to scan and give you a second opinion alongside ESET.
