can anyone check what's inside these files I found in Program Data? pls, ty

[migs_k 0]

one of them looks like base64

Quote

eyJwMSI6eyI1MDk4ODAxNDYiOnsicDIiOlt7InAzIjoxNTI2MDUyNzI1LCJwNCI6ODY3NzMxODk0LCJwNSI6MH0seyJwMyI6MTUyNTk2MjkxMiwicDQiOjg2NzczMTg5NCwicDUiOjB9LHsicDMiOjE1MjU4NzYzNTIsInA0Ijo4Njc3MzE4OTQsInA1IjowfSx7InAzIjoxNTE1NTU4NzQyLCJwNCI6MjMzMDI4NDczOCwicDUiOjB9LHsicDMiOjE1MTUzMjgzMzMsInA0IjoyMzMwMjg0NzM4LCJwNSI6MH0seyJwMyI6MTUxMzc2MDQ5OCwicDQiOjMwNjgyMzc1NjcsInA1IjowfSx7InAzIjoxNTExNzUwMDg5LCJwNCI6MzgxNDAyNjY3OSwicDUiOjB9LHsicDMiOjE1MTEyNjAzNjYsInA0IjozODE0MDI2Njc5LCJwNSI6MH1dfSwiMTI3NDQ2NTkwIjp7InAyIjpbeyJwMyI6MTUxNjQxMjEzNSwicDQiOjMxOTI2MDYzMDgsInA1IjowfSx7InAzIjoxNTEzNjY1MzAyLCJwNCI6MzE5MjYwNjMwOCwicDUiOjB9XX19fQ==

 

just my flying suspicious because I saw this YouTube video https://www.youtube.com/watch?v=mhOWdH2zwMk where the malware source code is placed in whatever places 

 

EDIT: ok yeah, decoded it and its something may be part of a source code for something

Quote

{"p1":{"509880146":{"p2":[{"p3":1526052725,"p4":867731894,"p5":0},{"p3":1525962912,"p4":867731894,"p5":0},{"p3":1525876352,"p4":867731894,"p5":0},{"p3":1515558742,"p4":2330284738,"p5":0},{"p3":1515328333,"p4":2330284738,"p5":0},{"p3":1513760498,"p4":3068237567,"p5":0},{"p3":1511750089,"p4":3814026679,"p5":0},{"p3":1511260366,"p4":3814026679,"p5":0}]},"127446590":{"p2":[{"p3":1516412135,"p4":3192606308,"p5":0},{"p3":1513665302,"p4":3192606308,"p5":0}]}}}

 

 

[Marcos 5,070]

You have already decoded the string so I gather that you have answered yourself.

[migs_k 0]

theres more inside the rar which is not base64

 

is ESET capable of cleaning or detecting that sort of thing thats on the youtube video?

Edited March 4, 2021 by migs_k

[Marcos 5,070]

There was also a msi file but this forum doesn't serve as a service for analyzing suspicious files. You can upload it to virustotal.com for instance to see if it's detected by some AVs.

[migs_k 0]

looks like I'm the very first ones to upload these. is it even possible to detect pieces of code that's placed everywhere?

[Marcos 5,070]

Not sure what code you mean. The above base64 code is obviously benign and not subject to detection.

[itman 1,659]

Since the linked youtube video is about the Remcos RAT, anyrun.com has an excellent animated analysis of one sample of it here: https://any.run/malware-trends/remcos

Remcos is usually associated with a phishing e-mail; for example, one containing a MS Word attachment. The easiest way to stop crud like this is to block process startup from any MS Office executable's. In this case, any process startup from winword.exe. Or better yet, permanently disable macro use in winword.exe:

Quote

Once downloaded, the files would prompt the users to activate macros which are required for the execution of Ramcos to start.

 

Edited March 4, 2021 by itman

[itman 1,659]

I forgot to mention this.

Referring to the anyrun.com detailed analysis of Remcos RAT sample, the first process spawned from winword.exe is eqnedt32.exe. This would indicate the attacker is exploiting a known vulnerability detailed here: https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/ .

Again your primary security mechanism against crud like this is to ensure your OS and application software has all available security patches applied.