migs_k, posted March 4, 2021:

One of them looks like base64:

eyJwMSI6eyI1MDk4ODAxNDYiOnsicDIiOlt7InAzIjoxNTI2MDUyNzI1LCJwNCI6ODY3NzMxODk0LCJwNSI6MH0seyJwMyI6MTUyNTk2MjkxMiwicDQiOjg2NzczMTg5NCwicDUiOjB9LHsicDMiOjE1MjU4NzYzNTIsInA0Ijo4Njc3MzE4OTQsInA1IjowfSx7InAzIjoxNTE1NTU4NzQyLCJwNCI6MjMzMDI4NDczOCwicDUiOjB9LHsicDMiOjE1MTUzMjgzMzMsInA0IjoyMzMwMjg0NzM4LCJwNSI6MH0seyJwMyI6MTUxMzc2MDQ5OCwicDQiOjMwNjgyMzc1NjcsInA1IjowfSx7InAzIjoxNTExNzUwMDg5LCJwNCI6MzgxNDAyNjY3OSwicDUiOjB9LHsicDMiOjE1MTEyNjAzNjYsInA0IjozODE0MDI2Njc5LCJwNSI6MH1dfSwiMTI3NDQ2NTkwIjp7InAyIjpbeyJwMyI6MTUxNjQxMjEzNSwicDQiOjMxOTI2MDYzMDgsInA1IjowfSx7InAzIjoxNTEzNjY1MzAyLCJwNCI6MzE5MjYwNjMwOCwicDUiOjB9XX19fQ==

Just my suspicion, because I saw this YouTube video https://www.youtube.com/watch?v=mhOWdH2zwMk where the malware source code is placed in various places.

EDIT: OK yeah, decoded it, and it's something that may be part of a source code for something:

{"p1":{"509880146":{"p2":[{"p3":1526052725,"p4":867731894,"p5":0},{"p3":1525962912,"p4":867731894,"p5":0},{"p3":1525876352,"p4":867731894,"p5":0},{"p3":1515558742,"p4":2330284738,"p5":0},{"p3":1515328333,"p4":2330284738,"p5":0},{"p3":1513760498,"p4":3068237567,"p5":0},{"p3":1511750089,"p4":3814026679,"p5":0},{"p3":1511260366,"p4":3814026679,"p5":0}]},"127446590":{"p2":[{"p3":1516412135,"p4":3192606308,"p5":0},{"p3":1513665302,"p4":3192606308,"p5":0}]}}}
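The decode step in the post above, as an added triage helper that is not part of the thread: it decodes a base64 blob (standard or URL-safe, padded or not), decides whether the result is binary, text or JSON, and flags integer leaves that fall in the Unix-timestamp range, which is what turns the "p3" fields into readable dates and makes the blob look like timestamped configuration or telemetry rather than code. POSTED_BLOB is the string from the post; the two other inputs are constructed for the example.

```python
import base64
import binascii
import json
from datetime import datetime, timezone

# The base64 string exactly as posted in the thread above.
POSTED_BLOB = "eyJwMSI6eyI1MDk4ODAxNDYiOnsicDIiOlt7InAzIjoxNTI2MDUyNzI1LCJwNCI6ODY3NzMxODk0LCJwNSI6MH0seyJwMyI6MTUyNTk2MjkxMiwicDQiOjg2NzczMTg5NCwicDUiOjB9LHsicDMiOjE1MjU4NzYzNTIsInA0Ijo4Njc3MzE4OTQsInA1IjowfSx7InAzIjoxNTE1NTU4NzQyLCJwNCI6MjMzMDI4NDczOCwicDUiOjB9LHsicDMiOjE1MTUzMjgzMzMsInA0IjoyMzMwMjg0NzM4LCJwNSI6MH0seyJwMyI6MTUxMzc2MDQ5OCwicDQiOjMwNjgyMzc1NjcsInA1IjowfSx7InAzIjoxNTExNzUwMDg5LCJwNCI6MzgxNDAyNjY3OSwicDUiOjB9LHsicDMiOjE1MTEyNjAzNjYsInA0IjozODE0MDI2Njc5LCJwNSI6MH1dfSwiMTI3NDQ2NTkwIjp7InAyIjpbeyJwMyI6MTUxNjQxMjEzNSwicDQiOjMxOTI2MDYzMDgsInA1IjowfSx7InAzIjoxNTEzNjY1MzAyLCJwNCI6MzE5MjYwNjMwOCwicDUiOjB9XX19fQ=="

# Constructed counter-examples (not from the thread): plain text and raw bytes.
CONSTRUCTED_TEXT_BLOB = base64.b64encode(b"just a readme line, not JSON").decode()
CONSTRUCTED_BINARY_BLOB = base64.b64encode(bytes(range(0, 256, 7))).decode()

# Plausible range for a Unix timestamp field: 2000-01-01 .. 2038-01-19 (assumption).
TS_MIN, TS_MAX = 946684800, 2147483647


def decode_base64_loose(s: str) -> bytes:
    """Decode standard or URL-safe base64, tolerating missing '=' padding."""
    s = "".join(s.split())          # drop whitespace/newlines from pasted text
    s += "=" * (-len(s) % 4)        # restore padding if it was stripped
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return base64.urlsafe_b64decode(s)


def iter_leaves(obj, path=()):
    """Yield (path, value) for every scalar inside nested dicts/lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from iter_leaves(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from iter_leaves(v, path + (i,))
    else:
        yield path, obj


def looks_like_unix_time(n) -> bool:
    return isinstance(n, int) and not isinstance(n, bool) and TS_MIN <= n <= TS_MAX


def triage_blob(b64: str) -> dict:
    """Classify a base64 blob as 'binary', 'text' or 'json' and list timestamp-like fields."""
    raw = decode_base64_loose(b64)
    result = {"bytes": len(raw), "kind": "binary", "json": None, "timestamps": []}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return result                # not text at all: treat as opaque binary
    result["kind"] = "text"
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return result                # readable text but not JSON
    result["kind"] = "json"
    result["json"] = parsed
    for path, leaf in iter_leaves(parsed):
        if looks_like_unix_time(leaf):
            result["timestamps"].append(
                (path, datetime.fromtimestamp(leaf, tz=timezone.utc)))
    return result


if __name__ == "__main__":
    r = triage_blob(POSTED_BLOB)
    print(r["kind"], r["bytes"], "bytes")
    for path, dt in r["timestamps"]:
        print("/".join(map(str, path)), dt.isoformat())
```

On the posted blob this yields JSON whose ten "p3" values decode to dates in late 2017 and 2018, while the "p4" values fall outside the timestamp range and "p5" is always 0; nothing in it is executable, which matches the moderator's reading of it as benign data.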
Marcos (Administrator), posted March 4, 2021:

You have already decoded the string, so I gather that you have answered yourself.
migs_k (author), posted March 4, 2021 (edited):

There's more inside the rar which is not base64. Is ESET capable of cleaning or detecting that sort of thing that's on the YouTube video?
Marcos (Administrator), posted March 4, 2021:

There was also an msi file, but this forum doesn't serve as a service for analyzing suspicious files. You can upload it to virustotal.com, for instance, to see if it's detected by some AVs.
migs_k (author), posted March 4, 2021:

Looks like I'm one of the very first ones to upload these. Is it even possible to detect pieces of code that are placed everywhere?
Marcos (Administrator), posted March 4, 2021:

Not sure what code you mean. The above base64 code is obviously benign and not subject to detection.
itman, posted March 4, 2021 (edited):

Since the linked YouTube video is about the Remcos RAT, anyrun.com has an excellent animated analysis of one sample of it here: https://any.run/malware-trends/remcos

Remcos is usually associated with a phishing e-mail, for example one containing an MS Word attachment. The easiest way to stop crud like this is to block process startup from any MS Office executable; in this case, any process startup from winword.exe. Or better yet, permanently disable macro use in winword.exe:

Quote: "Once downloaded, the files would prompt the users to activate macros which are required for the execution of Remcos to start."
itman, posted March 4, 2021:

I forgot to mention this. Referring to the anyrun.com detailed analysis of the Remcos RAT sample, the first process spawned from winword.exe is eqnedt32.exe. This would indicate the attacker is exploiting a known vulnerability detailed here: https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/

Again, your primary security mechanism against crud like this is to ensure your OS and application software have all available security patches applied.
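The two points itman makes in the posts above, blocking process startup from Office executables and the winword.exe -> eqnedt32.exe chain seen in the any.run trace, as an added detection example that is not part of the thread: it runs over process-creation records in the shape of Sysmon Event ID 1 (ParentImage / Image / CommandLine) and raises a high-severity alert when an Office parent spawns a known abuse target such as the Equation Editor or a script host, and a medium-severity alert for any other non-allow-listed child, which is the logged equivalent of the "block all process startup from Office" policy. The events, the parent and child lists and the allow-listed benign children are constructed assumptions for the example.

```python
# Constructed sample events in Sysmon Event ID 1 style; made up for this example,
# not telemetry from the thread or from any.run.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 2, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"id": 3, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},
    {"id": 4, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc QQBBAEEAQQA="},
    {"id": 5, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
]

# Office document-handling processes that should rarely, if ever, spawn children (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children commonly abused from a malicious document; eqnedt32.exe is the
# Equation Editor chain from the post above (assumption for the rest).
SUSPICIOUS_CHILDREN = {
    "eqnedt32.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Children an environment may choose to tolerate from Office (assumption; tune per site).
ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict):
    """Return an alert dict for an Office child process, or None if nothing to report."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child in ALLOWED_CHILDREN:
        return None
    alert = {"id": event.get("id"), "parent": parent, "child": child,
             "cmdline": event.get("CommandLine", "")}
    if child in SUSPICIOUS_CHILDREN:
        alert["severity"] = "high"
        alert["reason"] = f"{parent} spawned known abuse target {child}"
    else:
        # Policy from the post: Office should not be starting processes at all.
        alert["severity"] = "medium"
        alert["reason"] = f"{parent} spawned non-allow-listed child {child}"
    return alert


def detect(events) -> list:
    """Run classify_event over a stream of process-creation records."""
    return [a for a in (classify_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["id"], a["reason"], a["cmdline"])
```

The same policy can be enforced rather than merely detected: Microsoft Defender's Attack Surface Reduction rule "Block all Office applications from creating child processes" stops the medium and high cases alike, and the eqnedt32.exe chain specifically disappears once the Equation Editor patch from the linked article is applied.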