Jump to content

can anyone check what's inside these files I found in Program Data? pls, ty

migs_k
 Share

Recommended Posts

migs_k

migs_k 0

Posted
Posted

one of them looks like base64

Quote

eyJwMSI6eyI1MDk4ODAxNDYiOnsicDIiOlt7InAzIjoxNTI2MDUyNzI1LCJwNCI6ODY3NzMxODk0LCJwNSI6MH0seyJwMyI6MTUyNTk2MjkxMiwicDQiOjg2NzczMTg5NCwicDUiOjB9LHsicDMiOjE1MjU4NzYzNTIsInA0Ijo4Njc3MzE4OTQsInA1IjowfSx7InAzIjoxNTE1NTU4NzQyLCJwNCI6MjMzMDI4NDczOCwicDUiOjB9LHsicDMiOjE1MTUzMjgzMzMsInA0IjoyMzMwMjg0NzM4LCJwNSI6MH0seyJwMyI6MTUxMzc2MDQ5OCwicDQiOjMwNjgyMzc1NjcsInA1IjowfSx7InAzIjoxNTExNzUwMDg5LCJwNCI6MzgxNDAyNjY3OSwicDUiOjB9LHsicDMiOjE1MTEyNjAzNjYsInA0IjozODE0MDI2Njc5LCJwNSI6MH1dfSwiMTI3NDQ2NTkwIjp7InAyIjpbeyJwMyI6MTUxNjQxMjEzNSwicDQiOjMxOTI2MDYzMDgsInA1IjowfSx7InAzIjoxNTEzNjY1MzAyLCJwNCI6MzE5MjYwNjMwOCwicDUiOjB9XX19fQ==

 

just my flying suspicious because I saw this YouTube video https://www.youtube.com/watch?v=mhOWdH2zwMk where the malware source code is placed in whatever places 

 

EDIT: ok yeah, decoded it and its something may be part of a source code for something

Quote

{"p1":{"509880146":{"p2":[{"p3":1526052725,"p4":867731894,"p5":0},{"p3":1525962912,"p4":867731894,"p5":0},{"p3":1525876352,"p4":867731894,"p5":0},{"p3":1515558742,"p4":2330284738,"p5":0},{"p3":1515328333,"p4":2330284738,"p5":0},{"p3":1513760498,"p4":3068237567,"p5":0},{"p3":1511750089,"p4":3814026679,"p5":0},{"p3":1511260366,"p4":3814026679,"p5":0}]},"127446590":{"p2":[{"p3":1516412135,"p4":3192606308,"p5":0},{"p3":1513665302,"p4":3192606308,"p5":0}]}}}

 

 

Link to comment
Share on other sites
migs_k

migs_k 0

Posted
  • Author
Posted (edited)

theres more inside the rar which is not base64

 

is ESET capable of cleaning or detecting that sort of thing thats on the youtube video?

Edited by migs_k
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,706

Posted
  • Administrators
Posted

There was also a msi file but this forum doesn't serve as a service for analyzing suspicious files. You can upload it to virustotal.com for instance to see if it's detected by some AVs.

Link to comment
Share on other sites
migs_k

migs_k 0

Posted
  • Author
Posted

looks like I'm the very first ones to upload these. is it even possible to detect pieces of code that's placed everywhere?

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,706

Posted
  • Administrators
Posted

Not sure what code you mean. The above base64 code is obviously benign and not subject to detection.

Link to comment
Share on other sites
itman

itman 1,541

Posted
Posted (edited)

Since the linked youtube video is about the Remcos RAT, anyrun.com has an excellent animated analysis of one sample of it here: https://any.run/malware-trends/remcos

Remcos is usually associated with a phishing e-mail; for example, one containing a MS Word attachment. The easiest way to stop crud like this is to block process startup from any MS Office executable's. In this case, any process startup from winword.exe. Or better yet, permanently disable macro use in winword.exe:

Quote

Once downloaded, the files would prompt the users to activate macros which are required for the execution of Ramcos to start.

 

Edited by itman
Link to comment
Share on other sites
itman

itman 1,541

Posted
Posted

I forgot to mention this.

Referring to the anyrun.com detailed analysis of Remcos RAT sample, the first process spawned from winword.exe is eqnedt32.exe. This would indicate the attacker is exploiting a known vulnerability detailed here: https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/ .

Again your primary security mechanism against crud like this is to ensure your OS and application software has all available security patches applied.

 

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...