
Can anyone check what's inside these files I found in Program Data? pls, ty



One of them looks like base64.

Quote

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

 

Just my flying suspicion, because I saw this YouTube video https://www.youtube.com/watch?v=mhOWdH2zwMk where the malware source code is placed in all sorts of places.

 

EDIT: ok yeah, decoded it and it's something that may be part of the source code for something.

Quote

{"p1":{"509880146":{"p2":[{"p3":1526052725,"p4":867731894,"p5":0},{"p3":1525962912,"p4":867731894,"p5":0},{"p3":1525876352,"p4":867731894,"p5":0},{"p3":1515558742,"p4":2330284738,"p5":0},{"p3":1515328333,"p4":2330284738,"p5":0},{"p3":1513760498,"p4":3068237567,"p5":0},{"p3":1511750089,"p4":3814026679,"p5":0},{"p3":1511260366,"p4":3814026679,"p5":0}]},"127446590":{"p2":[{"p3":1516412135,"p4":3192606308,"p5":0},{"p3":1513665302,"p4":3192606308,"p5":0}]}}}

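The poster decoded the string by hand and eyeballed the result. The following PowerShell function is an added example (not code from the thread) that does the same check in a repeatable way: it confirms the input is well-formed base64, decodes it, and reports whether the result is JSON, plain text, or binary, showing only the leading bytes for binary so nothing is executed or pasted around. The sample input is the JSON the poster shared, re-encoded here so the script runs offline; the function name and the binary/text classification rule are this example's own choices.

```powershell
# Added example: classify a suspected base64 string without guessing at it.
function Test-Base64Payload {
    param([Parameter(Mandatory)][string]$Text)

    # Strict syntax check: base64 alphabet, optional '=' padding, length a multiple of 4
    $clean = $Text -replace '\s', ''
    if ($clean -notmatch '^[A-Za-z0-9+/]+={0,2}$' -or ($clean.Length % 4) -ne 0) {
        return [pscustomobject]@{ IsBase64 = $false; Kind = 'not base64'; Decoded = $null }
    }
    try   { $bytes = [Convert]::FromBase64String($clean) }
    catch { return [pscustomobject]@{ IsBase64 = $false; Kind = 'invalid base64'; Decoded = $null } }

    # Anything outside printable ASCII (plus tab/newline/CR) is treated as binary.
    # Assumption of this example: ASCII-only text; UTF-8 multibyte text would be reported as binary.
    $nonPrintable = @($bytes | Where-Object { $_ -lt 9 -or ($_ -gt 13 -and $_ -lt 32) -or $_ -gt 126 }).Count
    if ($nonPrintable -gt 0) {
        $last  = [Math]::Min(3, $bytes.Length - 1)
        $magic = ($bytes[0..$last] | ForEach-Object { $_.ToString('X2') }) -join ' '
        return [pscustomobject]@{ IsBase64 = $true; Kind = "binary (first bytes: $magic)"; Decoded = $null }
    }

    $str = [Text.Encoding]::UTF8.GetString($bytes)
    try   { $null = $str | ConvertFrom-Json -ErrorAction Stop; $kind = 'JSON text' }
    catch { $kind = 'plain text' }
    [pscustomobject]@{ IsBase64 = $true; Kind = $kind; Decoded = $str }
}

# Constructed sample: a fragment of the JSON from the thread, base64-encoded for the demo
$sample  = '{"p1":{"509880146":{"p2":[{"p3":1526052725,"p4":867731894,"p5":0}]}}}'
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sample))

Test-Base64Payload -Text $encoded             # Kind: JSON text
Test-Base64Payload -Text 'this is not base64!'  # Kind: not base64
Test-Base64Payload -Text ([Convert]::ToBase64String([byte[]](0x4D,0x5A,0x90,0x00)))  # Kind: binary (first bytes: 4D 5A 90 00)
```

For an unknown file rather than a pasted string, feed `Get-Content -Raw` into the function; the decoded text is returned as a value, not written to disk, so a suspicious payload is inspected without being dropped anywhere it could run.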

  • Administrators

You have already decoded the string so I gather that you have answered yourself.



There's more inside the rar which is not base64.

 

Is ESET capable of cleaning or detecting that sort of thing that's on the YouTube video?

Edited by migs_k

  • Administrators

There was also an msi file, but this forum doesn't serve as a service for analyzing suspicious files. You can upload it to virustotal.com, for instance, to see if it's detected by some AVs.


Looks like I'm the very first one to upload these. Is it even possible to detect pieces of code that are placed everywhere?


  • Administrators

Not sure what code you mean. The above base64 code is obviously benign and not subject to detection.


Since the linked youtube video is about the Remcos RAT, anyrun.com has an excellent animated analysis of one sample of it here: https://any.run/malware-trends/remcos

Remcos is usually associated with a phishing e-mail; for example, one containing an MS Word attachment. The easiest way to stop crud like this is to block process startup from any MS Office executable. In this case, any process startup from winword.exe. Or better yet, permanently disable macro use in winword.exe:

Quote

Once downloaded, the files would prompt the users to activate macros which are required for the execution of Remcos to start.

 

Edited by itman
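The two controls recommended above (no macros in Word, and no child processes from Office applications) can both be applied from an elevated PowerShell prompt. The script below is an added example, not itman's code or an ESET procedure; it assumes a Microsoft 365 / Office 2016-2019 installation (registry version `16.0`) and Microsoft Defender Antivirus, whose Attack Surface Reduction rule "Block all Office applications from creating child processes" has the ID `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`. On a host with a different Office version, change the version segment of the registry path.

```powershell
# Added example: enforce "no Word macros" and "no Office child processes".
# Run elevated. Assumes Office registry version 16.0 and Microsoft Defender AV.

# 1) Disable all VBA macros in Word with no notification (VBAWarnings = 4).
#    The Policies hive is enforced by policy and cannot be undone from the Trust Center UI.
$wordSec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
New-Item -Path $wordSec -Force | Out-Null
Set-ItemProperty -Path $wordSec -Name 'VBAWarnings' -Value 4 -Type DWord
#    Also block macros in documents that carry Mark-of-the-Web (downloaded / e-mail attachments).
Set-ItemProperty -Path $wordSec -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

# 2) Block every Office application from spawning child processes (Defender ASR rule).
#    Use -AttackSurfaceReductionRules_Actions AuditMode first if you want log-only behaviour.
$officeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids     $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3) Verify both settings took effect.
Get-ItemProperty -Path $wordSec | Select-Object VBAWarnings, blockcontentexecutionfrominternet

$prefs = Get-MpPreference
$ids   = @($prefs.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $officeChildProcRule) {
        # Action codes: 0 = Disabled, 1 = Block (Enabled), 2 = Audit
        "ASR rule $officeChildProcRule action code: $($prefs.AttackSurfaceReductionRules_Actions[$i])"
    }
}
```

The ASR rule is the broader of the two: it stops the winword.exe to child-process hop regardless of whether the lure used a macro or an exploit, whereas the macro setting only covers the VBA path.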

I forgot to mention this.

Referring to the anyrun.com detailed analysis of the Remcos RAT sample, the first process spawned from winword.exe is eqnedt32.exe. This would indicate the attacker is exploiting a known vulnerability detailed here: https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/

Again, your primary security mechanism against crud like this is to ensure your OS and application software have all available security patches applied.

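The winword.exe to eqnedt32.exe chain from the any.run analysis is also a detection opportunity: neither Word nor the Equation Editor has a legitimate reason to spawn other processes on most desktops. The function below is an added example, not from the thread or from any.run, that flags such parent/child pairs in process-creation records. It runs against a constructed sample here; the commented block shows how the same fields are pulled from live Sysmon event ID 1 records. The function name, the watched-parent list and the sample paths are this example's own assumptions.

```powershell
# Added example: flag process creations whose parent is an Office app or the Equation Editor.
# Works on any record with UtcTime / ParentImage / Image fields (Sysmon event ID 1 shape).

$watchedParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'eqnedt32.exe'

function Find-OfficeChildProcess {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        $parent = [IO.Path]::GetFileName($r.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($r.Image).ToLowerInvariant()
        if ($watchedParents -contains $parent) {
            $reason = if ($child -eq 'eqnedt32.exe') {
                'Office launched the Equation Editor (pattern seen in the any.run Remcos analysis)'
            } elseif ($parent -eq 'eqnedt32.exe') {
                'Equation Editor spawned a process; it should never have children'
            } else {
                'Office application spawned a child process'
            }
            [pscustomobject]@{ Time = $r.UtcTime; Parent = $parent; Child = $child; Reason = $reason }
        }
    }
}

# Constructed sample records (not real telemetry): an Office -> Equation Editor -> cmd chain,
# plus a benign launch of Word from Explorer that must not be flagged.
$sample = @(
    [pscustomobject]@{ UtcTime = '2018-05-11 14:02:10'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' }
    [pscustomobject]@{ UtcTime = '2018-05-11 14:02:11'
                       ParentImage = 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
                       Image = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ UtcTime = '2018-05-11 14:05:00'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }
)
Find-OfficeChildProcess -Records $sample | Format-Table -AutoSize   # two hits, explorer->winword ignored

# Against a live Sysmon log, build the same records from event ID 1 (process creation):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         $d = ([xml]$_.ToXml()).Event.EventData.Data
#         [pscustomobject]@{
#             UtcTime     = ($d | Where-Object Name -eq 'UtcTime').'#text'
#             ParentImage = ($d | Where-Object Name -eq 'ParentImage').'#text'
#             Image       = ($d | Where-Object Name -eq 'Image').'#text'
#         }
#     }
# Find-OfficeChildProcess -Records $live
```

On a patched host the Equation Editor hop should not appear at all, so any hit from this check is worth an incident ticket rather than a tuning exception.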
