
Trojan.VBS.TaskExecution infection.


Hey! Recently I have caught something; I'm not exactly sure where it appeared from, but one of the following days my Malwarebytes did a scan and I got a few detections that looked like this:


Detections showing I have been infected with what appears to be called Trojan.VBS.TaskExecution and Trojan.BitCoinStealer in different locations of my system.

I've had them quarantined; however, seeing that this is a task-scheduling virus that tried infecting areas of my system that have to do with boot, I am sure just getting these files quarantined is not enough: this virus is bound to return the next time I restart my PC.

I booted my system into safe mode and scanned my PC with various antiviruses without luck; I couldn't really find much of anything. HOWEVER, ESET on the other hand detected that there's a PowerShell execution virus in my Google Chrome cache folder!


I had the virus deleted, scanned my computer a few more times, and I couldn't find anything.

Launching Chrome again or restarting my PC (while remaining in safe mode) doesn't seem to bring the ransom/malware back.

However, since Defender just plain crashes when I try launching it in safe mode (Win11 btw), I booted my operating system normally and accessed Defender to do an offline scan, which returned no results.
I went back to safe mode and did a quick scan with ESET, and nothing came up. I ran another scan, however this time it was a custom scan targeting the Chrome folder, and the PowerShell/Agent.GZ trojan came back!

And when I try to do a quick scan with my Malwarebytes, the scan ends within seconds, as soon as it starts scanning files after scanning memory and all the stuff it does in the beginning. However, the scan works whenever I do a custom scan, obviously with no results.

When researching the virus I stumbled upon this GitHub topic, and the behavior of my virus and the virus discussed in the thread are similar; it seems like my virus is using different directories and places to hide in.

https://gist.github.com/infernoboy/cf114fda56ff3706478e0d1e6a1a1b27?permalink_comment_id=4140687#gistcomment-4140687

I also found this thread on Malwarebytes; this person is facing a virus under the same name:

https://forums.malwarebytes.com/topic/286641-was-trojanvbstaskexecution/?do=findComment&comment=1515706

However, it seems that the virus's infected directories are more similar to that GitHub thread I linked.

BUT! The user on the Malwarebytes topic mentions the virus runs a PowerShell execution from this location:

%localappdata%\Google\Chrome\User Data\Default\Extensions

However for me, it runs from:

%localappdata%\Google\Chrome\User Data\Default\Cache\Cache_Data

Which makes me assume I am facing a slightly altered version of the same virus.

I also ran the infected cache file through VirusTotal, which suggests more information about what this virus could be, like how Kaspersky rather named it "HEUR:Trojan-Banker.PowerShell.ClipBanker.gen" while ESET names it "PowerShell/Agent.GZ".

https://www.virustotal.com/gui/file/3cd4d63a2f17e72f725aaa0d5babbf645f2947ca129f08b5f7c4f67cbb04973a?nocache=1


Help putting a fight against this thing would be really appreciated, thanks!

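An added example (not part of the original post, and not ESET's or Malwarebytes' code) of the triage check a defender would run against the behaviour described above: list scheduled tasks whose action launches a script interpreter from a user-writable location such as the Chrome cache path the post names, or with hidden/encoded PowerShell switches. It assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks module, run from an elevated prompt; the interpreter and directory lists are constructed for this example.

```powershell
# Added triage example (not from the thread): flag scheduled tasks that launch a script
# interpreter out of a user-writable directory such as the Chrome cache path named above.

# Interpreters/LOLBins worth a second look when launched by a task (constructed list).
$interpreters = @('powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'cmd', 'regasm')
# User-writable locations a task action should not normally point into (constructed list).
$suspectDirs = @("$env:LOCALAPPDATA\Google\Chrome\User Data", $env:APPDATA, "$env:LOCALAPPDATA\Temp")

function Test-SuspiciousAction {
    param($Action)   # an MSFT_TaskExecAction instance from Get-ScheduledTask
    $exe    = [string]$Action.Execute
    $argStr = [string]$Action.Arguments
    if (-not $exe) { return $false }     # COM-handler actions carry no Execute
    $name = [IO.Path]::GetFileNameWithoutExtension($exe.Trim('"')).ToLowerInvariant()
    $usesInterpreter = $interpreters -contains $name
    # Expand %LOCALAPPDATA%-style variables so paths compare the way the task runs them.
    $cmdLine = [Environment]::ExpandEnvironmentVariables("$exe $argStr")
    $inSuspectDir = $false
    foreach ($dir in $suspectDirs) {
        if ($cmdLine.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $inSuspectDir = $true }
    }
    # Hidden-window, encoded-command or no-profile switches are common persistence tells.
    $hiddenSwitches = $argStr -match '(?i)-(enc|encodedcommand|nop|w(indowstyle)?\s+hidden)\b'
    return ($usesInterpreter -and ($inSuspectDir -or $hiddenSwitches))
}

# Walk every registered task and report matching actions with their last run time.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (Test-SuspiciousAction $action) {
            $info = Get-ScheduledTaskInfo -InputObject $task
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
                LastRun   = $info.LastRunTime
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

Any task it lists is only a lead: confirm the file at the action path and the task's author before disabling it, and keep a copy of the task XML (Export-ScheduledTask) for the support logs the admin asks for below.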

  • Administrators

Please do the following:
1, Instead of running a scan with ESET Online Scanner, install ESET Smart Security Premium and activate a trial version. Make sure to keep LiveGrid enabled.
2, Enable detection of potentially unsafe and unwanted applications.
3, Run a full disk scan.
4, Provide:
a) logs collected with ESET Log Collector
b) the content of the C:\ProgramData\Malwarebytes\MBAMService\Quarantine folder.


It appears MalwareBytes is helping you with this issue: https://forums.malwarebytes.com/topic/287592-infected-with-trojanvbstaskexecution/ .

Since MBAM is your real-time solution, it is proper and correct that they assist you in removal of the malware. If and when MBAM completes their efforts and the issue remains unresolved, then it would be appropriate for you to ask for assistance in this forum. Note that this forum's purpose is to assist with Eset product issues.

Edited by itman

6 hours ago, itman said:

It appears MalwareBytes is helping you with this issue: https://forums.malwarebytes.com/topic/287592-infected-with-trojanvbstaskexecution/ .

Since MBAM is your real-time solution, it is proper and correct that they assist you in removal of the malware. If and when MBAM completes their efforts and the issue remains unresolved, then it would be appropriate for you to ask for assistance in this forum. Note that this forum's purpose is to assist with Eset product issues.

I haven't really been receiving any replies, and every time I turn to their forum I get the bare minimum of support, so I end up wiping my PC when situations such as these gnarly infections happen.

Well, although I respect that their moderators have so many tickets to handle and work with daily and have been for years, so I understand why my thread is being dealt with this way, it's not helping much, so I turned over here since Eset at least gives me extra clues on what other detections exist on my machine, and this detection seems like one Eset has recognized and probably understands more, since as for MB it's not.

I also browsed through the threads here a bit and I've noticed there are so many threads about people getting infected with PowerShell-powered viruses recently; that's crazy! It's like browsing through the forums when WannaCry hit town on everyone.


10 hours ago, Radically said:

like how Kaspersky rather named it "HEUR:Trojan-Banker.PowerShell.ClipBanker.gen"

Since we are talking about ClipBanker malware, here's a detailed analysis of a variant Cynet performed a while back: https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/ . Note the Behavioral Analysis section for scheduled tasks created.

A common theme running through the Eset forum PowerShell cryptominer postings is almost everyone had cracked software installed.

Edited by itman

41 minutes ago, itman said:

Since we are talking about ClipBanker malware, here's a detailed analysis of a variant Cynet performed a while back: https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/ . Note the Behavioral Analysis section for scheduled tasks created.

A common theme running through the Eset forum PowerShell cryptominer postings is almost everyone had cracked software installed.

Sounds pretty severe; sounds like I'm better off reinstalling the OS in this case.

I'm gonna be backing up some of my files; however, some of them I'm using as settings configuration for software I use, some are productive projects, games, etc. How do I make sure I wouldn't catch the same threat again if it goes undetected by most AV?

I scan and inspect every file I open or execute, including any associated files like DLLs and such, and I run them through VirusTotal, even if they come from legitimate sources. When I got infected, that's when it surprised me the most, so I'm assuming the virus that brought this kind of payload is not registered in the archives; it could probably be a new malware or one that not many have executed yet.

Thank you in advance!


What's interesting in the Cynet analysis is:

Quote

Cynet has detected EguiProxy.exe (the Trojan Downloader) that was launched by RegAsm.exe (LOLBin):

  • First Downloader: EguiProxy.exe

It so happens that EguiProxy.exe is the name of a legit Eset process.

Edited by itman

14 minutes ago, itman said:

What's interesting in the Cynet analysis is:

It so happens that EguiProxy.exe is the name of a legit Eset process.

So Cynet is trying to claim that one of the files associated with Eset is a Trojan Downloader? Haha


This article is hilarious: https://asec.ahnlab.com/en/32825/ .

A malware developer was selling his malware development toolkit to other wanna-be hackers and infecting them at the same time with ClipBanker malware. "No honor among thieves" as the saying goes.


  • Most Valued Members
On 6/19/2022 at 10:50 PM, Radically said:

Sounds pretty severe; sounds like I'm better off reinstalling the OS in this case.

I'm gonna be backing up some of my files; however, some of them I'm using as settings configuration for software I use, some are productive projects, games, etc. How do I make sure I wouldn't catch the same threat again if it goes undetected by most AV?

I scan and inspect every file I open or execute, including any associated files like DLLs and such, and I run them through VirusTotal, even if they come from legitimate sources. When I got infected, that's when it surprised me the most, so I'm assuming the virus that brought this kind of payload is not registered in the archives; it could probably be a new malware or one that not many have executed yet.

Thank you in advance!

As itman mentioned, if you do use cracked software I'd avoid it from now on, as a lot of infections come from dodgy websites and cracks.


5 hours ago, peteyt said:

As itman mentioned, if you do use cracked software I'd avoid it from now on, as a lot of infections come from dodgy websites and cracks.

Yeah, I avoid them in general; I might have downloaded something that was already patched without even realizing it, but somehow it still went under the radar. Crazy!
