Address has been blocked


This address is being blocked and appears all the time, even when I don't have the browser open.

[attached screenshot]

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Hora">26/09/2023 0:04:11</COLUMN>
      <COLUMN NAME="URL">https://controlpanel29.com</COLUMN>
      <COLUMN NAME="Estado">Bloqueado</COLUMN>
      <COLUMN NAME="Detección">Lista negra Anti-Phishing</COLUMN>
      <COLUMN NAME="Aplicación">C:\Windows\explorer.exe</COLUMN>
      <COLUMN NAME="Usuario">NT AUTHORITY\SYSTEM</COLUMN>
      <COLUMN NAME="Dirección IP">139.28.38.154</COLUMN>
      <COLUMN NAME="Hash">F6F8C077C21EB30CB71DC9CA294C6CCE11579D91</COLUMN>
    </RECORD>
 </LOG>
</ESET>

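Added example, not from this thread or from ESET: a small Python parser for an ESET log export in the XML layout pasted above, flagging blocked URLs that originate from a non-browser process or run as SYSTEM (the combination that makes the record above stand out). The column names follow the export above; the second, benign record is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Processes that legitimately open URLs; a block attributed to anything else
# (explorer.exe, conhost.exe, cmd.exe, ...) deserves a closer look.
EXPECTED_BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}

# Constructed sample export: first record copied from the thread, second one
# is a benign block from a real browser under a normal user account.
SAMPLE_EXPORT = r"""<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Hora">26/09/2023 0:04:11</COLUMN>
      <COLUMN NAME="URL">https://controlpanel29.com</COLUMN>
      <COLUMN NAME="Estado">Bloqueado</COLUMN>
      <COLUMN NAME="Detección">Lista negra Anti-Phishing</COLUMN>
      <COLUMN NAME="Aplicación">C:\Windows\explorer.exe</COLUMN>
      <COLUMN NAME="Usuario">NT AUTHORITY\SYSTEM</COLUMN>
      <COLUMN NAME="Dirección IP">139.28.38.154</COLUMN>
    </RECORD>
    <RECORD>
      <COLUMN NAME="Hora">26/09/2023 9:15:02</COLUMN>
      <COLUMN NAME="URL">https://example.test/login</COLUMN>
      <COLUMN NAME="Estado">Bloqueado</COLUMN>
      <COLUMN NAME="Detección">Lista negra Anti-Phishing</COLUMN>
      <COLUMN NAME="Aplicación">C:\Program Files\Mozilla Firefox\firefox.exe</COLUMN>
      <COLUMN NAME="Usuario">DESKTOP\alice</COLUMN>
      <COLUMN NAME="Dirección IP">198.51.100.7</COLUMN>
    </RECORD>
  </LOG>
</ESET>"""


def parse_records(xml_text):
    """Return every <RECORD> as a dict keyed by its COLUMN NAME attributes."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{c.get("NAME"): (c.text or "").strip() for c in rec.findall("COLUMN")}
            for rec in root.iter("RECORD")]


def suspicious_blocks(records):
    """Blocked URLs whose source process is not a browser, or which ran as SYSTEM."""
    hits = []
    for r in records:
        exe = r.get("Aplicación", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        as_system = r.get("Usuario", "").upper().endswith("\\SYSTEM")
        if exe not in EXPECTED_BROWSERS or as_system:
            hits.append({"time": r.get("Hora"), "url": r.get("URL"),
                         "ip": r.get("Dirección IP"), "process": exe,
                         "system": as_system})
    return hits
```

Run it against a real export (ESET GUI: Tools > Log files > Export) to see how often the same process and IP recur, which is what "appears all the time" looks like in the data.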

The IP address is associated with Zemlyaniy Dmitro Leonidovich:

Quote

We consider Zemlyaniy Dmitro Leonidovich to be a potentially high fraud risk ISP, by which we mean that web traffic from this ISP potentially poses a high risk of being fraudulent. Other types of traffic may pose a different risk or no risk. They operate 18,407 IP addresses, some of which are running servers and anonymizing VPNs. They manage IP addresses for organisations including Zemlyaniy Dmitro Leonidovich, DeltaHost, and NetProtect LLC. Scamalytics see low levels of web traffic from this ISP across our global network, most of which is, in our view, fraudulent. We apply a risk score of 75/100 to Zemlyaniy Dmitro Leonidovich, meaning that of the web traffic where we have visibility, approximately 75% is suspected to be potentially fraudulent.

https://scamalytics.com/ip/isp/zemlyaniy-dmitro-leonidovich

-EDIT- Although Zemlyaniy Dmitro Leonidovich overall is suspect, this particular IP address looks OK: https://scamalytics.com/ip/139.28.38.154

Edited by itman

  • Administrators

PowerShell/Agent.AEW trojan is being continually detected, we'll need a registry dump for perusal. Please collect fresh ELC logs with the "Threat detection" template selected in the ELC menu.


One thing to be pointed out is that the detections posted in this thread are originating from explorer.exe. This is highly suspect and "smells" of malware activity.


  • Administrators

Does deleting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26D015BE-52F8-423E-B5A2-512B57B991A1} in safe mode make a difference?

Also please provide me with the file c:\program files\windowsmalwareprotection\config\systemreset.exe.


6 hours ago, Marcos said:

Does deleting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26D015BE-52F8-423E-B5A2-512B57B991A1} in safe mode make a difference?

Also please provide me with the file c:\program files\windowsmalwareprotection\config\systemreset.exe.

Hi, I don't have that regedit entry anymore (I ran MalwareBytes in the meantime, there were some entries which were deleted, can't remember now). In the attachment is the requested file: systemreset.rar

EDIT: MalwareBytes log: mb-results.txt

EDIT2: It does not make any difference, the issue still persists.

Edited by murko
Attached MalwareBytes log

Prior incidents of PowerShell/Agent.AEW trojan in the forum usually involved the creation of a Win service: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150342 ; the service running SyncAppvPublishingServer.vbs; with the service being started via scheduled task.

This current instance is different. It appears explorer.exe connects to the domain in question to either download the PowerShell malware or to run it remotely. In a remote PowerShell attack, the script being deployed must exist on the target device. So it is possible what is attempting to download from this domain is the script.

Sysinternals' Autoruns might be of assistance here, looking for a suspect explorer.exe task running at system startup time.


  • Administrators

Please delete systemreset.exe. It's a 1.4 GB Themida malware, specifically CoinMiner. It will be detected as Win64/Packed.Themida.QI trojan.


18 minutes ago, Marcos said:

Please delete systemreset.exe. It's a 1.4 GB Themida malware, specifically CoinMiner. It will be detected as Win64/Packed.Themida.QI trojan.

Hi, seems it fixed the issue, so far no connection attempts to that IP.


24 minutes ago, itman said:

Prior incidents of PowerShell/Agent.AEW trojan in the forum usually involved the creation of a Win service: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150342 ; the service running SyncAppvPublishingServer.vbs; with the service being started via scheduled task.

This current instance is different. It appears explorer.exe connects to the domain in question to either download the PowerShell malware or to run it remotely. In a remote PowerShell attack, the script being deployed must exist on the target device. So it is possible what is attempting to download from this domain is the script.

Sysinternals' Autoruns might be of assistance here, looking for a suspect explorer.exe task running at system startup time.

Hi, what would you need from the Autoruns?


Well, the joy was only temporary. After around 13 min, the issue is back. Also see the attached screen: apart from explorer.exe, cmd.exe is also being listed.

[attached screenshot: Snímka2.PNG]


As far as Autoruns goes, of note is this from the Malwarebytes posting:

Quote

I have disabled 2 scheduled tasks and removed triggers for now:
System32\Tasks\MicrosoftMalwareProtection
System32\Tasks\systemreset

Run Autoruns64.exe. Once it fully initializes, search for MicrosoftMalwareProtection and systemreset. Take a screenshot of the section where they are located. Don't modify anything yet.


1 hour ago, itman said:

As far as Autoruns goes, of note is this from the Malwarebytes posting:

Run Autoruns64.exe. Once it fully initializes, search for MicrosoftMalwareProtection and systemreset. Take a screenshot of the section where they are located. Don't modify anything yet.

This is for systemreset:

[attached screenshot]

For MicrosoftMalwareProtection there is nothing; the only remotely similar entry is: WindowsMalwareProtection

[attached screenshot]


  • Administrators

Please provide the content of the C:\Program Files\WindowsMalwareProtection folder. Move the folder to c:\esetvir for instance and reboot the machine.

You can then select the 2 scheduled tasks and delete them.


12 minutes ago, Marcos said:

Please provide the content of the C:\Program Files\WindowsMalwareProtection folder. Move the folder to c:\esetvir for instance and reboot the machine.

You can then select the 2 scheduled tasks and delete them.

C:\Program Files\WindowsMalwareProtection : WindowsMalwareProtection.rar


After removing the task schedule entries + WindowsMalwareProtection folder, it seems it's finally resolved, at least for now: almost 45 min without issue.


Another posting about this bugger on Reddit:

Quote

I think I have found it. It is an executable called MicrosoftMalwareProtection.exe under C:/Program Files/WindowsMalwareProtection/config. Everything in this folder is signed by Microsoft except for that one. It is executed at start up and a conhost with that weird command is called by it. 99% it is malware. I'll try to reverse engineer it to find out what it does.

Yesterday I opened the task manager and noticed an unusually high RAM usage. I went in the processes list and nothing, everything looked fine. So I started digging a little and found out that there is a conhost process that is using around 2.5 GB of RAM and that doesn't show up in the task manager. Here is a picture with the details.


https://www.reddit.com/r/techsupport/comments/zaqigb/is_this_a_maleware/

The interesting part is most of its binaries are Microsoft signed. It also appears the payload is embedded within conhost.exe. Based on what was recently posted in this thread, it appears cmd.exe was started or conhost.exe standalone; most likely in suspended mode, then process hollowing and/or command line modification was done on conhost.exe, and conhost.exe was started.

Perhaps it's time Eset started setting deep behavior inspection hooks into conhost.exe as it does for cmd.exe.

Edited by itman

Another important detail from the Reddit article I forgot to post. It is conhost.exe that is performing the remote communication:

Quote

Another thing that made me suspect is that it periodically opens and close a TCP connection with some server that appears located in Ukraine.

[attached screenshot: Eset_conhost.png]

Makes sense since conhost is what contains the malware code. So I will add an Eset firewall rule to block conhost.exe communication.

Edited by itman

8 minutes ago, itman said:

Another important detail from the Reddit article I forgot to post. It is conhost.exe that is performing the remote communication:

Makes sense since conhost is what contains the malware code. So I will add an Eset firewall rule to block conhost.exe communication.

Nice summary. As a preventive measure, it's good to block that conhost.exe, but it doesn't solve the root of the issue: where did it come from / what exactly causes it / how to detect it beforehand, imho.


36 minutes ago, murko said:

Nice summary. As a preventive measure, it's good to block that conhost.exe, but it doesn't solve the root of the issue: where did it come from / what exactly causes it / how to detect it beforehand, imho.

This puppy has been flying under the radar for some time. The Reddit article is 10 months old.

Out of curiosity, check Win add/remove programs and see if there is an entry for WindowsMalwareProtection or MicrosoftMalwareProtection.


2 minutes ago, itman said:

This puppy has been flying under the radar for some time. The Reddit article is 10 months old.

Out of curiosity, check Win add/remove programs and see if there is an entry for WindowsMalwareProtection or MicrosoftMalwareProtection.

Already checked, nothing there. Also scanned all drives for such files/folders, nothing except those mentioned before.
