Unrecognized virus

After the first run, it is placed in the autostart; when the system reboots, it opens a QEMU window with the title “deSecurity_test”. This virus can get onto the computer without user involvement; presumably it is a vulnerability that has full access to Windows.

UNREGONIZED_VIRUS.zip


15 minutes ago, Marcos said:

Please provide logs collected with ESET Log Collector.

I would like to add a note: I tested this virus on an Oracle VM VirtualBox virtual machine for security purposes.

This virus will create a second explorer.exe file, located in c:\windows\syswow64, where it can't be in a default system. I'll block its network access through Windows Firewall.

And, presumably, this virus creates a second, fake cmd and powershell file, and these files will be located in the syswow64 folder too.

ELC_logs.zip


  • Administrators

ESET is not installed on the machine. For an unknown reason the installer was unable to connect to the download server:

Failed to connect to server. Error: 0x8007043C

You might need to boot from a 100% clean drive and then run a full disk scan.


I understand, but I would like you to analyze this virus if possible.

Especially since, if you upload these files to VirusTotal, they are not detected by any antivirus.


  • Administrators
5 minutes ago, koza4ok said:

Especially since, if you upload these files to VirusTotal, they are not detected by any antivirus.

What files are you referring to? Please provide a link to VT results.

The files in your initial post are clean. There are 2 obfuscated data files which look like part of an NSIS Injector, but on their own they do not pose any risk.


In order for you to understand me exactly, try to run this file and see what happens to the system; look, for example, through the program System Informer. When you delete the two obfuscated files, the virus does not work correctly.


1 hour ago, koza4ok said:

Refer to VT Behavior Analysis. The sandbox detects it as malicious, i.e. a YARA rule detection for RemcosRAT:

Quote

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Remcos 3.x/4.x TLS Connection"; flow:established,to_server; ja3.hash; content:"a85be79f7b569f1df5e6087b69deb493"; classtype:command-and-control; sid:2036594; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, malware_family Remcos, confidence High, signature_severity Major, updated_at 2023_10_19;)


Also of note is that many AVs won't detect anything in this archive until its contents have been extracted.

You need to extract its file contents and see if whatever AV you have installed detects any malware within the archive contents.


The problem is that this virus got on the computer by itself; secondly, I checked the files separately, not in the archive, and they still were not detected.


  • Administrators

There's a patched DLL that exploits DLL side-loading. It will be detected as Win64/Agent.ERF trojan.


4 hours ago, koza4ok said:

The problem is that this virus got on the computer by itself; secondly, I checked the files separately, not in the archive, and they still were not detected.

My guess is this app installer dialed out to the attacker's C&C server, downloaded the malicious .dll and dropped it in the directory where the app was installed. Windows, via its since-day-one vulnerable .dll side-loading feature, will search the directory where the app was installed first when loading a .dll.

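The search-order behaviour described in that last post is what a defender checks for in the application's install directory. The following PowerShell is an added example, not code from this thread or from ESET: it lists DLLs under an application directory that shadow a same-named DLL in System32 and are unsigned, patched (hash mismatch) or not validly Microsoft-signed; the $AppDir path is an assumption to be replaced with the real install directory.

```powershell
# Added example: find DLLs in an app directory that would win the search order
# over a Windows DLL of the same name. $AppDir is an assumed placeholder path.
param(
    [string]$AppDir    = "C:\Program Files\SuspectApp",   # assumption: adjust
    [string]$SystemDir = "$env:SystemRoot\System32"       # use SysWOW64 for 32-bit apps
)

function Get-SideLoadCandidates {
    param([string]$AppDir, [string]$SystemDir)

    # Names of DLLs Windows ships in the system directory. A same-named DLL in
    # the application directory is found first and loaded instead.
    $systemDlls = @(Get-ChildItem -Path $SystemDir -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name.ToLowerInvariant() })
    $systemSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$systemDlls)

    Get-ChildItem -Path $AppDir -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # A legitimate DLL that was binary-patched keeps its signature block
            # but the hash no longer matches, so Status shows HashMismatch.
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path             = $_.FullName
                ShadowsSystemDll = $systemSet.Contains($_.Name.ToLowerInvariant())
                SignatureStatus  = $sig.Status
                Signer           = $signer
                SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWriteUtc     = $_.LastWriteTimeUtc
            }
        } |
        Where-Object {
            # Keep only DLLs that shadow a system DLL and are not validly Microsoft-signed
            $_.ShadowsSystemDll -and
            -not ($_.SignatureStatus -eq 'Valid' -and $_.Signer -like '*Microsoft*')
        }
}

Get-SideLoadCandidates -AppDir $AppDir -SystemDir $SystemDir | Format-Table -AutoSize
```

The SHA256 column gives you the value to look up on VirusTotal or submit to your AV vendor, and LastWriteUtc helps tie the drop to the installer's run time.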
