Fraud/Rogue software

Forum for analysis and discussion about malware.
User avatar
FakeAVHunter
Posts: 91
Joined: Thu Feb 01, 2018 6:20 pm
Location: Romania
Contact:

Re: Fraud/Rogue software

Post by FakeAVHunter » Mon Apr 09, 2018 6:27 am

Windows Optimal Settings rogue software aka FakePAV
Including fake MSE alert + fake AV installed after reboot
Windows Optimal Settings.zip

Fedor22
Posts: 30
Joined: Sun Dec 03, 2017 5:50 pm
Location: Russian Federation

Re: Fraud/Rogue software

Post by Fedor22 » Mon Apr 09, 2018 7:03 pm

Netcom3 (Rogue)
Creates registry entries:

HKEY_CURRENT_USER\Software\Netcom3 Cleaner
HKEY_CURRENT_USER\Software\SpyClean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Netcom3 Cleaner_is1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETCOM3
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netcom3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETCOM3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netcom3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
VT (25/66): https://www.virustotal.com/en/file/0575 ... /analysis/

Post by FakeAVHunter » Wed Apr 25, 2018 5:20 pm

System Security 2009 rogue + DesktopHijack spyware and fake BSOD inside setup
DesktopHijack: [screenshot]

Rogue: [screenshot]
Activation code: WNDS-S0DF5-GS5E0-FG14S-2DF8G

Post by FakeAVHunter » Wed Apr 25, 2018 5:23 pm

AdwarePunisher
Image of rogue antispyware: [screenshot]
AdwarePunisher.zip

Post by Fedor22 » Fri Apr 27, 2018 1:52 pm

SpyDevastator
Creates registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\SpyDevastator.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyDevastator
HKEY_CURRENT_USER\Software\SpyDevastator
HKEY_CLASSES_ROOT\CLSID\{26F094F0-D2BD-5F02-03AE-2232D5E967E0}
HKEY_CLASSES_ROOT\CLSID\{4A277263-267B-42dc-8514-7B69E02048B3}
HKEY_CLASSES_ROOT\CLSID\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
HKEY_CLASSES_ROOT\CLSID\{D35BF620-EF22-4062-839C-64C534B4589B}
HKEY_CLASSES_ROOT\COMApp.1
HKEY_CLASSES_ROOT\COMApp
HKEY_CLASSES_ROOT\IEBHO.IEBHO.1
HKEY_CLASSES_ROOT\IEBHO.IEBHO
HKEY_CLASSES_ROOT\Interface\{0B682116-47F0-4C10-AD55-6161694DD89C}
HKEY_CLASSES_ROOT\Interface\{0D473E55-8ADE-4CBE-9505-A9B667D7F2EA}
HKEY_CLASSES_ROOT\Interface\{1741D490-88B5-4F58-A652-C74580E3AA49}
HKEY_CLASSES_ROOT\Interface\{18E539E7-CCBD-4CBE-BDF8-ED5EFD83D73B}
HKEY_CLASSES_ROOT\Interface\{1F351F56-F6BD-4CF0-83D0-7DF734C1F87D}
HKEY_CLASSES_ROOT\Interface\{1FADDE65-F172-4389-AFD5-2767F914E570}
HKEY_CLASSES_ROOT\Interface\{22668F72-05FE-4948-86B0-433C2E8B9155}
HKEY_CLASSES_ROOT\Interface\{2790D1D2-8F0D-4C3B-B50D-B534A7FD55AC}
HKEY_CLASSES_ROOT\Interface\{3E46CA64-6162-4379-B753-734F0A29F341}
HKEY_CLASSES_ROOT\Interface\{3EEF6634-DCFC-41C7-9369-3449C0158CAB}
HKEY_CLASSES_ROOT\Interface\{6C2EEB7A-51DF-4F6C-95C8-E5CFD49BF902}
HKEY_CLASSES_ROOT\Interface\{7D50576E-8784-434C-AD31-8067AD7FB168}
HKEY_CLASSES_ROOT\Interface\{95930A77-3895-4979-B0B9-25FF937FB584}
HKEY_CLASSES_ROOT\Interface\{ABA89A1A-2910-4712-B71C-5F46A23A9343}
HKEY_CLASSES_ROOT\Interface\{D6B7A318-3226-46BE-A776-A2D913985E19}
HKEY_CLASSES_ROOT\Interface\{DBF00870-1505-4570-8F3F-D3242032A038}
HKEY_CLASSES_ROOT\Interface\{F80B6555-44DC-461D-AB70-B06CD50212BB}
HKEY_CLASSES_ROOT\SpyDevastator.COMApp.1
HKEY_CLASSES_ROOT\SpyDevastator.COMApp
HKEY_CLASSES_ROOT\TypeLib\{09935339-92A8-4055-BB35-7247F6D12D6A}
HKEY_CLASSES_ROOT\TypeLib\{6FC10398-DF37-4894-88D1-5CC73B66B5AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
It also creates the following registry entry so that it executes whenever Windows starts:

HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\"SpyDevastator" = "C:\Program Files\SpyDevastator\SpyDevastator.exe /h"
VT (39/50): https://www.virustotal.com/en/file/09c6 ... /analysis/
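An added hunting script for the artifacts listed in this post and in the Netcom3 post above (example code written for this edit, not Fedor22's or the forum's). It walks the Run key of HKLM and of every loaded user hive, the IE Browser Helper Objects registration (resolving each CLSID to the DLL IE would load), and the services list, matching the value name, CLSID and service name quoted in the two posts. The `$SuspectPaths` wildcards are an assumption that the installers use directories named after the products. The SID in the post's HKEY_USERS path ends in -500, the built-in Administrator account, which is why the script enumerates all loaded hives rather than only HKCU.

```powershell
# Added example (not from the thread): hunt for the three persistence
# mechanisms the Netcom3 and SpyDevastator posts list -- Run-key autostarts,
# an IE Browser Helper Object, and a service. Indicator values are taken
# verbatim from the posts; $SuspectPaths is an assumption about install dirs.

$RunValueNames = @('SpyDevastator')                            # HKU\<SID>\...\Run\"SpyDevastator"
$ServiceNames  = @('Netcom3')                                  # HKLM\SYSTEM\...\Services\Netcom3
$BhoClsids     = @('{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}')   # BHO registered by SpyDevastator
$SuspectPaths  = @('*\SpyDevastator\*', '*\Netcom3*')          # assumption: dirs named after the products
$MetaProps     = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

function Test-SuspectPath([string]$Value) {
    # True when a command line or image path falls under one of the suspect directories.
    foreach ($pattern in $SuspectPaths) { if ($Value -like $pattern) { return $true } }
    return $false
}

# 1. Run keys: HKLM plus every loaded user hive (the post's SID ends in -500,
#    the built-in Administrator, so HKCU of the analyst's account would miss it).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
            ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }   # skip PowerShell's provider metadata
        if (($RunValueNames -contains $p.Name) -or (Test-SuspectPath "$($p.Value)")) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 2. Browser Helper Objects: each registered CLSID, resolved to the DLL that IE would load
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($bho in Get-ChildItem $bhoRoot) {
        $clsid = $bho.PSChildName
        $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
        if (($BhoClsids -contains $clsid) -or (Test-SuspectPath "$dll")) {
            $findings += [pscustomobject]@{ Type = 'BHO'; Location = $bhoRoot; Name = $clsid; Value = $dll }
        }
    }
}

# 3. Services: by name or by ImagePath. A matching Enum\Root\LEGACY_<name> key, as in
#    the Netcom3 post, is what the PnP manager creates for a legacy (non-PnP) driver service.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (($ServiceNames -contains $svc.PSChildName) -or (Test-SuspectPath "$img")) {
        $findings += [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Name = $svc.PSChildName; Value = $img }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No matching artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt on the infected machine or a mounted snapshot; without elevation the HKLM service keys and other users' hives are only partly readable. HKEY_USERS exposes only the hives of logged-on users, so for another profile mount its hive first with `reg load HKU\tmp C:\Users\<name>\NTUSER.DAT` and rerun. The HKCR\Interface and TypeLib keys in the post are ordinary COM registration and are not indicators on their own, which is why the script keys on the Run value, the BHO CLSID and the service instead.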

Post by FakeAVHunter » Sat Apr 28, 2018 10:36 am

SpyDawn rogue
Image: [screenshot]
Sample: SpyDawn.zip

Post by FakeAVHunter » Sat Apr 28, 2018 10:39 am

RegistryFox Rogue Registry Cleaner
Image: [screenshot]
RegistryFox.zip

Post by FakeAVHunter » Sat Apr 28, 2018 10:44 am

SpyVampire
Image: [screenshot]
Fakesmoke sample: SpyVampire.zip

Post by FakeAVHunter » Sat Apr 28, 2018 8:03 pm

Fedor22 wrote:
Fri Apr 27, 2018 1:52 pm
SpyDevastator
[quote of the SpyDevastator post above]
I tested this rogue antispyware ;D

Post by FakeAVHunter » Sun Apr 29, 2018 4:12 am

TRE Antivirus from the Fakesmoke family
TRE AntiVirus.zip
