This is a winlocker of Indian origin. (used to try to get people to call tech support scams)
Using any one of hardcoded serials "h7c9-7c67-jb" "g6r-qrp6-h2" "yt-mq-6w" starts explorer and appwiz, probably so whoever is remoted in can remove the winlocker.
Also, ctrl+shift+S just kills the winlocker, and does nothing else.
Also, ctrl+shift+T starts a bundled teamviewer setup (seems to be legitimate, judging by signature)
Attached: "PC Cleaner.exe" (installer, .msi in resources), plus deobfuscated versions of the three binaries included that are obfuscated with .NET Reactor + native wrapper. (Which, for the record, makes the detection rate of the packed files higher than the unpacked files.)
Installer: https://www.virustotal.com/en-gb/file/b ... 462299202/
MSI: https://www.virustotal.com/en-gb/file/9 ... 462299262/
MicrosoftTool.exe (does half of the job of setting up the winlocker, it gets added to the GAC by the .msi which runs its MicrosoftInstaller.Install() function): https://www.virustotal.com/en-gb/file/0 ... 462299550/
microsoft.exe (main winlocker, packed): https://www.virustotal.com/en-gb/file/d ... 462299752/
microsoft.exe (main winlocker, unpacked): https://www.virustotal.com/en-gb/file/0 ... 462299768/
PC_cleaner_database.exe (checks for a number to call, runs the main winlocker if found, packed): https://www.virustotal.com/en-gb/file/b ... 462299862/
PC_cleaner_database.exe (unpacked): https://www.virustotal.com/en-gb/file/3 ... 462299870/
Forum for analysis and discussion about malware.
1 post • Page 1 of 1