Win32/LoadMoney

Forum for analysis and discussion about malware.
ikolor
Posts: 298
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Win32/LoadMoney

Post by ikolor » Fri Sep 30, 2016 12:07 pm

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware collection

Post by EP_X0FF » Tue Oct 18, 2016 6:59 am

unidentified.exe - PUP InstallMonster.
notify.exe - Win32/KingSoft adware
nethost.exe - Win32/LoadMoney trojan with VM detect.

Code:

F R O M       ,       S E L E C T       W H E R E     W Q L   t r u e     f a l s e   d i s p l a y N a m e   p r o d u c t S t a t e     R O O T \ S e c u r i t y C e n t e r 2     |   e   o   u   n n     o n A c c e s s S c a n n i n g E n a b l e d   p r o d u c t U p t o D a t e   R O O T \ S e c u r i t y C e n t e r   n   A n t i v i r u s P r o d u c t
S E L E C T   *   F R O M       m a n u f a c t u r e r     m o d e l   v i r t u a l b o x     v m w a r e     p a r a l l e l s   q e m u     w i n e     v i r t u a l   W i n 3 2 _ C o m p u t e r S y s t e m     R O O T \ C I M v 2     channel installed_after installed_before    name    period  type    runfile url params  $ _ _ C H N     waiting_time    infinite    run_d   openurl o p e n     & t =   l   U n k n o w n   t y p e   o f   t a s k     &   & a n t i v i r u s e s =   o n l i n e     S o f t w a r e \ M i c r o s o f t \   1   0   i n s t a l l   updateversion   updateurl   tasks         - - a f t e r u p d a t e     u p d a t e     . o l d     _ u p g r a d e . e x e     S o f t w a r e \   / D e l e t e   / F   / T N   % s   s c h t a s k s . e x e         S O F T W A R E \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ U n i n s t a l l \     % s \ % s _ % i . e x e     r   A u t h o r   n a m e   T r i g g e r 1     % 0 4 d - % 0 2 d - % 0 2 d T % 0 2 d : % 0 2 d : % 0 2 d   P T 1 5 M   % s . j o b     % s   - - r e m o v e   U n i n s t a l l S t r i n g   D i s p l a y N a m e   P u b l i s h e r   D i s p l a y V e r s i o n     S o f t w a r e \ % s \     % s \ 

Thread split, posts moved to Win32/LoadMoney.
Ring0 - the source of inspiration
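
Added example (not part of the original post and not the poster's tooling): a small Python triage helper that extracts UTF-16LE strings from a sample and flags the two behaviours the strings quoted above point to, the WMI virtual-machine check and the SecurityCenter2 antivirus enumeration. The function names, the scoring thresholds and the sample buffer are constructed for illustration.

```python
import re

# Indicator groups taken from the strings quoted in the post above.
VM_MARKERS = ("virtualbox", "vmware", "parallels", "qemu", "wine")
WMI_VM_CONTEXT = ("win32_computersystem", "manufacturer", "model")
AV_ENUM_CONTEXT = ("root\\securitycenter2", "antivirusproduct", "productstate")

def wide_strings(data: bytes, min_len: int = 4) -> list:
    """Extract printable UTF-16LE strings (ASCII byte followed by a NUL byte)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]

def present(names, haystack):
    """Return the indicator names that occur inside any extracted string."""
    return sorted(n for n in names if any(n in s for s in haystack))

def triage(data: bytes) -> dict:
    """Report which environment-check indicators appear among the wide strings."""
    found = {s.lower() for s in wide_strings(data)}
    vm = present(VM_MARKERS, found)
    wmi = present(WMI_VM_CONTEXT, found)
    av = present(AV_ENUM_CONTEXT, found)
    return {
        "vm_markers": vm,
        "wmi_context": wmi,
        "av_context": av,
        # Assumed threshold: several vendor names plus the WMI class exposing them.
        "vm_check_likely": len(vm) >= 2 and "win32_computersystem" in wmi,
        "av_enum_likely": "antivirusproduct" in av and "root\\securitycenter2" in av,
    }

def constructed_sample() -> bytes:
    """Constructed test buffer: wide strings from the post, plus ASCII noise."""
    wide = ["SELECT * FROM", "manufacturer", "model", "virtualbox", "vmware",
            "parallels", "qemu", "wine", "Win32_ComputerSystem", "ROOT\\CIMv2",
            "ROOT\\SecurityCenter2", "AntivirusProduct", "productState"]
    body = b"\x00\x00".join(s.encode("utf-16-le") for s in wide)
    return b"MZ\x90\x00" + body + b"\x00\x00channel\x00"

if __name__ == "__main__":
    for key, value in triage(constructed_sample()).items():
        print(f"{key}: {value}")
```

A single vendor name on its own (for example an installer that mentions VMware) does not trip `vm_check_likely`; the flag needs the vendor list together with the `Win32_ComputerSystem` class name.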

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Win32/LoadMoney

Post by markusg » Sat Mar 24, 2018 4:11 pm

Last edited by R136a1 on Sun Mar 25, 2018 11:47 am, edited 1 time in total.
Reason: Attached the file, thanks for reporting the error!
