A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #31427  by FakeAVHunter
 Mon Apr 09, 2018 6:27 am
Windows Optimal Settings Rouge software aka FakePAV
Including fake MSE Alert + fakeav installed after reboot
Image
pass : infected
(2.29 MiB) Downloaded 24 times
 #31429  by Fedor22
 Mon Apr 09, 2018 7:03 pm
Netcom3 (Rogue)
Image
Creates registry entries:
Code: Select all
HKEY_CURRENT_USER\Software\Netcom3 Cleaner
HKEY_CURRENT_USER\Software\SpyClean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Netcom3 Cleaner_is1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETCOM3
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netcom3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETCOM3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netcom3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
VT (25/66): https://www.virustotal.com/en/file/0575 ... /analysis/
Attachments
(2.11 MiB) Downloaded 22 times
 #31476  by FakeAVHunter
 Wed Apr 25, 2018 5:20 pm
System Security 2009 Rogue + Desktophijack spyware and fake bsod inside setup
DesktopHijack : Image

Rogue : Image
Code Activation : WNDS-S0DF5-GS5E0-FG14S-2DF8G
Attachments
pass : infected
(451.05 KiB) Downloaded 25 times
 #31477  by FakeAVHunter
 Wed Apr 25, 2018 5:23 pm
AdwarePunisher
Image of rogue antispyware :
Image
pass : infected
(2.71 MiB) Downloaded 20 times
 #31490  by Fedor22
 Fri Apr 27, 2018 1:52 pm
SpyDevastator
Image
Creates registry entries:
Code: Select all
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\SpyDevastator.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyDevastator
HKEY_CURRENT_USER\Software\SpyDevastator
HKEY_CLASSES_ROOT\CLSID\{26F094F0-D2BD-5F02-03AE-2232D5E967E0}
HKEY_CLASSES_ROOT\CLSID\{4A277263-267B-42dc-8514-7B69E02048B3}
HKEY_CLASSES_ROOT\CLSID\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
HKEY_CLASSES_ROOT\CLSID\{D35BF620-EF22-4062-839C-64C534B4589B}
HKEY_CLASSES_ROOT\COMApp.1
HKEY_CLASSES_ROOT\COMApp
HKEY_CLASSES_ROOT\IEBHO.IEBHO.1
HKEY_CLASSES_ROOT\IEBHO.IEBHO
HKEY_CLASSES_ROOT\Interface\{0B682116-47F0-4C10-AD55-6161694DD89C}
HKEY_CLASSES_ROOT\Interface\{0D473E55-8ADE-4CBE-9505-A9B667D7F2EA}
HKEY_CLASSES_ROOT\Interface\{1741D490-88B5-4F58-A652-C74580E3AA49}
HKEY_CLASSES_ROOT\Interface\{18E539E7-CCBD-4CBE-BDF8-ED5EFD83D73B}
HKEY_CLASSES_ROOT\Interface\{1F351F56-F6BD-4CF0-83D0-7DF734C1F87D}
HKEY_CLASSES_ROOT\Interface\{1FADDE65-F172-4389-AFD5-2767F914E570}
HKEY_CLASSES_ROOT\Interface\{22668F72-05FE-4948-86B0-433C2E8B9155}
HKEY_CLASSES_ROOT\Interface\{2790D1D2-8F0D-4C3B-B50D-B534A7FD55AC}
HKEY_CLASSES_ROOT\Interface\{3E46CA64-6162-4379-B753-734F0A29F341}
HKEY_CLASSES_ROOT\Interface\{3EEF6634-DCFC-41C7-9369-3449C0158CAB}
HKEY_CLASSES_ROOT\Interface\{6C2EEB7A-51DF-4F6C-95C8-E5CFD49BF902}
HKEY_CLASSES_ROOT\Interface\{7D50576E-8784-434C-AD31-8067AD7FB168}
HKEY_CLASSES_ROOT\Interface\{95930A77-3895-4979-B0B9-25FF937FB584}
HKEY_CLASSES_ROOT\Interface\{ABA89A1A-2910-4712-B71C-5F46A23A9343}
HKEY_CLASSES_ROOT\Interface\{D6B7A318-3226-46BE-A776-A2D913985E19}
HKEY_CLASSES_ROOT\Interface\{DBF00870-1505-4570-8F3F-D3242032A038}
HKEY_CLASSES_ROOT\Interface\{F80B6555-44DC-461D-AB70-B06CD50212BB}
HKEY_CLASSES_ROOT\SpyDevastator.COMApp.1
HKEY_CLASSES_ROOT\SpyDevastator.COMApp
HKEY_CLASSES_ROOT\TypeLib\{09935339-92A8-4055-BB35-7247F6D12D6A}
HKEY_CLASSES_ROOT\TypeLib\{6FC10398-DF37-4894-88D1-5CC73B66B5AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
It also create the following registry entry so that it executes whenever Windows starts:
Code: Select all
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\"SpyDevastator" = "C:\Program Files\SpyDevastator\SpyDevastator.exe /h"
VT (39/50): https://www.virustotal.com/en/file/09c6 ... /analysis/
Attachments
(2.33 MiB) Downloaded 20 times
 #31496  by FakeAVHunter
 Sat Apr 28, 2018 10:36 am
SpyDawn Rogue
IMAGE :
Image
Sample :
pass : infected
(3.08 MiB) Downloaded 18 times
 #31497  by FakeAVHunter
 Sat Apr 28, 2018 10:39 am
RegistryFox Rogue Registry Cleaner
Image : Image
pass : infected
(1.47 MiB) Downloaded 14 times
 #31498  by FakeAVHunter
 Sat Apr 28, 2018 10:44 am
SpyVampire
Image : Image
Fakesmoke sample :
pass : infected
(3.22 MiB) Downloaded 17 times
 #31504  by FakeAVHunter
 Sat Apr 28, 2018 8:03 pm
Fedor22 wrote: Fri Apr 27, 2018 1:52 pm SpyDevastator
Image
Creates registry entries:
Code: Select all
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\SpyDevastator.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyDevastator
HKEY_CURRENT_USER\Software\SpyDevastator
HKEY_CLASSES_ROOT\CLSID\{26F094F0-D2BD-5F02-03AE-2232D5E967E0}
HKEY_CLASSES_ROOT\CLSID\{4A277263-267B-42dc-8514-7B69E02048B3}
HKEY_CLASSES_ROOT\CLSID\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
HKEY_CLASSES_ROOT\CLSID\{D35BF620-EF22-4062-839C-64C534B4589B}
HKEY_CLASSES_ROOT\COMApp.1
HKEY_CLASSES_ROOT\COMApp
HKEY_CLASSES_ROOT\IEBHO.IEBHO.1
HKEY_CLASSES_ROOT\IEBHO.IEBHO
HKEY_CLASSES_ROOT\Interface\{0B682116-47F0-4C10-AD55-6161694DD89C}
HKEY_CLASSES_ROOT\Interface\{0D473E55-8ADE-4CBE-9505-A9B667D7F2EA}
HKEY_CLASSES_ROOT\Interface\{1741D490-88B5-4F58-A652-C74580E3AA49}
HKEY_CLASSES_ROOT\Interface\{18E539E7-CCBD-4CBE-BDF8-ED5EFD83D73B}
HKEY_CLASSES_ROOT\Interface\{1F351F56-F6BD-4CF0-83D0-7DF734C1F87D}
HKEY_CLASSES_ROOT\Interface\{1FADDE65-F172-4389-AFD5-2767F914E570}
HKEY_CLASSES_ROOT\Interface\{22668F72-05FE-4948-86B0-433C2E8B9155}
HKEY_CLASSES_ROOT\Interface\{2790D1D2-8F0D-4C3B-B50D-B534A7FD55AC}
HKEY_CLASSES_ROOT\Interface\{3E46CA64-6162-4379-B753-734F0A29F341}
HKEY_CLASSES_ROOT\Interface\{3EEF6634-DCFC-41C7-9369-3449C0158CAB}
HKEY_CLASSES_ROOT\Interface\{6C2EEB7A-51DF-4F6C-95C8-E5CFD49BF902}
HKEY_CLASSES_ROOT\Interface\{7D50576E-8784-434C-AD31-8067AD7FB168}
HKEY_CLASSES_ROOT\Interface\{95930A77-3895-4979-B0B9-25FF937FB584}
HKEY_CLASSES_ROOT\Interface\{ABA89A1A-2910-4712-B71C-5F46A23A9343}
HKEY_CLASSES_ROOT\Interface\{D6B7A318-3226-46BE-A776-A2D913985E19}
HKEY_CLASSES_ROOT\Interface\{DBF00870-1505-4570-8F3F-D3242032A038}
HKEY_CLASSES_ROOT\Interface\{F80B6555-44DC-461D-AB70-B06CD50212BB}
HKEY_CLASSES_ROOT\SpyDevastator.COMApp.1
HKEY_CLASSES_ROOT\SpyDevastator.COMApp
HKEY_CLASSES_ROOT\TypeLib\{09935339-92A8-4055-BB35-7247F6D12D6A}
HKEY_CLASSES_ROOT\TypeLib\{6FC10398-DF37-4894-88D1-5CC73B66B5AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
It also create the following registry entry so that it executes whenever Windows starts:
Code: Select all
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\"SpyDevastator" = "C:\Program Files\SpyDevastator\SpyDevastator.exe /h"
VT (39/50): https://www.virustotal.com/en/file/09c6 ... /analysis/
I Tested this rogueantispyware ;D
 #31508  by FakeAVHunter
 Sun Apr 29, 2018 4:12 am
TRE Antivirus from Fakesmoke family
Image
pass : infected
(1001.03 KiB) Downloaded 16 times
  • 1
  • 8
  • 9
  • 10
  • 11
  • 12