Rogue Antimalware (FakeAV, 2013 year)

Topic locked

Rogue Antimalware (FakeAV, 2013 year)

#17613 by grum
Sat Jan 05, 2013 7:02 am

remark start

2010 year FakeAV
2011 year FakeAV
2012 year FakeAV

remark end

super FakeAV for all research :lol: ver 2013

Attachments

superbro2.zip

infected
(27.94 KiB) Downloaded 287 times

Last edited by EP_X0FF on Sat Jan 05, 2013 7:58 am, edited 2 times in total. Reason: see remark

Username

grum

Posts

38

Joined

Tue Nov 06, 2012 12:16 pm

Re: Rogue Antimalware (FakeAV, 2013 year)

#17615 by EP_X0FF
Sat Jan 05, 2013 7:47 am

Thats "XP Defender". It changes default reg ".exe" association so every time you try to launch exe this crap will popup.

Main part of FakeAV downloads from

hxxp://terminologyipadinitiating.org/

"Definitions", resources and decrypted loader attached.

Attachments

decrypted_loader.rar

pass: malware
(9.73 KiB) Downloaded 216 times

Malware.rar

pass: malware
(685.01 KiB) Downloaded 298 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#17827 by rusl
Wed Jan 23, 2013 12:38 pm

Rogue - Security Defender

SecurityDefender.7z

password: infected
(19.71 KiB) Downloaded 183 times

Username

rusl

Posts

8

Joined

Sat Jul 07, 2012 10:45 am

Re: Rogue Antimalware (FakeAV, 2013 year)

#17828 by ISergey256
Wed Jan 23, 2013 2:09 pm

rusl wrote:Rogue - Security Defender
SecurityDefender.7z

Activation Code: ?O?Z?L?W?I?T?F?Q?C?N?Y?K?V?H?S?E

Username

ISergey256

Posts

32

Joined

Wed Oct 05, 2011 11:42 am

Location

Ukraine

Re: Rogue Antimalware (FakeAV, 2013 year)

#17936 by Xylitol
Thu Jan 31, 2013 9:54 am

Disk Antivirus Professional

Original: https://www.virustotal.com/file/95e4027 ... 359625432/ > 21/46
Unpack: https://www.virustotal.com/file/41fc7f7 ... 359625192/ > 12/45
Network:

Code: Select all

GET /api/urls/?ts=f3626e3f&affid=00100 HTTP/1.1
Host: 112.121.178.189
---
GET /api/stats/install/?ts=f3626e3f&affid=00100&ver=3070024&group=dap HTTP/1.1
Host: 112.121.178.189
---
GET /p/?&lid=3070024&affid=00100&nid=8065D52C&group=dap HTTP/1.1
Host: kilopaybilling.com

Attachments

Bureau.zip

infected
(746.93 KiB) Downloaded 279 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#17940 by gied
Thu Jan 31, 2013 12:31 pm

Does it has Geo / VM protection?

Username

gied

Posts

10

Joined

Fri Jul 15, 2011 2:06 pm

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#17988 by fixrogues
Sat Feb 02, 2013 11:28 am

I was able to run it on a VMVare Machine.

Username

fixrogues

Posts

10

Joined

Sat Jun 02, 2012 6:41 am

Re: Rogue Antimalware (FakeAV, 2013 year)

#17989 by EP_X0FF
Sat Feb 02, 2013 11:44 am

gied wrote:Does it has Geo / VM protection?

It has at least VPC/Vmware detection.

Vmware by cpuid "VmwareVmware" and by VMX backdoor.
VPC by invalid command.

This detection located at @0043AEB7 in Xylitol dump.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rogue Antimalware (FakeAV, 2013 year)

#18226 by secObs
Sat Feb 16, 2013 8:57 pm

Another Disk Antivirus Professional.

Detection 5/46
https://www.virustotal.com/en/file/e8e4 ... 361048122/

MD5: d86062cf9c363fbe817b04665f311555
SHA-1: f4a18d4e939418133120ecdb9a959bfa4249fb10