A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32204  by Ene
 Sat Oct 27, 2018 5:32 pm
Potentially unwanted & Rogue software

Alright, I dedicate this thread basically to PUPs and FakeAVs. Essentially, the other rogue threads are dead, thus I want another one :)
If you want to contribute to this thread, please attach a screenshot of the malware and the archive, preferably with the "infected" password.

With that said, let's start the thread!

Shield Antivirus

Still up, ready to "optimize" computers ;) Available in different languages (using Google Translate), drops itself into Program Files, incredibly intrusive and constantly uses CPU.

SHA-256: 341b542a8a1eedfb88c654a23cf7d0cb6161137589ca9903dbc6ce52e66615bc
VirusTotal fail [1/67]: https://www.virustotal.com/#/file/341b5 ... /detection

hxxp://shieldapps.com/products/shield-antivirus

Screenshot: (image)
Attachment (8.96 MiB), password: infected
 #32207  by Ene
 Sun Oct 28, 2018 4:37 pm
WinThruster 2018

Another annoying fake registry scanner, usually comes with downloaders and OpenCandy installers. Pretends it's a panacea for every single malware sample :D (e.g. hxxp://www.solvusoft.com/en/malware/trojans/trojan-vundo-gen5). Available in different languages (Russian in my case). Takes a lot of RAM (nearly 400 MB) and CPU (10-20%), probably because of its awful scanning system. It has "twins" as well, located on the same site, like Driver Doc or WinSweeper.

SHA-256: 850f5c5df4bd2f5c0604a3e30098655e0605fe3664560a0895228365e4213b05
VirusTotal [10/67]: https://www.virustotal.com/#/file/850f5 ... /community

hxxp://www.solvusoft.com/en/software/winthruster

Screenshot: (image)
Attachment (2.54 MiB), password: infected
 #32208  by Fedor22
 Sun Oct 28, 2018 4:42 pm
Antivirus 10
After launch it is located in the "Temp" folder and creates a dropper in "Program Files". Blocks browser processes, changes Internet settings in the registry, detects fake infections and displays alert messages to scare users.
Antivirus 10:
MD5: 8dec83870332ff5e1c1de9da28cb0cb5
SHA1: 1da00992b80e4f1d3ff1d9bc15cd16e75a55c212
SHA256: 05972b5703989db7c849a4de9bb448136574b667553ab4b8d3c012fadd960fec
VirusTotal (46/62): https://www.virustotal.com/en/file/0597 ... /analysis/
Dropper:
MD5: fc1054b2812128760d3f9e0307ded322
SHA1: 8f140709feb7f9c364ccb7b2ce6b4c6bd6c78b9b
SHA256: 503069a6471c2ae20c618911253aec85a1a4d8b89e4c306dbe8b984fd1cf6d4d
VirusTotal (46/67): https://www.virustotal.com/en/file/5030 ... /analysis/
Site (dead): hxxp://security-plus4you.xp3.biz
Screenshot: (image)
Installer and dropper attached.
Attachment (2.27 MiB), password "infected" without quotes.
 #32222  by Fedor22
 Fri Nov 02, 2018 5:04 pm
DriverIdentifier
Creates itself in "Program Files", shows advertisements in the scan results and shows false positives to mislead users.
Installer:
MD5: b1504d5dc801c27f56e8b7e07502c142
SHA1: 415230c32f0314ae5f24087b3519566142ef7714
SHA256: 965993496a43e7c2979695f1b5fa3966f5c0c0231040a6c1c6f6a2297e5e85c1
VirusTotal fail (1/69): https://www.virustotal.com/en/file/9659 ... /analysis/
Site: hxxp://driveridentifier.com
Screenshot: (image)
Attachment (4.07 MiB), password "infected" without quotes.
 #32317  by Fedor22
 Fri Dec 14, 2018 6:40 pm
WiperSoft
Creates itself in "Program Files" and in the scheduled tasks, shows false positives to mislead users and after that asks to buy a product.
Installer:
MD5: 9e3604e2f65d31c8a6a01fd3ddbecc39
SHA1: d0efc6e4a424e277239c535802d66b619bd02872
SHA256: af24fcdd574c1097cc1709c9be008fe129c7a9d0ec9690c7694940e3b482afa6
VirusTotal fail (2/69): https://www.virustotal.com/en/file/af24 ... 544812215/
Site: hxxp://wipersoft.com
Screenshots: (images)
Attachment (839.98 KiB), password "infected" without quotes.
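The posts above list MD5/SHA-1/SHA-256 values for each sample. The following is an added example, not code from any poster in this thread: it parses hash lines written in the thread's own "MD5: / SHA1: / SHA256:" format into an IOC set (dropping malformed digests instead of silently never matching), hashes every file under a directory in a single pass, and reports hits. The digests in THREAD_IOCS are copied from the posts; the scanned directory, file names and the extra empty-file SHA-256 used in the demo are constructed for illustration.

```python
"""Offline IOC hash sweep for the PUP/FakeAV samples posted in this thread.

Added example, not part of the original posts. The MD5/SHA-1/SHA-256 values in
THREAD_IOCS are copied from the posts above; paths and file names are assumptions.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicator lines in the thread's own "MD5: / SHA1: / SHA256:" format (copied from the posts).
THREAD_IOCS = """
Shield Antivirus
SHA-256: 341b542a8a1eedfb88c654a23cf7d0cb6161137589ca9903dbc6ce52e66615bc
WinThruster 2018
SHA-256: 850f5c5df4bd2f5c0604a3e30098655e0605fe3664560a0895228365e4213b05
Antivirus 10
MD5: 8dec83870332ff5e1c1de9da28cb0cb5
SHA1: 1da00992b80e4f1d3ff1d9bc15cd16e75a55c212
SHA256: 05972b5703989db7c849a4de9bb448136574b667553ab4b8d3c012fadd960fec
Dropper
MD5: fc1054b2812128760d3f9e0307ded322
SHA1: 8f140709feb7f9c364ccb7b2ce6b4c6bd6c78b9b
SHA256: 503069a6471c2ae20c618911253aec85a1a4d8b89e4c306dbe8b984fd1cf6d4d
DriverIdentifier
MD5: b1504d5dc801c27f56e8b7e07502c142
SHA1: 415230c32f0314ae5f24087b3519566142ef7714
SHA256: 965993496a43e7c2979695f1b5fa3966f5c0c0231040a6c1c6f6a2297e5e85c1
WiperSoft
MD5: 9e3604e2f65d31c8a6a01fd3ddbecc39
SHA1: d0efc6e4a424e277239c535802d66b619bd02872
SHA256: af24fcdd574c1097cc1709c9be008fe129c7a9d0ec9690c7694940e3b482afa6
"""

# Accepts "MD5:", "SHA1:", "SHA-1:", "SHA256:", "SHA-256:" in any case, with stray whitespace.
_IOC_LINE = re.compile(r"^\s*(MD5|SHA-?1|SHA-?256)\s*:\s*([0-9a-fA-F]+)\s*$", re.I)
_EXPECTED_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(text):
    """Return {algo: set(lowercase hex digests)} from thread-style IOC lines.

    Non-hash lines are ignored. A digest whose length is wrong for its algorithm
    is dropped, so a truncated copy-paste cannot hide in the set and never match.
    """
    iocs = {algo: set() for algo in _EXPECTED_LEN}
    for line in text.splitlines():
        m = _IOC_LINE.match(line)
        if not m:
            continue
        algo = m.group(1).lower().replace("-", "")
        digest = m.group(2).lower()
        if len(digest) == _EXPECTED_LEN[algo]:
            iocs[algo].add(digest)
    return iocs


def hash_file(path, chunk_size=1 << 20):
    """Read the file once and compute all three digests; works for files of any size."""
    hashers = {algo: hashlib.new(algo) for algo in _EXPECTED_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_dir(root, iocs):
    """Walk root, hash every regular file, return [(path, algo, digest)] for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            for algo, digest in hash_file(p).items():
                if digest in iocs[algo]:
                    hits.append((str(p), algo, digest))
    return hits


def demo():
    """Constructed scenario: a benign file plus a stand-in 'sample' (an empty file).

    The empty file's SHA-256 is the well-known empty-input digest; it is added to the
    IOC set here only so the sweep has something to hit offline.
    """
    iocs = parse_iocs(THREAD_IOCS)
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "readme.txt"
        benign.write_bytes(b"nothing to see here")
        sample = Path(tmp) / "Program Files" / "installer.exe"  # assumed drop location
        sample.parent.mkdir()
        sample.write_bytes(b"")
        iocs["sha256"].add("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
        return scan_dir(tmp, iocs)


if __name__ == "__main__":
    for path, algo, digest in demo():
        print(f"HIT {algo} {digest} {path}")
```

Point it at a real tree with `scan_dir(r"C:\Program Files", parse_iocs(THREAD_IOCS))` on the victim machine; a hash sweep only catches the exact builds posted here, so treat a miss as "not this sample", not "clean".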
 #32318  by FakeAVHunter
 Sat Dec 15, 2018 8:27 am
XP MICRO ANTIVIRUS
Its interface: (image)
And Ghost Antivirus, with error fixed and database repaired
Its GUI: (image)
Attachments (1.73 MiB and 702.13 KiB), password: infected
 #32395  by FakeAVHunter
 Tue Jan 08, 2019 10:59 am
Debugged Total PC Defender 2010 to full version
NHDY-HD6G-7Fd4-M2753, that is what I found in this fake antivirus
Sample of the file used for cracking attached (1.29 MiB), password: infected
Screenshot (217).png: (image)