Welcome to the new Woodmann RCE Messageboards Regroupment

some FB shared malware.

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Some hot link was shared on FB:

http://tiny.cc/nt7ebx#UZwLn=Avier

goes to

http://www.fileshareservices.net/ads21. ... ub_id=1702

PS: did not run it myself yet

EDIT update:
I ran this in a VM and it downloaded some other .NET runtime thingies..

password: malware
Attachment: FLVGuncelle.zip (136.02 KiB)
wbe
Posts: 139
Joined: Fri Oct 19, 2001 7:53 am
Location: Ankara, Turkey

Post by wbe »

FB is the root of all eval, ...erm, evil. :devil:

P.S.: Guncelle = Update in TR. Fancy that, looks like some compatriot is involved in spreading malware.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

do you mean, it is NOT malware??
and 34 of 50 AV are wrong?
https://www.virustotal.com/en/file/42af ... /analysis/
Woodmann
Posts: 3605
Joined: Fri Jan 26, 2001 6:28 pm

Post by Woodmann »

He's saying it is malware, with some info included that indicates someone from his country is involved.

Woodmann
Learn Or Die.
malice
Junior Member
Posts: 3
Joined: Sun Mar 16, 2014 1:28 am

Post by malice »

The piece you attached is a very simplistic downloader, probably written by a teenager. It achieves persistence via registry, then connects to http://www.fileshareservices.org/extFil ... rol409.txt to get the URL for another file, which it then downloads and executes. Presently the file control409.txt does not exist at fileshareservices.org though, so the malware is basically harmless until someone creates it.
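A defender-side illustration of the staged-download pattern malice describes (fetch a small control file, then download and run the executable it points to), added here as an example that is not part of the thread or of the sample itself. It scans constructed proxy-log records and flags any process that fetches a tiny `.txt` file and then pulls an executable within a short window. Only the `fileshareservices.org` host and the `control409.txt` file name come from the thread; the log format, the process name, the elided directory placeholder and the payload URL are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy-log lines (not real traffic): time, client process, URL, bytes.
# The control-file directory is elided on the page, so a placeholder is used.
SAMPLE_LOG = """\
2014-03-16T10:00:01 FLVGuncelle.exe http://www.fileshareservices.org/DIR-ELIDED/control409.txt 61
2014-03-16T10:00:04 FLVGuncelle.exe http://payload-host.example/stage2.exe 214520
2014-03-16T10:02:10 firefox.exe http://example.org/readme.txt 1200
2014-03-16T10:05:00 firefox.exe http://example.org/setup.exe 900000
"""

CONTROL_EXT = (".txt",)
PAYLOAD_EXT = (".exe", ".dll", ".scr")
WINDOW = timedelta(minutes=2)


def parse_log(text):
    """Parse the constructed format into (time, process, url, size) tuples."""
    out = []
    for line in text.splitlines():
        ts, proc, url, size = line.split()
        out.append((datetime.fromisoformat(ts), proc, url, int(size)))
    return out


def find_staged_downloads(events, window=WINDOW, max_control_bytes=4096):
    """Return (process, control_url, payload_url) triples where one process
    fetched a small text 'control' file and then an executable within `window`.
    The firefox.exe pair in SAMPLE_LOG is outside the window and is not flagged."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev[1]].append(ev)
    hits = []
    for proc, evs in by_proc.items():
        evs.sort()  # chronological order per process
        for i, (t0, _, url0, size0) in enumerate(evs):
            path0 = urlparse(url0).path.lower()
            if not path0.endswith(CONTROL_EXT) or size0 > max_control_bytes:
                continue
            for t1, _, url1, _ in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                if urlparse(url1).path.lower().endswith(PAYLOAD_EXT):
                    hits.append((proc, url0, url1))
    return hits


if __name__ == "__main__":
    for hit in find_staged_downloads(parse_log(SAMPLE_LOG)):
        print("staged download:", hit)
```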
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Well, that day I downloaded more than 2 MB of other .NET executables, then deleted those.. did not want to keep such trash even in the thread..