

Remote Access SCAMMERS Tools left behind. Can someone here analyze them?


6 replies to this topic

#1 Iam1nsan3 (Members, 20 posts, Location: Australia)

Posted 20 August 2016 - 07:28 AM

Hello,

I am a Desktop Support Technician; today, 20th August 2016, I attended a call for someone who thought that they had been scammed.

The short answer is Yes, big time.

The scammer had removed the user's paid-for AV and replaced it with Vipre AV. But he also left 5 executables on the desktop which he had yet to set up. He tried this while I was there; after calling him a low life, telling him he was busted and a bit more, I told him not to call this number again and hung up on him.

He had already hacked the web browser and had managed to withdraw $10000 from this pensioner's bank account in the 12 hours since he called.

2 of the exes have the following in the file description EXIF data:

"Terminates malware processes so that you can run your normal security programs." Bleeping Computer.com. Original name RKill.exe.

These exes are named "Banking Protection" and "Firewall", same file. There is also "WiFi Protection" and "NET BLOCKER". The EXIF data on the last 2 files is empty. The last file is ATF-Cleaner, which he probably uses to clean up after himself.

 

Is there anyone here who could pull these apart and analyze them, and see what they were designed to do? I have reported the incident to ScamWatch Australia and the customer has informed his bank, who are investigating. But I also advised him to contact the Police considering the amount stolen. I will be providing his bank and the Police with a report of what was found; it would be pretty awesome if I could also add an analysis of the tools as well.

If the answer is YES, please advise where to upload the archived files.

I am thinking it will be a YES; he is using Bleeping Computer's tools for EVIL.

 

Thank you


Edited by hamluis, 20 August 2016 - 07:30 AM.
Moved from MRL to General Security - Hamluis.




#2 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,087 posts, Location: The Arctic Circle)

Posted 20 August 2016 - 07:57 AM

You should upload those files to virustotal. If they are malicious, you will see quite a few detections.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Iam1nsan3, Topic Starter (Members, 20 posts, Location: Australia)

Posted 20 August 2016 - 08:28 AM

Thank you xXToffeeXx.

I did exactly that.

It appears that the 2 Rkill.exe files that are renamed to "Banking Protection" & "Firewall" are CLEAN.

But not the other 3; I have added screenshots of the results below.

 

[Three screenshots of the VirusTotal results for the remaining files]


Edited by Iam1nsan3, 20 August 2016 - 08:44 AM.


#4 Grinler, Lawrence Abrams (Admin, 43,718 posts, Location: USA)

Posted 20 August 2016 - 10:05 AM

Obviously not happy that these scumbags are using my Rkill tool.

 

For the other three, can you upload to http://www.bleepingcomputer.com/submit-malware.php?channel=3 please



#5 Iam1nsan3, Topic Starter (Members, 20 posts, Location: Australia)

Posted 20 August 2016 - 10:31 AM

Thank you Lawrence, the files are archived and named "SCAMMER Hack Tools.7z". I have also uploaded the Rkill copies, named "Rkill modified.7z". The files use a different icon, so they may be modified.

Thank you.
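One way to settle the "renamed but maybe modified" question from the posts above, as an added example that is not code from any poster or from BleepingComputer: it pulls the OriginalFilename and FileDescription strings out of a PE's version info with a plain strings-style scan, flags a file whose on-disk name differs from the embedded one, and compares the SHA-256 against a known-good digest so a pristine renamed RKill can be told apart from a tampered copy. The sample bytes and the KNOWN_GOOD table are constructed here; in real use the digest comes from a fresh download, and the scan is a heuristic rather than a full PE resource parser.

```python
import hashlib
import os
from typing import Optional

def _vi(key: str, value: str) -> bytes:
    # One VS_VERSIONINFO string entry: NUL-terminated UTF-16LE key, then value.
    return key.encode("utf-16-le") + b"\x00\x00" + value.encode("utf-16-le") + b"\x00\x00"

# Constructed stand-in for the renamed RKill copies from the thread: a fake PE
# header followed by the two version-info strings quoted in the first post.
SAMPLE_RENAMED_RKILL = (
    b"MZ" + b"\x00" * 14
    + _vi("FileDescription", "Terminates malware processes so that you can run your normal security programs.")
    + _vi("OriginalFilename", "RKill.exe")
)
# Same strings, one extra byte: models a copy that was tampered with.
SAMPLE_MODIFIED = SAMPLE_RENAMED_RKILL + b"\x90"
# Constructed allow-list; in practice, hash a fresh download from bleepingcomputer.com.
KNOWN_GOOD = {hashlib.sha256(SAMPLE_RENAMED_RKILL).hexdigest(): "RKill.exe"}

def version_string(data: bytes, key: str) -> Optional[str]:
    """Strings-style scan: find the UTF-16LE key, skip its terminator and any
    alignment padding, then read whole code units up to the next NUL unit."""
    needle = key.encode("utf-16-le") + b"\x00\x00"
    pos = data.find(needle)
    if pos < 0:
        return None
    pos += len(needle)
    while data[pos:pos + 2] == b"\x00\x00":
        pos += 2
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")

def triage(file_name: str, data: bytes, known_good: dict) -> dict:
    """Flag a file whose on-disk name differs from its embedded OriginalFilename
    and report whether its SHA-256 matches a known-good copy."""
    digest = hashlib.sha256(data).hexdigest()
    original = version_string(data, "OriginalFilename")
    stem = os.path.splitext(os.path.basename(file_name))[0].lower()
    orig_stem = os.path.splitext(original)[0].lower() if original else None
    return {
        "sha256": digest,
        "description": version_string(data, "FileDescription"),
        "original_filename": original,
        "renamed": orig_stem is not None and orig_stem != stem,
        "known_good": known_good.get(digest),  # None: not a pristine copy, look closer
    }
```

A renamed file whose hash still matches the genuine tool is just a relabelled copy; one that is renamed and has no known-good match is the case worth sending to the malware submission channel.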



#6 Will5200 (Members, 141 posts, Location: United States)

Posted 22 August 2016 - 10:58 AM

Did anyone catch their phone number?



#7 Iam1nsan3, Topic Starter (Members, 20 posts, Location: Australia)

Posted 22 August 2016 - 09:27 PM

Actually yes. This is what was in a text document on the client's desktop.

 

contact number- 0730408989
contact person- Dean Watson
computer id-083050ms789

 

I tried to do a reverse number check and got as far as the phone number is either in Brisbane QLD or Bribie Island QLD.





