

Version of Privazer calling out to random .bid domains


6 replies to this topic

#1 sylokdefiled

sylokdefiled

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:29 AM

Posted 10 May 2018 - 08:27 AM

Looks like a Trojan to me. 

 

Also has bank names in strings in memory.

 

Tries to reach out to: (all dead)

 

bun.companythings[.]bid
ny.feelingeffect[.]bid
ake.needmonth[.]bid
hxxp://ake.needmonth[.]bid/stub_maker.php?program=sevenzip&tid=20568506&pid=3262&b_typ=pe&reb=1&name=PrivaZer.Donors.v3.0.42.0.E.Portable.Multilingua

 

SHA: 9dacaf54c9bafd7618c1d166752a823054f878a0ce72003cf1a539355c32a754

 





#2 buddy215

buddy215

  • Moderator
  • 13,318 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:29 AM

Posted 10 May 2018 - 10:06 AM

If you haven't scanned your computer for malware and adware... you should. You can get help with that by starting a new topic in the Am I infected? What do I do? forum, or ask a moderator (hamluis) to move this topic to that forum.

Be sure to mention the site you downloaded that program from if you start a new topic.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics... you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,717 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:29 AM

Posted 10 May 2018 - 01:56 PM

Yes, this looks suspicious.

 

I downloaded the latest PrivaZer from their site (MD5 F5A9F1730D03A3F945A8F2C190E8C700), and it does not contain these bid URLs.

This one does have a valid digital signature, your sample does not.

 

Where did you get this sample? It was submitted only once to VirusTotal March 17th 2018.


Edited by Didier Stevens, 10 May 2018 - 01:58 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,717 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:29 AM

Posted 10 May 2018 - 02:22 PM

The bid URLs contain BASE64 that decodes to:

 

PrivaZer.Donors.v3.0.42.0.E.Portable.Multilingua

 

Probably cracked software.


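The three checks made in this thread (pulling the defanged `.bid` hosts out of the first post, decoding the BASE64 query parameter Didier describes, and comparing a file's hash or an in-memory string set against the indicators, as a retrohunt YARA rule would) can be scripted for triage. The following is an added example written for this page, not code from the thread or from PrivaZer; the post text, the memory blob and the base64 form of the `name=` value (encoded here from the decoded string Didier quotes, since the thread as shown only gives the decoded form) are constructed for the demonstration.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed analyst notes in the thread's defanged style (hxxp://, [.]).
# The name= value is the base64 form of the string Didier decoded in post #4.
POST_TEXT = """Tries to reach out to: (all dead)
bun.companythings[.]bid ny.feelingeffect[.]bid ake.needmonth[.]bid
hxxp://ake.needmonth[.]bid/stub_maker.php?program=sevenzip&tid=20568506&pid=3262&b_typ=pe&reb=1&name=UHJpdmFaZXIuRG9ub3JzLnYzLjAuNDIuMC5FLlBvcnRhYmxlLk11bHRpbGluZ3Vh
"""
SAMPLE_URL = next(line for line in POST_TEXT.splitlines() if line.startswith("hxxp"))

# SHA256 quoted in the first post for the suspicious binary.
KNOWN_BAD_SHA256 = "9dacaf54c9bafd7618c1d166752a823054f878a0ce72003cf1a539355c32a754"

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp://, [.]) back into a parseable form."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def extract_domains(text: str) -> list:
    """Unique, lower-cased hostnames mentioned in analyst notes (defanged or not)."""
    return sorted({m.group(0).lower() for m in DOMAIN_RE.finditer(refang(text))})


def decode_b64_params(url: str) -> dict:
    """Base64-decode every query parameter whose value decodes to printable ASCII.

    Values that are not valid base64, or that decode to binary noise
    (e.g. the short numeric ids in the sample URL), are skipped.
    """
    decoded = {}
    for key, value in parse_qsl(urlsplit(refang(url)).query):
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # non-alphabet characters or bad padding
            continue
        if raw and all(32 <= b < 127 for b in raw):
            decoded[key] = raw.decode("ascii")
    return decoded


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 of a buffer, for comparison with hashes quoted in reports."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_bad(data: bytes) -> bool:
    """True if the buffer is byte-for-byte the sample from the first post."""
    return file_hashes(data)["sha256"] == KNOWN_BAD_SHA256


def scan_for_iocs(data: bytes, iocs) -> list:
    """Indicator strings present in a blob as ASCII or UTF-16LE (Windows binaries
    commonly hold hostnames in either), the check a plain YARA strings rule makes."""
    return [ioc for ioc in iocs
            if ioc.encode("ascii") in data or ioc.encode("utf-16-le") in data]


# Constructed stand-in for a process memory dump with an embedded C2 hostname.
SAMPLE_BLOB = b"\x00MZ\x90\x00" + "ake.needmonth.bid".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    domains = extract_domains(POST_TEXT)
    print("domains:", domains)
    print("decoded params:", decode_b64_params(SAMPLE_URL))
    print("iocs in blob:", scan_for_iocs(SAMPLE_BLOB, domains))
    print("blob hashes:", file_hashes(SAMPLE_BLOB), "known bad:", matches_known_bad(SAMPLE_BLOB))
```

Running it lists the three `.bid` hosts, decodes only the `name=` parameter (the numeric ids and `sevenzip` happen to be valid base64 but decode to non-printable bytes and are dropped), finds the hostname in the UTF-16 blob, and reports that the constructed blob is not the hashed sample. Hash matching only catches that exact file; the string scan is the part that generalises to repacked builds, which is why a retrohunt uses strings rather than hashes.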


#5 sylokdefiled

sylokdefiled
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:29 AM

Posted 11 May 2018 - 09:08 AM

I got it from VTI after doing a retrohunt with some specific yara rules. I do not know the original vector.



#6 midimusicman79

midimusicman79

  • Members
  • 764 posts
  • ONLINE
  • Gender:Male
  • Location:Norway
  • Local time:09:29 AM

Posted 11 May 2018 - 11:20 AM

Hi, sylokdefiled!

Are you a security researcher?

Otherwise, analyzing malware is risky.

Security researchers use Virtual Machines to analyze malware, but that does not imply that any normal (unskilled in malware analysis) computer user could do the same, because some malware could even escape the Virtual Machine, and then security researchers know how to handle it, but normal computer users do not.

Regards,
midimusicman79

Edited by midimusicman79, 11 May 2018 - 11:23 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#7 sylokdefiled

sylokdefiled
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:29 AM

Posted 11 May 2018 - 01:25 PM

I am. This was analyzed in a lab environment. No worries. 





