Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Android apps with 250M downloads still vulnerable to patched bug

Featured Deal: Get a Microsoft 365 Family 12-month sub + $50 Amazon Gift Card for $99

Cyber Monday Deals:

Limited Time: Get 50% off Malwarebytes Premium (Only 1 Day Left)

Limited Time: Get 68% off NordVPN + 3 months FREE (Only 1 Day Left)

Limited Time: Get 70% off ethical hacking, security, programming courses, more (Only 1 Day Left)

Limited Time: The Best Black Friday 2020 Security, IT, VPN, & Antivirus Deals (Only 1 Day Left)

Version of Privazer calling out to random .bid domains

Started by sylokdefiled , May 10 2018 08:27 AM

Please log in to reply

6 replies to this topic

#1 sylokdefiled

Members
3 posts
OFFLINE

Gender:Male
Local time:07:11 AM

Posted 10 May 2018 - 08:27 AM

Looks like a Trojan to me.

Also has bank names in strings in memory.

Tries to reach out to: (all dead)

bun.companythings[.]bid ny.feelingeffect[.]bid ake.needmonth[.]bid hxxp://ake.needmonth[.]bid/stub_maker.php?program=sevenzip&tid=20568506&pid=3262&b_typ=pe&reb=1&name=PrivaZer.Donors.v3.0.42.0.E.Portable.Multilingua

SHA: 9dacaf54c9bafd7618c1d166752a823054f878a0ce72003cf1a539355c32a754

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 buddy215

Moderator
16,667 posts
ONLINE

Gender:Male
Location:West Tennessee
Local time:05:11 AM

Posted 10 May 2018 - 10:06 AM

If you haven't scanned your computer for malware and adware....you should. You can get help with that

starting a new topic in the Am I infected? What do I do? or ask a moderator (hamluis) to move this topic to that forum.

Be sure to mention the site you downloaded that program from if you start a new topic.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”― Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

RED VANITY to be replaced by BLUE SANITY on 01-20-21 in the WH.

Back to top

#3 Didier Stevens

BC Advisor
2,933 posts
OFFLINE

Gender:Not Telling
Local time:12:11 PM

Posted 10 May 2018 - 01:56 PM

Yes, this looks suspicious.

I downloaded the latest PrivaZer from their site (MD5 F5A9F1730D03A3F945A8F2C190E8C700), and it does not contain these bid URLs.

This one does have a valid digital signature, your sample does not.

Where did you get this sample? It was submitted only once to VirusTotal March 17th 2018.

Edited by Didier Stevens, 10 May 2018 - 01:58 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2021

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

Back to top

#4 Didier Stevens

BC Advisor
2,933 posts
OFFLINE

Gender:Not Telling
Local time:12:11 PM

Posted 10 May 2018 - 02:22 PM

The bid URLs contain BASE64 that decodes to:

PrivaZer.Donors.v3.0.42.0.E.Portable.Multilingua

Probably cracked software.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2021

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

Back to top

#5 sylokdefiled

Topic Starter

Members
3 posts
OFFLINE

Gender:Male
Local time:07:11 AM

Posted 11 May 2018 - 09:08 AM

I got it from VTI after doing a retrohunt with some specific yara rules. I do not know the original vector.

Back to top

#6 midimusicman79

Sec & Web Browser Enthusiast

BC Advisor
1,890 posts
OFFLINE

Gender:Male
Location:Norway
Local time:12:11 PM

Posted 11 May 2018 - 11:20 AM

Hi, sylokdefiled!

Are you a security researcher?

Otherwise, analyzing malware is risky.

Security researchers use Virtual Machines to analyze malware, but that does not imply that any normal (unskilled in malware analysis) computer user could do the same, because some malware could even escape the Virtual Machine, and then security researchers know how to handle it, but normal computer users do not.

Regards,
midimusicman79

Edited by midimusicman79, 11 May 2018 - 11:23 AM.

MS Win 10 Pro 64-bit V. 20H2 (19042), EAM Pro/EEK, MB 4 Prem., WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, EBS, MBBE, Ph.AI IDN P, Nc, Grammarly Free and HTTPS Ew., Acronis TI 2021, SUMo Free. I have 25.5 Years of PC Experience.