ConfigureDefender utility for Windows 10/11
<blockquote data-quote="Andy Ful" data-source="post: 844877" data-attributes="member: 32260"><p>Some notes about the last WD test made by [USER=78686]@SeriousHoax[/USER]:</p><p>[URL unfurl="true"]https://malwaretips.com/threads/malware-samples-22-14-11-2019.96380/[/URL]</p><p></p><p>1. AL_5014513395824.vbs</p><p>The malware uses WMI to run the payload. This should be blocked by ASR if it did not auto-terminate (ASR rule "Block process creations originating from PSExec and WMI commands").</p><p>[URL unfurl="false"]https://app.any.run/tasks/a8184aa1-1892-4434-82a7-93bbba1364fa/[/URL]</p><p></p><p>2. JD.vbe</p><p>The malware was prevented from using ADODB.Stream to download something, and the script execution was interrupted with an error (probably by ASR).</p><p>[URL unfurl="false"]https://app.any.run/tasks/cd3a5e8a-9725-41aa-b3a1-9c554ee198a8/[/URL]</p><p></p><p>3. JVC_21555.vbs</p><p>The malware (<strong>QBOT</strong>) is going to download and run a payload. This should be prevented by the ASR rule "Impede JavaScript and VBScript to launch executables" (the name of this rule was changed by MS to "Block JavaScript or VBScript from launching downloaded executable content").</p><p>[URL unfurl="false"]https://app.any.run/tasks/0e65507e-685a-4b68-9358-7dc619c8b4c2/[/URL]</p><p></p><p>4. ps.ps1</p><p>This malicious script is going to download and run the <strong>EMOTET trojan</strong>. Blocked, probably by ASR.</p><p>[URL unfurl="false"]https://app.any.run/tasks/7e5fab0a-d591-4dde-b33f-2fe1501a3941/[/URL]</p><p></p><p>5. Order_2718032693_Proforma_invoice.jar</p><p>This is <strong>Adwind RAT</strong>.</p><p>WD allowed the malware at the initial stage, but it seems that the malicious actions were neutralized.</p><p>"<em>This initial process executed a JS script which in turn ran one more JS script and another .jar file. The JS script also <span style="color: rgb(184, 49, 47)">used Task Scheduler</span> to run itself later.
The Jar file started a series of malicious activities such as using attrib.exe to mark files or folders as hidden, running VBS script files, <span style="color: rgb(184, 49, 47)">changing the autorun value in the registry</span> and more. It has been noted that sometimes the Jar file runs a series of taskkill commands to shut down processes by their names based on a list that contains names of system processes, names of common anti-virus programs and analysis programs, such as wireshark.exe, procexp.exe, processhacker.exe and so on.</em>"</p><p>[URL unfurl="false"]https://any.run/malware-trends/adwin[/URL]</p><p></p><p>Thanks to [USER=78686]@SeriousHoax[/USER] and other testers for their excellent job. :)</p></blockquote>
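As an added example (not from the post above and not ConfigureDefender's own code), the script below checks whether the two ASR rules credited with stopping samples 1, 3 and 4 are actually in Block mode on a Windows 10/11 host, and optionally enforces them. It assumes Microsoft Defender is the active AV and that the Defender PowerShell module (Get-MpPreference/Add-MpPreference) is available; the rule GUIDs are Microsoft's published identifiers for those rules.

```powershell
param([switch]$Enforce)   # without -Enforce the script only reports

# The two ASR rules discussed in the post, keyed by Microsoft's rule GUIDs.
$rules = [ordered]@{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
# Action codes as returned by Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Guid)
    $pref    = Get-MpPreference
    # Ids and Actions are parallel arrays; both are $null when no rule is configured
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Guid) { return $actionNames[[int]$actions[$i]] }
    }
    return 'Not configured'
}

# Report the current state of each rule and remember the ones not blocking
$notBlocking = @()
foreach ($guid in $rules.Keys) {
    $state = Get-AsrRuleState -Guid $guid
    '{0,-16} {1}' -f $state, $rules[$guid]
    if ($state -ne 'Block') { $notBlocking += $guid }
}

# Enforce: Add-MpPreference appends to the existing rule list (run elevated).
# One action value per rule id; 'Enabled' is the Block mode.
if ($Enforce -and $notBlocking.Count -gt 0) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $notBlocking `
                     -AttackSurfaceReductionRules_Actions (@('Enabled') * $notBlocking.Count)
    "Set $($notBlocking.Count) rule(s) to Block."
}
```

ASR rules only take effect while Defender real-time protection is on, so a "Block" result here does not help if a third-party AV has put Defender into passive mode.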