How I got infected last time thread

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
I'm gonna admit something too, I (almost) got compromised by Agent Tesla.

I was being careless and should've done it in a VM (I'm honestly not sure what I was thinking) and decided to install a torrented program that I wanted. It worked as expected, but my antivirus at the time (Symantec Endpoint) popped up saying it blocked ISBgeneric (or something similarly named) in PowerShell. This happened on every restart, until I eventually decided to root around the folders that malware tends to hide in (Temp, AppData Roaming, ProgramData, etc.), but I didn't find anything. The stupid thing is that I went right past it when looking for it: it was in C:\Users\(My username), called CRSS.exe, which I actually looked at for a few seconds, but in that moment of panic I must have gone right past it.

I decided to uninstall Symantec as it wasn't finding anything (which was pretty stupid of me to do), but seconds later, after updating Windows Defender, it caught the malware that Symantec missed, the exact CRSS.exe file that I had gone right over. Symantec must have simply blocked the initial attempt of execution, but did not find the dropped payload.

Moral of the story: I screwed up and realized I am not as invulnerable as I previously thought. I was being too confident with my security, which was eventually what resulted in myself almost getting compromised. I learnt my lesson and now understand what it's like going through something like this, not being able to think clearly and making stupid decisions when I already supposedly knew what to do in the event of malware on my system. Ever since then I have completely embraced the Zero Trust/Default Deny strategy using Hard_Configurator.

I figured it's just nice knowing that we are not alone, everyone makes mistakes, even people like Jim Browning.
 

Guilhermesene

Dear noble robot friend @RoboMan, come to the robot side of the force 🤖
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
my suggestion for scanning large files that can't be uploaded to VT
- download Kaspersky virus removal tool and Eset online scanner -> update and scan
- you can download Hitman Pro, install the context scan and scan files with the right click (not sure about the size limit)
 

devjit2020

Level 2
Apr 7, 2022
91
my suggestion for scanning large files that can't be uploaded to VT
- download Kaspersky virus removal tool and Eset online scanner -> update and scan
- you can download Hitman Pro, install the context scan and scan files with the right click (not sure about the size limit)
Does KVRT and ESET online scanner include right click context menu for scanning individual files? The last time I used them they didn't have that option. HitmanPro and Malwarebytes have the context scan option. VoodooShield used to query the VT service previously but they have stopped using that feature now as far as I am aware. I really liked that feature of VS.
 

Andrezj

Level 6
Nov 21, 2022
248
2) No antivirus is 100% perfect and so it's always safe to keep back-up of the important files.(it also protects from hardware failure).
using either a free or paid backup solution, especially one with robust os recovery if the windows bootloader is damaged, is a wise move
a backup solution such as macrium is money well spent
3) This one is purely my own suggestion. A program like Sandboxie or Shadow Defender comes handy when you want to test out a software that you're not sure of.
even children can learn how to use shadow defender within minutes
despite not receiving any updates it still works well on windows 11 and should be considered a first-line purchase
 

simmerskool

Level 32
Verified
Top Poster
Well-known
Apr 16, 2017
2,177
VoodooShield used to query the VT service previously but they have stopped using that feature now as far as I am aware. I really liked that feature of VS.
VS still checks a file in VT with a right click. VS pops-up with its ratings with option "get second opinion" if you click that, it goes to VT webpage in your default browser.
 

oldschool

Level 83
Verified
Top Poster
Well-known
Mar 29, 2018
7,279
Does KVRT and ESET online scanner include right click context menu for scanning individual files?
No
VS still checks a file in VT with a right click. VS pops-up with its ratings with option "get second opinion" if you click that, it goes to VT webpage in your default browser.
Yes, but it no longer checks locally with VT integration, i.e. without the browser.
 

simmerskool

Level 32
Verified
Top Poster
Well-known
Apr 16, 2017
2,177
No

Yes, but it no longer checks locally with VT integration, i.e. without the browser.
Ok, I think we both answered @devjit2020 comment correctly, he merely said "...stopped using that feature." You are (perhaps) more correct. I had forgotten that once upon a time VS used to do it differently than now. I've forgotten a lot, why I'm reading here every day lately. o_O Read a lot, learn at least a little, :whistle: or not.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Does KVRT and ESET online scanner include right click context menu for scanning individual files? The last time I used them they didn't have that option. HitmanPro and Malwarebytes have the context scan option. VoodooShield used to query the VT service previously but they have stopped using that feature now as far as I am aware. I really liked that feature of VS.
usually, they have to install something to have that feature which I don't like. I want them to be completely portable
it's very very rare that we have to scan files larger than 250MB
 

Andrezj

Level 6
Nov 21, 2022
248
usually, they have to install something to have that feature which I don't like. I want them to be completely portable
it's very very rare that we have to scan files larger than 250MB
looking at the average malware size submitted to the various malware analysis sandboxes, over millions and millions of samples the average is 5-6 mb
more sophisticated threat actors are aware of the sandbox and virustotal upload limits for api and non-api upload
they are also aware of antivirus that struggle to detect by large file size or unusual file type such as iso
 

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,397
New crack scam campaign on YouTube, but RedLine is replaced by another : ArkeiStealer!

The principle and the way it works is the same, a weight of 800Mb and a tempting video of a crack... (same detection as the VT without the ZIP)

 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,562
New crack scam campaign on YouTube, but RedLine is replaced by another : ArkeiStealer!

The principle and the way it works is the same, a weight of 800Mb and a tempting video of a crack... (same detection as the VT without the ZIP)

Never saw a more accurate classification for a 800 mb malicious file than this one 😄

 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
Does KVRT and ESET online scanner include right click context menu for scanning individual files? The last time I used them they didn't have that option. HitmanPro and Malwarebytes have the context scan option. VoodooShield used to query the VT service previously but they have stopped using that feature now as far as I am aware. I really liked that feature of VS.
ESET Online Scanner doesn't have the right-click scan option, as others have said here, but you can scan individual files from the main GUI. Not the same thing, and a few extra clicks, but it is an option.
 


SeriousHoax

Level 48
Verified
Top Poster
Well-known
Mar 16, 2019
3,716
New crack scam campaign on YouTube, but RedLine is replaced by another : ArkeiStealer!

The principle and the way it works is the same, a weight of 800Mb and a tempting video of a crack... (same detection as the VT without the ZIP)

A good place to add the comment I was thinking about making which is, you guys know Microsoft Defender's cloud protection has a Block/Zero tolerance level and also there's an ASR rule named "Block executable files from running unless they meet a prevalence, age, or trusted list criterion".
Now these two, especially with the ASR rule, you would think Microsoft Defender would simply block any PE file that's not trusted/prevalent, but neither of the two can block this huge file sized malware. It simply cannot check these huge files with its cloud database. There must be a certain size limit which hinders Microsoft Defender, and it lets these swollen malware files get executed on the system anyway.
If separate small sized payloads are downloaded or compiled by the malware then most of them are likely to get detected by Microsoft Defender, but if the large file itself is something that steals your data then Microsoft Defender, even with the cloud level and ASR rule, cannot help. Those who are using these two rules, keep this in mind.
These malware are spread from fake crack websites, YouTube or malvertisements, so barely anyone in this forum is likely to fall for these, but always check the size of a newly downloaded file before running it, just in case.
My File Explorer is set in Details mode, and I've been using it like this for many years now, so the file size is something that I notice by default in most situations.
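
Added example (not part of the post above or of any tool named in the thread): a size check that also measures how much of a PE file is data appended after its last section, which is where filler usually sits in the oversized samples discussed here. The 250 MB limit is the figure mentioned earlier in the thread, the 90% thresholds and the function names are assumptions, and `build_sample` writes a constructed, header-only test file.

```python
import os
import struct

SIZE_LIMIT = 250 * 1024 * 1024  # assumption: the 250 MB figure mentioned in the thread

def overlay_report(path, limit=SIZE_LIMIT, chunk=1 << 20):
    """Measure the data appended after the last PE section (the overlay)."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            raise ValueError("no MZ header")
        pe = struct.unpack_from("<I", dos, 0x3C)[0]        # e_lfanew
        f.seek(pe)
        coff = f.read(24)
        if len(coff) < 24 or coff[:4] != b"PE\0\0":
            raise ValueError("no PE signature")
        nsec, = struct.unpack_from("<H", coff, 6)          # NumberOfSections
        optsz, = struct.unpack_from("<H", coff, 20)        # SizeOfOptionalHeader
        f.seek(pe + 24 + optsz)
        table = f.read(40 * nsec)
        if len(table) < 40 * nsec:
            raise ValueError("truncated section table")
        end = 0
        for i in range(nsec):
            # SizeOfRawData and PointerToRawData sit at offset 16 of each entry
            raw_size, raw_ptr = struct.unpack_from("<II", table, 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        end = min(end, size)
        overlay, zeros = size - end, 0
        f.seek(end)
        while block := f.read(chunk):                      # stream, never load it all
            zeros += block.count(0)
    zero_ratio = zeros / overlay if overlay else 0.0
    return {"size": size, "overlay": overlay, "zero_ratio": zero_ratio,
            "oversized": size > limit,
            # assumption: >90% overlay that is >90% zero bytes is treated as filler
            "inflated": overlay > 0.9 * size and zero_ratio > 0.9}

def build_sample(path, padding):
    """Constructed test input: minimal PE headers, one 512-byte section, zero padding."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 512, 0x1000, 512, 512) + b"\0" * 16
    body = (dos + coff + sect).ljust(512, b"\0") + b"\x90" * 512
    with open(path, "wb") as f:
        f.write(body + b"\0" * padding)
```

An overlay on its own is not a verdict, since signed installers and self-extracting archives legitimately carry appended data. Filler made of non-zero bytes, or placed inside a section, only trips the `oversized` flag.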
 
