Status
Not open for further replies.

RmG152

Level 12
Verified
11:37
"Winbox" is a tool to configure mikrotik routers. Not a tool for malicious proposes.

If you have the "sample" can upload to VT to check if it's a FP? (FP on url, not on qihu)
 

Rolo

Level 18
Verified
Nice review.

Some suggestions:
- The GoDaddy page isn't a phishing site; the phishing site was taken down and the registrar (GoDaddy) reclaimed the domain, likely for violating TOS/EULA
- For remaining samples, try a script (e.g. FOR EACH) that launches the next file with a small delay. Additionally, you could couple that with an auto-click type software (e.g. Push The Freakin' Button--PTFB) to close "access denied" type dialogs automatically after a short delay
- 360 does provide HIPS as you saw (sensitive registry entries, start-on-boot, etc.)
- I don't know what it does for IE, but for other browsers, there is an extension (they're on that settings page you went to) that will scan for running processes when you enter a shopping site and alert you of anything suspicious
- You could also follow-up with a cloud-based/VT (Zemana, herdProtect, SecureAPlus, et. al.) second opinion scan to see what's remaining in addition to HMP
 
Status
Not open for further replies.
Top