Steamunlocked malware?
<blockquote data-quote="SkeletalDemise" data-source="post: 1055491" data-attributes="member: 103400"><p>Hello,</p><p>[USER=51151]@likeastar20[/USER] posted this for me as I didn't have an account. I'm the one who originally discovered this malware in FRST logs from two infected people. Both had been infected by malicious steamunlocked redirects. They both had adware named Chromstera and this Nulloy folder, which I thought was suspicious. Nulloy is an open source music player: <a href="https://github.com/nulloy/nulloy" target="_blank">GitHub - nulloy/nulloy: Music player with a waveform progress bar</a></p><p></p><p>My initial thoughts were that the malware was using Nulloy to load itself, and I was right. In the FRST logs there was this startup entry:</p><p>[ICODE][HKEY_USERS\S-1-5-21-1023096371-1434211140-3977317714-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</p><p>"Nulloy"="C:\Users\user\AppData\Roaming\Nulloy\Plugins\platforms\NvStTest.exe 4a4hJ"</p><p>[/ICODE]</p><p>It runs NvStTest.exe with the arg "4a4hJ".</p><p>There are some articles talking about malware using legitimate programs like NvStTest to load itself:</p><p>[URL unfurl="true"]https://securityaffairs.com/114667/malware/javali-trojan.html[/URL]</p><p>[URL unfurl="true"]https://www.cybereason.com/blog/research/brazilian-financial-malware-banking-europe-south-america[/URL]</p><p></p><p>I have two separate samples of this malware; the only difference between them is two suspicious .tmp files that I'm pretty sure contain the payload.</p><p>For the one on triage, the payload is in "BITRJLW.tmp". It's URL-encoded base64. Decoding it reveals a high entropy string, so it seems to be encrypted using modern encryption like AES, RC4, etc.</p><p></p><p>You can see in the triage report that it connects to a C2. The domain was recently registered.</p><p>[URL unfurl="true"]https://www.virustotal.com/gui/url/345704886367be50d0828cf5cc3aaed6cafc56ccda7f0c09914e344199046e08/detection[/URL]</p><p>[URL unfurl="true"]https://www.virustotal.com/gui/domain/eriegentsfsepara.com[/URL]</p><p></p><p>One of my friends sent the zipped Nulloy folder to Bitdefender and they claimed it was clean.</p><p>Also, [USER=93976]@Sandbox Breaker[/USER], the 7zip activity in triage is benign. I had to unzip the folder to run it.</p></blockquote>
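An added triage example (my own code, not the poster's and not from the Nulloy project) for the two artefacts described in the post above: it parses the FRST Run-key entry quoted there and flags an autorun whose image lives under a user's AppData\Roaming and is launched with an opaque argument, then undoes the URL-encoded base64 wrapping described for BITRJLW.tmp and measures the Shannon entropy of what is left. The decoded blob here is constructed pseudo-random data standing in for the real .tmp content, and the heuristic function names are assumptions of mine.

```python
import base64
import math
import random
import re
import urllib.parse
from collections import Counter

# Run-key entry exactly as the post quotes it from the FRST log.
FRST_RUN_ENTRY = (
    r"[HKEY_USERS\S-1-5-21-1023096371-1434211140-3977317714-1001"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]" "\n"
    r'"Nulloy"="C:\Users\user\AppData\Roaming\Nulloy\Plugins\platforms\NvStTest.exe 4a4hJ"'
)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$', re.M)

def parse_run_values(frst_text):
    """Return (value name, image path, arguments) for each Run value in FRST-style text."""
    found = []
    for m in RUN_VALUE_RE.finditer(frst_text):
        cmd = m.group("cmd")
        k = cmd.lower().find(".exe")  # split image from args at the (unquoted) .exe boundary
        image, args = (cmd[:k + 4], cmd[k + 4:].strip()) if k != -1 else (cmd, "")
        found.append((m.group("name"), image, args))
    return found

def is_suspicious_run_value(image, args):
    """Hypothetical heuristic: autorun image under a user's AppData\\Roaming plus an opaque argument."""
    under_roaming = re.search(r"\\users\\[^\\]+\\appdata\\roaming\\", image, re.I) is not None
    return under_roaming and bool(args)

def decode_payload_blob(text):
    """The .tmp payload is described as URL-encoded base64: strip both layers."""
    return base64.b64decode(urllib.parse.unquote(text.strip()), validate=True)

def shannon_entropy(data):
    """Bits per byte of information; near 8 on a few KB suggests encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed stand-in for BITRJLW.tmp (not the real payload): seeded random bytes, base64 then URL-encoded.
_rng = random.Random(20240101)
SAMPLE_HIGH_ENTROPY_BYTES = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_TMP_BLOB = urllib.parse.quote(base64.b64encode(SAMPLE_HIGH_ENTROPY_BYTES).decode())

if __name__ == "__main__":
    for name, image, args in parse_run_values(FRST_RUN_ENTRY):
        print(name, image, args, "SUSPICIOUS" if is_suspicious_run_value(image, args) else "ok")
    print("entropy of decoded blob: %.3f bits/byte" % shannon_entropy(decode_payload_blob(SAMPLE_TMP_BLOB)))
```

Run the same two checks over a full FRST log and a real .tmp to see whether the entry points into a user profile and whether the decoded bytes are close to 8 bits/byte, which is the evidence the post's "high entropy" observation rests on.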