something is trolling my pc? serious or harmless

Discussion in 'PC' started by EddieXx, Dec 30, 2021.

  1. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    851
    Likes Received:
    1,201
    OK, added the virustotal link for that file (Figuqci.exe is its real name) so you could take a
    little look inside that process and its behaviour. Also copied it to a virtual machine and loaded it
    into a debugger and for me it seemed pretty malicious too. Looks like it tries to collect some
    sensitive data and I'd like to debug every step of it but for that I'd need to set up a new virtual machine
    with a fresh OS cause on my current test VM, I still have some test data & findings from some of my other
    "projects" which I don't want to lose.

But because I'm lazy, I'll do that in the next few days (tomorrow is New Year's Eve in Germany and I'm one of those
fireworks-loving guys).
     
  2. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    759
Simply fantastic, many thanks r4e for taking the time!

Btw, watching the results you got on that website and comparing them with other files, I think it's useful for not-so-initiated users to differentiate files that are labeled "hacktools" like "patch.exes", because they can have a legit purpose like regular hacks in audiowarez; at least it's worth having that under consideration.

And also, it feels like when it shows on VirusTotal that a file contacts remote IPs, then it's really alarming, right? And the one you uploaded certainly did that.
     
    Last edited: Dec 30, 2021
  3. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    5,946
    Likes Received:
    2,525
None of your programs should be contacting remote IP addresses. This is called outbound solicitation. The problem with this is that some firewall rulesets will allow a connection to be "piped" back to the client. Because the client initiated the outbound, the reply traffic is normal, expected, and allowed, when it should not be.

    You need a "firewall" blocking the initial outbound solicitation.
     
  4. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    851
    Likes Received:
    1,201
When a file has a time stamp 20 years in the future and contains just weird letters in its name,
it's most likely a tool with bad behaviour. I mean yes, there are a lot of other helpful tools that get
flagged as malicious, but in such cases you're running them intentionally and with the knowledge of
what they'll do for you (keygens, for example).

This tool runs hidden, even hides behind a base64 regkey, you don't know where it's from or what it's
doing, and it doesn't want you to know these things either - I'd bet $100 that this is no little helper.

And as mentioned before, hidden outbound connections from such "tools" are never a good sign.
I'd suggest you run a nice firewall which detects where programs want to connect to.
SimpleWall is a nice candidate for that task.
     
    Last edited: Dec 30, 2021
  5. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    5,946
    Likes Received:
    2,525
    might help you go on IRC and start spamming Viagra. :guru:
     
  6. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    759
I'll keep that in mind, it's the kind of useful detail that isn't discussed that much.

Btw, I have a "block all in and out" (besides my allowed programs) in Windows Firewall. I haven't tested it very thoroughly though, so maybe certain devils can bypass it, but so far when I've watched the traffic it's always been only local and known targets.
     
    Last edited: Dec 31, 2021
  7. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    851
    Likes Received:
    1,201
You can set rules to block/unblock processes in the firewall using the registry.
After a restart, those rules are then active. If malware has enough access to add such a key
and create tasks, it's also able to allow itself access to the net, and you won't see it as the
Windows firewall "thinks" that connection is allowed.
SimpleWall, on the other hand, needs user interaction even if such a key already exists.
     
    Last edited: Dec 31, 2021
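A defender-side check for the mechanism r4e describes above. Windows keeps its firewall rules as pipe-delimited `key=value` strings under `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules`; this added Python example (not code from the thread or from any of the tools named in it) parses that format and flags active outbound Allow rules whose program sits in a user-writable directory, which is where a self-added exception would typically point. The sample rule values and the list of "user-writable" path markers are constructed for the example.

```python
import sys
from pathlib import PureWindowsPath

FIREWALL_RULES_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess"
                      r"\Parameters\FirewallPolicy\FirewallRules")
# Directories an unprivileged user (and so any malware running as that user) can
# write to. Heuristic list chosen for this example; it is not exhaustive.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

def parse_rule(rule: str) -> dict:
    """Split one FirewallRules value ('v2.31|Action=Allow|Active=TRUE|Dir=Out|...|')
    into its key=value tokens; the leading version token is stored as 'Version'."""
    parts = [p for p in rule.split("|") if p]
    fields = {"Version": parts[0]} if parts else {}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def is_suspicious(fields: dict) -> bool:
    """Active outbound Allow rule for a program in a user-writable directory."""
    state = (fields.get("Action", "").lower(), fields.get("Active", "").upper(),
             fields.get("Dir", "").lower())
    app = fields.get("App", "").lower()
    return state == ("allow", "TRUE", "out") and any(m in app for m in USER_WRITABLE)

def find_suspicious_rules(rules: dict) -> list:
    """rules maps registry value name -> rule string; returns (name, program) pairs."""
    hits = []
    for value_name, rule in rules.items():
        fields = parse_rule(rule)
        if is_suspicious(fields):
            hits.append((value_name, PureWindowsPath(fields["App"]).name))
    return hits

def load_live_rules() -> dict:
    """Read the real key on Windows; return {} elsewhere so the script stays portable."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_RULES_KEY) as key:
        values = (winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1]))
        return {name: data for name, data, _ in values}

# Constructed sample values in the registry's own format (not from a real system).
SAMPLE_RULES = {
    "{A1}": "v2.31|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox|",
    "{B2}": "v2.31|Action=Allow|Active=TRUE|Dir=Out|App=C:\\Users\\eddie\\AppData\\Roaming\\Figuqci\\Figuqci.exe|Name=Update Helper|",
    "{C3}": "v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\\Users\\eddie\\AppData\\Local\\Temp\\x.exe|Name=blocked|",
}
```

`find_suspicious_rules(SAMPLE_RULES)` reports only the `{B2}` rule; on a Windows box, `find_suspicious_rules(load_live_rules())` runs the same check over the live key, and every hit should be compared against the firewall rules you actually created yourself.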
  8. demberto

    demberto Rock Star

    Joined:
    Nov 27, 2018
    Messages:
    931
    Likes Received:
    325
    Hiding code in the registry seems like a real neat idea.
     
  9. uhub

    uhub Kapellmeister

    Joined:
    Dec 9, 2016
    Messages:
    185
    Likes Received:
    72
    You're welcome :winker: and what about that .macosx empty file ???
     
  10. thomas78

    thomas78 Kapellmeister

    Joined:
    Apr 15, 2020
    Messages:
    203
    Likes Received:
    70
When you've got some spare time, this guy has a nice video about hiding code in the registry.
     
  11. LoveToGig

    LoveToGig Producer

    Joined:
    Oct 19, 2020
    Messages:
    122
    Likes Received:
    76
    I recommend that you scan your computer using a bootable offline scanner.
    For identifying malware loading points, I recommend FRST (Farbar Recovery Scan Tool).
     
  12. BuntyMcCunty

    BuntyMcCunty Rock Star

    Joined:
    Nov 13, 2019
    Messages:
    579
    Likes Received:
    319
    Location:
    Liverpool
    I can't believe I've just spent an hour and a half watching that. Really interesting.
     
  13. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,420
    Likes Received:
    1,638
Hey Eddie?? You've been reading my posts a fair bit then, I take it. That about sums it up for me.
     
  14. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,420
    Likes Received:
    1,638
I'm going with sarcasm, but I can't be sure...
     
  15. BuntyMcCunty

    BuntyMcCunty Rock Star

    Joined:
    Nov 13, 2019
    Messages:
    579
    Likes Received:
    319
    Location:
    Liverpool
No, I really did spend an hour and a half on it. I've always been interested in malware, but the papers written on it are really dry and hard to follow without a high level of programming expertise (which I don't have). The guy in the video does a really good job of spelling out how clever and innovative the bastards who rape your computer for fun and profit actually are.
     
  16. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,420
    Likes Received:
    1,638
Funny you should say that about being interested in malware etc. I wonder sometimes if the first computer viruses were written by antivirus companies to get you to buy their products and then it just got out of hand? Then it made me wonder about Covid... And then I thought... I'm going to get something to eat cos it's doing my nut in!
     