Xyl2k Posted October 17, 2020 Share Posted October 17, 2020 (edited) So you want to download some releases from snd? alright let's see at snd.webscene.ir, the distribution section menu contain a link pointing at hxtps://keygens.pro/ Super, looks like there a lot of cracks over here! and the site is virus free, right? So let's pick something, i don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/ lol @ description on the page, didn't know reagan was from snd and born in russia Anyway we got redirected on a download page after clicking 'Download only Keygen' button, we have to fill a captcha and agree to the conditions The archive is password protected and contain only one file "setup_pass-123.exe" If we try to download some other random files from the keygens.pro collection, sometime we have variations. e.g: Any.video.converter.Ultimate.keygen-URET hxtps://keygens.pro/crack/733508/ who contain a 'readme.txt' but we still have our suspicious setup_pass-123.exe inside. antiviruses aren't really happy about the file when sent to virustotal, but hey, it's kind of normal it's a crack afterall. The file in question is identified massively as 'remcos' (avira, kaspersky, f-secure,..) remcos is a know trojan, and this time they have right. I've sent the file to my capev2 (like cuckoo sandbox but with python3) who also identified it as remcos, and even exactly version 2.7.0 Pro. The process tree: path-pass-123.exe 1204 powershell.exe 764 powershell -w 1 -e cwB0AGEAcgB0AC0A [REDACTED] mc.exe 588 mc.exe 2816 trading_bot.exe 2776 services.exe 484 C:\Windows\system32\services.exe lsass.exe 2992 C:\Windows\system32\lsass.exe mc.exe do a NtOpenMutant with mutex name 'Remcos_Mutex_Inj' fews deletefile() DeletedFile: C:\Users\PC\AppData\Local\Temp\g23cbt11.tv1.ps1 DeletedFile: C:\Users\PC\AppData\Local\Temp\rgmxlij1.zlj.psm1 DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a5a4f0c9-7658-465a-89b7-50210e17552a DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aa1cabc1-b688-4c89-bf51-d9e59fc195d8 DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33715418-423c-4ee6-9bfb-e19632c208c1 DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9fccf31-e642-45c3-b729-86cbf5ec234c DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99c3bc19-136a-483f-a231-8276ab84ee13 DeletedFile: C:\Users\PC\AppData\Roaming\Microsoft\mc.exe DeletedFile: C:\Users\PC\AppData\Local\Temp\webcam.png DeletedFile: C:\Users\PC\AppData\Local\Temp\screenshot.jpg DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\cookies.sqlite24628718 DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\formhistory.sqlite24628875 About the dropped files, it write a file 'logs.dat' into \AppData\Roaming\temp\, in my case: [2020/10/15 05:31:33 Offline Keylogger Started] [ Program Manager ] [Following text has been copied to clipboard:] h [End of clipboard text] { User has been idle for 400 minutes } And what's was the 'screenshot.png' he created and then deleted? this: one of my capev2 vm, the malware have a bit oversized the screenshot tought. The file sniff keystrokes, harvest/steal private information from browsers and messenger clients, take screenshots from pc and webcam if connected, and installs itself for autorun at startup, yep that not really what we where looking for. Alright... let's search for another site then.. We type "download crack" on google and we are now on keygenninja.com (former KeygenGuru) according to them. site is in second result in google main page, the authors of the sites play on search engine rankings, .. and are extremely well positioned (they pay Google for that) Let's try to download something, idk, maybe 'Panopticum IcePattern v1.2 for Adobe Photoshop' hxtps://keygenninja.com/serial/panopticum_icepattern_v1_2_for_adobe_photoshop.html We click the 'Download Keygen' button and get redirected on another site hxtps://cracknet.net/d/a95b2bff8a272ss9p.html Now we are on a page with 2 big 'download' buttons, the text indicate also that the archive password is 12345 When you click on the button the download is launched, but from another external site: hxtps://get.ziplink.xyz/ I've found also another site: serialms.com, this is just another 'showcase site'. All the cracks point to the same address (cracknet.net). they also have the same db as keygenninja.com Well, we have 3 files in the archive, one executable, and unless keygens.pro, this time we have the info files (nfo and diz file), apparently a release from team inferno (a cracking group who disbanded in 2006) The nfo says it was released in may 2020 and the files timestamp seem from 2020, is inferno back ? When extracting the executable from the archive, we got a suspicious 'rar sfx archive' icon, if we look for executable properties, windows will confirm it's a self-extracting archive. Meaning we can also rename the file to .rar and open it with winrar to see what's going on. btw that archive inside the archive [insert xzibit yo dawg meme here] is also password protected with '12345' According to virustotal only 10 on 70 engines detect it as hostile. Suspicious again huh? let's send this file to capev2 too. When sending a password protected sfx archive, you need to fill the option field with: 'arguments=-p 12345' in capev2, so it will be able to run it with the password. And.. here is the process tree.. yep a big one too, the sfx archive contain a sfx archive, who contain severals other sfx archives [insert again xzibit meme here] and execute everything, resulting a lot of new processes. Panopticum.IcePatter.exe 172 -p12345 cmd.exe 2696 C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" " intro.exe 816 intro.exe 1O5ZF keygen-step-1.exe 3916 keygen-step-1.exe keygen-pr.exe 3892 keygen-pr.exe -p83fsase3Ge key.exe 1280 keygen-step-3.exe 3524 keygen-step-3.exe cmd.exe 3804 cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe" PING.EXE 2572 ping 1.1.1.1 -n 1 -w 3000 keygen-step-4.exe 2624 keygen-step-4.exe file.exe 3896 002.exe 4548 Setup.exe 4152 slic.exe 4148 1 984D0A19445AA8C5.exe 1552 0011 installp1 984D0A19445AA8C5.exe 1144 200 installp1 cmd.exe 3280 cmd.exe /c taskkill /f /im chrome.exe msiexec.exe 2880 msiexec.exe /i "C:\Users\PC\AppData\Local\Temp\gdiview.msi" services.exe 472 C:\Windows\system32\services.exe svchost.exe 592 C:\Windows\system32\svchost.exe -k DcomLaunch dllhost.exe 3832 C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} dllhost.exe 2064 C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} svchost.exe 3224 C:\Windows\system32\svchost.exe -k netsvcs VSSVC.exe 3648 C:\Windows\system32\vssvc.exe One file lead to many files So what's going on? well, a lot of things. This isn't remcos RAT like in keygens.pro, i don't know what exactly is all of this, my capev2 seem to detect it as Azorult (a know password stealer) I thinks it's a false positive for 'azorult' malware familly but this one is also harvesting credentials from browsers, bitcoin wallets clients, FTP clients, email clients... BTRSetp.exe seem packed with 'Eshelon revolution protector', it have also a mention to lenin. // Module [module: SuppressIldasm] [module: Glory_to_the_Great_Lenin_and_the_October_Revolution!!!("Eshelon Revolution Protector ")] [module: EF58C16E8C("Discord Link : v1.0.0-custom")] The batch file keygen.bat unpack keygen-step-4.exe with password 83fsase3Ge This archive contain key.exe and JOzWR.dat, when key.exe is executed it will look in the same folder for the file JOzWR.dat, who is later decoded by key.exe and loaded in memory a 'lzma decoder' screenshot here in memory 1060×847 png 60,4 kB dumped JOzWR.dat is detected by 13 engines. ASCII "-txt -scanlocal -file:potato.dat" potato.dat is a file that will be later created in %TEMP% and who contain harvested serial numbers from your applications, including windows license key. exemple of what contain the file in my capev2: Computer: PC-PC - Main scan Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED Microsoft Office Professional Plus 2010 - Product ID - REDACTED-REDACTED-REDACTED-REDACTED Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED Windows 7 Ultimate - Extra info - Full product name: Windows 7 Ultimate Service Pack 1 Product ID match to CD Key data Product Part No.: REDACTED Installed from 'Full Packaged Product' media. Is OEM: No Windows 7 Ultimate - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED Windows 7 Ultimate - Product ID - REDACTED-REDACTED-REDACTED-REDACTED Windows 7 Ultimate - User - PC Computer: PC-PC - Deep scan The guy who want free serials get his serials harvested, isn't that a paradox? In conclusion: never open or visit crack sites if you don't have the knowledge to avoid infections, use common sense as some will even try to trick you with fake nfo/fake releases. Maybe buy your softwares (or crack them yourself) to avoid that, and don't trust crack sites at all, even if they was 'legitimate' like keygens.pro, they can go rogue anytime. Edited October 17, 2020 by Xyl2k readability 8 3 1 Link to comment Share on other sites More sharing options...
r0ger Posted October 18, 2020 Share Posted October 18, 2020 well i've also came across these files like setup_pass123.exe when i was going to rip some gfx from several groups like tPORt. (they weren't on tPORt's releases, but on other groups' releases) i however accesed these sites through a VM (plus some vpn) so i won't have any risk of getting rogue'd on the real hardware. perhaps they put that file (setup_pass123.exe) only if the searched release isn't found, rather than saying "Deleted due to abuse" after entering that captcha. plus the description from every release page is actually generated tho . Link to comment Share on other sites More sharing options...
Xyl2k Posted October 19, 2020 Author Share Posted October 19, 2020 Well i haven't looked a lot on keygens.pro as remcos don't really interest me at all, but funny that "if crack not found then get a trojan" i looked a bit more on cracknet.net, and when i was saying "I thinks it's a false positive for 'azorult' malware familly" yep. it appear to be Elysium Stealer/Zeromax Stealer/yahooylo. some log from the vm, that was tried to be exfiltrated to the cnc: related, datas from cnc or just "you got owned bro": 1280×720 jpeg 87,8 kB some stolen logs from a pc, where you can see browser history and also running process with "keygen-step-5.exe" google chrome default.txt https://keygenninja.com/ds/indiafont+v2/ Indiafont v2 keygen,serial,crack,generator,unlock,key https://keygenninja.com/serial/indiafont_v2.html Indiafont v2 serial key or number https://cracknet.net/d/3c15acbca42738268.html? Get Indiafont v2 keygen here https://keygencrackpatch.blogspot.com/2019/06/indiafont-v100-patch-174-mb.html APPLICATION CENTER - Full version, Latest Update N Direct Download Links - Crack, Patch, Keygen, Serial Keys, Patches, License keys for free https://iplogger.org/1Hgx67 1Hgx67 (1×1) https://www.zuketcreation.net/indiafont-v1-0-0-patch-174-mb IndiaFont v1.0.0 + Patch | 174 MB Application Full Version information.txt: [Processes] ---------- System [4] ------------------------------ Registry [96] - smss.exe [436] - csrss.exe [660] - wininit.exe [748] ---------- services.exe [892] - lsass.exe [916] - svchost.exe [400] - svchost.exe [600] - fontdrvhost.exe [608] - WUDFHost.exe [956] - svchost.exe [1064] - svchost.exe [1120] - WUDFHost.exe [1260] - svchost.exe [1380] - svchost.exe [1392] - svchost.exe [1408] - svchost.exe [1452] - svchost.exe [1568] - svchost.exe [1652] - svchost.exe [1676] - svchost.exe [1832] - igfxCUIService.exe [1876] - svchost.exe [1884] - svchost.exe [1932] - svchost.exe [1960] - svchost.exe [1808] - svchost.exe [2060] - svchost.exe [2108] - svchost.exe [2148] - svchost.exe [2156] - svchost.exe [2264] - svchost.exe [2324] - svchost.exe [2360] - svchost.exe [2456] - svchost.exe [2452] - svchost.exe [2500] - svchost.exe [2508] - svchost.exe [2564] - Memory Compression [2596] - svchost.exe [2688] - svchost.exe [2716] - svchost.exe [2888] - svchost.exe [2924] - svchost.exe [2984] - svchost.exe [2980] - svchost.exe [3136] - svchost.exe [3224] - spoolsv.exe [3312] - svchost.exe [3348] - svchost.exe [3528] - svchost.exe [3664] - AdminService.exe [3908] - IntelCpHDCPSvc.exe [3920] - svchost.exe [3936] - svchost.exe [3944] - svchost.exe [3960] - DAX3API.exe [3968] - svchost.exe [3984] - escsvc64.exe [3996] - esif_uf.exe [4020] - FMService64.exe [4076] - svchost.exe [4084] - svchost.exe [3280] - svchost.exe [3392] - RtkAudUService64.exe [4104] - svchost.exe [4136] - TeamViewer_Service.exe [4204] - svchost.exe [4216] - svchost.exe [4240] - svchost.exe [4256] - svchost.exe [4292] - svchost.exe [4412] - IntelCpHeciSvc.exe [4676] - svchost.exe [5184] - svchost.exe [5232] - svchost.exe [5940] - svchost.exe [6428] - WmiPrvSE.exe [6960] - PresentationFontCache.exe [6044] - Lenovo.Modern.ImController.exe [6608] - svchost.exe [2176] - svchost.exe [6844] - svchost.exe [7176] - SearchIndexer.exe [4284] - svchost.exe [8552] - SecurityHealthService.exe [1704] - svchost.exe [9156] - svchost.exe [9804] - jhi_service.exe [10304] - GoogleCrashHandler.exe [10340] - LMS.exe [10352] - GoogleCrashHandler64.exe [10372] - SgrmBroker.exe [11036] - svchost.exe [11124] - svchost.exe [10752] - svchost.exe [10848] - svchost.exe [4756] - svchost.exe [2088] - svchost.exe [4528] - svchost.exe [12100] - svchost.exe [8128] - svchost.exe [4276] - csrss.exe [10004] - svchost.exe [10084] - csrss.exe [4188] - svchost.exe [14536] - csrss.exe [3560] - MsMpEng.exe [9024] - AdobeUpdateService.exe [8088] - svchost.exe [10364] - AGSService.exe [4248] - AGMService.exe [5552] - unsecapp.exe [7572] - svchost.exe [16776] - servicehost.exe [16228] - AnyDesk.exe [2192] - svchost.exe [13356] - svchost.exe [3432] - dasHost.exe [10468] - svchost.exe [16176] - csrss.exe [12040] - usocoreworker.exe [3256] - MusNotification.exe [16784] - MusNotification.exe [17076] - UsoClient.exe [19348] - UsoClient.exe [3572] - taskhostw.exe [10116] - armsvc.exe [2204] - UsoClient.exe [1544] - dllhost.exe [17804] - UsoClient.exe [2392] - UsoClient.exe [15712] - UsoClient.exe [20924] - UsoClient.exe [756] - UsoClient.exe [19624] - UsoClient.exe [2852] - UsoClient.exe [20052] - svchost.exe [15972] - UsoClient.exe [20316] - UsoClient.exe [10528] - UsoClient.exe [5284] - UsoClient.exe [9532] - UsoClient.exe [5716] - UsoClient.exe [2844] - UsoClient.exe [5908] - UsoClient.exe [13548] - UsoClient.exe [408] - csrss.exe [2900] - winlogon.exe [2828] ---------- dwm.exe [16548] - fontdrvhost.exe [8828] - DAX3API.exe [10020] ---------- conhost.exe [13580] - dptf_helper.exe [15840] - uihost.exe [17652] - unsecapp.exe [17100] - ctfmon.exe [20632] - sihost.exe [16724] - svchost.exe [21104] - svchost.exe [1072] - taskhostw.exe [6080] - explorer.exe [20552] - svchost.exe [14568] - StartMenuExperienceHost.exe [1560] - RuntimeBroker.exe [10268] - dllhost.exe [13680] - RuntimeBroker.exe [5056] - SettingSyncHost.exe [1248] - SearchUI.exe [6904] - SecurityHealthSystray.exe [6872] - RtkAudUService64.exe [12328] - E_YATIUPE.EXE [18708] - Skype.exe [8044] - AnyDesk.exe [14352] - Creative Cloud.exe [1436] - CCXProcess.exe [17116] ---------- node.exe [14396] ------------------------------ conhost.exe [6652] - Skype.exe [19276] - Skype.exe [2968] - Skype.exe [19672] - Skype.exe [9980] - Adobe CEF Helper.exe [16216] - svchost.exe [8896] - HostAppServiceUpdater.exe [19324] - Adobe CEF Helper.exe [21376] - Adobe CEF Helper.exe [19716] - Creative Cloud Helper.exe [10876] - CoreSync.exe [16436] - RemindersServer.exe [13996] - YourPhone.exe [9456] - AdobeNotificationClient.exe [14372] - RuntimeBroker.exe [4236] - RuntimeBroker.exe [15880] - UsoClient.exe [16168] - ApplicationFrameHost.exe [9368] - SystemSettings.exe [12956] - UserOOBEBroker.exe [18064] - commsapps.exe [19960] - RuntimeBroker.exe [12668] - HxTsr.exe [4504] - Video.UI.exe [19924] - RuntimeBroker.exe [21156] - RuntimeBroker.exe [16580] - ShellExperienceHost.exe [10000] - RuntimeBroker.exe [7012] - CCLibrary.exe [5744] ---------- node.exe [12980] ------------------------------ conhost.exe [19340] - Microsoft.Photos.exe [7784] - RuntimeBroker.exe [20952] - svchost.exe [8772] - WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe [21036] - UsoClient.exe [4836] - SecurityHealthHost.exe [13896] - MpCmdRun.exe [5600] - WmiPrvSE.exe [14636] - keygen-step-5.exe [10256] - WmiPrvSE.exe [15036] - smartscreen.exe [7868] - svchost.exe [17932] - FB2B.tmp.exe [17260] - svchost.exe [15108] - svchost.exe [19700] - FF1C.tmp.exe [8244] - 3C0.exe [17576] - convimage.exe [14528] - NisSrv.exe [16212] - 3BD9.exe [20636] - 8AB5.tmp.exe [17776] - explorer.exe [7320] - explorer.exe [8356] - explorer.exe [16624] - explorer.exe [8688] - powershell.exe [19404] - explorer.exe [8612] - explorer.exe [14944] - explorer.exe [14260] - conhost.exe [15188] - explorer.exe [13328] - svchost.exe [3400] - RegAsm.exe [20132] - explorer.exe [16236] - WerFault.exe [12020] - taskhostw.exe [14684] - backgroundTaskHost.exe [20296] - TrustedInstaller.exe [16464] - explorer.exe [13440] - TiWorker.exe [15312] - explorer.exe [12264] - explorer.exe [9032] - explorer.exe [18328] - explorer.exe [17444] - explorer.exe [9072] - explorer.exe [19640] - FileCoAuth.exe [884] - explorer.exe [1580] - explorer.exe [7160] - explorer.exe [11820] - explorer.exe [15652] - explorer.exe [7324] - explorer.exe [11296] And here is a chaos mosaic i did with vt-graph, landscape map with cracknet and friends: https://www.virustotal.com/graph/embed/g1eb67876dc2343c7bad3310f6dcd7db61d2ee76f7842479fbd19afea3dbaee8f 2 Link to comment Share on other sites More sharing options...
Xyl2k Posted November 11, 2020 Author Share Posted November 11, 2020 Tango down for 109.201.133.80 (keygens.pro, serials.be, crack.ms) Meanwhile, 54.36.184.139 (crackinns.com, torrentheap.com, crackheaps.com, cracknets.net, cracksnet.net, cracknet.net, keygenit.net, keygenom.net, cracksgurus.com, keygenninja.com, serialms.com, mackeygens.com, mediagetsite.com, get.ziplink.xyz, get.ziplink.stream) are still spreading malware. Abuse sent too, but nothing followed for the moment, so here is some insight about their infra in the meantime (when all else fails, crowbar the fornicationer) Embedded mini-admin panel to administrate the fake sites, allow them to disable links, blacklist keywords on site, redirect on affil, etc.. Okay cool, you might want to see some numbers now? The site with highest traffic is keygenninja with around 13k visits per day, and they infect/install roughly 10k per day. As mentioned in previous post the end user get a bunch of crap (trojan.miner, password stealer, serial numbers stealer, PUPs..) The exfiltrated passwords are sent to t4p.xyz, domain registered by alelolay[@]protonmail.com, who also own fews other domains (q1f.xyz, crypto-trad1ng.xyz , trading-solutions.xyz) That all, for the moment! 8 3 Link to comment Share on other sites More sharing options...
Xyl2k Posted December 15, 2020 Author Share Posted December 15, 2020 keygens.pro is back as expected. Still distributing randomly 'setup_pass-123.exe' and some other craps like htxps://keygens.pro/crack/122490/ https://www.virustotal.com/gui/file/1c6d9872dd7e6cf5fe515fbdafd055885ba07c3f1f214e4a789662e6ed046439/detection shity vb6 layer on that one 'Projekt1test\ApCrypterStub' appear to be communicating with dontfornicationjesus.no-ip.info, PoisonIvy RAT Meanwhile, cracknet syndicat is still resilient. Although they dropped infections to 6k daily because we're making their job more difficult. Some of theirs malwares who connect to download more (not exhaustive list): down.05779b0d24fb315d.xyz/index.exe 67C68B858942BEF785B1A5FC9CDDDB01 down.05779b0d24fb315d.xyz/index_no2.exe 802FE2BA6D91BDEADAA9DE19213EC133 www.sodown.xyz/index.exe 67C68B858942BEF785B1A5FC9CDDDB01 1105355415.rsc.cdn77.org/index.exe 67C68B858942BEF785B1A5FC9CDDDB01 1105355415.rsc.cdn77.org/index_no2.exe 802FE2BA6D91BDEADAA9DE19213EC133 1105355415.rsc.cdn77.org/bot_no.exe 34BD9B901914A3051989E95CE2A47BA3 1105355415.rsc.cdn77.org/bot.exe 06F4985B578AD995DBF6F07B0EEB6279 www.cleimmo.ma/rh/soft.exe 6FDB7328D15D2EE2AD9F6B072054A7BE www.evograph.ro/js/sooft.exe BDBB8E4DE8FFAA96552DF10D184B3195 www.evograph.ro/js/fw1.exe 5BD6A17341164EB9BE5C4149E619AA6A icaterp.com/db/jamkee.exe 35CC7255BA16D183A4A132650D67D2DF These one have daily hash change: dream.pics/setup_10.2_mix3.exe B9E36254F804771139987B8FAB28C2D2 dream.pics/setup_10.2_mix2.exe 898BE5FDC5F6CBC87BCAA4648F241742 dream.pics/setup_10.2_mix1.exe 3FECE26FB5465927C205B0D9A2B94872 dream.pics/setup_10.2_mix.exe DF5C0B910F5E53C92894B5C33A14B409 dream.pics/setup_10.2_mix.exe 1C882DC851AD5E56FD1F5A678A966767 dream.pics/setup_10.2_mix.exe A834C2FB14754929ED71A2030E7BEDD6 dream.pics/setup_10.2_mix.exe 089461312BC99FA6220BBEE93FDE4716 dream.pics/setup_10.2_mix.exe 8A09EC6492F6568E0DF78F35389D330A dream.pics/setup_10.2_mix.exe 5FC34A006FA51232DBE699FE709F05B6 dream.pics/setup_10.2_mix.exe 4F6B2CCD06FBE9F307C6182C258E5CFD dream.pics/setup_10.2_mix.exe 310F175EF3484C2AF64EC1582BBB6E8A dream.pics/setup_10.2_mix.exe 53B6B6893176F9DD0BEE1B21E9B4E452 2 Link to comment Share on other sites More sharing options...
Roentgen Posted January 3, 2021 Share Posted January 3, 2021 Me personally never had any issue with keygens.pro (well, at least I checked some of my old releases and they are not altered). The whole situation is quite sad, because end-users blame crackers for making/spreading viruses but the crackers have nothing to do with the malware Link to comment Share on other sites More sharing options...
r0ger Posted January 17, 2021 Share Posted January 17, 2021 Now they've added the SetupPass123.zip files on all the cracks, even on tPORt's releases. Link to comment Share on other sites More sharing options...
Xyl2k Posted February 6, 2021 Author Share Posted February 6, 2021 I tried to look at the new shenanigan of keygens.pro but that thing just wont run on my systems. SetupPass-123.exe - 468f3af5f80792d566b0601ed58e429fca80adda x64 file, vs2015 runtime on import, and also "vcruntime140_1.dll" for one function (?!) the same file can be observed also in the wild at: hxxp://cuckoorental.com/backup.exe some news also about cracknet: seem they now use their domain 'crackheap' as gateway to replace cracknet. they also renewed their vidar license, as it's being used as payload in their latest malware, from the last run of today: https://app.any.run/tasks/0cafbb3a-5a58-4241-94c5-1e119668831d/ (the 'Vbox.exe' process) Link to comment Share on other sites More sharing options...
suspicious_link Posted March 28, 2021 Share Posted March 28, 2021 created an account on this site to respond to this, it's MingLoa / CopperStealer https://www.trendmicro.com/en_us/research/21/c/websites-hosting-cracks-spread-malware-adware.html https://twitter.com/JAMESWT_MHT/status/1355432089378811904 https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft Link to comment Share on other sites More sharing options...
Matsilagi Posted May 16, 2021 Share Posted May 16, 2021 (edited) So, i was desperate for a Keygen and ended up falling for one of those sites (CracksGuru), ran it, and it did part of it's payload, however, i refused one of it's things to run, but the other went through. After seeing the CPU consumption skyrocket and a weird iplogger page appear, i panicked and downloaded MBAM and scanned, it found a few threats (An autoexec entry, a Registry Key and a exe), and removed those, then, o scanned with Spybot Search and Destroy, and it found nothing. Besides changing passwords and all that safety rodeo, should i go with formatting or can I sleep safe knowing that the virus had been eliminated? Forgot to say but, after the scans, i did not notice anything weird, and nothing new seemed to be installed. Still gotta check the browser extensions, and none of the MSI payloads ran when I first executed the fake Keygen before the scan (i had 2 MSI installers but they were on background, and i killed them). Any other places to look at after the virus are welcome for me, since I'm not new to computers, just happened to be unfortunate. Edited May 16, 2021 by Matsilagi Link to comment Share on other sites More sharing options...
Xyl2k Posted May 20, 2021 Author Share Posted May 20, 2021 check if you don't have anything 'weird' or at least that you don't recognise who launch at startup with windows. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now