Got virus in mail

You are currently reading a thread in /g/ - Technology

Thread replies: 27
Thread images: 7
I just got a mail with a zip, Gmail flagged it as a virus, there was 1 JavaScript file in the zip.


This is the script:

http://pastebin.com/manWMYpM


I don't know JavaScript very well, but there were some base64 strings and using base64decode.org I found 2 links to exe files.
Virustotal link:
https://www.virustotal.com/en/file/2831210517e598212abe19328a0741ff32e116379beca98dae06977a1172cd0d/analysis/1453810937/

Anyone interested in reverse engineering the virus or finding out who owns the website?

I would like to know but don't know how.
>>
bro that's way over our heads this board is just for discussing cell phones, graphics cards, and gaming laptops
>>
>>52631179
This. You overestimate /g/
>>
>>52631179
>>52631219
I know /g/ is mostly memes now, but I thought there should be at least a few people who know this kind of stuff
>>
On line 20 you see eval. All this procedure of decoding and fucking with it is unnecessary, just replace eval with alert (or console.log) to get the original code.
http://pastebin.com/9gCP8AQV -> http://pastebin.com/WzJnsAR4
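The eval-to-logger trick from the post above, as an added example that is not part of the thread: a constructed, harmless stand-in for the dropper is instrumented so every eval() argument is recorded instead of run, then download URLs are pulled from the captured text and defanged for reporting. Assumes Node.js and an isolated analysis VM; the sample script, the example.invalid URLs and the helper names are constructed for this illustration.

```javascript
"use strict";

// Constructed, harmless stand-in for the mailed dropper: it builds a second
// stage from base64 pieces and passes it to eval(), as the real script did.
const SAMPLE = `
var p = ['aHR0cDovL2V4YW1wbGUuaW52YWxpZC8=', 'OTMuZXhl'];
var s = 'var url = "' + atob(p[0]) + atob(p[1]) + '";';
s += 'var backup = "http://backup.example.invalid/93.exe";';
eval(s);
eval('download(url, backup)');
`;

// The manual edit from the post ("replace eval with alert"), done in code:
// every bare eval( call becomes a call to our capture function, so the decoded
// stage is recorded but never executed. Indirect calls such as window["eval"]
// would slip past this regex, exactly as they would slip past the manual edit.
function analyze(script) {
  const captured = [];
  const capture = (code) => { captured.push(String(code)); };
  // Windows Script Host has no atob(); supply one so the sample can decode itself.
  const atob = (b64) => Buffer.from(b64, 'base64').toString('latin1');
  const instrumented = script.replace(/\beval\s*\(/g, '__capture(');
  new Function('__capture', 'atob', instrumented)(capture, atob);
  // Pull URLs out of everything that would have been eval'd.
  const urls = new Set();
  for (const stage of captured) {
    for (const u of stage.match(/https?:\/\/[^\s"'<>]+/g) || []) urls.add(u);
  }
  return { captured, urls: [...urls] };
}

// Defang indicators before sharing them, as the post does with hXXp://.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

const result = analyze(SAMPLE);
console.log('captured stages:', result.captured.length);
console.log('download URLs:', result.urls.map(defang));
```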
>>
>>52631404
Oh, also this will download and exec
hXXp://helahhoast.net/93.exe.MALWARE

with backup host of belahhoastbil.com.MALWARE

This is classic, I should look up the exe, it's probably ransomware desu
>>
I hate those faggots sending viruses to people.
>>
VT Hash c33875e0c096292b27bdd17b2821d4c2cd89a6dbce97e7aede13a1de57462b84

helahhoast is long gone, but auxiliary domain is still active
>>
>>52631179
>>52631219
>>52631337
Getting real sick of this bullshit we can't talk about more advanced technology because most of /g/ are consumer whores. If you want to improve /g/, talk about stuff that will attract people who want to talk about better technology.
>>
This is one interesting exe... Seems like it's GUI, but all words in the exe are some kind of random
I would run it in VM, but I don't have it right now
>>
>>
>>
Malware is made by a Russian, despite domain belahhoastbil.com.MALWARE being registered in Portugal
https://en.wikipedia.org/wiki/Tatars
>>
>>
>>52631781
>>52631793
wat
>>
>>52632371
floorspace housekeeping footman
>>
>>52631819
>https://en.wikipedia.org/wiki/Tatars

source on how you found this out anon?
>>
>>52632461
>>
>>52632485
What's that?
>>
>>52632626
ResEdit
>>
>>52631179

3.5/4 star post.
>>
OP here, nice to see some serious answers

>>52631404
Didn't know that, thanks

>>52631781
>>52631793
Nice to see some printscreens, did it actually do anything besides showing random gibberish?

>>52631819
>>52632485
>>52632641
Of course it was the Russians, thanks for finding out
>>
>>52633037
>Nice to see some printscreens, did it actually do anything besides showing random gibberish?
If this thread is still alive by the time I get onto my VM, I will run it on the VM
>>
Lol, Albanian virus is real
>>
>>52633055
some site runs it on a VM, google the link from helahhoast and you'll find it, it's on malwr dot cum (can't post link because spam)

pic related, it's ransomware
>>
>>52633122
like I said
>>
>>52633122
Domain Name: BELAHHOAST.NET
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Sponsoring Registrar IANA ID: 460
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.LOOSEMONGO.PW
Name Server: NS1.MARSIISAWA.PW
Status: ok https://www.icann.org/epp#OK
Updated Date: 24-jan-2016
Creation Date: 24-jan-2016
Expiration Date: 24-jan-2017

^ shit man shit's fresh
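The freshness check the poster draws from that WHOIS record, as an added example that is not part of the thread: it parses the record as quoted above, computes the domain's age at the time it was observed (the epoch timestamp from the VirusTotal link in the OP) and flags anything registered within a threshold. Assumes Node.js; the 30-day threshold and the function names are my own choices.

```javascript
"use strict";

// The WHOIS record as quoted in the post above (trimmed to the fields used).
const WHOIS_TEXT = `
Domain Name: BELAHHOAST.NET
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Name Server: NS1.LOOSEMONGO.PW
Name Server: NS1.MARSIISAWA.PW
Creation Date: 24-jan-2016
Expiration Date: 24-jan-2017
`;

// Epoch seconds from the VirusTotal analysis URL in the OP (26 Jan 2016).
const OBSERVED_AT = 1453810937;

const MONTHS = { jan: 0, feb: 1, mar: 2, apr: 3, may: 4, jun: 5,
                 jul: 6, aug: 7, sep: 8, oct: 9, nov: 10, dec: 11 };

// "key: value" lines into an object; repeated Name Server lines become a list.
function parseWhois(text) {
  const rec = { nameServers: [] };
  for (const line of text.split('\n')) {
    const m = line.match(/^([^:]+):\s*(.*)$/);
    if (!m) continue;
    const key = m[1].trim().toLowerCase();
    const val = m[2].trim();
    if (key === 'name server') rec.nameServers.push(val.toLowerCase());
    else rec[key] = val;
  }
  return rec;
}

// Registrar date format seen in the record: dd-mon-yyyy, taken as UTC midnight.
function parseWhoisDate(s) {
  const m = /^(\d{1,2})-([a-z]{3})-(\d{4})$/i.exec(s || '');
  if (!m || !(m[2].toLowerCase() in MONTHS)) return null;
  return new Date(Date.UTC(+m[3], MONTHS[m[2].toLowerCase()], +m[1]));
}

// Age in whole days at observation time; freshDays is an assumed threshold.
function domainAge(text, observedEpoch, freshDays = 30) {
  const rec = parseWhois(text);
  const created = parseWhoisDate(rec['creation date']);
  const base = { domain: rec['domain name'], nameServers: rec.nameServers };
  if (!created) return { ...base, ageDays: null, fresh: false };
  const ageDays = Math.floor((observedEpoch * 1000 - created.getTime()) / 86400000);
  return { ...base, ageDays, fresh: ageDays < freshDays };
}

console.log(domainAge(WHOIS_TEXT, OBSERVED_AT));
```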