Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on December 26, 2018, 12:45:58 AM

Title: What malware resides here? Avast detects Win32:Malware-gen!
Post by: polonus on December 26, 2018, 12:45:58 AM
Mining detected?

Flagged: https://urlquery.net/report/208888a4-da0a-4b35-8ce9-09c4264bb3c1
See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ll58bl1uZlt9ey5eXW1gXmZue3dgYG1dI3Vse3MucGhwYFtuI3t4LnBocA%3D%3D~enc
while website has outdated PHP: https://sitecheck.sucuri.net/results/www.canonfire.com/cf/index.php

On IP: https://tracker.fumik0.com/search=188.120.224.18

Many detect: https://www.virustotal.com/#/url/1f565a49a43577c255fb12fa7df842dbb0c46023d1d6587d1fac742ad36b5069/detection
and avast detects as: Win32:Malware-gen

polonus
Title: Re: What malware resides here? Avast detects Win32:Malware-gen!
Post by: polonus on December 26, 2018, 12:49:45 AM
Real interesting background read on Haruko's detection:
-https://tracker.fumik0.com/learning
Quote
Disclaimer: Examples of commands used by Attackers
For DFIR / CERT / SOC Analysts, this is a good start for signatures and learning some stuff
Disclaimer: These are real cases of commands. (good or malicious)
I am not responsible for your acts
  (for educational purposes only by ethical security researchers).
As there are other tools, like: -https://manalyzer.org/report/fdc1a95188cf00160a05ea4a1d50e84c
(security researchers can revive the link ;) from: -https://tracker.fumik0.com/links

polonus
Title: Re: What malware resides here? Avast detects Win32:Malware-gen!
Post by: Pondus on December 26, 2018, 01:32:50 PM
Quote
What malware resides here?
Coinminer

https://www.virustotal.com/#/file/f6a335b317073b793529f994c85e5db770228d3a4131ea9e29e0deae3cfc40d5/detection


Title: Re: What malware resides here? Avast detects Win32:Malware-gen!
Post by: polonus on December 26, 2018, 05:43:21 PM
Is this obfuscated miner detected and being blocked?
-https://authedmine.com/lib/authedmine.min.js
Given as a low-security risk for this optional miner: https://sitecheck.sucuri.net/results/https/authedmine.com/lib/authedmine.min.js
See: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fHV0aHsjbVtuey5eXW1gbFtiYHx1dGh7I21bbnsubVtuLmpz~enc

polonus
Title: Re: What malware resides here? Avast detects Win32:Malware-gen!
Post by: Pondus on December 26, 2018, 07:02:44 PM
Quote
Is this obfuscated miner detected and being blocked?
URL blacklist check > authedmine.com/lib/authedmine.min.js
https://www.virustotal.com/#/url/36e027fbb6d7d5b685c06155fd09bb566144a5fee8f1639127509ca43f635135/detection

File scan > authedmine.com/lib/authedmine.min.js
https://www.virustotal.com/#/file/041c727ed0160536c361715b1e9ee7eafc7fe5838f0a4722e6ed01941f7d6ede/detection


Domain blacklist check > authedmine.com/
https://www.virustotal.com/#/url/b6b6242a9507fcfaa11c49790e2bcb4334c03b086c87876dfd045cf02094148c/detection

File scan > output.114021424.txt
https://www.virustotal.com/#/file/b2a81b90c589408775a0622d3f5458a3f9d25011fc12e883699178ec2cb37b77/detection



Title: Re: What malware resides here? Avast detects Win32:Malware-gen!
Post by: polonus on December 27, 2018, 12:20:07 AM
Thank you, Pondus, that is overtly clear then.

Miners, optional or not, are all frowned upon, and all are being alerted to.
Let there be no doubt about it that AV does not like mining code.

polonus