Author Topic: IDP.HELU.MSEx4 - Fileless Malware

Offline PDI

  • Avast team
  • Full Member
  • Posts: 101
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #30 on: October 31, 2019, 10:09:30 AM »
Hi,

I checked the provided logs and haven't found anything suspicious in them.

Regards,
PDI

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #31 on: October 31, 2019, 10:35:34 AM »
Hi, sorry for the delay; here is the Fixlog for BITSADMIN.
Thanks for your help, guys.

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #32 on: October 31, 2019, 10:44:40 AM »
Hello PDI,
So what should I think about this message, then?
Thank you.

Offline PDI

  • Avast team
  • Full Member
  • Posts: 101
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #33 on: October 31, 2019, 02:46:37 PM »
Hi,

do you have any other computer on the network when the detection occurs?

Maybe we are looking at the wrong computer.

PDI

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #34 on: October 31, 2019, 02:51:15 PM »
Nope, it's just me connected to my box via Wi-Fi...

Offline PDI

  • Avast team
  • Full Member
  • Posts: 101
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #35 on: October 31, 2019, 03:46:29 PM »
Hi Oliv.C,

The last chance is WMI.

Can you download https://github.com/vinaypamnani/wmie2/releases and follow these steps?

1) press the Connect button
2) navigate to ROOT\subscription
3) for each subscription
    a) right-click it, run Enumerate Classes and navigate into the Classes subwindow
    b) select ActiveScriptEventConsumer, right-click it and run Enumerate Instances
    c) select CommandLineEventConsumer, right-click it and run Enumerate Instances
  If there are any records for instances in steps b) or c), please try to get a copy of the instance and share it with us.

Thanks,
PDI
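
The same check from PowerShell, as an added example that is not part of the thread or of WMI Explorer. It dumps the two consumer classes PDI asks for, and also the __EventFilter and __FilterToConsumerBinding objects, because a consumer only runs when a binding ties it to a filter, so a pair of empty consumer lists is not the whole picture. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the output file name is arbitrary.

```powershell
# Added example (not from the original thread): enumerate WMI permanent event
# subscriptions in ROOT\subscription, the same objects WMI Explorer shows above.
# Assumes an elevated PowerShell session. $OutFile is an arbitrary choice.

$Namespace = 'ROOT\subscription'
$OutFile   = "$env:USERPROFILE\Desktop\wmi-subscriptions.txt"

# A filter says *when*, a consumer says *what* to run, a binding joins the two.
# An unbound consumer is inert; a binding is what makes persistence live.
$Classes = @(
    '__EventFilter',
    'ActiveScriptEventConsumer',
    'CommandLineEventConsumer',
    '__FilterToConsumerBinding'
)

$report = foreach ($class in $Classes) {
    # @() so .Count works even when zero or one instance comes back.
    $instances = @(Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction SilentlyContinue)
    "==== $Namespace : $class ($($instances.Count) instance(s)) ===="
    foreach ($i in $instances) {
        switch ($class) {
            '__EventFilter'             { "  Name={0}`n  Query={1}" -f $i.Name, $i.Query }
            'ActiveScriptEventConsumer' { "  Name={0}`n  Engine={1}`n  ScriptFileName={2}`n  ScriptText={3}" -f $i.Name, $i.ScriptingEngine, $i.ScriptFileName, $i.ScriptText }
            'CommandLineEventConsumer'  { "  Name={0}`n  ExecutablePath={1}`n  CommandLineTemplate={2}" -f $i.Name, $i.ExecutablePath, $i.CommandLineTemplate }
            '__FilterToConsumerBinding' { "  Filter={0}`n  Consumer={1}" -f $i.Filter, $i.Consumer }
        }
    }
}

# Print to the console and keep a copy that can be attached to a forum post.
$report | Tee-Object -FilePath $OutFile

# Windows 10 / Server 2016 and later also record event 5861 in the WMI-Activity
# operational log whenever a permanent subscription is registered, so a
# subscription that was created and later removed still leaves a trace here.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

If every class reports zero instances and no 5861 events exist, WMI is not the persistence mechanism on that machine, which matches PDI's conclusion later in the thread; if a binding does show up, the filter's Query and the consumer's CommandLineTemplate or ScriptText are the parts worth posting.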

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #36 on: November 01, 2019, 06:37:23 PM »
Hello PDI,
So I ran WMI Explorer and found a few classes that had ActiveScriptEventConsumer and CommandLineEventConsumer, but none of them had any instances.
Thanks

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #37 on: November 12, 2019, 11:54:12 AM »
Hello again, so does anybody have another idea, please?
Thanks a lot.

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2708
  • Volunteer
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #38 on: November 12, 2019, 05:40:32 PM »
I have reached out to PDI for comment.
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student.

Offline PDI

  • Avast team
  • Full Member
  • Posts: 101
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #39 on: November 12, 2019, 08:26:24 PM »
Hi,

Unfortunately, if there aren't any instances in WMI then I cannot help you any further right now. If I find something, I'll let you know.

Regards,
PDI

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • Posts: 769
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #40 on: November 12, 2019, 11:39:42 PM »
Please post new FRST.txt and Addition.txt logs.

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #41 on: November 15, 2019, 03:57:08 PM »
Hello, sorry for the delay; here are the newest files. Thanks.

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • Posts: 769
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #42 on: November 15, 2019, 05:59:37 PM »
Logs look clean. Please scan the PC with TDSSKiller.
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #43 on: November 16, 2019, 11:11:40 AM »
Hello, TDSSKiller didn't return any threats...
Thank you.

Offline Oliv.C

  • Jr. Member
  • Posts: 23
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #44 on: December 07, 2019, 06:25:54 PM »
Hello guys, so does somebody have any more ideas?
I'm still getting this annoying message.
Thanks.