toadboy

Check these files please


So, I don't believe this is a false positive but after talking to one of your experts, they suggested I make a post here.

This post is related to the one I posted yesterday:


What happened:

So I have this crypto wallet for Verge Currency (XVG) and last week there was an update for it, 6.0. So I had to download and install the new one. No problems.

Then yesterday I got a msg on Discord from someone called Verge UpdateBot that said that 6.1 was out and I needed to install it.

This made me think back on the previous update that they had a few months back. 5.0 came out and a couple of days later there was another update, 5.1.

So I went into the GitHub and it looked legit, so I downloaded the zip file, extracted the .exe file and replaced the legit .exe file in my programs and I ran it.

A notification warning came up (don't remember what it said) but I stupidly ignored it and continued because I thought it was a false positive, which has happened before with this wallet.

That's when I believe Win Def kicked in and quarantined it.

I did some scans on both windef and mbam and I removed the two files which were called:

Trojan:Win32/Conteban.B!ml

Trojan:Win32/Suloc.l!cl

I did some googling and I suspect they might be ransomware.

Mbam said it was a keylogger.

I uploaded the zip files to VirusTotal and I got these results back: https://www.virustotal.com/gui/file/66b8b7f71492853cbf34e4ee0d178d6bacff247e1835035817cb40d384b130f3/detection

The files I downloaded are at: https://github.com/vergescurrency/VERGE/releases/tag/v6.1.0

The specific file I downloaded is: https://github.com/vergescurrency/VERGE/releases/download/v6.1.0/verge-6.1.0-win64.zip and the file I executed was the one called: verge-qt.exe

(If the Github and the files are taken down before you can check them, let me know and I can send you the zip file)

I've spoken with the XVG team and they have confirmed that this is not legit and didn't come from them.

I hope you can give me some information about these files and what they do etc.

My system seems fine and I haven't noticed any problems after this incident but I would like to make sure that I'm safe and find out if there is anything else that I can do.

Thank you


mbamreport.txt

3 hours ago, toadboy said:

Hi, David

I uploaded the exe file to VirusTotal and got these results back: https://www.virustotal.com/gui/file/8f1b589503ff1beb6a85c636e4af1c3045d0e5348e091b24b3937d557e68471f/detection


This archive has Backdoor.Quasar in it

MD5: 35843A5F14D942C815F55F21B51E8F82 => https://www.virustotal.com/gui/file/1fde04dd38b0e62c6e39c9cf83d946052d665ab43be1aad712c665d4f216becf/detection

That is what is being detected. I'm not seeing a false positive here regarding the other archives attached.

C:\Users\<USER>\AppData\Roaming\1337\System32.exe

If that file is on your system, I'd remove it.


Thanks for the reply.

I literally found that 1337 folder right before you replied. There was no System32.exe file there but the verge-qt.exe was there. I deleted the whole folder.

I also saw that there is something in my registry at: Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\users\USER\appdata\roaming\1337\verge-qt.exe.ApplicationCompany

C:\users\USER\appdata\roaming\1337\verge-qt.exe.FriendlyAppName

Are these also a part of the malware and can I safely delete these? I don't know much about how the registry works...


I would leave those alone. These are harmless leftovers of the verge QT software. They are not malware.
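Added triage example (not code from anyone in this thread): a PowerShell script that checks the %APPDATA%\1337 folder named in the staff reply and the MuiCache key from the post above, hashing any files it finds against the VirusTotal hashes quoted in the thread. That the folder sits under $env:APPDATA is inferred from the posted paths; the labels in $KnownBad are taken from the posts.

```powershell
# Folder the fake wallet dropped its files into (from the thread; %APPDATA% = ...\AppData\Roaming)
$Folder = Join-Path $env:APPDATA '1337'

# Hashes quoted in the thread, uppercase to match Get-FileHash output
$KnownBad = @{
    '66B8B7F71492853CBF34E4EE0D178D6BACFF247E1835035817CB40D384B130F3' = 'verge-6.1.0-win64.zip (SHA256 from VirusTotal link)'
    '8F1B589503FF1BEB6A85C636E4AF1C3045D0E5348E091B24B3937D557E68471F' = 'verge-qt.exe (SHA256 from VirusTotal link)'
    '1FDE04DD38B0E62C6E39C9CF83D946052D665AB43BE1AAD712C665D4F216BECF' = 'Backdoor.Quasar payload (SHA256 from VirusTotal link)'
    '35843A5F14D942C815F55F21B51E8F82'                                 = 'Backdoor.Quasar payload (MD5 from staff reply)'
}

function Test-FakeVergeArtifacts {
    $findings = @()

    # 1. Dropped files: System32.exe / verge-qt.exe under %APPDATA%\1337
    if (Test-Path -LiteralPath $Folder) {
        $findings += "Folder present: $Folder"
        Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            $label = 'hash not quoted in thread; submit for analysis'
            if ($KnownBad.ContainsKey($sha)) { $label = $KnownBad[$sha] }
            elseif ($KnownBad.ContainsKey($md5)) { $label = $KnownBad[$md5] }
            $findings += ('File: {0}  SHA256={1}  [{2}]' -f $_.FullName, $sha, $label)
        }
    } else {
        $findings += "Folder not present: $Folder"
    }

    # 2. MuiCache values: evidence that verge-qt.exe ran from that folder.
    #    As the staff reply says, these are harmless leftovers, but they show execution.
    $mui = 'Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
    if (Test-Path -LiteralPath $mui) {
        $key = Get-Item -LiteralPath $mui
        foreach ($name in $key.GetValueNames()) {
            if ($name -like '*\AppData\Roaming\1337\*') {
                $findings += ('MuiCache: {0} = {1}' -f $name, $key.GetValue($name))
            }
        }
    }
    return $findings
}

Test-FakeVergeArtifacts
```

Run it in a normal (non-elevated) PowerShell session as the affected user, since both the folder and the MuiCache key are per-user.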


Ok, thanks.

Is there anything else that I should do that you can think of?

Any other thing I should check on my pc?

Do you think I'm safe?

3 hours ago, toadboy said:

Any other thing I should check on my pc?

If you suspect you're infected then please read and follow the instructions in this topic and then create a new topic in our malware removal area by clicking here, and one of our malware removal specialists will assist you in checking and clearing the system of any threats.
