
Recommended Posts

  • Root Admin

Thank you @Elitestore

Can we get some logs from the computer in question?


To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if they are blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you



  • Root Admin

Please see the following for more information on this infection


It does have a payload in the PowerShell and attempts to contact


(which we block)

Once I get your logs back we can review further to help ensure this is removed from the system @Elitestore




So upon further self-examination, I remembered to check Windows Task Scheduler and I did find an entry there that was set to invoke wscript every 2 minutes in an attempt to run the payload script file (which I uploaded originally). I deleted that entry. I then found a very small .iso file in the client's Download folder, so I must assume they received it via an email attachment and then opened it. I am attaching that iso file to this msg. A paid Malwarebytes Premium is running on the client computer, so maybe it somewhat thwarted the infection, but I am sorely disappointed that it is not detecting the payload files. At this time, I don't see a need to run any more diagnostic or logging tools, but I hope you (or someone) reviews the iso payload and can help get this type of attack "detected". Thanks.


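A hunt for the two artifacts the post above describes (a scheduled task firing a script host every couple of minutes, and a small .iso sitting in a Downloads folder), added here as an example rather than anything posted in the thread or shipped by Malwarebytes; the 10-minute "frequent" threshold and the C:\Users\*\Downloads path are my assumptions.

```powershell
# Added example (not from the thread): surface scheduled tasks that launch a script host
# on a tight repetition interval, and list .iso files in every local Downloads folder.
# Assumptions: 10-minute threshold and default profile layout (both marked below).

$ScriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')
$MaxInterval = [TimeSpan]::FromMinutes(10)   # assumption: anything this frequent deserves a look

function Find-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = [System.IO.Path]::GetFileName([string]$action.Execute).ToLower()
            if ($ScriptHosts -notcontains $exe) { continue }

            # Repetition.Interval is an ISO 8601 duration, e.g. PT2M = every 2 minutes
            $shortest = $null
            foreach ($trig in $task.Triggers) {
                $iso = $trig.Repetition.Interval
                if ($iso) {
                    $span = [System.Xml.XmlConvert]::ToTimeSpan($iso)
                    if (-not $shortest -or $span -lt $shortest) { $shortest = $span }
                }
            }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Command  = "$($action.Execute) $($action.Arguments)"
                Interval = $shortest
                Frequent = ($null -ne $shortest -and $shortest -le $MaxInterval)
                LastRun  = $info.LastRunTime
            }
        }
    }
}

function Find-DownloadedIsos {
    # .iso files in each local user's Downloads folder (assumption: default profile layout)
    Get-ChildItem -Path 'C:\Users\*\Downloads' -Filter '*.iso' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Review the hits by hand before deleting anything; legitimate admin tasks can match too.
Find-SuspiciousTasks | Where-Object Frequent | Format-Table -AutoSize
Find-DownloadedIsos | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so tasks registered under other users and all profile folders are visible.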

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you




This topic is now closed to further replies.