Possible RedLineStealer


Versety

Hello everyone.

 

I may have a bit of a problem here, so it would be great if somebody could help me.

I have accidentally double-clicked on a .scr disguised as a video file - it had an extension of .mp4 and a thumbnail disguised as a video file. I have recently reinstalled Windows, so I did not feel suspicious about the generic video thumbnail of this file (I am using MPC-HC as my video player - it has different thumbnails for videos).

After double-clicking it I immediately felt that something had been executed on my PC - the cursor flashed for a second. I am using Windows Defender with everything turned on, but it didn't react to this execution.

I ran a quick scan in Windows Defender - it showed nothing.

Then I ran a custom scan of the "video file" - it showed nothing.

Still being suspicious about the file, I opened it with 7z as an archive. It contained two files:

 

"1.VideoMP4.exe"

"2"

 

"2" was just a filler to make the file heavy to look more like a video file, as far as I understand.

At this point I installed Malwarebytes and ran a full scan of the C: drive, including rootkit detection.

The only file that turned out positive was "1.VideoMP4.exe", which I had just unpacked myself...

The original ...mp4.scr container file is not detected as a virus by Malwarebytes, only the small exe file is.

Below you can find the VirusTotal result for the exe file. The container file was too big to upload to VirusTotal.

https://www.virustotal.com/gui/file/9ba200be2e73a09a92992637c328e36ea13cd3af24fada465a1a194efc1c00e6/detection

I have since tried the Windows Malware Removal Tool and Malwarebytes AdwCleaner - they show everything as clean. No Chrome PUPs even.

The original "video file" was contained inside an .iso file. I figured out it was a DVD rip of some sort, but looking back it was very suspicious. Maybe the .iso file should have been mounted as a drive for a "full" attack?

I have since disconnected my external hard drive and prepared a Windows installation USB stick. Any advice on how to move forward? Was I even infected in the first place? If the "video" file shows up as a false negative, I would gladly share it as a sample in order to improve detection.

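The double-extension lure and the oversized container described in the post above can be checked offline without relying on an antivirus verdict. The following Python script is an added example, not code from this thread or from Malwarebytes: it reads the real file type from the MZ/PE header regardless of the extension, flags a media extension sitting in front of an executable one, measures how much data is appended after the last PE section (the overlay, where a self-extracting archive and any filler would live) and whether that overlay starts with a 7-Zip signature, and computes the SHA-256, which can be searched on VirusTotal even when the file itself is too large to upload. The file it analyses is constructed in build_sample() and is not the real sample; the 7z-SFX layout is an assumption about one way a .scr could open in 7-Zip as an archive, not something the thread confirms.

```python
import hashlib
import struct
from pathlib import PurePath

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"      # 7-Zip archive signature
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".wmv"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd"}


def extensions(name):
    """For 'clip.mp4.scr' return ('.mp4', '.scr'): the part a user reads as the type, and the one Windows executes."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    real = suffixes[-1] if suffixes else ""
    visible = suffixes[-2] if len(suffixes) >= 2 else ""
    return visible, real


def pe_overlay_offset(data):
    """Offset just past the last PE section (where appended data starts), or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
        end = table + 40 * nsections                # never before the end of the section table
        for i in range(nsections):
            # SizeOfRawData and PointerToRawData sit 16 bytes into each 40-byte section header
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:                            # truncated header
        return None
    return min(end, len(data))


def triage(name, data):
    """Summarise what the file really is, independent of the extension and of any AV size limit."""
    visible, real = extensions(name)
    overlay_off = pe_overlay_offset(data)
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # searchable on VirusTotal without uploading
        "size": len(data),
        "is_pe": overlay_off is not None,
        "double_extension_lure": visible in MEDIA_EXTS and real in EXEC_EXTS,
        "overlay_bytes": 0,
        "sfx_7z": False,
        "overlay_zero_ratio": 0.0,                  # close to 1.0 means the overlay is mostly padding
    }
    if overlay_off is not None:
        overlay = data[overlay_off:]
        report["overlay_bytes"] = len(overlay)
        report["sfx_7z"] = overlay.startswith(SEVENZ_MAGIC)
        if overlay:
            report["overlay_zero_ratio"] = overlay.count(0) / len(overlay)
    return report


def build_sample():
    """Constructed sample (not the real malware): a minimal PE with one section, then a 7z signature and zero filler."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, no optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = raw_size = 0x200
    section = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    headers = (dos + coff + section).ljust(raw_ptr, b"\0")
    return headers + b"\xC3" * raw_size + SEVENZ_MAGIC + b"\0" * 4096


if __name__ == "__main__":
    for key, value in triage("VideoMP4.mp4.scr", build_sample()).items():
        print(f"{key}: {value}")
```

To run it against a real file, call triage(path.name, open(path, "rb").read()). A small PE followed by a large, mostly zero overlay is the "tiny stub plus filler" layout the poster describes, and the sha256 field lets you check VirusTotal by hash for the container even though it exceeds the upload limit.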

The computer is currently disconnected from the network and turned off. I still have the "virus" samples on the drive and haven't touched the Windows installation, in order to preserve the current state of the possible infestation.

There is a small amount of info on this PC which can be easily backed up. Most of my backups are on an external drive, which was, sadly, connected to the computer at the time of the possible infestation.


Should I just give up and reinstall Windows, formatting the system drive?

It looks like this malicious exe would take a lot of effort to analyse. Is there a possibility that the virus targets patched exploits in older versions of Windows and thus didn't activate properly on my system?

Should I be worried about it infecting my other drives?


  • Root Admin

Hello and welcome, @Versety

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

 

 

 

Please upload the following file to https://virustotal.com and have them scan it. Once completed, please post the link to the scan.

C:\USERS\DEN\DOWNLOADS\VIDEO\VIDEO\1.VIDEOMP4.EXE

Thank you


  • Root Admin

It's late for me so I'm heading to bed. Please run the following and I'll check back on you sometime tomorrow @Versety

 

 

Please download the following Kaspersky Virus Removal Tool 2020, save it to your Desktop, and run it as described below.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resulting report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports, and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan, select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you


Thank you for your time.

I used the tool according to your instructions; logs are attached to this message. I had to connect my PC to the network for this step; I hope no harm comes from this. Only the .exe file extracted from the original .scr file of the virus was detected. I keep the whole virus package in the DOWNLOADS folder on purpose, in order to check whether the tools are at least detecting the original virus correctly. For that reason I chose "skip" for this file. The most concerning part is that the original .scr file that I executed is also present in my bait folder, but STILL not detected as a virus by any antivirus tool. Only the .exe file extracted by me manually from the .scr file is detected. This is very concerning, as the .scr file is the way possible future victims would be infected by the virus, and the way I was infected by it myself.

By the way, I checked the behavior tab on the VirusTotal scan report and noted the files that are generated by the virus. I checked the relevant folders and realized that I have the files from the report, with creation dates set right at the time when I opened the virus. It seems that my PC is indeed infected by a very new or rare malware which is not yet properly detected by antivirus programs.

I regret my actions that got me into this mess. This was the first time in a very long while that I downloaded something sketchy...

2022-09-27_20-10-52-708.png

report_2022.09.27_19.41.44.txt

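The check the poster did by hand, comparing the VirusTotal behaviour report against file creation times on disk, can be scripted. The following Python is an added example, not code from this thread or from any of the tools named in it: it walks a set of directories, keeps every file whose creation timestamp falls within a window around the moment the lure was run, and hashes each one so it can be looked up on VirusTotal by SHA-256. The directory names in default_roots() are the usual user-writable Windows locations and are an assumption, not something the thread names. Creation time is taken from st_birthtime where the platform provides it and st_ctime otherwise, which is the NTFS creation time on Windows but only the inode change time on Linux. The demo() scenario is constructed: it writes two files into a temporary directory it creates itself.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta


def creation_time(st):
    """st_birthtime where the OS exposes it (macOS/BSD); otherwise st_ctime, which is
    the creation time on Windows/NTFS but only the inode change time on Linux."""
    return getattr(st, "st_birthtime", st.st_ctime)


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large droppers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def files_created_near(roots, t0, window=timedelta(minutes=2), max_bytes=200 * 1024 * 1024):
    """Return [(path, created, sha256)] for every file under roots whose creation time
    lies within t0 +/- window, oldest first. Files above max_bytes are listed but not hashed."""
    lo, hi = (t0 - window).timestamp(), (t0 + window).timestamp()
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path, follow_symlinks=False)
                except OSError:                     # vanished or access denied: skip, do not abort the sweep
                    continue
                created = creation_time(st)
                if lo <= created <= hi:
                    digest = sha256_file(path) if st.st_size <= max_bytes else None
                    hits.append((path, datetime.fromtimestamp(created), digest))
    return sorted(hits, key=lambda hit: hit[1])


def default_roots():
    """Locations a non-elevated dropper can write to on Windows (assumption: typical paths, not from the thread)."""
    names = ("LOCALAPPDATA", "APPDATA", "TEMP", "PROGRAMDATA")
    return [os.environ[n] for n in names if n in os.environ]


def demo():
    """Constructed scenario: two files written just now into a temporary directory; one window that
    brackets the present and one thirty days in the past, which must find nothing."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("updater.dll", "settings.txt"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"abc")
        now = datetime.now()
        return files_created_near([d], now), files_created_near([d], now - timedelta(days=30))


if __name__ == "__main__":
    recent, old = demo()
    for path, created, digest in recent:
        print(f"{created:%Y-%m-%d %H:%M:%S}  {digest}  {path}")
    print(f"{len(old)} hits in the 30-day-old window")
```

On the affected machine you would call files_created_near(default_roots(), t0) with t0 set to the time of the double-click, then search VirusTotal for each digest; a file that is present on disk, created in that window, and unknown to VirusTotal is exactly the kind of sample the poster offered to share.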

At this point maybe I should just provide the community with virus samples (especially the 700 MB .scr file, which is not detected as a virus by anything) and nuke my system drive with everything on it. 700 MB is just over the file size limit of VirusTotal, and the reason I cannot upload it there.

 


  • Root Admin

Yes, most antivirus products have a file size limit above which they simply won't look at a file, as it takes a lot of time to load it into memory to scan it. That slows down their product and makes them look bad.

We can remove such items and look to see where it's being called or loaded, but if you're downloading the files yourself via P2P or other means, then it would be difficult to address automatically.

 


@AdvancedSetup

Thank you for telling me about the size limit; I didn't know about it. Does that mean that antivirus software would not look inside the file even if told explicitly to scan only that one file?

Thank you for your time and effort; this mistake is completely on me. It is the first time I have done something like this in years. The last time my PC was infected with a virus was around 10 years ago, so I got complacent about it. I regret my actions and will learn from this experience.

Anyway, it seems that the actual payload of the malware (which was most probably downloaded afterwards) is not detected by any tool at this point. I am going to format the drive and reinstall Windows from scratch.

Last question - is there a possibility that my other drives are infected too, or am I overthinking it? (Not that I have the means to detect it at this stage anyway, it seems.)

 

