

How to check for/cleaning @awyeah's PoS rat
How to check for/cleaning @awyeah's PoS rat #1
Hi all, the other thread was locked so I just thought I'd let you lot know if you got hit with @awyeah's garbage RAT.
Note that this affects all uploads by @awyeah.

It seems to like to drop itself by making a directory in C:\Program Files\LAN Manager or C:\Program Files (x86)\LAN Manager if it can.
If not, it'll put itself in %temp% under a random name (the name being the bind ID on his end).
[Image: pYv0VYc.png]

If you have Process Explorer, you can open the process in Properties, then go to Strings.
[Image: aRXavfz.png]
It'll be pretty blatant.

Currently the C&C address is 77.81.104.169 on port 5557 so block that in your firewall if you see that this is running. DDNS hostname is "iufgaj.hopto.org" and it uses ports 5550-5559.

@Killpot made a program to get around this: https://sinister.ly/Thread-Disable-exter...cal-status
DO NOT KILL THE PROCESS, IT WILL CRASH YOUR COMPUTER. The Nanocore RAT makes a Windows API call on startup to mark itself as system critical, and killing it will result in a BSOD. Just turn off your computer, boot into safe mode, and delete the executable.

There are also log files in %appdata% under a randomly named folder (but usually 6695C42B[...]). Dir contents:
[Image: 96Wsf1x.png]
Config is run.dat
[Image: hQUrto9.png]
Keylogs. You can delete those.

So yeah, hope any of you who opened the AdFly bot or anything else got cleaned up and stay safe! c:

[+] 4 users Like Wildfire's post
Reply
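A defender-side check that walks through the indicators in the post above (the LAN Manager drop directories, the run.dat config under %APPDATA%, the C&C IP and port range, and the DDNS hostname). This is an added example, not something from the original thread; the firewall rule is only created when the -BlockC2 switch is passed, and the script deliberately never stops the process because the post warns that doing so triggers a BSOD.

```powershell
# Added defender-side check, not from the original post. Indicators (paths, C2 IP,
# port range, DDNS name) are the ones given in the post; everything else is assumed.
[CmdletBinding()]
param([switch]$BlockC2)   # add an outbound firewall rule only when explicitly asked

$C2Ip     = '77.81.104.169'
$C2Ports  = '5550-5559'
$C2Host   = 'iufgaj.hopto.org'
$findings = @()

# 1. Drop directories described in the post (the x86 path is empty on 32-bit Windows)
foreach ($dir in @("$env:ProgramFiles\LAN Manager", "${env:ProgramFiles(x86)}\LAN Manager")) {
    if ($dir -and (Test-Path -LiteralPath $dir)) { $findings += "Directory present: $dir" }
}

# 2. run.dat config inside a randomly named folder under %APPDATA%
Get-ChildItem -Path $env:APPDATA -Filter 'run.dat' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Config file: $($_.FullName)" }

# 3. Live TCP connections to the C&C address (any of the ports the post lists)
Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Connection to C2: pid $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" }

# 4. Cached DNS lookups for the DDNS hostname
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Host*" } |
    ForEach-Object { $findings += "DNS cache entry: $($_.Entry) -> $($_.Data)" }

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the post found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Do NOT stop the process here: the post says it is marked system-critical and killing it BSODs.
    Write-Host 'Reboot into Safe Mode and delete the executable and the log folder, as the post describes.'
}

if ($BlockC2) {
    # Needs an elevated prompt; mirrors the post's advice to block the C&C in the firewall.
    New-NetFirewallRule -DisplayName 'Block awyeah RAT C2' -Direction Outbound -Action Block `
        -RemoteAddress $C2Ip -RemotePort $C2Ports -Protocol TCP | Out-Null
    Write-Host "Outbound firewall rule added for $C2Ip tcp/$C2Ports."
}
```

Run it from a normal prompt first to see what it finds; add -BlockC2 from an elevated prompt once you have confirmed the connection.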

RE: How to check for/cleaning @awyeah's PoS rat #2
Fantastic. Good to know you are looking out for us.

[+] 1 user Likes Skullmeat's post
Reply

RE: How to check for/cleaning @awyeah's PoS rat #3
Good job, +4 from me.

If anyone needs help cleaning up their PC...
Feel free to PM me or email contact@skryptec.pw

Reply

RE: How to check for/cleaning @awyeah's PoS rat #4
How braindead do you have to be to spread to the group most likely to find and detect your shitty malware?

Reply

RE: How to check for/cleaning @awyeah's PoS rat #5
It's great that you actually went to the trouble of doing this, aha.


Reply

RE: How to check for/cleaning @awyeah's PoS rat #6
I wonder how many people this guy got before we caught him.

Reply

RE: How to check for/cleaning @awyeah's PoS rat #7
Glad to see a thread like this was made. Shit looked pretty sketchy to begin with but for anyone who did decide to download it this is nice.
Discord: Nyx#8048

Reply

RE: How to check for/cleaning @awyeah's PoS rat #8
Good to see members are still helping the community. Well done.

Reply

RE: How to check for/cleaning @awyeah's PoS rat #9
Thanks for the tut man. It is nice to see that someone cares enough to write one out for people to use should they need it.

-CircleJerkDarkMuse
Scientia potentia est


Reply