chevron_left chevron_right
Login Register invert_colors photo_library
Stay updated and chat with others! - Join the Discord!
Thread Rating:
  • 2 Vote(s) - 5 Average


How to check for/cleaning @awyeah's PoS rat filter_list
Author
Message
How to check for/cleaning @awyeah's PoS rat #1
Hi all, the other thread was locked so I just thought I'd let you lot know if you got hit with @awyeah's garbage RAT.
Note that this affects all uploads by @awyeah.

It seems to like to drop itself by making a directory in C:\Program Files\LAN Manager or C:\Program Files (x86)\LAN Manager if it can.
If not, it'll put itself in %temp% under a random name (the name being the bind ID on his end).
[Image: pYv0VYc.png]

If you have process explorer, you can open the process in Properties, then go to Strings.
[Image: aRXavfz.png]
It'll be pretty blatant.

Currently the C&C address is 77.81.104.169 on port 5557 so block that in your firewall if you see that this is running. DDNS hostname is "iufgaj.hopto.org" and it uses ports 5550-5559.

@Killpot made a program to get around this: https://sinister.ly/Thread-Disable-exter...cal-status
DO NOT KILL THE PROCESS, IT WILL CRASH YOUR COMPUTER. The Nanocore RAT will call a windows api call on start up to mark it as system critical and killing it will result in a BSOD. Just turn off your computer, boot into safe mode, and delete the executable.

There are also log files in %appdata% under a randomly named folder (but usually 6695C42B[...]). Dir contents:
[Image: 96Wsf1x.png]
Config is run.dat
[Image: hQUrto9.png]
Keylogs. You can delete those.

So yeah, hope any of you who opened the AdFly bot or anything else got cleaned up and stay safe! c:

[+] 4 users Like Wildfire's post
Reply




Messages In This Thread
How to check for/cleaning @awyeah's PoS rat - by Wildfire - 06-29-2016, 02:57 AM



Users browsing this thread: 1 Guest(s)