How to check for/cleaning @awyeah's PoS rat 06-29-2016, 02:57 AM
#1
Hi all, the other thread was locked so I just thought I'd let you lot know if you got hit with @"awyeah"'s garbage RAT.
Note that this affects all uploads by @"awyeah".
It seems to like to drop itself by making a directory in C:\Program Files\LAN Manager or C:\Program Files (x86)\LAN Manager if it can.
If not, it'll put itself in %temp% under a random name (the name being the bind ID on his end).
![[Image: pYv0VYc.png]](http://i.imgur.com/pYv0VYc.png)
If you have process explorer, you can open the process in Properties, then go to Strings.
![[Image: aRXavfz.png]](http://i.imgur.com/aRXavfz.png)
It'll be pretty blatant.
Currently the C&C address is 77.81.104.169 on port 5557, so block that in your firewall if you see that this is running. DDNS hostname is "iufgaj.hopto.org" and it uses ports 5550-5559.
@"Killpot" made a program to get around this: https://sinister.ly/Thread-Disable-exter...cal-status
DO NOT KILL THE PROCESS, IT WILL CRASH YOUR COMPUTER. The NanoCore RAT will call a Windows API call on start up to mark it as system critical and killing it will result in a BSOD. Just turn off your computer, boot into safe mode, and delete the executable.
There are also log files in %appdata% under a randomly named folder (but usually 6695C42B[...]). Dir contents:
![[Image: 96Wsf1x.png]](http://i.imgur.com/96Wsf1x.png)
Config is run.dat
![[Image: hQUrto9.png]](http://i.imgur.com/hQUrto9.png)
Keylogs. You can delete those.
So yeah, hope any of you who opened the AdFly bot or anything else got cleaned up and stay safe! c:
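Added example, not part of the post above or of any tool it links: a PowerShell triage script that automates the checks described in it (the LAN Manager drop directories, executables in %temp%, a Process Explorer style string search of running processes for the C&C hostname/IP, connections to 77.81.104.169 on 5550-5559, and the %appdata% folder holding run.dat), and optionally adds the outbound firewall block. Function names are mine; the indicators are taken from the post. It assumes an elevated PowerShell 5.x prompt on Windows 8/2012 or later (Get-NetTCPConnection and New-NetFirewallRule come from the NetTCPIP/NetSecurity modules). Because the random %appdata% folder name is only partially given, it is located by the presence of run.dat rather than by name. It deliberately never stops the process, for the reason the post gives.

```powershell
# Triage for the indicators in the post above. Report-only except for -BlockC2.
# Assumes elevated PowerShell 5.x on Windows 8/2012+. Function names are hypothetical.
[CmdletBinding()]
param(
    [switch]$BlockC2   # add a persistent outbound firewall rule for the C&C address/ports
)

$C2Ip       = '77.81.104.169'
$C2Host     = 'iufgaj.hopto.org'
$C2Ports    = '5550-5559'
$IocStrings = @($C2Host, $C2Ip)
# Drop directories named in the post (skip the x86 one on 32-bit Windows, where it is empty).
$DropDirs   = @("$env:ProgramFiles\LAN Manager", "${env:ProgramFiles(x86)}\LAN Manager") |
              Where-Object { $_ -notmatch '^\\' }

function Test-FileContainsIoc {
    # Same idea as the Strings tab in Process Explorer: search the file for the C&C
    # hostname/IP both as ASCII and as UTF-16LE (.NET binaries store strings as UTF-16).
    param([string]$Path)
    try { $bytes = [System.IO.File]::ReadAllBytes($Path) } catch { return $false }
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
    $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
    foreach ($s in $IocStrings) {
        if ($ascii.Contains($s) -or $utf16.Contains($s)) { return $true }
    }
    return $false
}

function Find-DropLocations {
    # 1) anything inside the LAN Manager directories, 2) %temp% executables carrying the IOC strings
    $hits = @()
    foreach ($d in $DropDirs) {
        if (Test-Path $d) { $hits += Get-ChildItem $d -File -Recurse -ErrorAction SilentlyContinue }
    }
    $hits += Get-ChildItem $env:TEMP -File -Filter *.exe -ErrorAction SilentlyContinue |
             Where-Object { Test-FileContainsIoc $_.FullName }
    return $hits
}

function Find-SuspectProcesses {
    # Report only. Never Stop-Process here: the post says the process is marked critical
    # and killing it blue-screens the machine.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and (Test-FileContainsIoc $_.Path) }
}

function Find-C2Connections {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Ip -and $_.RemotePort -ge 5550 -and $_.RemotePort -le 5559 }
}

function Find-LogFolders {
    # The randomly named %appdata% folder is identified by its run.dat config rather than by name.
    Get-ChildItem $env:APPDATA -Directory -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName 'run.dat') }
}

# ---- run the checks ----
Write-Host "[*] Current A record for $C2Host (DDNS, so it may differ from the post):"
Resolve-DnsName $C2Host -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress | Format-Table -AutoSize | Out-Host

Write-Host "[*] Dropped files:"
Find-DropLocations | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize | Out-Host

Write-Host "[*] Running processes containing the C&C strings (NOT killed):"
Find-SuspectProcesses | Select-Object Id, ProcessName, Path | Format-Table -AutoSize | Out-Host

Write-Host "[*] Connections to $C2Ip tcp/$C2Ports:"
Find-C2Connections | Select-Object OwningProcess, LocalPort, RemotePort, State | Format-Table -AutoSize | Out-Host

Write-Host "[*] %appdata% log/config folders (contain run.dat):"
Find-LogFolders | Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-Host

if ($BlockC2) {
    # Outbound block for the address and port range given in the post; survives reboots.
    New-NetFirewallRule -DisplayName 'Block awyeah RAT C2' -Direction Outbound `
        -RemoteAddress $C2Ip -RemotePort $C2Ports -Protocol TCP -Action Block | Out-Null
    Write-Host "[+] Outbound firewall rule added for $C2Ip tcp/$C2Ports"
}
Write-Host "[!] Removal: shut down, boot into Safe Mode, delete the files listed above, then the run.dat folder."
```

Run it as `.\triage.ps1` to report, or `.\triage.ps1 -BlockC2` to also add the firewall rule. The string search reads each process's image from disk, so it finds the NanoCore binary even when the file name is random; the only step it intentionally leaves to the user is the deletion, which the post says must happen from Safe Mode.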