How to check for/cleaning @awyeah's PoS rat
Hi all, the other thread was locked so I just thought I'd let you lot know if you got hit with @awyeah's garbage RAT.
Note that this affects all uploads by @awyeah.

It seems to like to drop itself by making a directory in C:\Program Files\LAN Manager or C:\Program Files (x86)\LAN Manager if it can.
If not, it'll put itself in %temp% under a random name (the name being the bind ID on his end).
[Image: pYv0VYc.png]

If you have Process Explorer, you can open the process in Properties, then go to Strings.
[Image: aRXavfz.png]
It'll be pretty blatant.

Currently the C&C address is on port 5557 so block that in your firewall if you see that this is running. DDNS hostname is "" and it uses ports 5550-5559.

@Killpot made a program to get around this:
DO NOT KILL THE PROCESS, IT WILL CRASH YOUR COMPUTER. The Nanocore RAT will call a Windows API call on startup to mark it as system critical and killing it will result in a BSOD. Just turn off your computer, boot into safe mode, and delete the executable.

There are also log files in %appdata% under a randomly named folder (but usually 6695C42B[...]). Dir contents:
[Image: 96Wsf1x.png]
Config is run.dat
[Image: hQUrto9.png]
Keylogs. You can delete those.

So yeah, hope any of you who opened the AdFly bot or anything else got cleaned up and stay safe! c:
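The checks described in the post above, collected into a read-only PowerShell triage script. This is an added example, not part of the original post or any tool mentioned in it; the function name `Find-PostIndicators` is hypothetical, and it assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated prompt so that process paths are readable.

```powershell
# Added example: read-only triage for the indicators named in the post.
# It only reports; it never stops a process or deletes a file.
function Find-PostIndicators {   # hypothetical name
    # 1. Drop directory under either Program Files root.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $root) { continue }   # no (x86) root on 32-bit Windows
        $dir = Join-Path $root 'LAN Manager'
        if (Test-Path -LiteralPath $dir) {
            [pscustomobject]@{ Check = 'DropDir'; Detail = $dir }
        }
    }

    # 2. Running processes whose image sits in that directory or in %temp%.
    $temp = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\') + '\'
    foreach ($p in Get-Process) {
        $path = $p.Path
        if (-not $path) { continue }   # path unreadable without elevation
        $inTemp = $path.StartsWith($temp, [StringComparison]::OrdinalIgnoreCase)
        if ($inTemp -or $path -like '*\LAN Manager\*') {
            [pscustomobject]@{ Check = 'Process'; Detail = "PID $($p.Id) $path" }
        }
    }

    # 3. Established TCP sessions to remote ports 5550-5559.
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        if ($c.RemotePort -ge 5550 -and $c.RemotePort -le 5559) {
            $d = "PID $($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort)"
            [pscustomobject]@{ Check = 'Port'; Detail = $d }
        }
    }

    # 4. %appdata% folders holding run.dat or named with the 6695C42B prefix.
    foreach ($f in Get-ChildItem -LiteralPath $env:APPDATA -Directory -Force) {
        $hasCfg = Test-Path -LiteralPath (Join-Path $f.FullName 'run.dat')
        if ($hasCfg -or $f.Name -like '6695C42B*') {
            [pscustomobject]@{ Check = 'AppData'; Detail = $f.FullName }
        }
    }
}

Find-PostIndicators | Format-Table -AutoSize -Wrap
```

Each row is a lead to inspect rather than proof: installers routinely run from %temp% and other software can use ports in that range, so confirm a hit with the Strings view described above before acting on it.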
Fantastic. Good to know you are looking out for us.
Good job, +4 from me.

If anyone needs help cleaning up their PC...
Feel free to PM me or email
How braindead do you have to be to spread to the group most likely to find and detect your shitty malware?
It's great that you actually went to the trouble of doing this, aha.
I wonder how many people this guy got before we caught him.
Glad to see a thread like this was made. Shit looked pretty sketchy to begin with but for anyone who did decide to download it this is nice.
Good to see members are still helping the community. Well done.
Thanks for the tut man. It is nice to see that someone cares enough to write one out for people to use should they need it.