Sinisterly
How to check for/cleaning @awyeah's PoS rat - Printable Version

+- Sinisterly (https://sinister.ly)
+--- Thread: How to check for/cleaning @awyeah's PoS rat (/Thread-How-to-check-for-cleaning-awyeah-s-PoS-rat)



How to check for/cleaning @awyeah's PoS rat - Wildfire - 06-29-2016

Hi all, the other thread was locked so I just thought I'd let you lot know if you got hit with @awyeah's garbage RAT.
Note that this affects all uploads by @awyeah.

It seems to like to drop itself by making a directory in C:\Program Files\LAN Manager or C:\Program Files (x86)\LAN Manager if it can.
If not, it'll put itself in %temp% under a random name (the name being the bind ID on his end).
[Image: pYv0VYc.png]

If you have process explorer, you can open the process in Properties, then go to Strings.
[Image: aRXavfz.png]
It'll be pretty blatant.

Currently the C&C address is 77.81.104.169 on port 5557 so block that in your firewall if you see that this is running. DDNS hostname is "iufgaj.hopto.org" and it uses ports 5550-5559.

@Killpot made a program to get around this: https://sinister.ly/Thread-Disable-external-process-critical-status
DO NOT KILL THE PROCESS, IT WILL CRASH YOUR COMPUTER. The NanoCore RAT makes a Windows API call on startup to mark itself as system-critical, and killing it will result in a BSOD. Just turn off your computer, boot into safe mode, and delete the executable.

There are also log files in %appdata% under a randomly named folder (but usually 6695C42B[...]). Dir contents:
[Image: 96Wsf1x.png]
Config is run.dat
[Image: hQUrto9.png]
Keylogs. You can delete those.

So yeah, hope any of you who opened the AdFly bot or anything else got cleaned up and stay safe! c:
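The checks above can be scripted so a machine can be triaged without poking around in Process Explorer. The script below is an added example, not code from Wildfire's post or from the thread; it only looks for the indicators listed in the post (the "LAN Manager" directory under Program Files, the 6695C42B* folder and run.dat under %appdata%, and live TCP connections to 77.81.104.169 / iufgaj.hopto.org on ports 5550-5559), reports what it finds, and optionally adds the outbound firewall block the post recommends. It deliberately never terminates the process, for the reason given in the post. It assumes a Windows host with the NetTCPIP, NetSecurity and DnsClient modules (Get-NetTCPConnection, New-NetFirewallRule, Resolve-DnsName) and an elevated PowerShell session; those are assumptions, not something the thread states.

```powershell
# Added defensive triage script (not from the original post). Only checks the
# indicators Wildfire listed; reports and blocks, never kills the process.
# Assumes Windows with Get-NetTCPConnection / New-NetFirewallRule / Resolve-DnsName
# available, run from an elevated prompt.

$C2Ip    = '77.81.104.169'      # C&C address from the post
$C2Host  = 'iufgaj.hopto.org'   # DDNS hostname from the post
$C2Ports = 5550..5559           # port range from the post

$findings = @()

# 1. Drop directory: "LAN Manager" under Program Files or Program Files (x86)
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) {
        $dropDir = Join-Path $root 'LAN Manager'
        if (Test-Path $dropDir) { $findings += "Drop directory present: $dropDir" }
    }
}

# 2. Log/config folder under %appdata% (post says the name usually starts 6695C42B)
Get-ChildItem -Path $env:APPDATA -Directory -Filter '6695C42B*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $runDat = Join-Path $_.FullName 'run.dat'   # config file named in the post
        if (Test-Path $runDat) { $findings += "Config file present: $runDat" }
        else                   { $findings += "Suspicious folder (no run.dat): $($_.FullName)" }
    }

# 3. Established connections to the C&C IP, or to whatever the DDNS name resolves to now
$resolved = @($C2Ip)
try {
    $resolved += Resolve-DnsName -Name $C2Host -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
} catch { }   # DDNS name may no longer resolve; the static IP still gets checked

Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { ($resolved -contains $_.RemoteAddress) -and ($C2Ports -contains $_.RemotePort) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($proc.Path))"
    }

if ($findings.Count -eq 0) {
    Write-Host 'None of the indicators from the thread were found.'
} else {
    Write-Host 'Indicators found:'
    $findings | ForEach-Object { Write-Host "  $_" }
    Write-Host 'Do NOT kill the process (it is marked system-critical). Block the C&C, then remove the file from safe mode.'

    # Outbound block for the C&C address(es) and port range, as the post advises
    $ruleName = 'Block awyeah RAT C2'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Protocol TCP -RemoteAddress $resolved -RemotePort '5550-5559' | Out-Null
        Write-Host "Outbound firewall rule '$ruleName' added."
    }
}
```

Run it once to see what is present, then follow the post's cleanup order: reboot into safe mode and delete the executable and the %appdata% folder rather than ending the process from a running system. The firewall rule is harmless to leave in place afterwards.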


RE: How to check for/cleaning @awyeah's PoS rat - Skullmeat - 06-29-2016

Fantastic. Good to know you are looking out for us.


RE: How to check for/cleaning @awyeah's PoS rat - Skryptec - 06-29-2016

Good job, +4 from me.

If anyone needs help cleaning up their PC...
Feel free to PM me or email contact@skryptec.pw


RE: How to check for/cleaning @awyeah's PoS rat - sleaze - 06-29-2016

How braindead do you have to be to spread to the group most likely to find and detect your shitty malware?


RE: How to check for/cleaning @awyeah's PoS rat - Oni - 06-29-2016

It's great that you actually went to the trouble of doing this, aha.


RE: How to check for/cleaning @awyeah's PoS rat - Skullmeat - 06-29-2016

I wonder how many people this guy got before we caught him.


RE: How to check for/cleaning @awyeah's PoS rat - Nyx - 06-29-2016

Glad to see a thread like this was made. Shit looked pretty sketchy to begin with but for anyone who did decide to download it this is nice.


RE: How to check for/cleaning @awyeah's PoS rat - Despised - 06-29-2016

Good to see members are still helping the community. Well done.


RE: How to check for/cleaning @awyeah's PoS rat - DarkMuse - 06-29-2016

Thanks for the tut man. It is nice to see that someone cares enough to write one out for people to use should they need it.

-CircleJerkDarkMuse