
Tuesday, May 25, 2021

How to Remove Zr89YEwgl7.exe "Zr89" Spyware/Malware [Trojan:Win32/Wacatac.B!ml]


We may receive a commission for purchases made through some ads/links on this page

A new data-stealing malware is on the loose! First reported in May of this year, the software behind this virus can harvest your browser data as well as computer specifications. Read our analysis below to learn exactly how the malware works or skip directly to our removal guide if you believe your computer has been infected.

The malicious file discussed in this analysis, named “Zr89YEwgl7.exe” (or “Zr89” for short), is a simple yet dangerous spyware designed to run on Windows machines. This malware analysis will cover how it may be distributed by threat actors, how it behaves on an infected machine, and how it can steal data right from under your nose.

General Info: 

Filenames - Zr89YEwgl7.exe, f415405d413c1ad16b85c003f2ec6cda83d24518c4fb8a6e4aaaafc58dbb1254.exe

Target Machines - Intel

Filesize - 726,528 Bytes (Total)

File Hash:

SHA-256 - f415405d413c1ad16b85c003f2ec6cda83d24518c4fb8a6e4aaaafc58dbb1254

SHA-1 - 1ff795745683e6801fe689d2e566be7c25259d79

MD5 - aef64b80f75e200594408843bdb9bc83

Libraries Accessed (Windows) - ws2_32.dll, esent.dll, winhttp.dll

Test Sample Used - Malware Bazaar

Disclaimer:

This analysis covers the behavior of the test sample file linked above on a virtual machine. Depending on how the software was programmed, it may behave differently on other virtual machines or real computers. The authors behind the malware may also release newer variants in the future, which may prove to be more difficult to detect. That being said, our removal guide and antivirus tool will likely still work against future variants and reverse their effect on the file system. This post and our tool will be updated as new information about the software behind this malware is made publicly available. Subscribe to this blog to be notified of any updates made on this page.


Distribution:

Spyware viruses like Zr89YEwgl7.exe often target highly selective information on infected computers, send it back to their creators, and then go dormant. Distribution methods for this type of malware therefore differ from those used by ransomware or other types. The “Zr89” sample file tested for this post is very selective about which data it swipes, making it well suited to targeted drive-by downloads on compromised websites or purchased ad space.

Compromised Websites - One of the most effective techniques attackers use to spread their malware is compromising a trusted website and replacing the software on that site with their own. If a targeted website happens to contain an unpatched vulnerability that allows hackers to control file transfer capabilities, they could replace apps, links, and more with malware. This can lead to millions (in some cases) of unsuspecting users accidentally downloading dangerous files and executing them on their computers. In one 2018 case, an elaborate cyber-attack scheme compromised thousands of websites to spread malware across the internet.

Emails - Sending spam emails with attached malware is perhaps the most common method of malware distribution today. SMTP spam services provide a cheap way to send malicious files in bulk across the internet, and computer viruses are often hidden inside fake documents. Zr89YEwgl7.exe or Zr89 itself can be smuggled through compressed ZIP files or document macros. Always avoid downloading files or following links sent by suspicious emails.

Behavior:

Once the Zr89 virus executes on a Windows machine, it immediately queries volume information and other details about the computer it is running on. It also tests its environment for signs that it is running on a virtual machine, which leads many to believe that it may act differently on a real, physical computer. After these short scans, the malware checks the Windows network adapter settings. Although it does not immediately change any configuration, this behavior indicates that the virus will contact a C&C server after it has successfully stolen data. Network monitoring during our virtual machine testing of the sample may have confirmed this.

The next notable feature of Zr89YEwgl7.exe is how it steals information from infected computers. Similar to other spyware variants we covered on this blog, Zr89 opens the following folder to steal cookies from Chrome:

- C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Threat actors can use stolen cookies to access online accounts since they often store sensitive login data. Because of this, a Zr89 infection on your computer can leave everything from your email to your online bank account compromised. Removing such a spyware infection is critically important.

Zr89YEwgl7.exe also has file downloading capabilities, and it made direct contact with a web server during our analysis of the sample. By masking its requests under common user agents such as Chrome and Firefox, it is able to connect stealthily to 101.36.107.74, a server commonly seen as a connection location for similar spyware. It is unclear whether this server is operated by threat actors or whether it is contacted for other reasons. After contacting 101.36.107.74, Zr89 proceeds to drop two files into the directory it is executed from (see below).

It is not currently known what role these files play for the spyware, although one of them (named “d.INTEG.RAW”) resembles the output of a diagnostic tool for Microsoft Exchange Server. Exchange Server is Microsoft's mail server and can be accessed directly from Windows computers, so it is possible that Zr89 uses the server to deploy or distribute copies of itself and/or the data it steals.

Removal:

Removing Zr89YEwgl7.exe or its other files and variants is done most easily with the malware removal tool built into our antivirus app, Malscope. Differing removal methods may exist but the following steps are our tested instructions for Zr89YEwgl7 malware removal:

1. Purchase or download the Malscope Antivirus from our webpage and unzip the installer. If you purchase a yearly plan, you can actually use the code “zr89” to get 30% off Malscope, an app that is equipped to detect hidden versions of Zr89YEwgl7.exe along with possible variants and highlight any malicious files it discovers. The discount code will expire in 30 days, so be sure to use it as soon as possible!

2. Run the “Malscope” app and enter the product key you received after your purchase (check your email). If you happen to already have a product key, you may skip the purchasing steps and enter it now.

3. Wait for Malscope to set up its environment. Once controls for the app are loaded, you can begin removing the Zr89 infection.


4. Click the drop-down box under “Virus Removal” on Malscope to select a malware type to remove. Click “Zr89YEwgl7.exe [Trojan:Win32/Wacatac.B!ml]” and then press remove. If the Zr89 virus is or was active on your computer, Malscope will automatically remove all associated files and reverse damages to your system’s settings and execution policies.


5. If you think you downloaded Zr89YEwgl7.exe by mistake, be sure to scan the directory you saved it to with the “Scan Directory” button. This will prompt you to select a folder which you can scan with a single click. Malscope will automatically mark suspicious files and print them onto the usage log for you to read. You may then choose to delete the files either manually or through Malscope’s “Scan File Now” data removal option.

Prevention:

Since Malscope Antivirus is equipped with the ability to detect Zr89 and variants of this virus, we recommend using the tool to prevent an infection as well as removing it. Downloaded executable files should be regularly scanned with Malscope to ensure their safety.

Additional Notes:

-Zr89YEwgl7.exe may attempt to evade antivirus detection and analysis by looping various Windows sleep functions before running its malicious data-stealing operation on infected computers. Looping harmless functions is a common tactic malware authors use to disguise and obfuscate dangerous code.


-Zr89 connects to the server mentioned above (101.36.107.74) via two different ports: 80 (HTTP) and 49704.

-This malware also has the capability to read and store data from the CPU, a feature which may help Zr89 adjust processing priorities for its functions and web server connections.

-Despite being relatively simple compared to some of its competitors in the spyware world, Zr89YEwgl7.exe and its variants should be taken seriously. Spyware targeting local browser data can lead to the loss of online accounts as well as finances and should be removed as soon as possible using the best available tools.

Wednesday, April 21, 2021

How to Remove Galimatimod/Taurus_1.exe [Trojan:Win32/Predator!ml] Spyware + Windows Malware Analysis


Has your computer been infected with the Galimatimod spyware virus? This new malware has some dangerous capabilities, including microphone access and password stealing. Read our analysis below to learn more about how Galimatimod infects Windows computer systems or skip directly to our removal guide.

Galimatimod was first discovered in April, and its behavior shares a few striking similarities with calimalimodunator.exe, another spyware virus we covered earlier this year. However, Galimatimod’s less conspicuous features make it even more threatening on an unprotected PC. Our malware analysis will reveal how Galimatimod runs its spyware operations on victim computers, how it sends data back to threat actors, and how it can evade antivirus as well as investigation.

General Info:

Filenames - SecuriteInfo.com.W32.AIDetect.malware1.18890.7779, SecuriteInfo.com.W32.AIDetect.malware1.18890.exe, galimatimod, galimatimod.exe, Taurus_1.exe, Taurus_2.exe

File Size - 407,040 Bytes

Compiler/Icon Language - Spanish

File Hash:

SHA-256 - a423314d33b74a166ce89ccef59bd5da0b25a6cfdc4ab59ac0fe157dad3082cd

SHA-1 - f92013c1762eafbbb430892e8cb32356d07e29e6

MD5 - 6d248c611de8a4ab22d9a4cf7e7b1fb3

Libraries Accessed (Windows) - kernel32.dll

Test Sample Used - Malware Bazaar

Possible Malware Family - Taurus Stealer

Disclaimer:

Our extensive malware testing analysis is based on the investigation of the test sample listed above. Since our research involves analyzing file properties and data profiles associated with the Galimatimod malware, our antivirus tool is highly likely to flag new variants and remove file system changes made by those variants as well as the original sample. That being said, malicious variants may vary and exhibit unique behaviors as well as differing structures not listed in this report. New information about the software behind the sample file may also be made publicly available after this post. Subscribe to the Riserbo Blog to be notified of any updates made on this page.

Distribution:

Spyware viruses are designed to target highly-selective information on infected computers. Distribution methods for this type of malware often differ from those used by ransomware or other types. The Galimatimod/Taurus Stealer variant we tested accesses keyboard, microphone, and browser data. This means that the malware’s distribution methods may capitalize on computers with microphones or the Chrome browser installed.

Direct Download - During our virtual machine testing phase of the Galimatimod malware, very little visible activity was seen upon execution of an infected file. Despite this, Galimatimod runs dozens of operations in the background, even after it has “finished” executing. To evade antivirus detection, the virus employs a technique known as software packing which effectively hides its file signature behind encrypted or unreadable data. This technique allows Galimatimod to be distributed online via direct download links, since most antivirus engines will not detect newly packed versions.

Malicious Websites - Buying websites to spread malware is a common distribution tactic for threat actors. Some sites can be bought with cryptocurrency, providing malware developers with relative anonymity when making their purchase. Some sites are also stolen for distribution purposes, especially those with serious vulnerabilities. It’s possible that Galimatimod itself is spread via malicious websites, since it makes requests to at least one recently registered domain during its infection.

Emails - Sending emails with attached malware is another preferred method of distribution among today’s threat actors. Spam emails are known to carry malicious software hidden underneath links or attachments. According to Dataprot, almost 85% of all emails are spam and a lot of this spam contains malware. Galimatimod itself can be smuggled through compressed ZIP files or document macros. Avoid downloading files or navigating links sent by suspicious emails.

Behavior:

Upon running Galimatimod or Taurus_1.exe, no visible processes or windows will appear. Instead, the virus works in the background, silently stealing information behind the scenes. The file may also use Microsoft’s KMS Connection Broker to identify and connect to available desktops. Galimatimod then extracts browser data by searching through the following directories:

- C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Web Data

- C:\Users\victim\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data

- C:\Users\victim\AppData\Local\Application Data\Google\Chrome\User Data\Default\Cookies

- C:\Users\victim\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History

Along with stealing browser data, Galimatimod has the ability to swipe FTP/SSH file transfer login data, a common feature of the Taurus Stealer malware family. It can do this by accessing and reading the Windows registry key for WinSCP:

HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Note: This key is only present for WinSCP users. With FTP or SSH login data, threat actors can access file servers and spread their malware further.
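The Chrome profile files listed above (and the Cookies file the Zr89 post lists) plus the WinSCP sessions key are host artifacts a defender can watch for: a browser reading its own profile is normal, any other process reading it is not. On Windows Vista and later, “Local Settings” and “Application Data” are compatibility junctions that point into AppData\Local, which is why the Galimatimod paths above show that segment repeated several times. The following is an added Python example (not code from this blog or from Malscope) that normalizes such paths and triages file and registry access events; the event dictionaries, the field names and the sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Chrome profile files the samples on this page open (names as they appear on disk).
CHROME_ARTIFACTS = {"cookies", "login data", "web data", "history"}

# Registry keys the Galimatimod sample reads, lower-cased for comparison.
SENSITIVE_REG_KEYS = {
    r"hkey_current_user\software\martin prikryl\winscp 2\sessions",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles",
}

# Processes that legitimately touch their own profile files (assumption: only Chrome here).
BROWSER_PROCESSES = {"chrome.exe"}

# "Local Settings" and "Application Data" are junctions into AppData\Local; following them
# repeatedly produces the chained paths quoted above, so collapse any such run.
_LEGACY_JUNCTIONS = re.compile(r"(?:\\local settings)?(?:\\application data)+")
_REPEATED_LOCAL = re.compile(r"(?:\\appdata\\local)+")
_CHROME_PROFILE_FILE = re.compile(r"\\google\\chrome\\user data\\[^\\]+\\([^\\]+)$")


def normalize_windows_path(path: str) -> str:
    """Lower-case, use backslashes, and rewrite legacy junction chains to AppData\\Local."""
    p = path.strip().lower().replace("/", "\\")
    p = _LEGACY_JUNCTIONS.sub(r"\\appdata\\local", p)
    return _REPEATED_LOCAL.sub(r"\\appdata\\local", p)


def chrome_artifact(path: str) -> Optional[str]:
    """Return the artifact name if the path is a sensitive file inside any Chrome profile."""
    m = _CHROME_PROFILE_FILE.search(normalize_windows_path(path))
    if m and m.group(1) in CHROME_ARTIFACTS:
        return m.group(1)
    return None


@dataclass(frozen=True)
class Finding:
    process: str
    kind: str      # "chrome-artifact" or "registry-key"
    target: str


def triage(events: List[dict]) -> List[Finding]:
    """Flag non-browser processes reading Chrome profile data and any read of the listed keys."""
    findings: List[Finding] = []
    for ev in events:
        proc = ev["process"]
        if ev["op"] == "file":
            art = chrome_artifact(ev["target"])
            if art and proc.lower() not in BROWSER_PROCESSES:
                findings.append(Finding(proc, "chrome-artifact", art))
        elif ev["op"] == "registry":
            key = ev["target"].strip().lower()
            if key in SENSITIVE_REG_KEYS:
                findings.append(Finding(proc, "registry-key", key))
    return findings


# Constructed sample events (not real telemetry); paths and keys are the ones quoted in the posts.
SAMPLE_EVENTS = [
    {"process": "Zr89YEwgl7.exe", "op": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"process": "Taurus_1.exe", "op": "file",
     "target": r"C:\Users\victim\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data"},
    {"process": "Taurus_1.exe", "op": "file",
     "target": r"C:\Users\victim\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History"},
    {"process": "Taurus_1.exe", "op": "registry",
     "target": r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"process": "chrome.exe", "op": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"process": "explorer.exe", "op": "file",
     "target": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.process}: {f.kind} -> {f.target}")
```

Run against the constructed events it reports the four stealer accesses and stays silent for chrome.exe and explorer.exe. The profile match is deliberately loose on the profile folder name ("Default", "Profile 1", ...) so that non-default Chrome profiles are covered too; what counts is the file name at the end of the path and the process that opened it.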

In order to send stolen data back to Galimatimod’s controllers, this malware uses a very stealthy approach to obfuscate and secure the information. Instead of simply sending raw passwords or login data to a C&C (Command and Control) server, Galimatimod first establishes an encrypted channel using Microsoft’s Enhanced Cryptographic Provider. This effectively hides the C&C traffic, which protects the malicious servers from being taken down or attacked and stops malware analysts from identifying exactly what kind of data is being sent.

Taurus or Galimatimod can steal WinSCP login data via the Windows registry

More of Taurus_1.exe or Galimatimod’s capabilities include acquiring the victim’s timezone (possibly used for tracking infections and victim location), screen capturing, keyboard input capturing, microphone monitoring, and antivirus/virtual machine detection. This last feature may indicate that galimatimod.exe behaves differently when executed on a virtual machine (as done in our analysis) to distract analysts from logging real behavior on a physical machine. It should be mentioned that the victim’s timezone is critical data for a virus like Galimatimod or Taurus Stealer which can potentially swipe credit card information. Threat actors will need to use a VPS, or a virtual private server, to use stolen credit cards online and make it appear as though they are making purchases close to the victim’s real location so they can bypass automatic fraud detection software.

Removal:

Removing the Galimatimod virus, Taurus_1.exe, or its other files and variants is very easy to do with the malware removal tool built into our antivirus app, Malscope. Differing removal methods may exist but the following steps are our tested instructions for Galimatimod malware removal:

1. Purchase or download the Malscope Antivirus from our webpage and unzip the installer. If you purchase a yearly plan, you can use the code “taurus1” to get 30% off Malscope, an app that is equipped to detect Galimatimod along with its possible variants and highlight any malicious files it discovers. The discount code will expire in 30 days, so be sure to use it as soon as possible! 

Visit our webpage to download Malscope Antivirus

2. Run the “Malscope” app and enter the product key you received after your purchase (check your email). If you already have a product key, you may skip the purchasing steps and enter it now.

Enter your product key on Malscope to begin using the features

After entering your product key on Malscope, you may begin removing Galimatimod or Taurus infection

3. Wait for Malscope to set up its environment. Once controls for the app are loaded, you can begin removing the Galimatimod infection.

Malscope can be used to effectively reverse file systems changes made by Galimatimod or Taurus Stealer

4. Click the drop-down box under “Virus Removal” on Malscope to select a malware type to remove. Click “Galimatimod/Taurus_1 [Trojan:Win32/Predator!ml]” and then press remove. If the Galimatimod virus is or was active on your computer, Malscope will automatically remove all associated files and reverse damages to your system’s settings and execution policies.

Select the dropdown menu on Malscope and click Galimatimod/Taurus_1 [Trojan:Win32/Predator!ml] to remove the virus

5. If you downloaded Galimatimod or Taurus_1.exe by mistake, be sure to scan the directory you saved it to with the “Scan Directory” button. This will prompt you to select a folder which you can scan with a single click. Malscope will automatically mark suspicious files and print them onto the usage log for you to read. You may then choose to delete the files either manually or through Malscope’s “Scan File Now” data removal option.

Scan your downloads folder with Malscope to find more Taurus or Galimatimod files

Prevention:

Since Malscope Antivirus is equipped with the ability to detect Galimatimod, Taurus_1.exe and its variants, we recommend using this tool to prevent an infection as well as removing it. Downloaded executable files should be regularly scanned with Malscope to ensure their safety.

Additional Notes:

-Galimatimod may also harvest data from the Windows Mail app by accessing the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

-The malware makes requests to three URLs during its attack:

hxxp://legend0.ru/cfg/ and hxxp://legend0.ru/log/

Note: These URLs may belong to a Taurus C&C server, or the requests may simply be further obfuscation attempts.

-The image below is the icon present on Galimatimod executables.

Galimatimod Icon (also used in Taurus Stealer variants)

 

Monday, March 15, 2021

What is CxUtilSvc.exe and How to Fix CxUtilSvc.exe Fan Speed Error on Windows


CxUtilSvc.exe Errors can affect your PC fan speed

CxUtilSvc.exe is a Conexant SmartAudio process designed to run on Windows computers. This file is not malware; however, it can cause several Windows-related issues if it malfunctions or is overwritten. In this article, we will explain how CxUtilSvc.exe works and what to do if you notice a connection between this process and unusual fan activity on a Windows PC.

How CxUtilSvc.exe Works

Conexant Systems developed CxUtilSvc.exe as a service program supported by the Windows OS. Both Conexant software and hardware are commonly used in PCs. CxUtilSvc.exe, otherwise known as the Conexant Utility Service, is associated with Conexant SmartAudio II, a program which gives users access to Conexant audio chipset settings.

If you know CxUtilSvc.exe is essential to your PC or Windows apps, avoid uninstalling it to prevent further problems.

File Info:

Name - CxUtilSvc.exe

Publisher - Conexant Systems, Inc

Version Used - 2.3.0.0

MD5 - 9a59df2ca690019fea3b265d5a7eb619

SHA1 - edcc7a48bd9cee92c792e91fb33e72589233a0e7

CxUtilSvc.exe Fan Speed-Related Error

Some Windows users have discovered a correlation between the Conexant Utility Service and strange fan activity. Symptoms of this problem include higher PC fan speeds while the mouse is being used and when the CxUtilSvc.exe program is active. Follow this step-by-step guide to diagnose and fix the problem.

Step 1 - Identify the CxUtilSvc.exe file location on your computer. You can do this by right-clicking on the application in Task Manager (Ctrl + Shift + Esc) and clicking “Open file location”. Alternatively, you can check the following directories: C:\Windows\System32, C:\Program Files\Conexant, and C:\Windows\CxSvc.


If you find the application under C:\Windows\System32, avoid uninstalling CxUtilSvc.exe as it may be essential to your computer system. If you fail to find CxUtilSvc.exe under any of the aforementioned directories but still see the file running as a process in Task Manager, it’s possible your computer has been infected by malware impersonating the Conexant Utility Service. Software impersonation is a common tactic used by malware developers to extend the lifetime of a virus on an infected PC.

Step 2 - Reinstall the Conexant SmartAudio driver. This can be done via Device Manager, which can be opened by pressing the Windows key and “R” to open the Run dialog and entering “devmgmt.msc”.

Open the Device Manager to reinstall the Conexant SmartAudio driver


Once you’ve successfully run the Device Manager, find the “Audio inputs and outputs” tab and click it. Look for “Conexant SmartAudio” and right-click the text before selecting “Uninstall”. The driver should automatically reinstall the next time you restart your computer.

Step 3 - If CxUtilSvc.exe is still causing fan problems on your PC, try using Microsoft’s system file checker. First, open Command Prompt as an administrator by typing “CMD” in the Windows search box, and clicking “Run as administrator”.

Search for Command Prompt on Windows search to access the sfc tool

Then, click “Yes” and type “sfc /scannow”. This will execute the SFC (system file checker) tool on your PC. The scan may take some time, but if any Conexant Utility Service errors are identified they will be automatically repaired.


Step 4 - Uninstall the Conexant Utility Service application if the steps above did not resolve your PC fan error. Note: this should only be done if CxUtilSvc.exe is not essential to your computer. Begin by opening the control panel via the Windows search box.

Search for Control Panel on Windows Search to uninstall CxUtilSvc.exe

Click on “Uninstall a program” under “Programs” and find the “Conexant Utility Service” label. Select it and click “Uninstall”. This will remove the CxUtilSvc.exe app from your PC and hopefully fix any fan-related issues connected to it. Restart your computer to observe any changes.

Click on Uninstall a program under Control Panel to remove CxUtilSvc.exe

More Errors

Other problems associated with CxUtilSvc.exe include System Error notifications and corrupt application data. When approaching these errors, make sure CxUtilSvc.exe is up-to-date. You can check a file’s version by opening PowerShell (via Windows search) and typing “(Get-Command C:\Path\Of\File.exe).FileVersionInfo.FileVersion”. 

Open PowerShell to find file version

If you believe the CxUtilSvc.exe file on your computer is illegitimate, in other words, if you think you're dealing with another program impersonating the Conexant Utility Service, you can always verify the file by calculating a checksum and comparing it to the hashes listed above.
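The checksum comparison suggested above, and the MD5/SHA-1/SHA-256 values listed in the malware posts on this page, both reduce to the same routine: hash the file and look the digests up in a reference table. The following is an added Python example (not code from this blog or from Malscope) that streams a file through all three hashers in one pass and classifies it against a table built from the hashes quoted on this page; the verdict labels and the table layout are this example's own choices.

```python
import hashlib
import sys
from typing import Dict, Tuple

# Reference hashes copied from the posts on this page, keyed by hex digest. Digest lengths
# differ per algorithm (32/40/64 hex chars), so one table holds all three without ambiguity.
# The verdict labels ("known-good", "malicious") are this example's own.
KNOWN_HASHES: Dict[str, Tuple[str, str]] = {
    # CxUtilSvc.exe 2.3.0.0 (Conexant Systems), the legitimate service
    "9a59df2ca690019fea3b265d5a7eb619": ("known-good", "CxUtilSvc.exe 2.3.0.0"),
    "edcc7a48bd9cee92c792e91fb33e72589233a0e7": ("known-good", "CxUtilSvc.exe 2.3.0.0"),
    # Zr89YEwgl7.exe (Trojan:Win32/Wacatac.B!ml)
    "aef64b80f75e200594408843bdb9bc83": ("malicious", "Zr89YEwgl7.exe"),
    "1ff795745683e6801fe689d2e566be7c25259d79": ("malicious", "Zr89YEwgl7.exe"),
    "f415405d413c1ad16b85c003f2ec6cda83d24518c4fb8a6e4aaaafc58dbb1254": ("malicious", "Zr89YEwgl7.exe"),
    # Galimatimod / Taurus_1.exe (Trojan:Win32/Predator!ml)
    "6d248c611de8a4ab22d9a4cf7e7b1fb3": ("malicious", "Galimatimod/Taurus_1.exe"),
    "f92013c1762eafbbb430892e8cb32356d07e29e6": ("malicious", "Galimatimod/Taurus_1.exe"),
    "a423314d33b74a166ce89ccef59bd5da0b25a6cfdc4ab59ac0fe157dad3082cd": ("malicious", "Galimatimod/Taurus_1.exe"),
    # Calimalimodunator / A954E0~1.exe (Trojan:Win32/Wacatac.DA!ml)
    "03b1daa2ee50da70c70c779b7471f492": ("malicious", "Calimalimodunator.exe"),
    "dfccc553dd00dee74dc212373a82cae24e2648b5": ("malicious", "Calimalimodunator.exe"),
    "a954e03d2300786bf77ab0caab269c05b75c34d62e0497979bfbb6919befcff5": ("malicious", "Calimalimodunator.exe"),
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory buffer for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all three hashers at once, without reading it fully into memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(digests: Dict[str, str], table: Dict[str, Tuple[str, str]] = KNOWN_HASHES) -> Tuple[str, str]:
    """Look the digests up strongest algorithm first; any single match decides the verdict."""
    for name in ("sha256", "sha1", "md5"):
        hit = table.get(digests.get(name, "").lower())
        if hit:
            return hit
    return ("unknown", "no match in reference table")


def classify_bytes(data: bytes, table: Dict[str, Tuple[str, str]] = KNOWN_HASHES) -> Tuple[str, str]:
    return classify(hash_bytes(data), table)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        verdict, label = classify(hash_file(target))
        print(f"{target}: {verdict} ({label})")
```

Run it as `python hashcheck.py C:\Windows\System32\CxUtilSvc.exe` (file name assumed). A hash identifies one exact build: a newer legitimate Conexant release will not match the 2.3.0.0 values, so pair this check with the file's Authenticode signature (`Get-AuthenticodeSignature` in PowerShell) before deciding a mismatch means impersonation, and a miss against the malware hashes says nothing about the repacked variants the posts above warn about.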

Monday, March 1, 2021

How to Remove Calimalimodunator [Trojan:Win32/Wacatac.DA!ml] + Complete Malware Analysis


Welcome to a complete removal guide for the calimalimodunator.exe virus (otherwise known as A954E0~1.EXE). This new spyware is specifically designed to steal user credentials and harvest sensitive browser data. An infection should be removed as soon as possible. Click here to skip directly to our removal guide.

Calimalimodunator or A954E0~1.exe harvested data

By making use of a dangerous arsenal of dropped dynamic link library files (DLLs), Calimalimodunator can change your system policies to compromise your environment and swipe data. Our malware analysis will reveal how Calimalimodunator runs its data-stealing operations on victim computers, how it executes dropped files, and how it can evade antivirus and investigation.

General Info:

Filenames - Calimalimodunator.exe, SecuriteInfo.com.W32.AIDetect.malware1.4821.3208, SECURI~1.exe, A954E0~1.exe

Dropped Filenames - SECURI~1.EXE.dll, A954E0~1.EXE.dll, A954E0~1.EXE.id0, A954E0~1.EXE.id1, A954E0~1.EXE.id2, A954E0~1.EXE.nam, A954E0~1.EXE.til

Total File Size - 6,272,000 Bytes

Possible Malware Origin - Slovakia, Iran

File Hash:

SHA256 - a954e03d2300786bf77ab0caab269c05b75c34d62e0497979bfbb6919befcff5

SHA1 - dfccc553dd00dee74dc212373a82cae24e2648b5

MD5 - 03b1daa2ee50da70c70c779b7471f492

Libraries Accessed (Windows) - kernel32.dll

Test Sample Used - Malware Bazaar

Variants (Disclaimer):

As is common with most malware targeting Windows machines in today’s world, the original Calimalimodunator file will likely join a large list of software variants designed by threat actors to make improvements to the existing source code. Our extensive malware testing analysis is based on the investigation of the test sample listed above. Since our research involves analyzing file properties and data profiles associated with the Calimalimodunator or A954E0~1.exe malware, our antivirus tool is highly likely to flag new variants and remove file system changes made by those variants as well as the original sample. That being said, malicious variants may vary and exhibit unique behaviors as well as differing structures not listed in this report. Subscribe to this blog to be notified of any updates made on this page.

Distribution:

Spyware viruses are usually designed to target highly-selective information on infected computers. Distribution methods for this type of malware often differ from those used by ransomware or other types. The Calimalimodunator variant we tested accesses browser data from Chrome. This means that Chrome users are an ideal target for the threat actors behind Calimalimodunator and that their distribution methods may capitalize on this fact.

Direct Download - During our virtual machine testing phase of the Calimalimodunator malware, no fake windows or popups were found, indicating that the virus was attempting to disguise itself as legitimate software. For this reason, it’s possible that Calimalimodunator was developed for a specific target or a group of targets that can be physically accessed. After execution, the software immediately drops its malicious files right into the application’s parent directory. From a victim’s perspective, these files would seem highly suspicious, and the malware would be more effective if it were to modify its environment in a carefully selected, hidden directory. If Calimalimodunator or A954E0~1.exe was transported via flash drive and executed directly on a target computer behind a wall of folders, it could operate largely undetected by the victim.

Malicious Websites - Buying websites to spread malware is a common distribution tactic for threat actors. Some sites can be bought with cryptocurrency, providing malware developers with relative anonymity when making their purchase. Some sites are also stolen for distribution purposes, especially those with serious vulnerabilities. It’s possible that Calimalimodunator itself is spread via malicious websites due to the fact that it makes requests to at least one recently registered website during its infection.

Behavior:

Upon execution, the Calimalimodunator virus immediately drops the following files into its parent directory: A954E0~1.EXE.dll, A954E0~1.EXE.id0, A954E0~1.EXE.id1, A954E0~1.EXE.id2, A954E0~1.EXE.nam, A954E0~1.EXE.til (filenames may vary). Most of these files are not immediately written to and their function is likely to store stolen data harvested from the host computer.

Calimalimodunator then uses PowerShell to write an execution-policy bypass for a hidden, temporary dropped file. This allows the malware to run its own PowerShell scripts on the targeted system. PowerShell's execution policy normally prevents such scripts from running; however, Calimalimodunator finds a way around it to continue its spyware operations. In addition to bypassing the PowerShell execution policy, this malware also scans infected computers to identify antivirus engines, which lets Calimalimodunator behave differently depending on its environment and avoid being studied by an antivirus program or the security analysts behind it.

When it comes to its data-stealing capabilities, Calimalimodunator selects a very particular browser to swipe information from: Chrome. The malware will scan through an infected computer’s Chrome log files to look for browser settings, internet history, cookies, and login data. If this information is sent back to threat actors, it could potentially place all of the victim's online accounts at risk of being hacked. Cookie stealing (or session hijacking), which involves swiping cookie data and injecting it on another computer to login using saved sessions, is a common tactic hackers use to break into emails. From a compromised email, hackers may then find sensitive banking information or reset some online passwords. For this reason, spyware is extremely damaging to victims and profitable for cyber-criminals. Calimalimodunator is also known to schedule tasks, meaning it can execute its own files or more malicious activities at preset times.
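The execution-policy bypass and the scheduled tasks described above both leave traces in process creation telemetry (the command line of powershell.exe and schtasks.exe). The following is an added Python example (not code from this blog or from Malscope) that tokenizes such command lines and tags the switches worth an analyst's attention. It assumes the documented behaviour that powershell.exe accepts unambiguous prefixes of its switch names (-ep, -ex, -w, -enc, -nop); the event format, the decision rule and the sample command lines, including the script and task names in them, are constructed for the example.

```python
import re
from typing import Dict, List, Tuple


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _is_switch(token: str, full: str, min_len: int, aliases: Tuple[str, ...] = ()) -> bool:
    """True if token is '-<full>', an accepted alias, or a prefix of at least min_len characters."""
    if not token or token[0] not in "-/":
        return False
    body = token[1:].lower()
    return body in aliases or (len(body) >= min_len and full.startswith(body))


def powershell_tags(tokens: List[str]) -> List[str]:
    """Tag the powershell.exe switches that the samples on this page rely on."""
    tags: List[str] = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if _is_switch(tok, "executionpolicy", 2, ("ep",)) and nxt in ("bypass", "unrestricted"):
            tags.append("execpolicy-bypass")
        elif _is_switch(tok, "windowstyle", 3, ("w",)) and nxt == "hidden":
            tags.append("hidden-window")
        elif _is_switch(tok, "encodedcommand", 3, ("e", "ec")):
            tags.append("encoded-command")
        elif _is_switch(tok, "noprofile", 3):
            tags.append("no-profile")
    return tags


def triage_process_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, tags) for the events that meet the reporting rule below."""
    flagged: List[Tuple[str, List[str]]] = []
    for ev in events:
        image = ev["image"].lower()
        tokens = tokenize(ev["cmdline"])
        tags: List[str] = []
        if image in ("powershell.exe", "pwsh.exe"):
            tags = powershell_tags(tokens)
        elif image == "schtasks.exe" and any(t.lower() == "/create" for t in tokens):
            tags = ["scheduled-task-create"]
        # Decision rule (this example's own): a policy bypass or a task creation is reportable
        # on its own; the remaining switches are common enough that one alone is not.
        if "execpolicy-bypass" in tags or "scheduled-task-create" in tags or len(tags) >= 2:
            flagged.append((ev["image"], tags))
    return flagged


# Constructed sample events; the script, task and binary names are hypothetical.
SAMPLE_EVENTS = [
    {"image": "powershell.exe",
     "cmdline": r'powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\drop.ps1"'},
    {"image": "powershell.exe",
     "cmdline": "powershell -ep bypass -enc <base64-placeholder>"},
    {"image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\user\Downloads\A954E0~1.EXE" /sc minute /mo 30'},
    {"image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for image, tags in triage_process_events(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

On the constructed events the first three are reported and the last two are not: an administrator's `-NoProfile -Command` and a `RemoteSigned` policy are ordinary, while a hidden window combined with a bypass, an encoded command after `-ep bypass`, and a task pointing at a file in Downloads are the shapes the Calimalimodunator write-up describes. Real telemetry needs the parent process and the script path added to the rule before it is quiet enough for production.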
 
Calimalimodunator or A954E0~1.exe processes

Finally, Calimalimodunator or A954E0~1.exe also accesses the Windows registry during its infection and makes a connection request to the following address: hxxp://pesterbdd.com/images/Pester.png

This domain was registered this January in Hong Kong, and may be linked to Calimalimodunator’s operation, particularly the data transfer stage of its information-stealing endeavors. However, our testing did not confirm this and it is possible that the connection was formed to obfuscate other attempts at transferring data to the threat actor.
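The network indicators quoted across these posts (101.36.107.74 on ports 80 and 49704 for Zr89, the legend0.ru URLs for Galimatimod, and the pesterbdd.com URL above) are written defanged with hxxp so they are not clickable; to use them in a log search they have to be refanged and split into hosts, ports and domains. The following is an added Python example (not code from this blog or from Malscope) that does that and matches constructed connection log lines against the indicators; the key=value log format, the reason labels and the sample lines are this example's own.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Indicators exactly as the posts on this page write them (defanged).
DEFANGED_INDICATORS = [
    "101.36.107.74:80",
    "101.36.107.74:49704",
    "hxxp://legend0.ru/cfg/",
    "hxxp://legend0.ru/log/",
    "hxxp://pesterbdd.com/images/Pester.png",
]


def refang(indicator: str) -> str:
    """Reverse common defanging: hxxp(s) -> http(s), [.] and (.) -> '.'."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".")


def build_indicator_sets(indicators: List[str]) -> Tuple[Set[Tuple[str, int]], Set[str], Set[str]]:
    """Split indicators into exact (ip, port) endpoints, bare IPs, and URL hostnames."""
    endpoints: Set[Tuple[str, int]] = set()
    ips: Set[str] = set()
    domains: Set[str] = set()
    for raw in indicators:
        ind = refang(raw)
        if "://" in ind:
            host = (urlsplit(ind).hostname or "").lower()
            if host:
                domains.add(host)
        else:
            host, _, port = ind.rpartition(":")
            endpoints.add((host, int(port)))
            ips.add(host)
    return endpoints, ips, domains


# Constructed log format: "<timestamp> proc=<image> dst=<host> dport=<port> [url=<url>]".
_LOG = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)(?:\s+url=(?P<url>\S+))?")


def match_connections(lines: List[str], indicators: List[str] = DEFANGED_INDICATORS) -> List[Dict[str, str]]:
    """Return one hit per log line whose destination matches an indicator, with the reason."""
    endpoints, ips, domains = build_indicator_sets(indicators)
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG.search(line)
        if not m:
            continue
        dst, port = m["dst"].lower(), int(m["port"])
        url_host = (urlsplit(m["url"]).hostname or "").lower() if m["url"] else ""
        if (dst, port) in endpoints:
            reason = "known endpoint"
        elif dst in ips:
            reason = "known ip, unlisted port"
        elif dst in domains or url_host in domains:
            reason = "known domain"
        else:
            continue
        hits.append({"process": m["proc"], "dst": f"{dst}:{port}", "reason": reason})
    return hits


# Constructed sample lines (not captured traffic).
SAMPLE_LOG = [
    "2021-05-25T10:00:01Z proc=Zr89YEwgl7.exe dst=101.36.107.74 dport=80 url=http://101.36.107.74/",
    "2021-05-25T10:00:03Z proc=Zr89YEwgl7.exe dst=101.36.107.74 dport=49704",
    "2021-05-25T10:00:04Z proc=svchost.exe dst=101.36.107.74 dport=443",
    "2021-04-21T09:12:10Z proc=Taurus_1.exe dst=legend0.ru dport=80 url=http://legend0.ru/cfg/",
    "2021-03-01T14:05:00Z proc=A954E0~1.exe dst=pesterbdd.com dport=80 url=http://pesterbdd.com/images/Pester.png",
    "2021-03-01T14:05:02Z proc=chrome.exe dst=example.com dport=443",
]

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_LOG):
        print(f"{hit['process']} -> {hit['dst']}: {hit['reason']}")
```

The bare-IP tier exists because the Zr89 post lists two ports for 101.36.107.74 and a variant may use a third; it is reported with its own reason so the analyst can weigh it separately. Since the posts themselves are unsure whether 101.36.107.74 and pesterbdd.com are attacker-operated, treat every hit as a lead to confirm against the process and the payload, not as a verdict.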

Removal:

Removing the Calimalimodunator virus, A954E0~1.exe, or its other files and variants is very easy to do with the malware removal tool built into our antivirus app, Malscope. Differing removal methods may exist but the following steps are our tested instructions for Calimalimodunator malware removal:

1. Purchase or download the Malscope Antivirus from our webpage and unzip the installer. If you purchase a yearly plan, you can use the code “calimali” to get 30% off Malscope, an app that is equipped to detect Calimalimodunator along with its possible variants and highlight any malicious files it discovers. The discount code will expire in 30 days, so be sure to use it as soon as possible!
 
Malscope Antivirus website page

 
2. Run the “Malscope” app and enter the product key you received after your purchase (check your email). If you already have a product key, you may skip the purchasing steps and enter it now.
 
Enter product key on Malscope Antivirus (step 1)

Enter product key on Malscope Antivirus (step 2)

3. Wait for Malscope to set up its environment. Once controls for the app are loaded, you can begin removing the Calimalimodunator infection.

Malscope Antivirus app layout

4. Click the drop-down box under “Virus Removal” on Malscope to select a malware type to remove. Click “Calimalimodunator [Trojan:Win32/Wacatac.DA!ml]” and then press “Remove”. If the Calimalimodunator virus is or was active on your computer, Malscope will automatically remove all dropped files and reverse damage to your system’s settings and execution policies.

Remove Calimalimodunator with Malscope Antivirus

5. If you downloaded Calimalimodunator.exe by mistake, be sure to scan the directory you saved it to with the “Scan Directory” button. This will prompt you to select a folder; choose it and wait for Malscope to scan it. Malscope will automatically mark suspicious files and print them to the usage log for you to read. You may then choose to delete the files either manually or through Malscope’s “Scan File Now” data removal option.

Select folder to scan with Malscope Antivirus

Prevention:

Since Malscope Antivirus is equipped with the ability to detect Calimalimodunator and its variants, we recommend using this tool to prevent an infection as well as to remove it. Downloaded executable files should be regularly scanned with Malscope to ensure their safety.

Additional Notes:

-The Calimalimodunator malware was written in Delphi, a dialect of the Object Pascal programming language.

-The compilation system language of Calimalimodunator and A954E0~1 is Slovak, indicating that this virus likely originated from Slovakia.

-“Vsekdag” is the internal legal copyright name of the software used to run Calimalimodunator. This name may refer to a threat actor or malware author, as it has also been used in association with a more infectious spyware known as Calanilimodumator or m8kdtboA0T.exe.

-The image below is the app icon attached to the Calimalimodunator virus.

Calimalimodunator or A954E0~1.exe icon

Sunday, January 10, 2021

How to Remove ys808e.exe Virus [Trojan:Win32/Wacatac.DE!ml] + Windows Malware Analysis


Welcome to a complete removal guide and malware analysis for the ys808e.exe virus (Trojan:Win32/Wacatac.DE!ml), also known as Random.exe and “SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.13968”. This Windows Trojan threat was reported on 1/9/2021.

The ys808e.exe virus can access a variety of critical Windows 10 files during infection.

Thanks to an array of analysis/antivirus-evasion tools built into the virus, ys808e malware cannot be detected by McAfee, BitDefender, Comodo, or TrendMicro antivirus apps at the time of writing. Once ys808e.exe is executed on a target PC, it will pursue your private information and make edits to critical Windows system files. Read this article to understand how ys808e works and how to defend yourself against an infection. Click here to skip to our removal guide and security recommendations.

General Info:

Filenames - ys808e.exe, ys808e (1).exe, Random.exe, file.exe, SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.13968, ebe410ca4e64d62e4366e9e1fcf10ad1bf7a99958a847af3d0e9d3850eb003a7.exe (sample name)

File Size - 625,152 Bytes

File Overlay - N/A (Overlay not present)

Possible Malware Family: RedLine Payload

File Hash:

SHA256 - ebe410ca4e64d62e4366e9e1fcf10ad1bf7a99958a847af3d0e9d3850eb003a7

SHA1 - c460f158701e0a5ef5d4eddd9a0257bd1c350c25

MD5 - 9da896f4111c89fee054c1ed44565ecb

Libraries Accessed (Windows) - winhttp.dll, kernel32.dll

Test Sample Used - Malware Bazaar

Variants:

The information in this article corresponds to the sample testing and static analysis done for the file listed above. Throughout January, variants of the ys808e virus with similar behavioral traits have also been released and sampled. Below are the SHA256 hashes of these older variants:

Reported on Jan 5 - ecebc42356531d726c29149265632f77431e6d597e88372326d19d821952f565

Reported on Jan 6 - e774c62260c1a3095072af8779ce8d1f7382b41857d93ac3bfc8db6b053ff455

Reported on Jan 8 - 0a5faef2bdcce3d5b58e9062bf8f936596a96eaf0b270ed86cac3033cd922537

Distribution:

The ys808e malware is packed with UPX, a tool used to pack raw executables in several different formats for the operating systems it supports. UPX works by automatically decompressing a packed file when it is executed and creating a temporary, virtual environment in which the original file runs. This tool may have been abused by the ys808e.exe malware authors to obfuscate malicious payloads, or it may simply have been used to package code in a way that makes ys808e executable on Windows machines. You might receive ys808e.exe, Random.exe, or a similar file through any of the following mediums:

Emails - Sending emails with attached malware is a preferred method of distribution among today’s threat actors. Spam emails are known to carry malicious software hidden underneath links or attachments. According to Fortinet, up to 1 in 3,000 spam messages can contain some form of malware. ys808e.exe itself can be smuggled through compressed ZIP files or document macros. Please do not attempt to download files or navigate links sent by suspicious emails.

Web Downloads - The distribution method ys808e is most associated with is web downloads. You might find variants of this malware on server addresses or software distributor websites. Since ys808e.exe is not currently detected as malware on most antivirus engines, there’s a good chance threat actors will still be able to spread ys808e across the internet to unsuspecting users.

Fake Software - ys808e’s evasive features open the possibility for malicious payloads to be executed through faulty or fake software. Legitimate applications may be duplicated to covertly download ys808e.exe which will then run unbeknownst to the everyday Windows user. Online downloads can also contain the ys808e.exe payload while pretending to run entirely separate programs.
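The UPX packing noted above is something a defender can check statically before a sample is ever run. The following is an added example written for this post; it is not the blog's tool and contains no code from the ys808e sample. It parses a PE file's section table and flags the layout UPX typically leaves behind (sections named UPX*, an empty-on-disk writable-and-executable section that serves as the in-memory unpack target, and a high-entropy section holding the compressed payload), which also catches other packers that produce the same shape. The two PE images are constructed in memory from just the header fields the parser reads; their section names, sizes, flags and the 7.0 entropy threshold are assumptions for the demonstration, not values taken from the sample.

```python
"""Static triage: flag UPX-style packing from a PE file's section table.

Added example for this post, not the blog's tool and not the ys808e.exe binary.
The two sample images below are constructed in memory (headers + section
table + raw bytes); only the fields this parser reads are filled in.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    out = []
    for i in range(num_sections):
        name, vsize, _va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER, pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "virtual_size": vsize, "raw_size": rawsize,
                    "flags": flags, "entropy": round(shannon_entropy(raw), 2)})
    return out


def packer_indicators(pe: bytes) -> dict:
    """Three cheap UPX tells: UPX* names, an empty-on-disk W+X section
    (the in-memory unpack target) and a high-entropy section (the payload)."""
    secs = parse_sections(pe)
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    upx_names = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    hollow_wx = [s["name"] for s in secs
                 if s["raw_size"] == 0 and s["virtual_size"] > 0 and s["flags"] & wx == wx]
    high_entropy = [s["name"] for s in secs if s["raw_size"] and s["entropy"] > 7.0]
    return {"sections": [s["name"] for s in secs], "upx_names": upx_names,
            "hollow_wx": hollow_wx, "high_entropy": high_entropy,
            "likely_upx": bool(upx_names) or bool(hollow_wx and high_entropy)}


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image from (name, virtual_size, raw_bytes, flags) tuples."""
    opt_size = 224  # size of a PE32 optional header; left zeroed here
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, raw = bytearray(), bytearray()
    ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)  # first raw byte after the table
    for name, vsize, data, flags in sections:
        table += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(data), ptr if data else 0, 0, 0, 0, 0, flags)
        raw += data
        ptr += len(data)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt_size) + bytes(table) + bytes(raw)


# Constructed samples: deterministic hash output stands in for compressed code.
NOISE_BYTES = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
PACKED_SAMPLE = build_sample_pe([
    ("UPX0", 0x30000, b"", RWX),                      # hollow unpack target
    ("UPX1", 0x1000, NOISE_BYTES, RWX),               # compressed payload + stub
    (".rsrc", 0x1000, b"\0" * 512, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
CLEAN_SAMPLE = build_sample_pe([
    (".text", 0x1000, b"\x90" * 400 + b"\xc3" * 100, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".data", 0x1000, b"\0" * 512, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(image))
```

Pointing `parse_sections` at the bytes of a real file (`open(path, "rb").read()`) gives the same dictionary per section; a UPX-packed binary shows the UPX0/UPX1 pair, while a renamed-section packer still trips the hollow W+X plus high-entropy combination.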

Behavior:

After opening an app infected with ys808e, the virus will read your computer's system manufacturer data to check whether it is running on virtualization software. This behavior indicates an intent to evade analysis, since most live malware samples (including ours) are tested on virtual machines. Because of this, it is unclear whether or not ys808e.exe behaves differently on a real, physical Windows computer. If you have experience with this file that differs from our virtually-tested behavioral analysis, please contact us by email. This section of the article will be updated if new data is discovered.

Once ys808e has found your system manufacturer, it will begin calling the Windows API function “GetSystemTimeAsFileTime” in a repetitive loop, most likely to delay further analysis or detection. In the background, ys808e.exe will also access the registry and harvest all mail client-related data under the following Microsoft Outlook keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\Hidden

HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook\Capabilities

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations

Interestingly, ys808e.exe or Random.exe also launches WerFault.exe, a tool designed by Microsoft for Windows error reporting. Several edits were also made to system font files during our sample tests of the file. It is currently unclear why this tool was used or why these edits were made.

ys808e.exe makes edits to all Windows 10 font files

Some variants of ys808e.exe are also known to generate network activity by repeatedly attempting local connections to 192.168.1.7 on up to 37 different ports. In one instance, the file made a DNS request to oribba.xyz, a very recently created domain that does not currently resolve in DNS.
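The behaviors listed in this section (Outlook registry enumeration, the WerFault.exe launch, font-file writes and the 37-port sweep of one LAN host) are each visible in a Process Monitor capture, and together they make a usable triage signature. The following is an added example written for this post, not the blog's tool and not code from the sample: it parses a Procmon-style CSV export and applies one rule per behavior. The event log is constructed to mirror the behavior described above and is not a real capture; the allowlists of processes expected to read the Outlook keys or write fonts, the 20-port sweep threshold, the PIDs and the timestamps are all assumptions.

```python
"""Triage a Procmon-style CSV export for the behaviours described in this post.

Added example; not the blog's tool and not part of the ys808e sample. The
event log is constructed (Outlook registry reads, a WerFault.exe launch,
font-file writes, a 37-port sweep of 192.168.1.7) and is not a real capture.
"""
import csv
import io
from collections import defaultdict

OUTLOOK_CAPABILITIES_KEY = r"HKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities"
FONTS_DIR = "C:\\Windows\\Fonts\\"
# Processes expected to touch these locations (assumptions; tune per environment).
MAIL_KEY_READERS = {"outlook.exe", "explorer.exe", "svchost.exe"}
FONT_WRITERS = {"fontdrvhost.exe", "trustedinstaller.exe", "tiworker.exe"}
PORT_SWEEP_THRESHOLD = 20  # distinct destination ports on one host (assumption)


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export (quoted columns with a header row) into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_mail_client_enumeration(rows) -> set:
    """Processes outside the allowlist reading the Outlook Capabilities keys."""
    key = OUTLOOK_CAPABILITIES_KEY.lower()
    return {r["Process Name"] for r in rows
            if r["Operation"].startswith("Reg") and r["Path"].lower().startswith(key)
            and r["Process Name"].lower() not in MAIL_KEY_READERS}


def find_port_sweeps(rows, threshold=PORT_SWEEP_THRESHOLD) -> dict:
    """(process, destination host) pairs contacted on >= threshold distinct ports."""
    ports = defaultdict(set)
    for r in rows:
        if r["Operation"] != "TCP Connect" or " -> " not in r["Path"]:
            continue
        dest = r["Path"].split(" -> ", 1)[1]      # Procmon path: "src:port -> dst:port"
        host, port = dest.rsplit(":", 1)
        ports[(r["Process Name"], host)].add(port)
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}


def find_font_tampering(rows) -> dict:
    """Writes under the Fonts directory by processes not expected to write fonts."""
    hits = defaultdict(list)
    for r in rows:
        if (r["Operation"] == "WriteFile" and r["Path"].lower().startswith(FONTS_DIR.lower())
                and r["Process Name"].lower() not in FONT_WRITERS):
            hits[r["Process Name"]].append(r["Path"])
    return dict(hits)


def find_werfault_spawns(rows) -> list:
    """Parents that launched WerFault.exe (Procmon puts the child image in Path)."""
    return sorted({r["Process Name"] for r in rows
                   if r["Operation"] == "Process Create"
                   and r["Path"].lower().endswith("\\werfault.exe")})


def triage(text: str) -> dict:
    rows = parse_procmon_csv(text)
    return {"mail_client_enumeration": find_mail_client_enumeration(rows),
            "port_sweeps": find_port_sweeps(rows),
            "font_tampering": find_font_tampering(rows),
            "werfault_spawned_by": find_werfault_spawns(rows)}


def build_constructed_log() -> str:
    """Constructed Procmon-shaped events (not a real capture)."""
    cols = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]
    key = OUTLOOK_CAPABILITIES_KEY
    ev = [
        ["10:15:01.001", "ys808e.exe", "4120", "RegOpenKey", key, "SUCCESS", "Desired Access: Read"],
        ["10:15:01.002", "ys808e.exe", "4120", "RegQueryValue", key + r"\Hidden", "SUCCESS", "Type: REG_SZ"],
        ["10:15:01.003", "ys808e.exe", "4120", "RegOpenKey", key + r"\FileAssociations", "SUCCESS", "Desired Access: Read"],
        ["10:15:01.050", "explorer.exe", "1504", "RegQueryValue", key + r"\ApplicationName", "SUCCESS", "Type: REG_SZ"],
        ["10:15:02.100", "ys808e.exe", "4120", "Process Create", r"C:\Windows\System32\WerFault.exe", "SUCCESS", "PID: 4388, Command line: WerFault.exe -u -p 4120"],
        ["10:15:02.300", "ys808e.exe", "4120", "WriteFile", r"C:\Windows\Fonts\arial.ttf", "SUCCESS", "Offset: 0, Length: 4,096"],
        ["10:15:02.301", "ys808e.exe", "4120", "WriteFile", r"C:\Windows\Fonts\segoeui.ttf", "SUCCESS", "Offset: 0, Length: 4,096"],
        ["10:15:02.400", "fontdrvhost.exe", "884", "ReadFile", r"C:\Windows\Fonts\arial.ttf", "SUCCESS", "Offset: 0, Length: 512"],
        ["10:15:03.000", "chrome.exe", "2212", "TCP Connect", "DESKTOP-7K2:50110 -> 203.0.113.10:443", "SUCCESS", "Length: 0"],
        ["10:15:03.001", "chrome.exe", "2212", "TCP Connect", "DESKTOP-7K2:50111 -> 203.0.113.10:443", "SUCCESS", "Length: 0"],
    ]
    # 37 distinct ports against one LAN host, the sweep pattern noted in the post.
    for i, port in enumerate([135, 139, 445, 3389] + list(range(8000, 8033))):
        ev.append([f"10:15:04.{i:03d}", "ys808e.exe", "4120", "TCP Connect",
                   f"DESKTOP-7K2:{51000 + i} -> 192.168.1.7:{port}", "CONNECTION REFUSED", "Length: 0"])
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(cols)
    writer.writerows(ev)
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage(build_constructed_log()).items():
        print(f"{name}: {hits or 'none'}")
```

Any one of these rules fires on benign software now and then (installers write fonts, mail clients read the Capabilities keys); the value is in a single unsigned process tripping several of them within seconds, which is what `triage` exposes.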

Despite some of the seemingly harmless activity ys808e.exe generates, this file and its variants should be taken seriously. The analysis-evading processes behind them suggest a more sinister objective behind this malware operation, and ys808e’s behavior on physical computers is yet to be revealed. If you have opened this file by mistake or believe you are dealing with a ys808e infection, read our removal guide below.

Removal:

Removing the ys808e.exe virus entirely from a computer system might be difficult, but not impossible. Differing removal methods may exist but the following steps are our tested instructions for ys808e.exe removal:

1. Purchase or download the Malscope Antivirus from our webpage and unzip the installer. If you purchase a yearly plan, you can use the code “ys808e” to get 30% off Malscope (discount will expire on February 11). This app is equipped to detect ys808e.exe along with its older variants and will highlight any malicious files it discovers.

Visit the Malscope webpage to download our antivirus and remove ys808e.exe or random.exe

Begin using Malscope for ys808e.exe or random.exe removal by extracting the Malscope.zip file

2. Run the “Malscope” app and enter the product key you received after your purchase (check your email). If you already have a product key, you may skip the purchasing steps and enter it now.

Enter your product key on the Malscope console to unlock features allowing you to remove ys808e.exe and random.exe

3. Wait for Malscope to set up its environment. Once controls for the app are loaded, you can begin removing a ys808e.exe infection. 

Malscope Antivirus First Setup - Remove modern malware variants 
 
4. Click the “Scan File Now” button to select any file and scan it for viruses. If a virus is found, Malscope will prompt you to remove it. After clicking “yes”, the data in the malicious file will be shredded before it is permanently deleted. Begin doing this for the first file(s) which executed the ys808e.exe virus - these are most likely in your Downloads folder. If you’re not sure which files executed the virus, you may skip to the next step. 

Scan single files for ys808e.exe or Random.exe with Malscope Antivirus
 
5. Click “Scan System” and wait for Malscope to thoroughly scan through your entire system. Malscope will automatically filter through files most likely to introduce threats and warn you if they are associated with ys808e.exe. Be sure to remove all files confirmed to be malicious or rescan them individually if you're not sure. 
 
Scan your entire Windows system for ys808e.exe random.exe and similar files with Malscope Antivirus

Note: In the next update, Malscope will gain a new feature specifically designed for automated malware removal. Follow the Riserbo Blog by email to be notified of a blogpost discussing this new feature or purchase a copy of Malscope today with the discount listed above to receive updated software directly in your inbox.

Prevention:

Since Malscope Antivirus is equipped with the ability to detect ys808e and its variants, we recommend using this tool to prevent an infection as well as to remove it. Downloaded executable files should be regularly scanned with Malscope to ensure their safety.

Additional Notes:

VirusTotal

VirusTotal initially listed 18 engines that detect ys808e.exe and random.exe variants

McAfee and Bitdefender were among many antivirus engines that failed to detect ys808e.exe and its variants

-During our static analysis of this virus, we discovered the internal name of the file listed as “vebug.ekze” and the legal copyright of ys808e.exe marked as “Copyri (C) 2019, permudationzy”. Similar names have been found within various RedLine password-stealer malware versions. For this reason, we believe it’s possible ys808e.exe is related to this particular malware family.

-Most ys808e variants start or modify a total of 19 Windows processes

-The following file icon is associated with ys808e.exe, Random.exe, and other related files:

 

The ys808e.exe and Random.exe icon appears to be a yellow wrench

-The Portuguese language was found within several ys808e.exe binary/debugging resources

-Update: The domain kypersan16.top has been identified as a live source of the ys808e virus