06-07-2020, 12:27 PM
Thanks to @HailHydra, this wouldn't have been revealed without him notifying me about Betski's software posts
When loading the executable, it will unpack in a folder (%appdata%), here are the files extracted by the application
wof.bat is where the malware gets downloaded, via this command
av.bat tries to disable Windows Defender via the regedit
I haven't been able to decompile test.exe; however, it has a lot of detections on VirusTotal, and browsing through it via MiTeC EXE Explorer shows interactions with the "Downloads" folder
The file that gets downloaded (Systemas.exe) can't be downloaded anymore, so I can't go further; however, the script renames it to System32.exe, which is a suspicious file name
The thread was released 1 day after the edits on the application had been made (containing the malware)
Here's a download link with only the standalone application:
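A host triage script for the behaviours the post describes, added here as an example and not taken from the post or from the analysed software. It assumes the dropped batch files keep the names wof.bat and av.bat under %APPDATA%, and, since the post does not name the registry values av.bat touched, it checks the commonly abused Defender policy values instead.

```powershell
# Added triage script (not from the original post). Looks for the indicators
# described in the analysis: a dropped System32.exe outside the real System32,
# the wof.bat / av.bat droppers under %APPDATA%, and Defender disabled through
# policy registry values. The exact registry values av.bat sets are not given
# in the post, so the two checked below are an assumption.

$findings = @()

# 1. The real System32 is a directory, never an executable, so a file with that
#    name anywhere under the user profile is worth a look.
Get-ChildItem -Path $env:USERPROFILE -Filter 'System32.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Dropped file: $($_.FullName)" }

# 2. Batch droppers unpacked under %APPDATA% (names taken from the post).
Get-ChildItem -Path $env:APPDATA -Include 'wof.bat','av.bat' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Batch dropper: $($_.FullName)" }

# 3. Defender policy values a batch file can set with reg.exe (assumed targets).
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) {
        $findings += "Defender tampering: $($c.Path)\$($c.Name) = 1"
    }
}

# 4. Live Defender state, independent of what the registry says.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status -and -not $status.RealTimeProtectionEnabled) {
    $findings += 'Defender real-time protection is currently off'
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the post found on this host.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell session, since the policy keys and Get-MpComputerStatus may be unreadable otherwise.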