AMD/ATI Pixel Clock Patcher
11-10-2019, 01:49 PM
(Last edited: 11-10-2019, 02:31 PM by board-temp)
Post: #944
RevengeRat Trojan in atikmdag-patcher.exe
Hello, I registered this account to post here because after installing atikmdag-patcher.exe on my system I was infected with a trojan.

It creates a Task Scheduler job that triggers a JavaScript file on user logon, which transfers data from and to pastebin periodically, and also tries to run a C2 channel to a Russian IP 178.140.134.36 on port 4322. My Palo Alto firewall detected and blocked it as "RevengeRat Command and Control Traffic". I sent the atikmdag-patcher.exe to Joe Sandbox and got everything confirmed: http://joesandbox.com/analysis/188753/0/html so if you don't believe me, this analysis report should change your mind. If the file was infected on my system by some other means then sorry, but I thought I had better warn users here of the potential infection.

(edit: I redownloaded the file from page 1 of this thread on 2019-11-10 14:45 GMT and it still detects as malicious)
(edit 2: I downloaded the exe fresh from SourceForge on 2019-11-10 15:25 and it also detects as malicious. Will report there too)

Check your system for the following modifications:

Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  C:\Users\user\Desktop\atikmdag-patcher.exe
  C:\Users\user\Desktop\atikmdag-patcher.exe /exenoupdates /forcecleanup /prereqs "0"

Task Scheduler Run new task:
  Network path: C:\Program Files (x86)\Common Files\driver.js

If you're infected, you also have a powershell.exe running, connecting periodically to the IP I mentioned above. This is the C2 channel.

Cheers.