"You IP MAY BE DANGEROUS!" TROJAN

Link (Dangerous): Attention! Your IP address is currently exposed. (check-myip.com)

Registered via NameCheap on April 5, 2023 - Whois check-myip.com


Users are asked to install “Radon VPN” at FileToSend (ffile-tosend.com)

VirusTotal - File - 25c39395c1ccd3f190ee3d19e427edaa1877506332374617fa57aa5d92706ff7

Any.Run - Analysis: https://ffile-tosend.com/download.php?filename=KC4XICFjfnEyDHY5KXAbfyc7KHc0JQFg&flow_id=BhcQMg%3D%3D&click_id=BRcUMwwVIy00DCspLy0Yfhk7Bn4%3D&sourcename=Bhc2MQ4rAjQeDyRs - Malicious activity - Interactive analysis ANY.RUN


Program contains the Cerbu & Kryptik trojans


I checked and the original link is still good. I downloaded the file it offered to my Flare VM and found it’s a different file, as the SHA-256 is different than the one shown in your VirusTotal link. Gotta get ready for work now, but will take a look at it later and see what I find.

Forgot to include the SHA-256 on the file I got. Here it is:
RadonVpn.exe SHA-256
e42f7887bad946d14ffc4ca5b150315b45aa60bbfc457d88960e0cb1d63d551d

None of the scanners on VT detects this file as anything so far. I’ll work on it more this evening if I have time.
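The replies above turn on one practical check: hashing what the lure actually served and comparing it with the hash already reported, which is how the second poster noticed the download link hands out a different binary than the VirusTotal sample. The script below is an added example, not code from the thread or from anyone in it. It carries the two SHA-256 values posted above as a small IOC list, hashes a sample in memory or streamed from disk, and flags when repeated fetches of the same URL yield distinct files. The two byte strings at the bottom are constructed stand-ins for two downloads; they are not the real RadonVpn.exe content.

```python
import hashlib

# Hashes taken from the posts above: the VirusTotal sample and the RadonVpn.exe
# the second poster pulled from the same link.
KNOWN_IOCS = {
    "25c39395c1ccd3f190ee3d19e427edaa1877506332374617fa57aa5d92706ff7":
        "VirusTotal sample (flagged as Cerbu / Kryptik)",
    "e42f7887bad946d14ffc4ca5b150315b45aa60bbfc457d88960e0cb1d63d551d":
        "RadonVpn.exe from the download link (0 detections on VT at time of posting)",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory sample, lower-case hex (the form VT and the thread use)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Same digest streamed from disk, so a large dropper is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(data: bytes, iocs=KNOWN_IOCS) -> tuple[str, str]:
    """Return (sha256, verdict).

    A miss against the IOC list is reported as unknown, not clean: the thread
    shows the same URL serving a binary with a hash nobody had seen yet.
    """
    digest = sha256_hex(data)
    if digest in iocs:
        return digest, "known-bad: " + iocs[digest]
    return digest, "not in IOC list (unknown, not clean)"


def serves_varying_payload(downloads: list[bytes]) -> bool:
    """True when repeated fetches of one URL produced more than one distinct hash,
    i.e. the server is repacking or rotating the payload per download."""
    return len({sha256_hex(d) for d in downloads}) > 1


# Constructed stand-ins for two fetches of the same download.php URL (assumed data).
FETCH_1 = b"MZ" + b"\x00" * 62 + b"radon-build-1"
FETCH_2 = b"MZ" + b"\x00" * 62 + b"radon-build-2"

if __name__ == "__main__":
    for name, blob in (("fetch 1", FETCH_1), ("fetch 2", FETCH_2)):
        digest, verdict = classify(blob)
        print(f"{name}: {digest} -> {verdict}")
    print("payload varies between fetches:", serves_varying_payload([FETCH_1, FETCH_2]))
```

Record the hash before detonating anything in the VM, and keep both values in the report: a sample that is not in anyone's IOC list yet is exactly the case where the hash is worth publishing.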