![windows irc client 2018 windows irc client 2018](https://thegeekpage.com/wp-content/uploads/2018/10/vclient-irc-min.png)
![windows irc client 2018 windows irc client 2018](https://i.stack.imgur.com/w4Csn.png)
The PE file is not packed nor obfuscated so it’s easy to find other interesting behaviours just be searching for interesting strings. I took 3 samples and they look quite similar based on ssdeep:ĭefault viper 59dcab059d5935f3fd21c4c976e89e7c470b1e565191590792baad33393de5fd.exe > fuzzy The standard 'This program cannot be run in DOS mode’ has been replaced by a funny string to mimic a GIF file: 'GIF89a Adobe Photoshop Elements®’. First interesting point, the PE header has been changed.
#Windows irc client 2018 code#
The strange fact is that the initial file has already a goods code on VT (55/67) and is detected by most of the classic antivirus tools. The file was submitted for the first time from the US. I detected the first occurrence on 15:48:00 UTC. It was detected thanks to my ‘psexec’ hunting rule which looks definitively an interesting keyword (see my previous diary).
#Windows irc client 2018 windows#
Last weekend, I caught on VirusTotal a trojan disguised as Windows IRC bot.