URL you wish to be added:
https://ru-torproject.ru/en/
Why you believe this should be added:
This website claims to be the official website of Tor Browser. However, the download leads to a double archive (the second one is protected with the password 123. Very secure) containing a self-extracting archive, which runs both the legitimate Tor installer (so users won't suspect anything) and a trojan, which creates and executes C:\Users%username%\AppData\Roaming\Microsoft\xampresinquepics\ampresinquepic.exe
Sandbox (it evaded it, but dropped that file beforehand. It ran without incident on my old Windows 10 VM and created a RunOnce item. Sadly, I didn't have much logging set up, so I don't know if it stole stuff from browsers, contacted any C2s, etc.): https://tria.ge/230217-xd8nksgc9x/behavioral2
Add to list:
Malware
Other info you think we should know:
Also reported to the uBo list at uBlockOrigin/uAssets#16799
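A defender-side triage check, added here and not part of the report above: it enumerates the RunOnce keys the dropper is described as using, flags any entry that launches a binary from a user-writable AppData path or that contains the dropper path named in the report, and then lists executables sitting under %APPDATA%\Microsoft, which is an unusual place for a legitimate installer to leave a binary. Assumes Windows PowerShell 5.1 or later; the HKLM keys only read fully from an elevated prompt, and the dropper filename is taken verbatim from the report (any other name would be a placeholder).

```powershell
# Added triage script (not from the issue report). Reviews RunOnce persistence
# entries and %APPDATA%\Microsoft for signs of the fake-Tor dropper described above.
# Assumptions: Windows PowerShell 5.1+, run as the affected user; HKLM keys need elevation.

$runOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Path fragment copied from the report: %APPDATA%\Microsoft\xampresinquepics\ampresinquepic.exe
$knownDropper = 'xampresinquepics\ampresinquepic.exe'

function Get-SuspiciousRunOnceEntries {
    foreach ($key in $runOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the provider metadata properties (PSPath, PSParentPath, PSChildName, ...)
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            $reasons = @()
            # Autostart commands pointing into a user-writable profile directory deserve review
            if ($cmd -match '(?i)\\AppData\\(Roaming|Local)\\') { $reasons += 'launches from AppData' }
            # Direct match on the dropper path reported in the issue
            if ($cmd -match [regex]::Escape($knownDropper)) { $reasons += 'matches reported dropper path' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-AppDataMicrosoftExecutables {
    # Executables dropped directly under %APPDATA%\Microsoft\<folder> are worth a second look;
    # treat hits as leads to verify (publisher signature, hash, creation time), not as a verdict.
    Get-ChildItem -Path "$env:APPDATA\Microsoft" -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

Write-Host '== RunOnce entries that launch from AppData or match the reported dropper =='
Get-SuspiciousRunOnceEntries | Format-Table -AutoSize

Write-Host '== Executables under %APPDATA%\Microsoft =='
Get-AppDataMicrosoftExecutables | Format-Table -AutoSize
```

Because RunOnce values are deleted by Windows once they have executed, a clean result on a machine that has already rebooted does not clear it; the file listing and the Triage report linked above are the better evidence in that case.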