Note that the bananasquad malware is now, fortunately, outdated!

Current SHA256 hash (of each malware):

| File name | SHA256 |
|---|---|
| pl.py (=bananasquad) (OUTDATED) | d278063c3acc2c145e154f039b94bb36a70d249671deac3ab9df189209b92339 |
| gruppe.py (=funcaptcha) | 41000461584d35c3a691d6f86457639189d22b852db3c7565d5410a413521b79 |
(PS: A French version is available (README.fr.md))

> [!NOTE]
> This file only contains the steps on how to remove the malware. Accounts that are reported to be spreading malware on GitHub are listed in the ACCOUNTS.md file. Thanks!

> [!WARNING]
> I am not responsible for any kind of problem that you might have. You can contact me on Discord (check my profile) or on GitHub if you want some help. Finally, as the malware can continue to evolve, this guide might become outdated some time after I've posted it. But I will keep investigating the malware; don't worry!
Even if this guide is about removing the malware from your computer, it is also a good entry point for me to warn you about precautions that you SHOULD take.
Always take a step back when you're downloading something, and don't download too fast even if it is open source: are you sure that it does not contain any kind of suspicious behavior? PLEASE always check the lines of the code, if you can. For example, if you find something like this

```python
exec(Fernet(b'<something>').decrypt(b'<something>'))
```

in the code, it's likely to be Bananasquad/Funcaptcha.
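That check can be automated. The following is an added example (it is not part of this guide or of any of the repositories it describes) that walks a downloaded source tree with Python's `ast` module and reports every place where `exec()` is fed the result of a `.decrypt()` call; it generalizes the pattern above, so it also flags variants that do not name Fernet directly. The two sample inputs and the key/token bytes in them are constructed placeholders.

```python
import ast
import re
from pathlib import Path

# Constructed sample of the loader shape the guide warns about (key and token
# bytes are placeholders, not real values).
SUSPICIOUS_SAMPLE = (
    "from cryptography.fernet import Fernet\n"
    "exec(Fernet(b'PLACEHOLDER_KEY').decrypt(b'PLACEHOLDER_TOKEN'))\n"
)
# Constructed sample of legitimate Fernet use: it decrypts data but never exec()s it.
BENIGN_SAMPLE = "from cryptography.fernet import Fernet\nf = Fernet(k)\ndata = f.decrypt(t)\n"

# Regex fallback for files the parser rejects (Python 2 syntax, deliberately broken code).
_FALLBACK = re.compile(r"exec\s*\(\s*Fernet\s*\(.*?\)\s*\.\s*decrypt\s*\(", re.S)

def find_exec_decrypt(source):
    """Return line numbers where exec() runs the result of a .decrypt() call.
    Any decrypt-then-exec is reported, not only Fernet: the file executes code
    it only reveals at runtime, the pattern this guide attributes to Bananasquad."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return [source[: m.start()].count("\n") + 1 for m in _FALLBACK.finditer(source)]
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            continue
        arg = node.args[0]
        if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "decrypt"):
            hits.append(node.lineno)
    return hits

def scan_tree(root):
    """Scan every .py file below root; return {path: [line numbers]} for hits only."""
    findings = {}
    for path in Path(root).rglob("*.py"):
        lines = find_exec_decrypt(path.read_text(encoding="utf-8", errors="replace"))
        if lines:
            findings[str(path)] = lines
    return findings

if __name__ == "__main__":
    import sys
    for path, lines in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: exec(...decrypt(...)) at line(s) {lines}")
```

Run it against the unpacked download before executing anything from it; a hit is a reason to read that file by hand, not proof of malware on its own.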
Also, DON'T SAVE ANY CREDENTIALS IN YOUR BROWSER. This is the easiest way for malware like this to grab your credentials (as long as you've saved them).
For the moment, I will only give (manual) instructions to remove the Bananasquad/Funcaptcha malware. I will make a program that does these steps itself later on.
please reinstall them from the official websites:
```bat
rem Remove the files the malware drops
del %appdata%\gruppe_storage
del %temp%\RuntimeBroker.exe
del %temp%\RuntimeBroker2.exe
del %temp%\hakabonk.exe
del %appdata%\Microsoft\runpython.py
del "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\hvnc.py"
rmdir /S /Q C:\Windows\WinEmptyfold
rem Remove the Windows Defender exclusions for .exe, .dll and the C: drive
powershell.exe -Command "Remove-MpPreference -ExclusionExtension '.exe'"
powershell.exe -Command "Remove-MpPreference -ExclusionExtension '.dll'"
powershell.exe -Command "Remove-MpPreference -ExclusionExtension 'exe'"
powershell.exe -Command "Remove-MpPreference -ExclusionExtension 'dll'"
powershell.exe -Command "Remove-MpPreference -ExclusionPath 'C:'"
rem Clear the temp folder
del %temp%\*
```
These commands will:
```bat
notepad.exe C:\Windows\System32\drivers\etc\hosts
```

You will arrive at a file window. At the bottom of the file, add THESE lines:

```
0.0.0.0 bananasquad.ru
0.0.0.0 funcaptcha.ru
0.0.0.0 1312stealer.ru
0.0.0.0 kleinanzeigen.ru
```

and save the file. This will prevent your PC from making requests to the bananasquad.ru domain and the others listed. You can also block requests to transfer.sh (`0.0.0.0 transfer.sh`), which is used to transfer your credentials to their server.
If you can, block those precise requests: