{
	"id": "1edd4f3d-601f-47f3-9442-e4340b2b1d0d",
	"created_at": "2026-04-06T00:15:51.293714Z",
	"updated_at": "2026-04-10T03:21:17.484046Z",
	"deleted_at": null,
	"sha1_hash": "b6839109c0e322d557e8b7f15d14150dbede9d72",
	"title": "Inside Braviax/FakeRean: An analysis and history of a FakeAV family",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76429,
	"plain_text": "Inside Braviax/FakeRean: An analysis and history of a FakeAV family\r\nPublished: 2015-11-30 · Archived: 2026-04-05 22:06:51 UTC\r\nSince September 2014 I’ve been seeing a FakeAV family pop up from time to time. This family is known under two\r\nnames, Braviax and FakeRean. The family has been active for quite some years; it was first spotted by [S!Ri](https://twitter.com/siri_urz “S!Ri Twitter”) back in April 2009. In this blogpost I will perform an analysis on the\r\ncurrent version of this family making its rounds online and a history of it starting back in 2009. A big thank you goes\r\nout to [S!Ri](https://twitter.com/siri_urz) for sharing some historical data on this group.\r\nThe reason why I’m releasing this article now on a group active back in January of this year is that, if you follow the\r\ntimeline I show below, they should have reappeared around this time of year (although I haven’t seen them yet).\r\nThe Braviax/Fakerean family has quite some similarities with the Tritax (dubbed Namechanger FakeAV) family I\r\nanalyzed and hunted down back in February 2014 (Post: [Analysis of the Tritax FakeAV family, their active campaign\r\nand the FakeAV social engineering kit](http://blog.0x3a.com/post/75474731248/analysis-of-the-tritax-fakeav-family-their-active)).\r\nBraviax/Fakerean is also one constantly changing its name, as you can see from a combination of screenshots made\r\nfrom samples starting in September 2014 until the start of January 2015:\r\n![image](https://40.media.tumblr.com/bca28376345d856691adf3322a30394c/tumblr_nlm2bkOQtZ1qflx2go5_r1_540.png)\r\nAs said, back in September 2014 this new variant became active. After seeing it pass by multiple times I decided to\r\nlook into it a bit. 
At some point I started noticing the name changes due to the fact that the website, website banner and\r\nthe actual ‘antivirus’ names didn’t match up at all. I tweeted about this on the 27th of September:\r\n#FakeAV website calls it ‘Rango Antivirus’, banner ‘Win XP Security’, sample run ‘A-Secure’\r\n(https://t.co/EgYDdzDqFd) pic.twitter.com/i1amKQLsIy\r\n— Yonathan Klijnsma (@ydklijnsma)\r\nNovember 27, 2014\r\nFrom this point on I started looking into this FakeAV threat some more, as it started to hit quite often. Quite quickly I\r\ncould pin this down as part of the Fakerean/Braviax family and started to analyze it.\r\n## Analysis: Spreading mechanism\r\nWe’ll start the analysis of this family with the method by which it was spread: simply by mail. Around the 18th of\r\nDecember 2014 fake FedEx emails began to appear, one of these carrying methods of infecting victims with this\r\nFakeAV. The email looked like this:\r\n![image](https://40.media.tumblr.com/83777a2a260029f791336b77ed05447f/tumblr_nlm9l2sz5h1qflx2go4_r1_1280.png)\r\nIn the email’s attachment we find a JS file:\r\nhttps://0x3asecurity.wordpress.com/2015/11/30/134260124544/\r\nPage 1 of 7\n\n![image](https://41.media.tumblr.com/a29311709ac1ee9ab3148c19d90e1186/tumblr_nlm9l2sz5h1qflx2go5_r1_1280.png)\r\nInside of this script we find a large piece of obfuscated script:\r\n![image](https://40.media.tumblr.com/681e7d4b1d06109e42d8329afd3e149d/tumblr_nlm9l2sz5h1qflx2go6_r1_1280.png)\r\nIf we clean it up we can see it’s just a simple downloader which tries to infect the user with 3 pieces of malware\r\n(shotgun approach much..):\r\n![image](https://41.media.tumblr.com/2f198864b3493728355ab3919fe6a06a/tumblr_nlm9l2sz5h1qflx2go7_r1_1280.png)\r\nFrom the three payloads only one is the interesting one for this article; it’s the Braviax/FakeRean sample. 
Should you\r\nwant to perform a more detailed analysis (rather than the very short one below), the sample coming from this email and\r\nused further is: [1d01611a1f88c7015c54efedacfcbc8fec55ad6de9a438087abff3be78c19901](https://www.virustotal.com/en/file/1d01611a1f88c7015c54efedacfcbc8fec55ad6de9a438087abff3be78c19901/analysis/)\r\n## Quick analysis: a Braviax/FakeRean sample\r\nBecause this article is more about the history of this family rather than the specifics of the FakeAV, this part will be a\r\nvery(!) short analysis of the sample.\r\nWhen run, the FakeAV shows the usual pop-up with information on your system being infected:\r\n![image](https://36.media.tumblr.com/628a1e91dbebef773867c074d0c7c9b4/tumblr_nlm9l2sz5h1qflx2go8_r2_1280.jpg)\r\nAdditionally, when you close the window (or try to close the FakeAV program in any way) a fake Windows security\r\ncenter window will pop up:\r\n![image](https://36.media.tumblr.com/7fc154b56dbc552afa70b143064d9097/tumblr_nlm9l2sz5h1qflx2go9_r1_1280.jpg)\r\nIn the process of scaring the user the FakeAV copies itself to a new location and installs a registry startup key, the\r\nnormal persistence method seen. The FakeAV also monitors processes that are running and kills the ones it doesn’t like,\r\nwhich includes system utilities like taskmgr but also tools like Wireshark and the like. All of this to convince the user into\r\nbuying the ‘product’ to clean up the ‘infection’ that stops them from starting these processes.\r\nThe FakeAV also performs some C2 communication which includes information on the payment C2 service:\r\n![image](https://41.media.tumblr.com/246f33ced9f8215f3b3857e4302028e7/tumblr_nlm9l2sz5h1qflx2go10_r1_1280.png)\r\nThe client performs a request to the C2 server located at gelun-posak[.]com, where the path is an encoded and base64’d\r\nunique system ID. 
The response contains a small config; the partially readable text string ‘eo-moquales[.]Nom’ is in\r\nfact the payment wall which (after decoding) is golen-mortales[.]com.\r\nOverall this FakeAV is just like any other I’ve written on in the past. The payment service runs on a separate C2 server\r\nwhile the main C2 server is just for infection registration / statistics. Enough on the malware, let’s move on to have a\r\nlook at this family’s history.\r\n## The Family\r\nThe Braviax/Fakerean FakeAV family has been around for quite some time; [@S!Ri](https://twitter.com/siri_urz) first\r\nspotted them 6 years ago.\r\nBack around April 2009 samples started to appear for a FakeAV naming itself “Home Antivirus 2009”, and it was the\r\nfirst of more to come:\r\n![image](https://41.media.tumblr.com/775bb9ebf3302ed8302f9c2c58c3d2d8/tumblr_nlm29udmth1qflx2go6_r2_540.png)\r\nAround the start of July it was followed by a 2nd version called “PC Security 2009”:\r\n![image](https://40.media.tumblr.com/bba567b5e3a3b0f59160f30908cf41d4/tumblr_nlm2bkOQtZ1qflx2go7_r1_540.png)\r\nA 3rd version appeared at the end of July already, this time called “Home Antivirus 2010” (even though it was still\r\n2009… they were ahead of time it seems):\r\n![image](https://40.media.tumblr.com/ac521b48dd614859c8893b1653685bab/tumblr_nlm29udmth1qflx2go7_r2_540.png)\r\nNear the end of August the 4th installment of the family appeared, this time called “PC Antispyware 2010”. 
This\r\none actually loaded an AV database, stolen from ClamAV (in fact an old one from 2007):\r\n![image](https://40.media.tumblr.com/36579be2d29cb960d6eec7ca7ca02ac9/tumblr_nlm2bkOQtZ1qflx2go6_r1_540.png)\r\nThen in September the 5th version appeared, “Antivirus Pro 2010”:\r\n![image](https://41.media.tumblr.com/0a7132ca437d2c5ca2b920dc304be799/tumblr_nlm29udmth1qflx2go2_r2_540.png)\r\nIn 2009 5 versions of the Braviax/Fakerean family hit; from September until the end of January 2010 it was quiet,\r\nnothing new appeared. At the end of January a completely changed version appeared; this one changed its appearance\r\ndepending on whether it ran on Windows XP, Vista or 7. Even under these platforms it had multiple names.\r\nUnder Windows XP it called itself one of the following names:\r\nAntivirus XP 2010\r\n![image](https://40.media.tumblr.com/983284bcde5b875ee1f6a4c62157fcb6/tumblr_nlm29udmth1qflx2go3_r2_540.png)\r\nXP Guardian\r\n![image](https://41.media.tumblr.com/9276ab359f5ca9eff16226ffb4b21989/tumblr_nlm9jpDqdC1qflx2go4_540.png)\r\nXP Internet Security\r\n![image](https://41.media.tumblr.com/ef2125059523522a6f250817874b9289/tumblr_nlm9jpDqdC1qflx2go9_540.png)\r\nUnder Windows Vista it called itself one of the following names:\r\nVista Antivirus Pro 2010\r\n![image](https://36.media.tumblr.com/53ca86e9e1c6aab06dc107bb33b2bc04/tumblr_nlm2bkOQtZ1qflx2go8_r1_540.png)\r\nVista Internet Security 2010\r\n![image](https://36.media.tumblr.com/6c7771d5489358eb8d7cfd18b86a3405/tumblr_nlm2bkOQtZ1qflx2go9_r1_540.png)\r\nFinally, under Windows 7 it called itself one of the following names:\r\nWin 7 Antispyware 2010\r\n![image](https://40.media.tumblr.com/dd37d7d81d320526c5ec7986150a08eb/tumblr_nlm2bkOQtZ1qflx2go10_r1_540.png)\r\nWin 7 Internet Security 2010\r\n![image](https://41.media.tumblr.com/168028a0bbb1bf7de5febadf103054ad/tumblr_nlm9jpDqdC1qflx2go1_540.png)\r\nAn 
interesting move to have some name mangling dependent on the platform. After they pushed these it stayed quiet\r\nuntil November. In November they released a new version with similar names, only the year was bumped from 2010 to\r\n2011. The Windows XP variants for example:\r\nXP Security 2011\r\n![image](https://41.media.tumblr.com/39e8aa0325d377a24fbd96933b32efee/tumblr_nlm9l2sz5h1qflx2go1_540.png)\r\nXP Antispyware 2011\r\n![image](https://40.media.tumblr.com/71e6e4a7571d9474e956709e573a341b/tumblr_nlm9jpDqdC1qflx2go6_540.png)\r\nIn February 2011 a new version appeared with slightly updated names and GUI layout:\r\nXP Anti-Virus 2011\r\n![image](https://36.media.tumblr.com/ea60a11c422d1f2233789ff79339c48a/tumblr_nlm9jpDqdC1qflx2go7_540.png)\r\nXP Home Security 2011\r\n![image](https://40.media.tumblr.com/ab67d2347efbee4e2681aff2252b7f5b/tumblr_nlm9jpDqdC1qflx2go8_540.png)\r\nXP Anti-Spyware\r\n![image](https://36.media.tumblr.com/77c2d08a661d9eade02489f8481a0b56/tumblr_nlm9jpDqdC1qflx2go5_540.png)\r\nAt the end of June 2011 another updated version was released. Again some updated OS-based name mangling changes\r\nand an updated GUI:\r\nXP Internet Security 2012\r\n![image](https://41.media.tumblr.com/f6ccfca28167ff0be1c69b8a0c0fad7f/tumblr_nlm9jpDqdC1qflx2go10_540.png)\r\nWin7 Internet Security 2012\r\n![image](https://40.media.tumblr.com/69d2cdb2fb8045d640e8af24907c9f22/tumblr_nlm9jpDqdC1qflx2go3_540.png)\r\nAnother slightly updated version appeared at the end of November 2011, still based on the OS-based name mangling:\r\n![image](https://40.media.tumblr.com/ccefe37c48d122181c49ae3d55ae3c87/tumblr_nlm9l2sz5h1qflx2go2_1280.png)\r\nIn January 2012 a new updated version, GUI mostly, got pushed:\r\n![image](https://40.media.tumblr.com/4ff19de42c53029791b1880d26e68b9e/tumblr_nlm29udmth1qflx2go5_r2_1280.png)\r\nAt the start of October 2012 another slightly updated version appeared. 
Mostly GUI changes and again still based on\r\nthe OS version name mangling:\r\n![image](https://41.media.tumblr.com/3e2317efabcdcb6337bf24b8a852c27e/tumblr_nlm29udmth1qflx2go4_r2_1280.png)\r\nThen almost a year later, at the start of September 2014, the version from my analysis appeared. An entirely updated\r\nGUI and new names showed a big change. It appeared under the following names (with OS version names displayed,\r\nalthough not all use it):\r\n* Sirius (Win 7|Win 8|Vista) Protection 2014\r\n* Zorton (Win 7|Win 8|Vista) Protection 2014\r\n* Rango (Win 7|Win 8|Vista) Protection 2014\r\n* A-Secure 2015\r\n* AVbytes (Win 7|Win 8|Vista) Antivirus 2015\r\n* AVC Plus\r\nGUI-wise it looks like this (name stripped as it’s templated into the GUI at runtime):\r\n![image](https://40.media.tumblr.com/607c1b287180d19cb4af11305f968453/tumblr_nlm9l2sz5h1qflx2go3_r1_1280.png)\r\nHowever, at the end of September 2011 a sort of offspring appeared as well, named Advanced PC Shield 2012; another\r\none appeared in August 2012 called Win 8 Security System:\r\n![image](https://40.media.tumblr.com/c82429e29a4ac13a317c7de16d66a01b/tumblr_nlm29udmth1qflx2go1_r2_540.png)\r\n![image](https://40.media.tumblr.com/4e86a2d0b47ef0891329a41fd93a5e57/tumblr_nlm9jpDqdC1qflx2go2_1280.png)\r\nEven though this version is also ranked in the Braviax/Fakerean family, it looks somewhat different in setup.\r\n## Conclusion\r\nThe Braviax/Fakerean family has been around for a long time, appearing as early as April 2009, and seems to be a\r\nsuccess as new reincarnations appear every year.\r\nWhile they aren’t as big a threat as banking malware or ransomware, it does pay well for these criminals. Because of\r\ntheir ‘low’ volume and simply being scareware, not a lot of attention is given to them. 
I’ll be keeping an eye on them for\r\nfuture campaigns for sure though :)\r\n## IOCs \u0026 Samples\r\nThe following is a list of samples for the last version spreading from September 2014 to December 2014. No new ones\r\nhave appeared as of writing this blog article.\r\n* [42f25bda3f8de7c99b1ebbab83f742e8f98528cb466511c3426ca59ba6a0d06c](https://www.virustotal.com/en/file/42f25bda3f8de7c99b1ebbab83f742e8f98528cb466511c3426ca59ba6a0d06c/analysis/)\r\n* [f25bf1897ac640c8f9e4cf87897e94f717acffa825fedf772861c8ac68bcc913](https://www.virustotal.com/en/file/f25bf1897ac640c8f9e4cf87897e94f717acffa825fedf772861c8ac68bcc913/analysis/)\r\n* [3b93570e402935d2b898c4f07851ea5f597a136d8b88a9e1ab2eb67bcd143f11](https://www.virustotal.com/en/file/3b93570e402935d2b898c4f07851ea5f597a136d8b88a9e1ab2eb67bcd143f11/analysis/)\r\n* [55806f8d10acda611dd291fd7ef9205cc5e3845cbfbb44de298387724d979f9c](https://www.virustotal.com/en/file/55806f8d10acda611dd291fd7ef9205cc5e3845cbfbb44de298387724d979f9c/analysis/)\r\n* [1d01611a1f88c7015c54efedacfcbc8fec55ad6de9a438087abff3be78c19901](https://www.virustotal.com/en/file/1d01611a1f88c7015c54efedacfcbc8fec55ad6de9a438087abff3be78c19901/analysis/)\r\n* [376f1d7b49b8906ca06feef2291e25a5a205d1cd2e3c37effba4311634ef0b53](https://www.virustotal.com/en/file/376f1d7b49b8906ca06feef2291e25a5a205d1cd2e3c37effba4311634ef0b53/analysis/)\r\n* [49c609b289ab86dbb001cacec5ff638380f5a4c78dd7e8ffcd7187123349b5e6](https://www.virustotal.com/en/file/49c609b289ab86dbb001cacec5ff638380f5a4c78dd7e8ffcd7187123349b5e6/analysis/)\r\n* [f2d67162f4a4af113977a33846b34d47b63160616e0520c7cc3f76eb52755448](https://www.virustotal.com/en/file/f2d67162f4a4af113977a33846b34d47b63160616e0520c7cc3f76eb52755448/analysis/)\r\n* 
[66eb191716d08898f8cc6f2663ef594279a95ed2542c4086618199c040de67f2](https://www.virustotal.com/en/file/66eb191716d08898f8cc6f2663ef594279a95ed2542c4086618199c040de67f2/analysis/)\r\n* [810b40d5b9cff4690eca167edd8765c8875172c2601656f8cd89cf8e66a72cc7](https://www.virustotal.com/en/file/810b40d5b9cff4690eca167edd8765c8875172c2601656f8cd89cf8e66a72cc7/analysis/)\r\n* [a7175de9d14b29df0beb653982512e9cc0241ecf53ae91135dbae852724a284a](https://www.virustotal.com/en/file/a7175de9d14b29df0beb653982512e9cc0241ecf53ae91135dbae852724a284a/analysis/)\r\n* [2c277f6d5f060192a73e2b918d7c210a876cb11d064fdab1f483947df4d1156f](https://www.virustotal.com/en/file/2c277f6d5f060192a73e2b918d7c210a876cb11d064fdab1f483947df4d1156f/analysis/)\r\n* [5b7d7c79786b0461dfd0f6ac144ab03374ee5608062d547f21e3b4c2eb13f50f](https://www.virustotal.com/en/file/5b7d7c79786b0461dfd0f6ac144ab03374ee5608062d547f21e3b4c2eb13f50f/analysis/)\r\n* [01a4e7e0297923a40d85b931c4715ddd0fc9b3881de12c4affcaa7595a95407f](https://www.virustotal.com/en/file/01a4e7e0297923a40d85b931c4715ddd0fc9b3881de12c4affcaa7595a95407f/analysis/)\r\n* [1cfc14b9532e12a7cc02874d655796dbed6eff5c774b37670ec16b185efe72af](https://www.virustotal.com/en/file/1cfc14b9532e12a7cc02874d655796dbed6eff5c774b37670ec16b185efe72af/analysis/)\r\nThe following domains and IP addresses were seen for those samples:\r\n| IP Address | Domain |\r\n| --- | --- |\r\n| 146.185.239.110 | evcash.net |\r\n| 146.185.239.110 | softrango.com |\r\n| 146.185.239.111 | ltsectur2.com |\r\n| 146.185.239.111 | ltsectur9.com |\r\n| 146.185.239.111 | fscurat20.com |\r\n| 146.185.239.111 | fscurat21.com |\r\n| 146.185.239.112 | fastprodst5.com |\r\n| 146.185.239.112 | fflord25.com |\r\n| 146.185.239.112 | fflord30.com |\r\n| 146.185.239.112 | giron32.com |\r\n| 146.185.239.112 | glorius11.com |\r\n| 146.185.239.112 | golus27.com |\r\n| 146.185.239.112 | gshsol4.com |\r\n| 
146.185.239.112 | holipolks12.com |\r\n| 146.185.239.112 | scara123.com |\r\n| 146.185.239.112 | scara124.com |\r\n| 146.185.239.112 | smart-filins.com |\r\n| 146.185.239.112 | srut12.com |\r\n| 146.185.239.112 | srut19.com |\r\n| 146.185.239.113 | gskskkksa4.com |\r\n| 146.185.239.113 | jarr62737.com |\r\n| 146.185.239.114 | gislat2for8.com |\r\n| 146.185.239.114 | gislat4se2.com |\r\n| 146.185.239.114 | gladi-toriusa.com |\r\n| 146.185.239.114 | holisak-tasek.com |\r\n| 146.185.239.114 | hysotasl.com |\r\n| 146.185.239.114 | kaaalosa-set.com |\r\n| 146.185.239.114 | shatiko-mero.com |\r\n| 146.185.239.114 | svars-sta.com |\r\n| 146.185.239.114 | tauruk-felon.com |\r\n| 146.185.239.114 | trader562.com |\r\n| 146.185.239.114 | veret-sapan.com |\r\n| 146.185.239.114 | vertus-adusa.com |\r\n| 146.185.239.114 | vesm-arast.com |\r\n| 146.185.239.114 | zemo-numeros.com |\r\n| 146.185.239.114 | zumo-afetuk.com |\r\n| 146.185.239.114 | zumo-alibabs.com |\r\n| 146.185.239.114 | zumo-archib.com |\r\n| 146.185.239.114 | tauruk-felon.com |\r\n| 146.185.239.248 | gelun-posak.com |\r\n| 146.185.239.248 | fulo-centums.com |\r\n| 62.122.74.111 | golen-mortales.com |\r\nSource: https://0x3asecurity.wordpress.com/2015/11/30/134260124544/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0x3asecurity.wordpress.com/2015/11/30/134260124544/"
	],
	"report_names": [
		"134260124544"
	],
	"threat_actors": [],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6839109c0e322d557e8b7f15d14150dbede9d72.pdf",
		"text": "https://archive.orkl.eu/b6839109c0e322d557e8b7f15d14150dbede9d72.txt",
		"img": "https://archive.orkl.eu/b6839109c0e322d557e8b7f15d14150dbede9d72.jpg"
	}
}