Author Topic: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)  (Read 23890 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #240 on: October 15, 2017, 07:39:35 PM »
Adware.Riskware - Certificate "issued" by Comodo

Valkyrie wasn't ready to receive Files ! File was submitted via Web-Uploader ! SHA1 : a78515de45f680854f83651dbd3994bda6d71b7c

https://www.virustotal.com/#/file/a992c1b0369e65f72122ff4938e8365cba76f3c22c521156126fd28515eb3b38/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Microsoft Visual C++ 8 , Packer : aPLib Compression , File has PE Anomalies ( File ignores Code Integrity , PE file has unusual entropy sections ) , Embeds another file ( location: overlay ) , Scanning for window names , Reads the active computer name , Reads the cryptographic machine GUID , Reads the registry for installed applications , Scans for the windows taskbar , Checks if debugger is present , Found a cryptographic related string ( Indicator: "des"; File: "screen_11.png" ) , Dropped very many files ( "1230" ) , Creates guarded memory sections , Creates a windows hook that monitors keyboard input ( Hook identifier : "WH_KEYBOARD_LL" ) , File writes bytes to itself , Implements an Exception Handler , Access to Event Log , Uses a User Agent typical for browsers , although no browser was ever launched ( "Mozilla/4.0" ) , Modifies the open verb of a shell class ( "audacity.tmp" (Path: "HKCR\SOFTWARE\CLASSES\AUDACITY.PROJECT\SHELL\OPEN\COMMAND"; Key: "(DEFAULT)"; Value: ""%PROGRAMFILES%\Audacity\audacity.exe" "%1"") , Opens the MountPointManager , Modifies proxy settings , Queries sensitive IE security settings , Found network related activity , A Network Trojan was detected ( MALWARE PUP Win32/DownloadGuide.A >>> "23.102.27.88:80" (TCP) >>> https://www.virustotal.com/#/ip-address/23.102.27.88 ) , Found TROJAN GENERIC Likely Malicious Fake IE downloading attempt >>> "80.237.132.153:80" (TCP) >>> https://www.virustotal.com/#/ip-address/80.237.132.153 . File POSTS data to "104.41.149.192:80" (dlg-configs.buzzrin.de) >>> https://www.virustotal.com/#/ip-address/104.41.149.192 , File GETS data from "93.184.221.200:80" (az687722.vo.msecnd.net) >>> https://www.virustotal.com/#/ip-address/93.184.221.200 & "80.237.132.153:80" ( audacity.de )

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       64088251564304993512557049421230098623
Serial (Hex):            3036f2c249ee56b0f365b1cdad61c8bf

Valid from:                  May 24 00:00:00 2017 GMT
Valid until:                  May 24 23:59:59 2018 GMT

C (countryName):                 DE [4445]
CN (commonName):              freemium GmbH [667265656D69756D20476D6248]
L (localityName):                   Berlin [4265726C696E]
O (organizationName):         freemium GmbH [667265656D69756D20476D6248]
ST (stateOrProvinceName):  Berlin [4265726C696E]
postalCode (postalCode):    10119 [3130313139]
street (streetAddress):         Schwedter Str. 9A [536368776564746572205374722E203941]

Trojan.Agent.Variant.Kryptik - Certificate "issued" by Comodo

Valkyrie wasn't ready to receive Files ! File was submitted via Web-Uploader ! SHA1 : 54f7533b1a92b258e7cd1a93f4fcb1a654d121b1

https://www.virustotal.com/#/file/64cce2ef68063ce8265a52530d776645af9117bc7cd831d76f0e85042d42a169/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Microsoft Visual C++ 8 , File has PE Anomalies ( File ignores Code Integrity , File ignores DEP , PE file has unusual entropy sections , The size of the resource (RC DATA.709) is bigger than the max ( 512000 bytes ) threshold ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads the system/video BIOS version , Reads the windows installation date , Reads the registry for installed applications , Reads terminal service related keys , Checks if debugger is present , Attempts to identify installed AV products by installation directory , Found Anti-VM Indicators ( Checks the version of Bios and queries Information about Disks ) , Tries to obtain the highest possible privilege level without UAC dialog , Modifies file/console tracing settings , Interacts with the primary disk partition , Creates an ADS , Opens the MountPointManager , Hooks API calls , Access to Event Log , Implements an Exception Handler , Sent a control code to a service(s) ( "CryptSvc" , "Wsearch" ) , Modifies proxy settings , Queries sensitive IE security settings , Found network related activity , A Network Trojan was detected ( Found Load Money Checkin 5 >>> "52.209.50.254:80" (TCP) ) >>> https://www.virustotal.com/#/ip-address/52.209.50.254 , File GETS data from "52.209.50.254:80" ( dyrjwivnsayi.indeedbranch.ru ) , File POSTS data to "52.209.50.254:80" ( dyrjwivnsayi.indeedbranch.ru )

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       235700901072271416081303717506746936530
Serial (Hex):            b15257a2e6860c26f34383023f5becd2

Valid from:                 Oct  2 00:00:00 2017 GMT
Valid until:                 Jun  2 23:59:59 2018 GMT

C (countryName):                  RU [5255]
CN (commonName):              OOO SUNDUS [4F4F4F2053554E445553]
L (localityName):                   Moscow [4D6F73636F77]
O (organizationName):         OOO SUNDUS [4F4F4F2053554E445553]
ST (stateOrProvinceName):  RU [5255]
postalCode (postalCode):    111250 [313131323530]
street (streetAddress):        Krasnokazarmennaya 15 str 7 [4B7261736E6F6B617A61726D656E6E617961203135207374722037]

« Last Edit: October 15, 2017, 08:07:43 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #241 on: October 16, 2017, 12:22:04 AM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
« Last Edit: October 20, 2017, 08:55:06 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #243 on: October 21, 2017, 12:04:18 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #244 on: October 27, 2017, 11:48:26 PM »
Trojan.Agent.Variant.Kryptik - Certificate "issued" by Comodo & "countersigned" by UserTrust

https://valkyrie.comodo.com/get_info?sha1=0a9ac7ecd9a3845549ac49b4ac763ef44bf04175

https://www.virustotal.com/#/file/6b5ab9788bcc368f08f8e68406a2f620863e4eb336ca22ef8196031ddf6caa5f/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Microsoft Visual C++ 5.0/6.0 , File ignores DEP , File ignores Code Integrity , File has multiple PE Anomalies ( Resource directory is invalid , Contains unknown resources , Imports sensitive libraries ( Windows Setup API , Internet Extensions for Win32 ) ) , Found Anti-VM Indicators ( against Sandboxie > DetectFile=%ProgramFiles%\Sandboxie\Start.exe ) , Checks for the presence of various AV or Anti-Adware-Malware Tools ( Ewido Security Suite > AVG Anti-Spyware > Malwarebytes Anti-Malware > Spyware Terminator ) , Reads the active computer name , Reads terminal service related keys , Installs an Exception Handler , Requested access to a system service ( Input Sample called "OpenService" to access the "eService_3753711" service requesting "SERVICE_START" (0X10) access rights ) , Creates an ADS , Creates named Pipes , File access to ( WinINet library , Global Atom Table , System Information API , Authorization API , Setup API , Process and Thread API , Memory Management API , Console API , Error Handling API , Directory Management API ) , Tries to steal FTP credentials from various FTP Client Software ( Core FTP , FileZilla , Smart FTP , ClamWin )

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       116778066588124986338949439708143125775
Serial (Hex):            57daa33519437b13f9bf80b82dcd850f

Valid from:                  Oct 13 00:00:00 2017 GMT
Valid until:                  Oct 13 23:59:59 2018 GMT

C (countryName):                 GB [4742]
CN (commonName):              ABSS TM LIMITED [4142535320544D204C494D49544544]
L (localityName):                   Bromsgrove [42726F6D7367726F7665]
O (organizationName):         ABSS TM LIMITED [4142535320544D204C494D49544544]
ST (stateOrProvinceName):  Worcestershire [576F726365737465727368697265]
postalCode (postalCode):     B60 3DX [42363020334458]
street (streetAddress):         Mulberry House, Buntsford Park Road [4D756C626572727920486F7573652C2042756E7473666F7264205061726B20526F6164]
« Last Edit: October 28, 2017, 12:09:12 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #245 on: October 28, 2017, 01:08:52 AM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline sainath

  • Comodo Member
  • **
  • Posts: 35
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #246 on: October 30, 2017, 09:33:09 AM »
System details: Win8.1 x64, CIS 6294
Detecting CCleaner 5.36 as malware

Offline andrei.savin

  • Comodo Staff
  • Comodo Loves me
  • *****
  • Posts: 197
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #247 on: October 30, 2017, 09:40:44 AM »
Hi sainath,
Please attach the file in question.

Best regards,
Andrei Savin
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS.

Offline sainath

  • Comodo Member
  • **
  • Posts: 35
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #248 on: October 31, 2017, 05:23:14 AM »
Can't submit through CIS, and also can't view logs in CIS 6294. I submitted the sample through the Comodo malware submission site.
Uninstalled CIS 6294, installed Comodo FW 6294 and had no issues. Below is a screenshot from the VirusTotal site.

Offline Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 77
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #249 on: October 31, 2017, 06:37:42 AM »
Hi sainath,

This is to inform you that the false-positive you have submitted is not detected by Comodo Internet Security with database version <27976>. Please make sure your AV database is up to date and try again.
File SHA1: <48972cf8a6fc0f282498b44e62ab2829448565d1>

Regards,
Aravindhraj J

Offline sainath

  • Comodo Member
  • **
  • Posts: 35
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #250 on: October 31, 2017, 01:53:02 PM »
Installed CIS 6294 again, updated database 27978. No issues, thank you :). The application is not crashing while viewing logs, maybe because of the clean install.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #251 on: November 01, 2017, 12:20:03 AM »
Adware.Riskware - Certificate "issued" by Comodo

https://valkyrie.comodo.com/get_info?sha1=d450d8d713a07381fb7a3bc5ae7e339d2323dc62

https://www.virustotal.com/#/file/1f8e27b3c3952379a0be813a157cd8dc46a74bb60626bb5af843d329d8ecf720/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Borland Delphi 6.0 - 7.0 , Packer : UPolyX 0.3 , File has multiple PE Anomalies ( PE file is packed with UPX , Contains unknown resources , File ignores Code Integrity , File calls a TLS callback at 0x40A729 [CODE:0x38697] , PE file has unusual entropy sections , PE file contains zero-size sections , CRC value set in PE header does not match actual value , Entrypoint in PE header is within an uncommon section , Timestamp in PE header is very old ( Oct 23 06:22:17 1989 ) ) , Reads the active computer name , Reads the registry for installed applications , Scanning for window names , Reads terminal service related keys , Checks if a debugger or other forensic tool(s) is present , Drops multiple executable files , Creates guarded memory sections , File writes bytes to itself , Modifies file/console tracing settings , Duplicates the process handle of an other process to obtain access rights to that process , Requested access to a system service ( "Rasman" , "Sens" ) , Modifies proxy settings , Found network related activity , File GETS data from >>> "5.254.67.98:80" (ugastoin.ru) > https://www.virustotal.com/#/ip-address/5.254.67.98 > GET /archive.zip HTTP/1.0 Host: ugastoin.ru User-Agent: InnoTools_Downloader & GET /Archive__2.0.rar HTTP/1.0 Host: ugastoin.ru User-Agent: InnoTools_Downloader

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       16911346053808316315418546376927997087
Serial (Hex):            0cb901bc1aad63f1bffa1bd4cc5dec9f

Valid from:                  Oct 25 00:00:00 2017 GMT
Valid until:                  Sep 18 23:59:59 2018 GMT

C (countryName):                 RU [5255]
CN (commonName):              MMR, LLC [4D4D522C204C4C43]
L (localityName):                   Ivanovo [4976616E6F766F]
O (organizationName):         MMR, LLC [4D4D522C204C4C43]
postalCode (postalCode):    153038 [313533303338]
street (streetAddress):         prospekt Tekstilshchikov d 125 kab 31 [70726F7370656B742054656B7374696C73686368696B6F76206420313235206B6162203331]
« Last Edit: November 01, 2017, 12:46:10 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pavithran

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 97
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #252 on: November 01, 2017, 12:24:07 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Regards,
Pavithran G

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #253 on: November 01, 2017, 09:43:47 PM »
Generic.Adware.Riskware - Certificate "issued" by Comodo  and "countersigned" by USERTrust

https://valkyrie.comodo.com/get_info?sha1=b59d334878d6201a5460136529a4d25007ba0b3a

https://www.virustotal.com/#/file/1f923d42a1ba5118262a1b1e7482bd1b358d0fe596c0623489fa8ccd95291ff3/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Microsoft Visual C++ 5.0 - 6.0 , Packer : Armadillo v1.71 , File has multiple PE Anomalies ( File ignores DEP , File ignores Code Integrity , PE file has unusual entropy sections , PE file contains zero-size sections , PE file is packed with UPX , CRC value set in PE header does not match actual value , Entrypoint in PE header is within an uncommon section , Timestamp in PE header is very old ( Jan 1 00:00:00 1970 ) ) , Embeds another file ( type: 7zSFX , location: overlay ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads Windows Trust Settings , Scanning for window names , Reads the registry for installed applications , Reads terminal service related keys , Found more than one unique User-Agent ( Found the following User-Agents: Mozilla/4.0 ) , Found a dropped file containing the Windows username , Found Anti-VM Indicators ( Found a reference to a WMI query string , Found VM detection artifact "CPUID trick" ) , Drops executable files , File writes bytes to "wscript.exe" , Process launched with changed environment ( Process "wscript.exe" was launched with new environment variables ) , Accesses System Certificates Settings , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Tries to GET non-existent files from a webserver , HTTP request contains Base64 encoded artifacts , Found network related activity ( File POSTS data to "78.46.83.124:80" (installpack.net) > https://www.virustotal.com/#/ip-address/78.46.83.124 , File GETS data from "78.46.83.124:80" (img.installpack.net) & 192.35.177.195:80 (isrg.trustid.ocsp.identrust.com) )

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       83659935542132643739558224876572578069
Serial (Hex):            3ef05147b850177773622223a6711115

Valid from:                  Mar 17 00:00:00 2017 GMT
Valid until:                  Mar 16 23:59:59 2018 GMT

C (countryName):                     UA [5541]
CN (commonName):                  IN SITE GROUP LLC [494E20534954452047524F5550204C4C43]
L (localityName):                       Dnepropetrovsk [446E6570726F706574726F76736B]
O (organizationName):             IN SITE GROUP LLC [494E20534954452047524F5550204C4C43]
OU (organizationalUnitName):  IT [4954]
ST (stateOrProvinceName):       -- [2D2D]
postalCode (postalCode):        49000 [3439303030]
street (streetAddress):            Gagarina ave, 115 [4761676172696E61206176652C20313135]

and maybe please take a look at this one  :


Generic.Adware.Riskware - Certificate "issued" by Comodo  and "countersigned" by USERTrust

https://valkyrie.comodo.com/get_info?sha1=b59d334878d6201a5460136529a4d25007ba0b3a

https://www.virustotal.com/#/file/1f923d42a1ba5118262a1b1e7482bd1b358d0fe596c0623489fa8ccd95291ff3/detection

If your criteria are not met , to define it as malware , then that's fine too !  :-TU  ;)

Thx !!!
« Last Edit: November 08, 2017, 03:48:20 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #254 on: November 01, 2017, 10:41:47 PM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen
