Author Topic: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)  (Read 25054 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 598
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #255 on: November 08, 2017, 03:37:54 AM »
PUA.Variant.InstallCore - Certificate "issued" by Comodo 

It seems that Valkyrie has received the file, but the analysis won't start! The file was also sent via the Comodo web interface.

SHA-1 : 40ec1df09fba7debc3acc84b9cbcb496656f85a9

https://www.virustotal.com/#/file/a5fc9f8c75195f81fbbbc2d6015e592f40e35525b5612aa68847b0537725b9b8/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Borland Delphi , Packer : Inno Setup , File has multiple PE Anomalies ( File ignores DEP , File ignores Code Integrity , Contains 3 shared sections , Contains unknown resources , PE file has unusual entropy sections , Checksum mismatches the PE header value , PE file contains zero-size sections ) , File embeds another File ( location : Overlay , type : Inno Setup ) , Reads the registry for installed applications , Reads the active computer name , Queries the Disk Size , Allocates read-write-execute memory , File creates guarded memory sections , Tries to sleep "180" seconds , Drops executable files , File wrote bytes to itself , Creates a shortcut to an executable file , File access to >>> Authorization API > System Information API > Process and Thread API > Structured Exception Handling API > Console API .....

Certificate Details :


Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       26728555436595685309739969089466270525
Serial (Hex):            141bbb86fdccc6ebe2f0f236333c033d

Valid from:                  Jun 19 00:00:00 2017 GMT
Valid until:                  Jun 19 23:59:59 2018 GMT

C (countryName):                  IL [494C]
CN (commonName):              Source Beam (Alpha Criteria Ltd.) [536F75726365204265616D2028416C706861204372697465726961204C74642E29]
L (localityName):                   Tel Aviv [54656C2041766976]
O (organizationName):         Source Beam (Alpha Criteria Ltd.) [536F75726365204265616D2028416C706861204372697465726961204C74642E29]
ST (stateOrProvinceName):  Tel Aviv [54656C2041766976]
postalCode (postalCode):     651307 [363531333037]
street (streetAddress):         28A Lilinblum St. [323841204C696C696E626C756D2053742E]


Maybe somebody would like to take another look at this?! If it doesn't meet your criteria to classify it as malware, that's OK too! ;)


Generic.Adware.Riskware - Certificate "issued" by Comodo and "countersigned" by USERTrust

https://valkyrie.comodo.com/get_info?sha1=b59d334878d6201a5460136529a4d25007ba0b3a

https://www.virustotal.com/#/file/1f923d42a1ba5118262a1b1e7482bd1b358d0fe596c0623489fa8ccd95291ff3/detection
« Last Edit: November 08, 2017, 04:35:40 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pavithran

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 97
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #256 on: November 08, 2017, 03:49:12 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Regards,
Pavithran G


Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 598
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #257 on: November 14, 2017, 01:01:54 PM »
Trojan.Downloader.Variant.Adload - Certificate "issued" by Comodo & "countersigned" by Symantec and Thawte

https://valkyrie.comodo.com/get_info?sha1=f03808503d329b4b91c4434e659ec6b7a91a4a64

https://www.virustotal.com/#/file/cc4efd8f1592f7ef0896786c8e27b38efa593e895bc234fc45db3122baec9a37/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Microsoft Visual C++ 6.0 , Packer : Input sample ( Nullsoft PiMP Stub ) , Dropped Files ( Microsoft Visual C++ 5.0 , Morphine v1.2 (DLL) , Visual C++ 2005 DLL , Microsoft Visual C++ 6.0 DLL ) , File has PE Anomalies ( File ignores DEP , File ignores Code Integrity , CRC value set in PE header does not match actual value , PE file contains zero-size sections ) , Embeds another file ( type: Nullsoft , location: overlay ) , Expects Administrative permission , Uses a decompressor with a password ( process "7za.exe" with commandline "x -ppassword -y 303748.zip" ) , Found Anti-VM Strings , Uses a User Agent typical for browsers, although no browser was ever launched ( NSIS_Inetc (Mozilla) ) , Reads the active computer name , Reads the cryptographic machine GUID , Scanning for window names , Reads terminal service related keys , Tries to delay the analysis ( "youtubesaved2_303748.exe" tried to sleep 1153 seconds , "explorer.exe" tried to sleep 120 seconds ) , Drops multiple Files , Writes bytes to itself , Duplicates the process handle of another process to obtain access rights to that process , Modifies file/console tracing settings , Requested access to a system service ( "Rasman" , "Sens" ) , Modifies proxy settings , Queries sensitive IE security settings , Found network related activity , HTTP request contains Base64 encoded artifacts , File receives data from "107.23.34.157" ( "smart.gmtrack.com" ) >>> https://www.virustotal.com/#/ip-address/107.23.34.157

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       230306087787296338227562826861071902186
Serial (Hex):            ad4356ce3c9b26afae3cc388d12925ea

Valid from:                  Feb  4 00:00:00 2016 GMT
Valid until:                  Feb  3 23:59:59 2017 GMT

C (countryName):                     US [5553]
CN (commonName):                  GUPPY GAMES INC [47555050592047414D455320494E43]
L (localityName):                       Bellevue [42656C6C65767565]
O (organizationName):             GUPPY GAMES INC [47555050592047414D455320494E43]
OU (organizationalUnitName):  Game Department [47616D65204465706172746D656E74]
ST (stateOrProvinceName):      Washington [57617368696E67746F6E]
postOfficeBox (postOfficeBox): 98005 [3938303035]
postalCode (postalCode):        98005 [3938303035]
street (streetAddress):            12443 Bel-Red Rd Suite 320 [31323434332042656C2D52656420526420537569746520333230]
« Last Edit: November 14, 2017, 01:12:14 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline andrei.savin

  • Comodo Staff
  • Comodo Loves me
  • *****
  • Posts: 197
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #258 on: November 14, 2017, 01:03:57 PM »
Hi,
Thanks for the submission, we'll check the file and add detection if necessary.

Best regards,
Andrei Savin
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 598
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #259 on: November 15, 2017, 03:16:41 PM »
Trojan.Agent.Variant.Kryptik - Certificate "issued" by Comodo

https://valkyrie.comodo.com/get_info?sha1=89c0d3c4f1b0d988898e05bb79a67e56848a6b5a

https://www.virustotal.com/#/file/49b1601b48cb1558aaefc2c9219294e3bfcb3e3bef36a3aea28ad57f7c894bbb/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Microsoft Visual C++ 6.0 , Packer : Armadillo v1.71 , File has multiple PE Anomalies ( File ignores DEP , File ignores Code Integrity , Imports sensitive Libraries ( Windows Socket 2.0 32-Bit DLL , Microsoft Smart Card API ) ) , Tries to obtain the highest possible privilege level without UAC dialog , Found a dropped file containing the Windows username , Found Anti-VM Strings , Scans for AV Software ( Avast , Avira ) , Creates an ADS , Modifies file/console tracing settings , Interacts with the primary disk partition , Uses more than one unique useragent ( Downloader 26.1 , Mozilla/4.0 ) , Allocates read-write-execute memory , Duplicates the process handle of another process to obtain access rights to that process , Creates guarded memory sections , Creates a suspicious process ( C:\Windows\system32\cmd.exe" /c for /l %x in (1,1,10) do ping localhost -n 6 -w 1 & del /q /f "C:\Users\Administrator\AppData\Local\Temp\dio-562-rukovodstvo-po-ekspluatatsii_6d4-06d___.exe" & if not exist "C:\Users\Administrator\AppData\Local\Temp\dio-562-rukovodstvo-po-ekspluatatsii_6d4-06d___.exe" exit ) , Creates a hidden Window , Reads the active computer name , Reads the cryptographic machine GUID , Reads the system/video BIOS version , Reads the windows installation date , Reads the registry for installed applications , Reads terminal service related keys , Hooks API calls , Sent a control code to a service ( "CryptSvc" , "WSearch" ) , Opens the MountPointManager , Modifies proxy settings , Queries sensitive IE security settings , Process launched with changed environment ( Process "iexplore.exe" was launched with new environment variables , Process "cmd.exe" was launched with missing environment variables ) , Tries to collect credentials from local email clients ( Outlook ) , Found network related activity , File POSTS data to 34.241.199.8:80 ( vtfhmtgqjmnp.awfultoworse.ru ) , File GETS data from 34.241.199.8:80 ( vtfhmtgqjmnp.awfultoworse.ru ) , Found LoadMoney Checkin 5 >>> 34.241.199.8:80 (TCP)

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       105899548493065330165793475496419660812
Serial (Hex):            4fab82dafcded6b0d22ff95e14c6140c

Valid from:                  Nov  7 00:00:00 2017 GMT
Valid until:                  Jul 18 23:59:59 2018 GMT

C (countryName):                  RU [5255]
CN (commonName):              OOO, Gorko [4F4F4F2C20476F726B6F]
L (localityName):                   Novosibirsk [4E6F766F7369626972736B]
O (organizationName):         OOO, Gorko [4F4F4F2C20476F726B6F]
ST (stateOrProvinceName):   Novosibirskaya [4E6F766F7369626972736B617961]
postalCode (postalCode):     630005 [363330303035]
street (streetAddress):         d. 48 ofis 908, ul. Nekrasova [642E203438206F666973203930382C20756C2E204E656B7261736F7661]
« Last Edit: November 16, 2017, 07:54:40 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2100
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #260 on: November 15, 2017, 07:52:59 PM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 485
  • Brazilian / Medicine Student / Love Technology

Offline Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 77
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #262 on: November 21, 2017, 04:22:17 AM »
Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Regards,
Aravindhraj J

Offline sainath

  • Comodo Member
  • **
  • Posts: 35
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #263 on: November 23, 2017, 04:08:34 AM »
Guys, again having the same issue: CIS 6408, database 28084, Windows 8.1 detecting CCleaner 3.36 as malware. Also can't submit through CIS.
Below I provided a CIS screenshot, please have a look.

Offline Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 77
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #264 on: November 23, 2017, 04:19:19 AM »
Hi sainath,

Thank you for reporting this.
We'll check it and get back to you soon.

Best regards
Aravindhraj J

Offline Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 77
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #265 on: November 23, 2017, 06:50:05 AM »
Hi sainath,

This is to inform you that the file you have submitted has been checked and it is not a false-positive.
It was found to be a Potentially Unwanted Application (PUA).
If you plan to further use this application, you can add it to your "Exclusions" list.

File SHA1: <48972cf8a6fc0f282498b44e62ab2829448565d1>

Best regards
Aravindhraj J

Offline Wisdom

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1050
  • Default-Deny Protection
    • CFI
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #266 on: November 24, 2017, 02:37:12 AM »
Gen:Variant.Razy
https://valkyrie.comodo.com/get_info?sha1=b4a83ad3a11d220f01851a4d2030ab4a59d4b49e

Human Expert Analysis Result:   Clean :o
Heuristics: detecting tomorrow’s threats today

Offline Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 77
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #267 on: November 24, 2017, 02:42:41 AM »
Hi Wisdom,

Thank you for reporting this.
We'll check it and get back to you soon.

Best regards
Aravindhraj J

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 598
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #268 on: November 27, 2017, 08:37:28 PM »
Trojan.Agent.Variant.Kryptik - Certificate "issued" by Comodo

https://valkyrie.comodo.com/get_info?sha1=3720f20539c5a660d2b1930a4779079b16b6491d

https://www.virustotal.com/#/file/60c4c31523cf8457a8430d04382dd99fcd3c4adc773232117ccbc0b606d4b2e3/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Microsoft Visual C++ 5.0 - 6.0 , Packer : Armadillo v1.71 , File has multiple PE Anomalies ( File ignores DEP , File ignores Code Integrity , File imports sensitive Libraries ( Windows Socket 2.0 32-Bit DLL ) ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads the system/video BIOS version , Reads the windows installation date , Reads terminal service related keys , File has no visible windows , Found Anti-VM Strings , Dropped multiple Files , Creates guarded memory sections , Tries to obtain the highest possible privilege level without UAC dialog , Tries to delay the analysis process , Duplicates the process handle of another process to obtain access rights to that process , Creates an ADS , Interacts with the primary disk partition , Opens the MountPointManager , Modifies file/console tracing settings , Hooks API calls ( NtCreateUserProcess[at]NTDLL.DLL ) , Sent a control code to a service ( "CryptSvc" , "WSearch" ) , Modifies system certificates , Modifies proxy settings , Queries sensitive IE security settings , Collects Credentials from local Email Clients ( MS Outlook ) , Uses more than one unique User-Agent ( Downloader 26.1 , Mozilla 4.0 ) , Found network related activity >>> Found LoadMoney Checkin 5 > "52.212.55.106:80" (TCP) , File GETS data from > "52.212.55.106:80" ( "vmakgjnsgem.attachpress.ru" ) , File POSTS data to > 52.212.55.106:80 ( "vmakgjnsgem.attachpress.ru" ) >>> https://www.virustotal.com/#/ip-address/52.212.55.106

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       95884718891752524414308232843557069138
Serial (Hex):            4822b9a244dab7d19958322ba78be152

Valid from:                  Nov 20 00:00:00 2017 GMT
Valid until:                  Jun 22 23:59:59 2018 GMT

C (countryName):                 RU [5255]
CN (commonName):              RED TABURET, "LLC" [52454420544142555245542C20224C4C4322]
L (localityName):                   Krasnodar [4B7261736E6F646172]
O (organizationName):         RED TABURET, "LLC" [52454420544142555245542C20224C4C4322]
ST (stateOrProvinceName):  Krasnodarskiy [4B7261736E6F646172736B6979]
postalCode (postalCode):    350000 [333530303030]
street (streetAddress):        ul. Krasnaya, d. 93, kv. 1 [756C2E204B7261736E6179612C20642E2039332C206B762E2031]
« Last Edit: November 28, 2017, 01:06:44 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
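As an added example (not code from the thread, from pio, or from Comodo), the checks a reviewer can run over a "Certificate Details" block in the layout pio posts above: the hex tag on each subject field is decoded and compared with the displayed text, the decimal and hex serial numbers are compared, and the validity window is compared with the date the sample was observed, since a signature on a sample seen after the certificate expired only verifies through a trusted timestamp countersignature. The certificate values in the sample block are constructed for the example, and the locality hex tag is deliberately wrong so the mismatch check fires.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the "Certificate Details" blocks in this thread;
# values are made up, and the locality hex tag is deliberately wrong so the check fires.
SAMPLE_BLOCK = """\
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       1234567890
Serial (Hex):            499602d2
Valid from:                  Feb  4 00:00:00 2016 GMT
Valid until:                  Feb  3 23:59:59 2017 GMT
C (countryName):                     RU [5255]
CN (commonName):                  Example Org LLC [4578616D706C65204F7267204C4C43]
L (localityName):                       Moscow [4D6F73636F78]
O (organizationName):             Example Org LLC [4578616D706C65204F7267204C4C43]
"""

FIELD_RE = re.compile(r'^(?P<key>[A-Za-z]+(?: [A-Za-z]+| \([A-Za-z]+\))?):\s+(?P<value>.*?)\s*$')
HEX_TAG_RE = re.compile(r'^(?P<text>.*?)\s*\[(?P<hex>[0-9A-Fa-f]+)\]$')
DATE_FMT = '%b %d %H:%M:%S %Y GMT'   # strptime tolerates the double space in "Feb  4"

def parse_cert_block(text):
    """Map each 'Key:' line of a details block to its (still hex-tagged) value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group('key')] = m.group('value')
    return fields

def issuer_cn(fields):
    """Pull the CN out of the slash-separated issuer DN."""
    parts = dict(p.split('=', 1) for p in fields['Issuer'].strip('/').split('/'))
    return parts.get('CN')

def triage(fields, observed_on):
    """Consistency checks a reviewer would otherwise do by hand; observed_on is 'YYYY-MM-DD' (GMT)."""
    findings = []
    # 1. The hex tag on each subject attribute must decode to the displayed text.
    for key, value in fields.items():
        m = HEX_TAG_RE.match(value)
        if m:
            decoded = bytes.fromhex(m.group('hex')).decode('utf-8', 'replace')
            if decoded != m.group('text'):
                findings.append(f'{key}: displayed {m.group("text")!r} != hex {decoded!r}')
    # 2. Decimal and hex serial numbers must describe the same certificate.
    if 'Serial (Hex)' in fields and int(fields['Serial']) != int(fields['Serial (Hex)'], 16):
        findings.append('Serial: decimal and hex values disagree')
    # 3. Sample seen outside the validity window: the signature verifies only via a timestamp countersignature.
    seen = datetime.strptime(observed_on, '%Y-%m-%d')
    not_before = datetime.strptime(fields['Valid from'], DATE_FMT)
    not_after = datetime.strptime(fields['Valid until'], DATE_FMT)
    if not (not_before <= seen <= not_after):
        findings.append('validity window does not cover observation time; check for a timestamp countersignature')
    return findings
```

Calling `triage(parse_cert_block(SAMPLE_BLOCK), '2017-11-14')` returns two findings for the constructed block: the locality hex mismatch and the expired validity window.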

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #269 on: November 28, 2017, 12:36:53 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen
