Author Topic: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)  (Read 22138 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 556
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #270 on: December 05, 2017, 06:47:21 PM »
File is FULLY trusted!!!

PUA/Riskware.Variant.Installcore - certificate "issued" by VeriSign & "countersigned" by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=f623d6ab8d80683e6dc99a31d9757e8b2f29c027

https://www.virustotal.com/#/file/eedae8b6871e5016d1ce2d6b743d09d657e29ed67a4fb7eca4ca9844a0311f74/detection

Some suspicious/malicious indicators:
  • Compiler/packer signature: compiler Borland Delphi 4.0, packer Inno Setup Module 5.x [SFX]
  • Digisig is expired: May 16 23:59:59 2016
  • File has multiple PE anomalies: file ignores DEP, file ignores Code Integrity, CRC value set in PE header does not match actual value, PE file contains zero-size sections, the file sections ".rdata", ".reloc", ".rsrc" are shareable, contains unknown resources
  • Embeds another file (type: Inno Setup, location: overlay)
  • Has no visible windows
  • Drops executables
  • Creates new processes
  • File wrote bytes to itself
  • Creates guarded memory sections
  • Accesses the Windows default safe DLL search path
  • File accesses: Authorization API, Error Handling API, System Information API, Structured Exception Handling API, Console API ...

Certificate details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU - /CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 98365989605199104652559069604092146726
Serial (hex): 4a0099b9a58d592947df50cc37517426
Valid from: Feb 15 00:00:00 2014 GMT
Valid until: May 16 23:59:59 2016 GMT

C (countryName): US [5553]
CN (commonName): WinZip Computing [57696E5A697020436F6D707574696E67]
L (localityName): Mansfield [4D616E736669656C64]
O (organizationName): WinZip Computing [57696E5A697020436F6D707574696E67]
OU (organizationalUnitName): IT [4954]
ST (stateOrProvinceName): Connecticut [436F6E6E65637469637574]
« Last Edit: December 05, 2017, 07:07:31 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
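
The PE anomalies listed in the post above (file ignores DEP, file ignores Code Integrity, CRC/CheckSum mismatch, zero-size sections, shareable sections, and an embedded file in the overlay) are all visible in the PE headers and can be checked without running the sample. The script below is an added example, not code from the post, from Valkyrie or from VirusTotal: it parses the DOS/NT headers and section table, recomputes the PE checksum the way the Windows loader does, measures the overlay, and runs those checks over a constructed, non-executable PE32 image that carries the same anomalies (the constructed sample is not the reported file; its section names and flag values are assumptions chosen to mirror the post).

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080  # loader must verify the image signature
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP/NX compatible
# IMAGE_SECTION_HEADER.Characteristics bits
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE checksum as the Windows loader computes it: sum every 32-bit word except
    the CheckSum field itself with end-around carry, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def pe_anomalies(data: bytes) -> dict:
    """Return the header-level indicators from the post for a PE32 or PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER
    # CheckSum (+64) and DllCharacteristics (+70) sit at the same offsets in PE32 and PE32+
    stored_checksum = struct.unpack_from("<I", data, opt + 64)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    sections = []
    for i in range(num_sections):
        base = opt + size_of_opt + i * 40  # section headers follow the optional header
        name = data[base:base + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, base + 8)
        chars = struct.unpack_from("<I", data, base + 36)[0]
        sections.append((name, vsize, raw_size, raw_ptr, chars))

    end_of_sections = max((p + s for _, _, s, p, _ in sections), default=0)
    return {
        "ignores_dep": not (dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "ignores_code_integrity": not (dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        # a zero CheckSum means "not set" (common for unsigned files); only a set, wrong value is a mismatch
        "checksum_mismatch": stored_checksum != 0 and stored_checksum != pe_checksum(data, opt + 64),
        "zero_size_sections": [n for n, v, s, _, _ in sections if v == 0 and s == 0],
        "shared_sections": [n for n, _, _, _, c in sections if c & IMAGE_SCN_MEM_SHARED],
        # bytes past the last section's raw data form the overlay (where Inno Setup keeps its payload)
        "overlay_size": max(0, len(data) - end_of_sections),
    }


def with_correct_checksum(data: bytes) -> bytes:
    """Rewrite the CheckSum field so it matches the image, as a linker would."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    off = e_lfanew + 24 + 64
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


def build_sample_pe() -> bytes:
    """Constructed sample (not the reported file): a non-runnable PE32 image carrying the anomalies."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 3 sections, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<H", opt, 48, 5)           # MajorSubsystemVersion
    struct.pack_into("<I", opt, 56, 0x4000)      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)       # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)  # CheckSum: deliberately wrong
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0)           # DllCharacteristics: neither NX_COMPAT nor FORCE_INTEGRITY
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes

    def section(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    sections = (
        section(b".text", 0x200, 0x1000, 0x200, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
        + section(b".rdata", 0x200, 0x2000, 0x200, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_SHARED)
        + section(b".reloc", 0, 0x3000, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_SHARED)
    )
    headers = dos_header + b"PE\0\0" + file_header + bytes(opt) + sections
    headers += b"\0" * (0x200 - len(headers))
    text = b"\xC3" * 0x200                               # .text: just RET instructions
    rdata = b"\0" * 0x200
    overlay = b"CONSTRUCTED-OVERLAY:" + b"\x90" * 44     # 64 bytes appended past the last section
    return headers + text + rdata + overlay


if __name__ == "__main__":
    for key, value in pe_anomalies(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it against a real file, read the bytes with `open(path, "rb").read()` and pass them to `pe_anomalies`; the function needs no third-party library. The overlay size is the figure to watch for Inno Setup installers, since the SFX payload lives there rather than in a section.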

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2582
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #271 on: December 05, 2017, 08:40:03 PM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 556
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #272 on: December 19, 2017, 02:41:38 AM »
I've uploaded a slightly modified version of this file (added a Visual Basic fake sign) to Valkyrie and it was correctly classified as malware/PUA. >>> https://valkyrie.comodo.com/get_info?sha1=3e2b1deff52c9cc532a9bb044944789d5d4863ac & https://www.virustotal.com/#/file/4a909416f1c3c4bd16e4b0063595416c2cda45430e8aba9c48ab220a4c2337de/details

The file from my quoted link is the "same" file!!! Same file code, same functions, same behaviour!!! As I say, just a little bit modified...!!! ;)

File is FULLY trusted!!!

PUA/Riskware.Variant.Installcore - certificate "issued" by VeriSign & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=f623d6ab8d80683e6dc99a31d9757e8b2f29c027

https://www.virustotal.com/#/file/eedae8b6871e5016d1ce2d6b743d09d657e29ed67a4fb7eca4ca9844a0311f74/detection
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
  • *****
  • Posts: 77
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #273 on: December 19, 2017, 02:55:13 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Aravindhraj J

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25118
Re: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)
« Reply #274 on: January 01, 2018, 11:49:30 AM »
Please continue in Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!).

This topic stays open to handle open submissions.
