Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)

[user5197]

File Name:   PalmInputService.exe
SHA1:   2fc4797f37798570609628e7e3d4b672440cedaa

https://valkyrie.comodo.com/get_info?sha1=2fc4797f37798570609628e7e3d4b672440cedaa

[andrei.savin]

Hi,
Thanks for your submission, we'll analyse it. Next time please post in the appropriate section.

Best regards,
Andrei Savin

[yigido]

Ransomware Test Tool (it must be stay as unknow. It is a test tool no need to blacklist or whitelist it)
https://valkyrie.comodo.com/get_info?sha1=fe273db8c80702a9e25ca947864f1b35ec4175c9

[Chunli]

Hi,yigido

Thank you for your submission.
We'll check it.

Best regards
Chunli.chen

[pio]

Trojan.Win.32

https://valkyrie.comodo.com/get_info?sha1=b89861ef8b569cd69abb916681072956442f3225

Some Malicious Indicators : Checks for the presence of Comodo Antivirus engine , Possibly tries to implement anti-virtualization techniques , Scanning for window names  , Reads the active computer name , Reads the cryptographic machine GUID , Contains ability to elevate privileges ,  Hooks API calls , Modifies proxy settings , Accesses Software Policy Settings , Accesses System Certificates Settings , Opened the service control manager , Requested access to system services (AutoHelpDeskService , rasman service , gpsvc service ...) , Sent a control code to a service (ControlService sent control code's "0X24" and "0XFC" to the gpsvc service) , Opens the Kernel Security Device Driver , Uses network protocols on unusual ports (TCP traffic over port 50492) , Contacts 1 domain and 2 hosts , Malicious artifacts seen in the context of a contacted host , Found malicious artifacts related to IP : "54.230.202.102" (ASN: 16509, Owner: Amazon.com, Inc.) >>>>>
Associated SHA's 256 :
"558951af4a97a2c378b54e70ff2d469f178b44a768b11f8365f633588aeb6723"
"32e812da3382384d5dc9e29456e6b268683013fcfc13c4c7b25af80fccce0b85"

[Chunli]

Hi,pio

Thank you for your submission.
We'll check it.

Best regards
Chunli.chen

[a77841s]

https://valkyrie.comodo.com/get_info?sha1=7ae426efeb459929aa30a478b8ff72335d7b3451

is not clean!!!!!!

[pavithran]

Hi a77841s,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Regards,
Pavithran G

[pio]

Hey guys,

i have already sent 5 mails with 2 of each comodo signed malicious files to the email address you specified . NEVER , NO ANSWER and the files are still untreated !!! The same applies here to my last submision ( https://valkyrie.comodo.com/get_info?sha1=b89861ef8b569cd69abb916681072956442f3225 ) .

I am a bit disappointed about that !  I also don't want or need any thanks, but I would be grateful for an appreciation !

Here is another such a file.  Please forward it to the relevant responsible persons !!! And if further submissions should be undesirable, please let me know !!! Thx !!!

Undefined.Malware

https://valkyrie.comodo.com/get_info?sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c

Some suspicious indicators : Found Delphi 4 - Delphi 2006 artifact , PE file has unusual entropy sections , PE file is packed with UPX , Reads terminal service related keys , Looks up many procedures within the same disassembly stream (Found 11 calls to GetProcAddress[at]KERNEL32.DLL) , Contains ability to retrieve keyboard strokes , Contains ability to download files from the internet (recv[at]WSOCK32.DLL) , Contains ability to write to a remote process (WriteProcessMemory[at]KERNEL32.DLL) , Touches files in the Windows directory , Opens the Kernel Security Device Driver

[Chunli]

Hi,pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

[Jon79]

Hey guys,

i have already sent 5 mails with 2 of each comodo signed malicious files to the email address you specified . NEVER , NO ANSWER and the files are still untreated !!! The same applies here to my last submision ( https://valkyrie.comodo.com/get_info?sha1=b89861ef8b569cd69abb916681072956442f3225 ) .

I am a bit disappointed about that !  I also don't want or need any thanks, but I would be grateful for an appreciation !

Here is another such a file.  Please forward it to the relevant responsible persons !!! And if further submissions should be undesirable, please let me know !!! Thx !!!

Undefined.Malware

https://valkyrie.comodo.com/get_info?sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c

Some suspicious indicators : Found Delphi 4 - Delphi 2006 artifact , PE file has unusual entropy sections , PE file is packed with UPX , Reads terminal service related keys , Looks up many procedures within the same disassembly stream (Found 11 calls to GetProcAddress[at]KERNEL32.DLL) , Contains ability to retrieve keyboard strokes , Contains ability to download files from the internet (recv[at]WSOCK32.DLL) , Contains ability to write to a remote process (WriteProcessMemory[at]KERNEL32.DLL) , Touches files in the Windows directory , Opens the Kernel Security Device Driver

sha1=b89861ef8b569cd69abb916681072956442f3225
is clean according to VirusTotal
https://www.virustotal.com/en/file/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed/analysis/

sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c
is already flagged as malicious in Valkyrie, even if Comodo doesn't detect it on VirusTotal
https://valkyrie.comodo.com/get_info?sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c
https://www.virustotal.com/en/file/f61c38510fea8e38bb242b82a29d45e1b7e696fb804100be8ec22975e08808c9/analysis/

[pio]

sha1=b89861ef8b569cd69abb916681072956442f3225
is clean according to VirusTotal
https://www.virustotal.com/en/file/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed/analysis/

You're right, but I believe that no other's AV vendors has analyzed the file, because it's digitally signed ! But not just Google know's and tells us , you should never trust certificates issued by Symantec !!! 

According to my definition of malware, this file is definitely not clean !!! For a "legit" banking software, this file makes very suspicious things! But I also like to talk about it if anybody wants that  ?! 

[Qiuhui.Wang]

Hi  Jon79 & pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

[fatih.orhan]

sha1=b89861ef8b569cd69abb916681072956442f3225
https://www.virustotal.com/en/file/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed/analysis/

You're right, but I believe that no other's AV vendors has analyzed the file, because it's digitally signed ! But not just Google know's and tells us , you should never trust certificates issued by Symantec !!! 

According to my definition of malware, this file is definitely not clean !!! For a "legit" banking software, this file makes very suspicious things! But I also like to talk about it if anybody wants that  ?! 

Pio, that file needs detailed investigation. You are right to bring it to our attention. Thank you very much. We'll analyze the file deeply, and I'll try to inform here.

Thanks,

[Jon79]

Pio, that file needs detailed investigation. You are right to bring it to our attention. Thank you very much. We'll analyze the file deeply, and I'll try to inform here.

Thanks,

Other analyses:
https://malwr.com/analysis/MGNjNGRhZjk4YjViNDQzMDg0MDBjYWNmOTYyOGI3N2Y/
https://www.hybrid-analysis.com/sample/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed?environmentId=100