Topic: Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)

user5197 (Newbie), Reply #30 on April 12, 2017, 01:57:10 PM
File Name: PalmInputService.exe
SHA1: 2fc4797f37798570609628e7e3d4b672440cedaa

https://valkyrie.comodo.com/get_info?sha1=2fc4797f37798570609628e7e3d4b672440cedaa

andrei.savin (Comodo Staff), Reply #31 on April 12, 2017, 02:02:14 PM
Hi,
Thanks for your submission, we'll analyse it. Next time, please post in the appropriate section.

Best regards,
Andrei Savin
If possible, please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first that you have submitted the samples through CIS.

yigido (Malware Research Group), Reply #32 on April 17, 2017, 05:08:40 PM
Ransomware Test Tool (it must stay as unknown. It is a test tool, no need to blacklist or whitelist it)
https://valkyrie.comodo.com/get_info?sha1=fe273db8c80702a9e25ca947864f1b35ec4175c9

Chunli (Malware Research Group), Reply #33 on April 17, 2017, 09:35:52 PM
Hi yigido,

Thank you for your submission.
We'll check it.

Best regards
Chunli.chen

pio (Malware Research Group), Reply #34 on April 26, 2017, 07:21:26 PM
Trojan.Win.32

https://valkyrie.comodo.com/get_info?sha1=b89861ef8b569cd69abb916681072956442f3225

Some malicious indicators:
- Checks for the presence of Comodo Antivirus engine
- Possibly tries to implement anti-virtualization techniques
- Scanning for window names
- Reads the active computer name
- Reads the cryptographic machine GUID
- Contains ability to elevate privileges
- Hooks API calls
- Modifies proxy settings
- Accesses Software Policy Settings
- Accesses System Certificates Settings
- Opened the service control manager
- Requested access to system services (AutoHelpDeskService, rasman service, gpsvc service ...)
- Sent a control code to a service (ControlService sent control codes "0x24" and "0xFC" to the gpsvc service)
- Opens the Kernel Security Device Driver
- Uses network protocols on unusual ports (TCP traffic over port 50492)
- Contacts 1 domain and 2 hosts
- Malicious artifacts seen in the context of a contacted host
- Found malicious artifacts related to IP "54.230.202.102" (ASN: 16509, Owner: Amazon.com, Inc.); associated SHA-256s:
  "558951af4a97a2c378b54e70ff2d469f178b44a768b11f8365f633588aeb6723"
  "32e812da3382384d5dc9e29456e6b268683013fcfc13c4c7b25af80fccce0b85"
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Chunli (Malware Research Group), Reply #35 on April 26, 2017, 07:28:39 PM
Hi pio,

Thank you for your submission.
We'll check it.

Best regards
Chunli.chen


pavithran (Comodo Staff), Reply #37 on April 27, 2017, 04:17:50 AM
Hi a77841s,

Thank you for your submission.
We'll check them, and if found to be malware, detection will be added.

Regards,
Pavithran G

pio (Malware Research Group), Reply #38 on May 07, 2017, 11:25:52 PM
Hey guys,

I have already sent 5 mails, each with 2 Comodo-signed malicious files, to the email address you specified. NEVER, NO ANSWER, and the files are still untreated!!! The same applies here to my last submission ( https://valkyrie.comodo.com/get_info?sha1=b89861ef8b569cd69abb916681072956442f3225 ).

I am a bit disappointed about that!  :-\ I also don't want or need any thanks, but I would be grateful for some appreciation!

Here is another such file. Please forward it to the relevant responsible persons!!! And if further submissions should be undesirable, please let me know!!! Thx!!!

Undefined.Malware

https://valkyrie.comodo.com/get_info?sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c

Some suspicious indicators:
- Found Delphi 4 - Delphi 2006 artifact
- PE file has unusual entropy sections
- PE file is packed with UPX
- Reads terminal service related keys
- Looks up many procedures within the same disassembly stream (Found 11 calls to GetProcAddress[at]KERNEL32.DLL)
- Contains ability to retrieve keyboard strokes
- Contains ability to download files from the internet (recv[at]WSOCK32.DLL)
- Contains ability to write to a remote process (WriteProcessMemory[at]KERNEL32.DLL)
- Touches files in the Windows directory
- Opens the Kernel Security Device Driver

Chunli (Malware Research Group), Reply #39 on May 07, 2017, 11:38:04 PM
Hi pio,

Thank you for your submission.
We'll check them, and if found to be malware, detection will be added.

Best regards
Chunli.chen

Jon79 (Comodo's Hero), Reply #40 on May 08, 2017, 09:58:58 AM
> Quote from: pio on May 07, 2017, 11:25:52 PM
> [Reply #38 quoted in full: the complaint about unanswered mails, the Undefined.Malware Valkyrie link for sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c and its list of suspicious indicators]

sha1=b89861ef8b569cd69abb916681072956442f3225
is clean according to VirusTotal
https://www.virustotal.com/en/file/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed/analysis/

sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c
is already flagged as malicious in Valkyrie, even if Comodo doesn't detect it on VirusTotal
https://valkyrie.comodo.com/get_info?sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c
https://www.virustotal.com/en/file/f61c38510fea8e38bb242b82a29d45e1b7e696fb804100be8ec22975e08808c9/analysis/

pio (Malware Research Group), Reply #41 on May 08, 2017, 04:07:03 PM
> Quote from: Jon79 on May 08, 2017, 09:58:58 AM
> sha1=b89861ef8b569cd69abb916681072956442f3225
> is clean according to VirusTotal
> https://www.virustotal.com/en/file/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed/analysis/

You're right, but I believe that no other AV vendors have analyzed the file, because it's digitally signed! But not just Google knows and tells us: you should never trust certificates issued by Symantec!!!  ;)

According to my definition of malware, this file is definitely not clean!!! For "legit" banking software, this file does very suspicious things! But I'd also like to talk about it if anybody wants that?!  :P
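Three checks run through this thread: the SHA1/SHA256 hash lists staff ask for (the Valkyrie and VirusTotal URL formats used above), the static "packed with UPX" and "unusual entropy sections" indicators in pio's sandbox output, and the question of whether a digital signature should count for anything. The following stdlib-only Python script is an added example, not code from this thread or from Comodo: it walks PE headers, scores each section's entropy, flags UPX section names, and reports whether an Authenticode security directory is present at all (presence says nothing about the signer being trustworthy). The 7.0 bits/byte threshold, the function names, and the two in-memory PE images it analyzes are all constructed assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

# Added example, not code from the thread or from Comodo.
HIGH_ENTROPY_BITS = 7.0          # assumed threshold: packed/encrypted data sits near 8.0
SECURITY_DIRECTORY_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes):
    """Minimal PE32/PE32+ header walk; returns (sections, security_directory_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = 96 if magic == 0x10B else 112          # data directory offset: PE32 vs PE32+
    nrva = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    sec_size = 0
    if nrva > SECURITY_DIRECTORY_INDEX:
        _va, sec_size = struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIRECTORY_INDEX)
    sections, table = [], opt + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 3)})
    return sections, sec_size


def analyze(data: bytes) -> dict:
    """Hashes, the two static indicators, and the signature-presence check."""
    sections, sec_size = parse_pe(data)
    findings = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        findings.append("PE file is packed with UPX (UPX section names)")
    for s in sections:
        if s["entropy"] > HIGH_ENTROPY_BITS:
            findings.append(f"unusual entropy section {s['name']} ({s['entropy']:.2f} bits/byte)")
    sha1, sha256 = hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()
    return {
        "sha1": sha1, "sha256": sha256, "sections": sections, "findings": findings,
        # Only tells you a WIN_CERTIFICATE entry exists, not that the signer deserves trust.
        "authenticode_present": sec_size > 0,
        # URL formats as used in this thread for lookups.
        "valkyrie_url": f"https://valkyrie.comodo.com/get_info?sha1={sha1}",
        "virustotal_url": f"https://www.virustotal.com/en/file/{sha256}/analysis/",
    }


def _align(x: int, a: int) -> int:
    return (x + a - 1) // a * a


def build_sample_pe(section_specs, signed=False) -> bytes:
    """Construct a minimal PE32 image (headers plus raw sections) for testing; not executable code."""
    nsec, opt_size = len(section_specs), 224         # PE32 optional header with 16 directories
    headers_end = _align(64 + 4 + 20 + opt_size + 40 * nsec, 512)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    table, body, raw_ptr, va = bytearray(), bytearray(), headers_end, 0x1000
    for name, payload in section_specs:
        raw_size = _align(len(payload), 512)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr, va = raw_ptr + raw_size, va + _align(raw_size, 0x1000)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(headers_end, b"\0") + body
    if signed:  # append a stub WIN_CERTIFICATE and point the security directory at it
        cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\0" * 16
        struct.pack_into("<II", image, 64 + 4 + 20 + 96 + 8 * SECURITY_DIRECTORY_INDEX, len(image), len(cert))
        image += cert
    return bytes(image)


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a UPX-style packed image with a stub signature, and a plain unsigned one.
CODE = (b"push ebp; mov ebp, esp; sub esp, 0x40; call [GetProcAddress]; ret\n" * 80)[:4096]
PACKED_SAMPLE = build_sample_pe([(b"UPX0", CODE), (b"UPX1", pseudo_random(4096))], signed=True)
CLEAN_SAMPLE = build_sample_pe([(b".text", CODE), (b".data", b"constructed sample data\0" * 150)])

if __name__ == "__main__":
    for label, sample in (("packed+signed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        r = analyze(sample)
        print(label, r["sha1"], "signed" if r["authenticode_present"] else "unsigned", r["findings"])
```

To use it on real submissions, read each file's bytes and pass them to analyze(); the sha1 field gives the HashMyFiles-style list staff ask for, and the findings list reproduces the two static indicators without running the sample. Entropy alone is not a verdict: legitimate installers and compressed resources also score near 8.0, which is why the thread treats these as indicators for a human or sandbox to confirm.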

Qiuhui.Wang (Comodo Staff), Reply #42 on May 08, 2017, 05:22:50 PM
Hi Jon79 & pio,

Thank you for your submission.
We'll check them, and if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

fatih.orhan (Global Moderator), Reply #43 on May 08, 2017, 09:59:58 PM
> Quote from: pio on May 08, 2017, 04:07:03 PM
> sha1=b89861ef8b569cd69abb916681072956442f3225
> https://www.virustotal.com/en/file/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed/analysis/
>
> You're right, but I believe that no other AV vendors have analyzed the file, because it's digitally signed! But not just Google knows and tells us: you should never trust certificates issued by Symantec!!!  ;)
>
> According to my definition of malware, this file is definitely not clean!!! For "legit" banking software, this file does very suspicious things! But I'd also like to talk about it if anybody wants that?!  :P

Pio, that file needs detailed investigation. You are right to bring it to our attention. Thank you very much. We'll analyze the file deeply, and I'll try to inform here.

Thanks,

Jon79 (Comodo's Hero), Reply #44 on May 09, 2017, 04:41:41 AM
> Quote from: fatih.orhan on May 08, 2017, 09:59:58 PM
> Pio, that file needs detailed investigation. You are right to bring it to our attention. Thank you very much. We'll analyze the file deeply, and I'll try to inform here.
>
> Thanks,

Other analyses:
https://malwr.com/analysis/MGNjNGRhZjk4YjViNDQzMDg0MDBjYWNmOTYyOGI3N2Y/
https://www.hybrid-analysis.com/sample/a7db8138cabaf346629efca1c01dd6f39c3afda03702da85691cb509b7a49fed?environmentId=100
