Author Topic: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)  (Read 11110 times)

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25143
Previous Thread

Comodo is constantly improving its whitelist. This makes CIS more user friendly but does, in some circumstances, have some downsides. Some malware may sometimes be trusted because it is signed by a trusted certificate or perhaps the vendor was trustworthy, but then changed their ways. This is rare, but it does happen.

Regardless of how it happens it's important to take action against this. If you find malware that is whitelisted, but seems suspicious, please report it here. The name of the trusted vendor, or any other information, is also useful.

Upload these files to one of the following services and post a link to the results:


DO NOT attach or link any malware or malicious links to your post.

When coming across a malware signed by Comodo please follow the steps as described in How to report fraudulent or malicious use of certificates issued by Comodo:
Quote
Code Signing Certificates

If you have come across malware signed with a Comodo issued Code Signing certificate please send as much detail as possible to:

signedmalwarealert[at]comodo.com

Helpful details include:
link to the signed malware
screenshots of the certificate details showing the signer organization or certificate serial number or other details which will help us identify the certificate
a copy of the actual certificate if possible
This article also describes how to report fraudulent and phishing emails using Comodo SSL/TLS certificates (but this is not pertinent for this topic).


P.S. Comodo Instant Malware Analysis (CIMA) is no longer active and can no longer be used to submit files to Comodo.
« Last Edit: January 02, 2018, 07:47:04 PM by EricJH »

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #1 on: January 06, 2018, 10:28:51 PM »
File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate "issued" by VeriSign  & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=0e79bd6410392c6085749e057d59cac119b365a8

https://www.virustotal.com/de/file/50e02704f9d8341a72eccdac2472c5a9347e3671ecd889211b884dbd0bf2e76d/analysis/1515293621/

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Microsoft Visual  C++ 8.0 , Packer : aPLib Compresion , File has multiple PE Anomalies ( Digisig is expired: Feb 26 23:59:59 2015 GMT , File ignores DEP , File ignores Code Integrity , The file has 1 shared section , Foreign language identified in PE resource (Chinese) , Imports mutiple sensitve Libaries > Internet Extensions for Win32 , Remote Procedure Call Runtime , Microsoft Trust Verification APIs , Crypto API32 , Process Status Helper , Windows Socket 2.0 32-Bit DLL , Active Accessibility Core Component , IP Helper API ) , Contains ability to lookup the windows account name , Contains ability to download files from the internet , Contains ability to register a top-level exception handler , Contains ability to start/interact with device drivers , Found Anti-VM Strings ( Checks adapter adresses and the amount of Memory ) , Checks if a debugger is present ,  Creates guarded memory sections , Creates new processes ,  Reads the active computer name , Reads the cryptographic machine GUID , Reads the registry for installed applications , Reads Windows Trust Settings , References suspicious system modules ( "ntoskrnl.exe" ) , Modifies file/console tracing settings , Looks up many procedures within the same disassembly stream ( Found 20 calls to GetProcAddress[at]KERNEL32.DLL ) , Found dropped filename "l0pjnzj[at]hao123[1].txt" containing a spoofed Windows username , Writes data to a another process ( iexplorer.exe ) , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Accesses System Certificates Settings , Opens the Kernel Security Device Driver , Found network releated activity , HTTP request contains Base64 encoded artifacts , File GET data from "103.235.46.64:80" (stat.client.ghk.hao123.com) >>> https://www.virustotal.com/de/ip-address/103.235.46.64/information/

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network
Serial:                       114841094271573151353369286759355177018
Serial (Hex):            56659719569be07b775a1b2275e2d83a

Valid from:                  Feb 27 00:00:00 2012 GMT
Valid until:                  Feb 26 23:59:59 2015 GMT

C (countryName):                       CN [434E]
CN (commonName):                    Beijing baidu Netcom science and technology co.ltd
L (localityName):                         Beijing [4265696A696E67]
O (organizationName):               Beijing baidu Netcom science and technology co.ltd
OU (organizationalUnitName):    Digital ID Class 3 - Microsoft Software Validation v2
ST (stateOrProvinceName):        Beijing [4265696A696E67]


« Last Edit: January 06, 2018, 10:46:58 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2582
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #2 on: January 06, 2018, 11:18:01 PM »
Hi,pio

Thank you for your submission.
We'll check it and if found to be malware detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #3 on: January 12, 2018, 11:42:15 AM »
Still fully trusted !!! Please take a look at this !!!

Some additional Infos about this Application >>> https://malwaretips.com/blogs/remove-hao123-virus

Just trust the Valkyrie Dynamic Analysis verdict !!!  ;)

File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate "issued" by VeriSign  & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=0e79bd6410392c6085749e057d59cac119b365a8

https://www.virustotal.com/de/file/50e02704f9d8341a72eccdac2472c5a9347e3671ecd889211b884dbd0bf2e76d/analysis/1515293621/

Thx ..... !!!
« Last Edit: January 12, 2018, 11:57:27 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #4 on: February 01, 2018, 09:52:28 PM »
File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate "issued" by Symantec & VeriSign  & "countersigned" by Symantec & VeriSign
 
https://valkyrie.comodo.com/get_info?sha1=79a6647fbb64c2b843999606ebde42d430b2b8a4

https://www.virustotal.com/#/file/59095ca19bc09400f77840afc38bd2abc4039cc3a88471ee4a10634f867575b8/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi 6.0 - 7.0 , File Certificate is expired ( Valid to 06/03/2017 23:59:59 ) , File has multiple PE Anomalies ( PE file contains unusual section name , PE file contains zero-size sections , Entrypoint is outside of first section , File ignores Code Integrity , Contains unknown Resourses ,  Resources contains 4 different languages , PE file contains unusual section name , Imports sensitive Libaries >>> GDIEXT Client DLL , Shell Folder Service , Internet Extensions for Win32 , Active Accessibility Core Component , MCI API DLL , IP Helper API , Windows Socket 32-Bit DLL ) , Found Anti-VM Strings ( Contains references to WMI/WMIC ) , Found positive Yara Signature match ( Antisb_threatExpert - Anti-Sandbox checks for ThreatExpert , Maldoc_find_kernel32_base_method_1 , DebuggerCheck__QueryInfo , escalate_priv - Escalade priviledges , win_hook - Affect hook table ... ) , Contains ability to download files from the internet ,  Contains ability to retrieve keyboard strokes , Contains ability to register a top-level exception handler , Reads terminal service related keys , Creates a Child process , Reads the memory of another process , Writes bytes to another process , Modifies Windows Service Keys , Modifies windows polices

Certificate Details :

Algorithm:                  rsaEncryption
Version:                     3
Issuer:                      /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial:                      137081415256287324887931524850362711255
Serial (Hex):           720eb953fb3b3dd5351ff987a4d7cd7

Valid from:                 Feb 13 00:00:00 2015 GMT
Valid until:                 Mar  6 23:59:59 2017 GMT

C (countryName):                  FR [4652]
CN (commonName):              AVANQUEST SOFTWARE [4156414E515545535420534F465457415245]
L (localityName):                   Paris [5061726973]
O (organizationName):         AVANQUEST SOFTWARE [4156414E515545535420534F465457415245]
ST (stateOrProvinceName):  Ile de France [496C65206465204672616E6365]

This File has a correct Human Expert Verdict as PUA since 8 Days , but the signature is missing . Please create and add a Signature !!! !!! Thx !!!

https://valkyrie.comodo.com/get_info?sha1=c573bd82a5579bffd876c3fa44fa0b64aee87537

https://www.virustotal.com/#/file/77e0739b53c6462a374e135fe2dc1dbac474cb1bcf45b2ae43634026586d59c2/detection
« Last Edit: February 02, 2018, 01:22:38 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2098
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #5 on: February 01, 2018, 11:36:18 PM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #6 on: February 04, 2018, 08:42:45 PM »
File is unjustifiably FULLY trusted !!!

Riskware/Adware.Downloader.Variant.Hao123 - Certificate "issued" by Symantec & VeriSign  & "countersigned" by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=b563ae3b1a6b0d9fc8fe4b1115d07ffc9432d358+

https://www.virustotal.com/#/file/b3d630fa8080dc347b7944d3c8db1637ebfc11c19ebe3589781414a95e3f4a1a/detection

Some suspicious/malicious Indicators : Compiler/Packer/Crypter Signature > Compiler : Microsoft Visual C++ 6.0 & 8.0 ,  Packer/Cyptor: aPLib compression , File has multiple PE Anomalies ( File ignores Code Integrity , PE file has unusual entropy sections , CRC value set in PE header does not match actual value , The size of the resource is bigger than the max 512000 bytes threshold , The file embeds another file ( type: PKZIP, location: resources ) , Contains unknown resources ,  Foreign language identified in PE resource (Chinese) ) , Checks if a debugger is present , Contains ability to query CPU information ,  Found multiple Anti-VM Strings ( Found VM detection artifact "VMware trick" in Offset : "1021906" , Executes multiple WMI queries known to be used for VM detection ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads configuration files ,  Reads the registry for installed applications , Contains ability to lookup the windows account name , Checks for an ADS ,  Drops system driver , References suspicious system modules ( "ntoskrnl.exe" ) , Drops multiple executable files , Runs shell commands , Tries to delay the anaylsis , Creates a hidden Window , Creates a windows hook to log keyboard input , Creates or sets a registry key to a long series of bytes , possibly to store a binary or malware config , Deletes its orginal binary form disk , Opens the Kernel Security Device Driver , File queried details from the computer were then used in a network or crypto API call indicative of command and control communications/preperations , Modifies proxy settings , Queries sensitive IE security settings , The file references a URL pattern ( h***s://www.hao123.com ) , Found network releated activity , HTTP request contains Base64 encoded artifacts , File GET data from "123.125.114.215:80" (opensoft.hao123.com) , "103.235.46.234:80" (orange.hao123.com) , "103.235.46.111:80" (update.123juzi.net) , "47.89.58.141:80" (tongji.juzi1234567.com >>> https://www.virustotal.com/en/url/94bab0fdbc7041196d23850bd4367a2106ef84e09ac915f34e150fc54bc9e453/analysis/1517794747/

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial:                       42300730919024834505941748264773407599
Serial (Hex):            1fd2d30e260fc289cfaf11518f2cd36f

Valid from:                  Dec 15 00:00:00 2015 GMT
Valid until:                  Feb  06 23:59:59 2018 GMT

C (countryName):                        CN [434E]
CN (commonName):                     BeiJing Baidu Netcom Science Technology Co., Ltd
L (localityName):                          Beijing [4265696A696E67]
O (organizationName):                BeiJing Baidu Netcom Science Technology Co., Ltd
OU (organizationalUnitName):     Engineering Excellence [20456E67696E656572696E6720457863656C6C656E6365]
ST (stateOrProvinceName):          Beijing [4265696A696E67]

***EDIT*** :

This File was recognized via signature detection from CAV on VT and also from Valkyrie ! But there is NO signature detection with CIS ! I´ve checked it with TVL ON and OFF .

File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate "issued" by Symantec & VeriSign  & "countersigned" by Symantec & VeriSign
 
https://valkyrie.comodo.com/get_info?sha1=79a6647fbb64c2b843999606ebde42d430b2b8a4

https://www.virustotal.com/#/file/59095ca19bc09400f77840afc38bd2abc4039cc3a88471ee4a10634f867575b8/detection
« Last Edit: February 04, 2018, 11:26:29 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2582
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #7 on: February 05, 2018, 12:15:02 AM »
Hi,pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #8 on: February 09, 2018, 02:52:22 AM »
Unfinished and still no signature recognition via CIS ! Please take a look at this ! Thank you !

File is unjustifiably FULLY trusted !!!

Riskware/Adware.Downloader.Variant.Hao123 - Certificate "issued" by Symantec & VeriSign  & "countersigned" by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=b563ae3b1a6b0d9fc8fe4b1115d07ffc9432d358+

https://www.virustotal.com/#/file/b3d630fa8080dc347b7944d3c8db1637ebfc11c19ebe3589781414a95e3f4a1a/detection


***EDIT*** :

This File was recognized via signature detection from CAV on VT and also from Valkyrie ! But there is NO signature detection with CIS ! I´ve checked it with TVL ON and OFF .

File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate "issued" by Symantec & VeriSign  & "countersigned" by Symantec & VeriSign
 
https://valkyrie.comodo.com/get_info?sha1=79a6647fbb64c2b843999606ebde42d430b2b8a4

https://www.virustotal.com/#/file/59095ca19bc09400f77840afc38bd2abc4039cc3a88471ee4a10634f867575b8/detection
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Deepak PV

  • Comodo Staff
  • Comodo Member
  • *****
  • Posts: 37
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #9 on: February 09, 2018, 03:20:47 AM »
Hi,pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Deepak PV

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #10 on: March 12, 2018, 12:59:23 PM »
File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.OpenCandy - Certificate "issued" by VeriSign  & "countersigned" by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=5aff1256fa475b6e24e0658b50b4e5dd571404a8

https://www.virustotal.com/#/file/9b107f25cfb5c77f13cec0b3ff3e38bf51b301044f349d39b7a079f6b845baa1/detection

Some suspicious/malicious Indicators : Compiler/Packer/Crypter/Scrambler Signature >  Packer/Scrambler : UPX Compressor 3.0 , File has multiple binary anomalies ( File ignores Code Integrity , PE file has unusual entropy sections , PE file is packed with UPX , CRC value set in PE header does not match actual value , Entrypoint in PE header is within an uncommon section , Contains zero-size sections , The file has "2" writable and executable sections ) , Spawns a file that was identified as malicious at VT ( 33/73 Antivirus vendors marked dropped file "uttC133.tmp" as "Adware.OpenCandy" ) , Uses Windows APIs to generate a cryptographic key , Found a dropped file containing the Windows username , Uses a User Agent typical for browsers, although no browser was ever launched  ( Found user agents : Mozilla/4.0 ) , Found  potentially Anti-VM Strings ( Queries the Disk Size , Checks adapter Addresses , Detects the presence of Wine emulator via Registry ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads configuration files , Reads Windows Trust Settings , Scanning for window names , Reads the registry for installed applications , Queries volume information of an entire harddrive , Writes data to another process (  "rundll32.exe") , Creates or modifies windows services ,  Opens the Kernel Security Device Driver , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Accesses and Modifies System Certificates Settings , Found malicious network releated activity , Sends UDP traffic to various IP´s , POSTs files to a webserver , HTTP request contains Base64 encoded artifacts , Contacts 32 domains and 143 hosts

Certificate Details :

Algorithm:                  rsaEncryption
Version:                     3
Issuer:                       /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Code Signing 2010 CA
Serial:                       115906371898387214641412410377105632520
Serial (Hex):            5732c1574e6af828e1b4f93abb34ed08

Valid from:                 Jun  5 00:00:00 2013 GMT
Valid until:                 Sep  3 23:59:59 2016 GMT
 
C (countryName):                     US [5553]
CN (commonName):                  BitTorrent Inc
L (localityName):                       San Francisco
O (organizationName):             BitTorrent Inc
OU (organizationalUnitName):  Digital ID Class 3 - Microsoft Software Validation v2
ST (stateOrProvinceName):      California
« Last Edit: March 12, 2018, 01:04:15 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline andrei.savin

  • Comodo Staff
  • Comodo Loves me
  • *****
  • Posts: 197
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #11 on: March 12, 2018, 03:06:35 PM »
Hello pio,
Thanks for your submission, we'll check the files and take appropriate measures.

Best regards,
Andrei Savin
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #12 on: March 13, 2018, 07:21:05 PM »
File is unjustifiably FULLY trusted !!!

Generic.PUA - Certificate "issued" by VeriSign & Symantec  & "countersigned" by WoSign

https://valkyrie.comodo.com/get_info?sha1=24a52651efa04312d480ea30edd9739c8edd0c89

https://www.virustotal.com/#/file/a288399dd90c65b71633a1bc9f803415cf6e143494b6f214646af64a32e9e05c/detection

Some suspicious/malicious Indicators : Compiler/Packer/Crypter/Scrambler Signature >  Compiler : Microsoft Visual C++ 6.0 , Packer : aPLib Compresion , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , PE file has unusual entropy sections , Contains unknown resources , Imports sensitive Libaries (Windows Socket 2.0 32-Bit DLL , Internet Extensions for Win32 , Active Accessibility Core Component , IP Helper API ) , Checks if a Debugger is present , Tries to delay the Analysis , Found  potentially Anti-VM Strings ( Queries the Disk Size , Checks adapter Addresses ) , Uses a User Agent typical for browsers, although no browser was ever launched ( Found user agent: Mozilla/4.0 ) , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol ( Found reference to API InitCommonControls[at]COMCTL32.DLL ) , Makes a code branch decision directly after an API that is environment aware ( Found API call GetVersionExA[at]KERNEL32.dll ), Reads the active computer name , Reads the cryptographic machine GUID , Modifies file/console tracing settings , Queries volume information of an entire harddrive , Queries kernel debugger information ,  Queries the internet cache settings , Opens the Kernel Security Device Driver , Found a Windows Hook ( spawned process "netsh.exe" wrote bytes to "MPRMSG.DLL" ) , Accesses sensitive information from local browsers ( LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat" , %APPDATA%\Microsoft\Windows\Cookies\index.dat") , Modifies proxy settings , Queries sensitive IE security settings ( "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK" ) , Found malicious network releated activity >>> HTTP request contains Base64 encoded artifacts >>> Found Info Generic Suspicious POST to Dotted Quad with Fake Browser to Host > "121.207.250.58"

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial:                       116568472950842497590935532675032082742
Serial (Hex):            57b2457179c8ef440e31be225a26e936

Valid from:                  May 24 00:00:00 2016 GMT
Valid until:                  Jul 23 23:59:59 2019 GMT

C (countryName):                     CN [434E]
CN (commonName):                  Fujian NetDragon Computer Network Information Technology Co.,Ltd
L (localityName):                       Fuzhou
O (organizationName):             Fujian NetDragon Computer Network Information Technology Co.,Ltd
OU (organizationalUnitName):  Research and development department
ST (stateOrProvinceName):      Fujian [46756A69616E]
« Last Edit: March 13, 2018, 07:49:06 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2582
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #13 on: March 13, 2018, 09:34:37 PM »
Hi,pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 559
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #14 on: March 14, 2018, 05:25:39 PM »
File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.InstallCore - Certificate "issued" by Thawte & "countersigned" by Comodo & USERTrust

https://valkyrie.comodo.com/get_info?sha1=bfa372c778d40be998f4ec2cfc77c3fc9d46a34d

https://www.virustotal.com/#/file/bc657ebd6bf63fe477a808e99b6b6feba7f678a5c2e43f1c085e5f7461c4f4fd/detection

Some suspicious/malicious Indicators : Compiler/Packer/Crypter/Scrambler Signature >  Compiler : Nullsoft PiMP Stub , File has multiple binary anomalies ( Embeds another file ( type : Nullsoft , location : overlay ) , File ignores DEP , File ignores Code Integrity , CRC value set in PE header does not match actual value ,  Imports a anonymous function ) , Tries to delay the Analysis , Contains ability to open the clipboard , Found  potentially Anti-VM Strings ( Checks amount of System Memory , Queries the Disk Size , Checks Adapter Addresses ) ,  References Windows built-in privileges , Creates guarded memory sections , Sets the process error mode to suppress error box , Writes a PE file header to Disc , Opens a file in a system directory , Reads system information using WMIC , Reads the active computer name , Reads the cryptographic machine GUID , Reads configuration files , Spawns a lot of processes , Runs shell commands , Duplicates the process handle of an other process to obtain access rights to that process , Makes a code branch decision directly after an API that is environment aware  ( Found API call GetVersionExA[at]KERNEL32.DLL ) , Opens the MountPointManager , Opens the Kernel Security Device Driver , Modifies proxy settings , Queries sensitive IE security settings , Accesses sensitive information from local browsers , Found malicious network releated activity >>> HTTP request contains Base64 encoded artifacts , File GETS Data from >>> "148.251.68.18:80 (fetch.jdcdn.org) " > https://www.virustotal.com/#/ip-address/148.251.68.18 & "85.131.130.148:80" (installer.jdownloader.org) > https://www.virustotal.com/#/ip-address/85.131.130.148

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/O=Thawte, Inc./CN=Thawte Code Signing CA - G2
Serial:                       754879579763311850463317485396909484
Serial (Hex):            91626fd168636edd78a174e8b75dac

Valid from:                  Aug 15 00:00:00 2014 GMT
Valid until:                 Aug 15 23:59:59 2015 GMT

C (countryName):                 DE
CN (commonName):              Appwork GmbH
L (localityName):                   Fuerth
O (organizationName):         Appwork GmbH
ST (stateOrProvinceName):   Bayern
« Last Edit: March 14, 2018, 05:58:40 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek