Author Topic: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)  (Read 11813 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #30 on: May 10, 2018, 08:18:08 PM »
File is unjustifiably FULLY trusted !!! The File certificate was not recognized !

PUA.InstallRex. - Certificate "issued" by Comodo & UserTrust & "countersigned" by Comodo & UserTrust
 
https://valkyrie.comodo.com/get_info?sha1=5915c85fb286a8ef00a03e276eb63bf6b6394943+

https://www.virustotal.com/de/file/5ae0ca7a52b35aec87bcadd31fff0dc37ed40178cbc8fee163c4ca52c5255355/analysis/

YARA signature "PUP_InstallRex_AntiFWb" matched file "OpalConvert-CSV-JSON_Setup.exe.bin" as "Malware InstallRex / AntiFW" based on indicators: "Error %u while loading TSU.DLL %ls,GetModuleFileName() failed => %u,5400530055004c006f0061006400650072002e00650078006500,5c0053007400720069006e006700460069006c00650049006e0066006f005c00250030003400780025003000340078005c0041007200670075006d0065006e0074007300,5400730075002500300038006c0058002e0064006c006c00"

YARA signature "PUP_InstallRex_AntiFWb" matched file "all.bstring" as "Malware InstallRex / AntiFW" based on indicators: "Error %u while loading TSU.DLL %ls,GetModuleFileName() failed => %u,TSULoader.exe,\StringFileInfo\%04x%04x\Arguments,Tsu%08lX.dll"

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : MS Visual C++ , File has multiple binary anomalies ( Digisig is expired: Jul 17 23:59:59 2016 , File ignores Code Integrity , PE file has unusual entropy sections , CRC value set in PE header does not match actual value , Contains zero-size sections ) , Contains ability to open/control a service , Contains ability to download files from the internet , Contains ability to query CPU information , Found cryptographic related strings , Has no visible windows , Tries to detect the presence of a debugger , Expects Administrative permission , Reads the active computer name , Reads the cryptographic machine GUID , Reads the registry for installed applications , Queries volume information of an entire harddrive , Tries to sleep a long time , Duplicates the process handle of another process to obtain access rights to that process , Creates a windows hook that monitors keyboard input , Opens the MountPointManager , Touches multiple files in the Windows directory

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
Serial:                       331637911641072385803597201282442856423
Serial (Hex):            f97f2372ecad1fa435b0ad02c8b607e7

Valid from:                 Jul 18 00:00:00 2013 GMT
Valid until:                 Jul 17 23:59:59 2016 GMT

C (countryName):                  GB [4742]
CN (commonName):              Daniel White [44616E69656C205768697465]
L (localityName):                   Bedford [426564666F7264]
O (organizationName):         Daniel White [44616E69656C205768697465]
ST (stateOrProvinceName):  Bedfordshire [426564666F72647368697265]
postalCode (postalCode):    MK44 3NG [4D4B343420334E47]
street (streetAddress):        18 The Hill [3138205468652048696C6
« Last Edit: May 10, 2018, 08:39:08 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
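The hex indicators in the first YARA match above are the UTF-16LE ("wide") encoding of the plain strings in the second match. The added example below (not part of the post, and not the real PUP_InstallRex_AntiFWb rule) decodes them, scans a constructed buffer for both encodings the way a YARA `ascii wide` string would, and renders a hypothetical rule from the recovered strings.

```python
import binascii

# Hex indicators quoted from the PUP_InstallRex_AntiFWb match in the post above.
HEX_INDICATORS = [
    "5400530055004c006f0061006400650072002e00650078006500",
    "5c0053007400720069006e006700460069006c00650049006e0066006f005c00250030003400"
    "780025003000340078005c0041007200670075006d0065006e0074007300",
    "5400730075002500300038006c0058002e0064006c006c00",
]

# Constructed sample buffer: a fake MZ header, the ASCII error string and the
# wide form of TSULoader.exe. Not a real file.
SAMPLE = (b"MZ" + b"\x00" * 14
          + b"Error %u while loading TSU.DLL %ls\x00"
          + "TSULoader.exe".encode("utf-16-le"))


def decode_wide_hex(hex_str: str) -> str:
    """Turn a hex dump of UTF-16LE bytes (a YARA 'wide' hit) back into text."""
    return binascii.unhexlify(hex_str).decode("utf-16-le")


def find_indicator(data: bytes, text: str) -> list:
    """Return (encoding, offset) hits for text, searching ASCII and UTF-16LE
    forms, which is what a YARA string with 'ascii wide' modifiers matches."""
    hits = []
    for kind, needle in (("ascii", text.encode("ascii")),
                         ("wide", text.encode("utf-16-le"))):
        start = 0
        pos = data.find(needle, start)
        while pos != -1:
            hits.append((kind, pos))
            pos = data.find(needle, pos + 1)
    return hits


def yara_rule(name: str, texts: list) -> str:
    """Render a hypothetical YARA rule (assumed name/condition, not the
    original signature) that matches the strings in either encoding."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, t in enumerate(texts):
        esc = t.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and 2 of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    decoded = [decode_wide_hex(h) for h in HEX_INDICATORS]
    for s in decoded:
        print(repr(s), find_indicator(SAMPLE, s))
    print(yara_rule("PUP_InstallRex_AntiFW_example", decoded))
```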

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #31 on: May 10, 2018, 09:19:29 PM »
Hi Pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #32 on: May 12, 2018, 11:55:36 AM »
File is unjustifiably FULLY trusted !!!

PUA.Riskware.Asparnet - Certificate "issued" by UserTrust & "countersigned" by Comodo & UserTrust
 
https://valkyrie.comodo.com/get_info?sha1=72e48b7de5ef8711ec821b4fcf009d1cf88117b7+

https://www.virustotal.com/#/file/79426e98c8c952eaf2ed7e6f5a54dbe9e02139a1721ea8aaebf575e7e62f0486/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer , Morphine v1.2 , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Embeds another file ( type: InnoSetup , location: overlay ) , Contains zero size sections , CRC value set in PE header does not match actual value , The file has "3" shared sections , Contains unknown resources , The certificate issuer (UTN-USERFirst-Object) has expired (10/05/2015) , The certificate subject (COMODO Time Stamping Signer) has expired (10/05/2015) ) , Contains ability to query CPU information , Contains ability to download files from the internet , Contains ability to lookup the windows account name , Found more than one unique User-Agent , Queries volume information of an entire harddrive , Reads terminal service related keys , Reads the active computer name , Reads the cryptographic machine GUID , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Reads the registry for installed applications , Reads Windows Trust Settings , Scanning for window names , Creates windows services ( "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") , Deletes its original binary from disk , A process created a hidden window , Duplicates the process handle of another process to obtain access rights to that process , Opens the Kernel Security Device Driver , Accesses sensitive information from local browsers , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Found malicious network related activity , HTTP request contains Base64 encoded artifacts , GETs data from various hosts , Found malicious artifacts related to "199.36.102.106" (websearch.ask.com) & "74.113.233.61" (img.apnanalytics.com)

Certificate Details : 

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
Serial:                       120323648035794777459439591763436950514
Serial (Hex):            5a857dde8b4fa115416d87781fc4d3f2

Valid from:                  Feb 10 00:00:00 2011 GMT
Valid until:                  Feb  9 23:59:59 2014 GMT

C (countryName):                  AU [4155]
CN (commonName):               Auslogics Software Pty Ltd [4175736C6F6769637320536F66747761726520507479204C7464]
L (localityName):                    Crows Nest [43726F7773204E657374]
O (organizationName):          Auslogics Software Pty Ltd [4175736C6F6769637320536F66747761726520507479204C7464]
ST (stateOrProvinceName):   NSW [4E5357]
postalCode (postalCode):     1585 [31353835]
street (streetAddress):          PO Box 1644 [504F20426F782031363434]
« Last Edit: May 12, 2018, 12:23:43 PM by pio »

Offline meldan

  • First Response Group
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #33 on: May 12, 2018, 02:49:14 PM »
Hi Pio,

Thank you for your submission.
We'll check it.

Kind Regards,
Erik M.

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • Brazilian / Medicine Student / Love Technology

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #35 on: May 16, 2018, 12:05:53 AM »
Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #36 on: May 16, 2018, 02:44:06 PM »
File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.InstallCore - Certificate "issued" by Symantec & VeriSign & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=248c3ae7d28dbf324d376660a94f7dc446801d5f

https://www.virustotal.com/en/file/50c83bbfd1517264f34fe872139287c8be0f59ca57fac2d2c53782aaa03b1793/analysis/1526495319/

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi 6.0 - 7.0 , Packer: Inno Setup Installer , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Contains another file ( type: InnoSetup, location: overlay ) , CRC value set in PE header does not match actual value , Contains zero-size sections , The count "5" of libraries is suspicious , The file has "3" shared sections ) , Found Delphi 4 - Delphi 2006 artifact ( has a PE timestamp using the buggy magic timestamp "0x2A425E19" ) , File has no visible windows , Creates guarded memory sections , References Windows built-in privileges , File modifies the filesystem , Touches multiple files in the Windows system directory

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial:                       118202670773406737515473305365598042868
Serial (Hex):            58ed019dda867257493e61e5f18dfaf4

Valid from:                  May 17 00:00:00 2017 GMT
Valid until:                  Aug 15 23:59:59 2020 GMT

C (countryName):                  HK [484B]
CN (commonName):              Power Software Limited
L (localityName):                   North Point
O (organizationName):         Power Software Limited
ST (stateOrProvinceName):  Hong Kong
« Last Edit: May 16, 2018, 02:56:00 PM by pio »

Offline andrei.savin

  • Comodo Staff
  • Comodo Loves me
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #37 on: May 16, 2018, 02:45:16 PM »
Hello pio,
We'll check the file and take appropriate measures.

Best regards,
Andrei Savin
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #38 on: May 16, 2018, 04:15:08 PM »
File is unjustifiably FULLY trusted !!!

PUA.Adware.FusionCore - Certificate "issued" by GlobalSign & "countersigned" by GlobalSign
 
https://valkyrie.comodo.com/get_info?sha1=de0b6921ae150abf25641c0d3d63e00ff9f3a9c4

https://www.virustotal.com/#/file/1d8aabd9b7075c33d66d3ddda0a9ae0a2af5abbba299a6ed96b9a2e87a4c0bc5/detection

Some suspicious/malicious Indicators : Compiler/Packer/Protector signature > Compiler : MS Visual 10.0 , Packer: Nullsoft Scriptable Installer - UPX , Protector: "VMProtect v1.70.4" , File has multiple binary anomalies ( File ignores Code Integrity , The file contains another file ( type: Nullsoft, location: overlay, file-offset: 0x00010408 ) , CRC value set in PE header does not match actual value , Entrypoint in PE header is within an uncommon section , PE file has unusual entropy sections , Contains zero-size sections ) , Checks if a debugger is present , Found Anti-VM Strings ( Checks a device property , Queries volume information of an entire harddrive ) , Contains native function calls ( NtOpenThreadToken[at]ntdll.dl ) , Contains ability to measure performance , Contains ability to open the clipboard , Contains ability to retrieve keyboard strokes , Found Delphi 4 - Delphi 2006 artifact ( has a PE timestamp using the buggy magic timestamp "0x2A425E19" ) , References Windows built-in privileges , Expects Administrative permission , Creates guarded Memory sections , Reads the active computer name , Reads the cryptographic machine GUID , Scanning for window names , Reads the registry for installed applications , Reads terminal service related keys , Writes Data to itself and to "C:\Program Files\Internet Explorer\iexplore.exe", Creates windows services ( Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") , Opens the Kernel Security Device Driver , Accesses sensitive information from local browsers , Modifies proxy settings , Process launched with changed environment ( "iexplore.exe" )

Certificate Details :
Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=BE/O=GlobalSign nv-sa/CN=GlobalSign CodeSigning CA - SHA256 - G3
Serial:                       14866108405781186065315592385
Serial (Hex):            3008f4e77f65ed777552f8c1

Valid from:                  Dec  2 10:26:31 2016 GMT
Valid until:                  Dec  3 10:26:31 2018 GMT

C (countryName):                  KR
CN (commonName):              3DP
L (localityName):                   Gimhae-si
O (organizationName):         3DP
ST (stateOrProvinceName):  Gyeongsangnam-do
« Last Edit: May 16, 2018, 04:18:28 PM by pio »

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #39 on: May 16, 2018, 11:10:27 PM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #40 on: May 23, 2018, 02:46:39 PM »
Doesn't seem to be processed yet ! Please take a look at this ! Thanks !

File is unjustifiably FULLY trusted !!!

PUA.Riskware.Asparnet - Certificate "issued" by UserTrust & "countersigned" by Comodo & UserTrust
 
https://valkyrie.comodo.com/get_info?sha1=72e48b7de5ef8711ec821b4fcf009d1cf88117b7+

https://www.virustotal.com/#/file/79426e98c8c952eaf2ed7e6f5a54dbe9e02139a1721ea8aaebf575e7e62f0486/detection

Offline andrei.savin

  • Comodo Staff
  • Comodo Loves me
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #41 on: May 23, 2018, 02:48:17 PM »
Hello,
Thanks for your submission, I'll have a look and add detection if necessary.

Best regards,
Andrei Savin

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #42 on: May 27, 2018, 02:42:43 AM »
PUA.Variant.InstallCore - Certificate "issued" by Comodo - The File certificate was not successfully recognized by Valkyrie !!!
 
https://valkyrie.comodo.com/get_info?sha1=4bec373400a05d58a97f1e7f395bc53064940f93

https://www.virustotal.com/#/file/49dc87dc7dfaef236893c51cb4029f71701d3e45a2f3045c79792643e399de7d/detection

Some suspicious/malicious Indicators : Compiler/Packer/Protector/Crypter Signature > Compiler : Borland Delphi , Packer: Inno Setup Installer 5.50 , File has multiple binary anomalies ( File ignores Code Integrity , File ignores DEP , Entrypoint is outside of first section , Checksum mismatches the PE header value , Contains zero-size sections , Contains another file ( type: InnoSetup, location: overlay, file-offset: 0x00033C00 ) , Has "2" executable sections ) , Contains ability to start/interact with device drivers , Contains ability to retrieve keyboard strokes , References Windows built-in privileges , Drops multiple executable files , Creates guarded memory sections , Process deletes itself , Reads the active computer name , Scanning for window names , Reads the registry for installed applications , Duplicates the process handle of another process , Hooks/patches the running process ( "MSIMG32.DLL" ) , Makes a code branch decision directly after an API that is environment aware ( Found API call GetDiskFreeSpaceW[at]kernel32.dll directly followed by "cmp byte ptr [ebp-02h], 00h" and "je 004B0181h" ) , Touches files in the Windows system directory , Opens the Kernel Security Device Driver

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       17435140106306245640973187730099565231
Serial (Hex):            0d1de2c682ba42a48358f001a37a72af

Valid from:                  Nov  7 00:00:00 2017 GMT
Valid until:                  Nov  7 23:59:59 2018 GMT

C (countryName):                     MX [4D58]
CN (commonName):                  DS NET CORP SA DE CV
L (localityName):                       BENITO JUAREZ
O (organizationName):             DS NET CORP SA DE CV
OU (organizationalUnitName):  IT [4954]
ST (stateOrProvinceName):      MEXICO CITY
postOfficeBox (postOfficeBox): 03020 [3033303230]
postalCode (postalCode):        03020 [3033303230]
street (streetAddress):            XOCHICALCO 392 INT 3
« Last Edit: May 27, 2018, 03:42:08 AM by pio »

Offline abinaya

  • Comodo Staff
  • Newbie
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #43 on: May 27, 2018, 02:48:43 AM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Regards,
Abinaya R

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #44 on: May 27, 2018, 02:52:24 AM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Regards,
Abinaya R

Hi abinaya ,

thank you and welcome to Comodo!  ;)