Author Topic: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)  (Read 11479 times)

Offline morphiusz

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3081
    • Suspicious file?

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #46 on: June 02, 2018, 12:21:50 AM »
Hi morphiusz,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 485
  • Brazilian / Medicine Student / Love Technology

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #48 on: June 04, 2018, 09:03:25 PM »
Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 485
  • Brazilian / Medicine Student / Love Technology
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #49 on: June 12, 2018, 10:25:49 AM »
Human Expert Analysis: Clean
Trusted Verdict

https://verdict.valkyrie.comodo.com/file/result?s=e144ce1a9735320faaedbbe5b40e4582833d57f4

Only 41/67 in VirusTotal

Offline FlorinG

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3550
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #50 on: June 12, 2018, 02:34:00 PM »
Hello Felipe Oliveira,

Thank you for sharing this. We'll check it and take the appropriate actions.

Best regards,
FlorinG
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS or CIMA.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #51 on: June 13, 2018, 11:21:31 PM »
File is unjustifiably FULLY trusted !!!

MSIL.PUA.Variant.WebCompanion - Certificate "issued" by Entrust & "countersigned" by GlobalSign
 
https://valkyrie.comodo.com/get_info?sha1=ed7f68a3326516c2a3a30a84dec9319a1852c462

https://www.virustotal.com/#/file/8bef6fd8119d07983f7d2dcc9d7936dc799d314ce7ad84552c1ade57bd36a523/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : MS Visual 6.0 , Packer: Armadillo 1.71 , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , CRC value set in PE header does not match actual value , Embeds another file ( type: 7zSFX , location: overlay , file-offset: 0x00022C6B ) , Contains a known anti-VM trick ( "CPUID trick" in "op.exe.bin" ) , Executes WMI queries ( NetworkAdapterConfiguration WHERE IPEnabled=True , VideoController , DiskDrive , Bios , BaseBoard , Processor ) , Tries to implement anti-virtualization techniques ( against "virtualbox" ) , Checks if debugger is present , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Looks for the Windows Idle Time to determine the uptime , Checks for an ADS , Creates guarded memory sections , Spawns a lot of processes , Reads the active computer name , Reads the cryptographic machine GUID , Reads terminal service related keys , Reads the registry for installed applications , Reads Windows Trust Settings , Opens the Kernel Security Device Driver , Accesses System Certificates Settings , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Found possibly malicious network related activity >>> HTTP request contains Base64 encoded artifacts , Executable Retrieved With Minimal HTTP Headers , Creates windows services ( Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS" ) , POSTs data to "104.17.61.19:80" (flow.lavasoft.com) , "72.55.154.82:80" (wc-tracking.lavasoft.com) , "72.55.154.81:80" (wc-update-service.lavasoft.com) , GETs data from "104.17.61.19:80" (wcdownloadercdn.lavasoft.com) , "104.17.112.51:80" (webcompanion.com)

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/O=Entrust, Inc./OU=See - entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Code Signing CA - OVCS1
Serial:                       339887834564985863534598956474935165154
Serial (Hex):            ffb4040d93a323a500000000556640e2

Valid from:                  Aug 21 14:25:44 2017 GMT
Valid until:                  Aug 21 14:55:34 2020 GMT

C (countryName):                 DE [4445]
CN (commonName):              pdfforge GmbH
L (localityName):                   Hamburg
O (organizationName):         pdfforge GmbH
ST (stateOrProvinceName):  Hamburg
« Last Edit: June 14, 2018, 12:13:45 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
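The "CRC value set in PE header does not match actual value" indicator in the report above refers to the IMAGE_OPTIONAL_HEADER.CheckSum field. The following Python is an added example (not from the post, from Comodo, or from the sandbox vendor) that computes the checksum the way the Windows loader does and classifies a file's header value as unset, matching or mismatching; the minimal PE header it checks is constructed inline for testing and is not a real executable.

```python
import struct

# Offset of the CheckSum field relative to the start of the optional header
# (identical for PE32 and PE32+).
_CHECKSUM_IN_OPTIONAL = 64


def _checksum_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # 4-byte "PE\0\0" signature + 20-byte COFF header precede the optional header.
    return e_lfanew + 24 + _CHECKSUM_IN_OPTIONAL


def pe_checksum(data: bytes) -> int:
    """Compute the CheckSum the loader expects (same result as CheckSumMappedFile).

    Ones'-complement sum of every 16-bit little-endian word, skipping the 4-byte
    CheckSum field itself, folded to 16 bits, plus the file length in bytes.
    """
    skip = _checksum_offset(data)
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def verify_checksum(data: bytes) -> str:
    """'unset' (header holds 0, common for user-mode binaries and not an anomaly),
    'match', or 'mismatch' (the condition the sandbox report flags)."""
    stored = struct.unpack_from("<I", data, _checksum_offset(data))[0]
    if stored == 0:
        return "unset"
    return "match" if stored == pe_checksum(data) else "mismatch"


def build_sample_pe(checksum: int) -> bytes:
    """Constructed minimal PE32 header for testing; not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, _CHECKSUM_IN_OPTIONAL, checksum)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\xCC" * 32
```

A checksum of 0 only means the linker did not set one, so a mismatch is reportable only when the stored value is non-zero; a tampered or patched file whose header still carries the original value is what produces the indicator.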

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #52 on: June 14, 2018, 12:02:35 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 228
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #53 on: June 14, 2018, 03:39:44 AM »
Heise "says":

The program can install adware and other unwanted software without asking you.
« Last Edit: June 14, 2018, 03:42:27 AM by prodex »

Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • *****
  • Posts: 23
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #54 on: June 14, 2018, 05:41:51 AM »
Hi prodex,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #55 on: June 20, 2018, 01:28:02 AM »
File is unjustifiably FULLY trusted !!!

Riskware.PUA.Generic - Certificate "issued" by VeriSign & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=aa9d0182bc4af8a6595207b7f5bd7c8336617520

https://www.virustotal.com/#/file/9fc3678dac889a1e21cf66b395882339552bc879bd52302ea0d91f1f261da1cb/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : MS-VC 8.0 , Packer: UPX 3.08 , File has multiple binary anomalies ( File ignores Code Integrity , Entrypoint is outside of first section , The File code is self-modifying , The file has "2" writable and executable sections , The file-ratio "76%" of the resources is suspicious , The count "16" of libraries is suspicious , Imports sensitive Libraries ( Process Status Helper , OLE32 Extensions for Win32 , Userenv , Internet Extensions for Win32 , Windows Socket 2.0 32-Bit DLL , Win32 LDAP API DLL ) , Contains ability to start/interact with device drivers , Contains ability to reboot/shutdown the operating system , Contains ability to write to memory of another process ( WriteProcessMemory[at]KERNEL32.dll ) , Contains ability to retrieve keyboard strokes , Contains ability to register hotkeys , Contains ability to lookup the windows account name , Contains ability to query the value of any user atom ( GetClipboardFormatNameA[at]USER32.DLL from frt_auto.exe ) , Checks if a debugger is present , Has no visible windows , Creates guarded memory sections , Opens a file in a system directory , Queries process information , Reads terminal service related keys , Scanning for window names , Scans for the windows taskbar , Reads the keyboard layout followed by a significant code branch decision , Opens a file in a system directory , Opens the Kernel Security Device Driver , File is hosted by a suspicious server ( "183.91.33.45" >>> https://www.virustotal.com/#/ip-address/183.91.33.45 )

Certificate Details :

Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=T 10/CN=VeriSign Class 3 Code Signing 2010 CA
Serial:                       128303042479937921492611790609463368101
Serial (Hex):            60864463bbbc2e4e67d42771e4cbd9a5

Valid from:                  Apr 21 00:00:00 2017 GMT
Valid until:                  Feb  4 23:59:59 2020 GMT

C (countryName):                        CN
CN (commonName):                  Zhuhai Kingsoft Office Software Co., Ltd.
L (localityName):                       Zhuhai
O (organizationName):             Zhuhai Kingsoft Office Software Co., Ltd.
OU (organizationalUnitName):  RD Department
ST (stateOrProvinceName):      Guangdong
« Last Edit: June 20, 2018, 02:54:48 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • *****
  • Posts: 23
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #56 on: June 20, 2018, 01:39:32 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #57 on: June 21, 2018, 07:04:59 PM »
Valkyrie Signature Detection and Final Verdict = CLEAN

PUA.Toolbar.Asparnet - Certificate "issued" by VeriSign & "countersigned" by Symantec , Thawte & VeriSign
 
https://valkyrie.comodo.com/get_info?sha1=7b72afe25646a2c7ec2cbc1c016c3a32c27800c6

https://www.virustotal.com/#/file/d08a8db8a62cc14ac3ef22ec4b438c6bd0411ef7f3e465c137138396acdfcb41/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : MS-VC 8.0 , Packer: Morphine v. 3.3 , File has multiple binary anomalies ( File ignores Code Integrity , Foreign language identified in PE resource ( Chinese ) , The certificate issuer ( VeriSign ) has expired (31/12/2012) , The certificate subject ( Symantec ) has expired (31/12/2012) , Imports sensitive Libraries ( Remote Procedure Call Runtime , Internet Extensions for Win32 , OLE32 Extensions for Win32 , Windows Installer , Crypto API32 , Microsoft Trust Verification APIs ) , References an Object Identifier (2.5.4.11 & 1.3.6.1.4.1.311.2.1.12) , Has no visible windows , Checks if a debugger is present , Tries to delay the analysis , Contains ability to read the monitor info , Expects Administrative permission , Reads the active computer name , Reads the cryptographic machine GUID , Checks adapter addresses , Scanning for window names , Reads the registry for installed applications , Opens the Kernel Security Device Driver , Touches multiple files in the Windows directory , Accesses potentially sensitive information from local browsers , Modifies proxy settings , Queries sensitive IE security settings , Found possibly malicious network related activity >>> Found more than one unique User-Agent ( Mozilla/4.0 ) , HTTP request contains Base64 encoded artifacts , Creates windows services ( Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS" ) , POSTs data to "199.36.100.103" (pipoffers.apnpartners.com) , GETs data from "23.43.122.119" (ak.pipoffers.apnpartners.com) & "199.36.100.103" (pipoffers.apnpartners.com)
« Last Edit: June 21, 2018, 07:37:49 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #58 on: June 21, 2018, 08:07:52 PM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #59 on: June 29, 2018, 12:27:27 AM »
Valkyrie Signature Detection and Final Verdict = CLEAN

PUA.myPCBackup
 
https://valkyrie.comodo.com/get_info?sha1=2feec32c856c038b8718fb5f3e9825bd69cdd152

https://www.virustotal.com/#/file/4040800ed37957cd1eff2cfc717d8aa322a7e83fae7491368ac76e83327722b7/detection

Some suspicious/malicious Indicators : Compiler/Packer/Crypter/Protector signature > Compiler: Microsoft Visual C v7.0 , Protector: ConfuserEx , File has multiple binary anomalies ( File ignores Code Integrity , Digisig is expired: Jun 21 12:00:00 2016 , The certificate was explicitly revoked by its issuer ( DigiCert ) , Imports count "1" is very low , Input file contains API references not part of its Import Address Table ( Found string "QueueUserWorkItem" ( Source: "mypcbackup.1.5.0.2.97.exe", API is part of module: "KERNEL32.DLL" ) ) , Found Anti-VM Strings ( Found VM detection artifact "RDTSCP trick" , Checks amount of system memory , Checks adapter addresses ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads Windows Trust Settings , Uses Windows APIs to generate a cryptographic key ( 2 events ) , Queries kernel debugger information , Creates guarded memory sections , Drops cabinet archive files , Creates new processes ( "Input Sample" is creating a new process ( Name: "%WINDIR%\System32\conhost.exe" ) ) , Duplicates the process handle of another process to obtain access rights to that process ( 321 events ) , Writes data to another process ( "Input Sample" wrote bytes to process > "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" ) , Opened the service control manager , Touches multiple files in the Windows directory , Opens the Kernel Security Device Driver , Accesses System Certificates Settings , Modifies Software Policy Settings , Found possibly suspicious/malicious network related activity >>> "Input Sample" & "dw20.exe" create windows services ( Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS" ) , Connects to an IP address that is no longer responding to requests > "40.70.13.248:80"
« Last Edit: June 29, 2018, 08:59:52 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
