Author Topic: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)  (Read 11812 times)

Offline abinaya

  • Comodo Staff
  • Newbie
  • *****
  • Posts: 24
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #60 on: June 29, 2018, 12:37:04 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Abinaya R

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #61 on: July 01, 2018, 09:06:02 PM »
File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.InstallCore - Certificate "issued" by Symantec & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=4cbc8fbaaef14d8e8ab603c510b1b40b21c0104f

https://www.virustotal.com/#/file/e356165343915a12bc3b72435dfdce158b52c1d7d1db238b99f457675364bd5c/detection

Some suspicious/malicious indicators:
Compiler/Packer signature > Compiler: MS Visual 10.0, Packer: NSIS
File has multiple binary anomalies (File ignores Code Integrity; The file contains other files (type: Nullsoft, location: overlay, file-offset: 0x00014208 & type: Flash, location: overlay, file-offset: 0x003CF598); PE file has unusual entropy sections; The count "8" of libraries is suspicious; Contains zero-size sections; CRC value set in PE header does not match actual value; Found PE timestamp using the buggy magic timestamp "0x2A425E19")
Found possibly Anti-VM strings (Checks amount of system memory, Queries the disk size)
Found a cryptographic related string (Indicator: "rc6"; File: "PowerISO.exe.2600991351")
Contains ability to check the local/global descriptor table, Contains ability to start/interact with device drivers, Contains native function calls, Contains ability to download files from the internet, Contains ability to open the clipboard, Modifies auto-execute functionality, Checks if a debugger is present, Expects Administrative permission, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Reads Windows Trust Settings, Queries the internet cache settings, Scanning for window names, Drops multiple executable files, Drops system driver, Duplicates the process handle of another process to obtain access rights to that process (21 events), Writes data to "another" process ("regsvr32.exe" & "itself"), Creates a suspicious process (regsvr32.exe /s /u "C:\Program Files\PowerISO\PWRISOSH.DLL"), Installs hooks/patches multiple running processes, Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Accesses Software Policy Settings, Accesses System Certificates Settings
Found possibly suspicious/malicious network related activity >>> GETs data from "50.62.134.113" ("poweriso.com"), Found malicious artifacts related to "50.62.134.113" >>> https://www.virustotal.com/#/ip-address/50.62.134.113

Certificate Details:

Algorithm:                  rsaEncryption
Version:                    3
Issuer:                     /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial:                     118202670773406737515473305365598042868
Serial (Hex):               58ed019dda867257493e61e5f18dfaf4

Valid from:                 May 17 00:00:00 2017 GMT
Valid until:                Aug 15 23:59:59 2020 GMT

C (countryName):            HK [484B]
CN (commonName):            Power Software Limited [506F77657220536F667477617265204C696D69746564]
L (localityName):           North Point [4E6F72746820506F696E74]
O (organizationName):       Power Software Limited [506F77657220536F667477617265204C696D69746564]
ST (stateOrProvinceName):   Hong Kong [486F6E67204B6F6E67]
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
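A way to reproduce a few of the static indicators in this report (the PE header CRC/CheckSum mismatch, the buggy magic timestamp 0x2A425E19, zero-size sections, and data appended past the last section as an overlay) on a defender's own machine; the same CRC and overlay indicators recur in the WebCompanion report further down. This is an added example, not code from pio's post, Comodo or any sandbox: it runs on a constructed minimal PE32 built inside the block rather than on the reported file, and the CheckSum routine is the standard loader algorithm (assumption: the CheckSum field is 4-byte aligned, as it is in normally laid-out headers).

```python
import struct

DELPHI_MAGIC_TIMESTAMP = 0x2A425E19  # fixed 1992-06-19 stamp left by old Delphi linkers
def pe_checksum(data, checksum_offset):
    """Loader-style CheckSum: fold 32-bit words (skipping the field itself) to 16 bits, add length."""
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:  # assumes a 4-byte-aligned CheckSum field (true for normal headers)
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def triage(data):
    """Static checks for anomalies named in the report: CheckSum, magic timestamp, zero-size sections, overlay."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections, timestamp = struct.unpack_from("<HI", data, coff + 2)
    cs_off = coff + 20 + 64  # CheckSum sits at +64 of the optional header in both PE32 and PE32+
    stored = struct.unpack_from("<I", data, cs_off)[0]
    sections = coff + 20 + struct.unpack_from("<H", data, coff + 16)[0]
    zero_size, data_end = 0, 0
    for n in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + n * 40 + 16)
        zero_size += raw_size == 0
        data_end = max(data_end, raw_ptr + raw_size)
    return {
        "checksum_mismatch": stored != 0 and stored != pe_checksum(data, cs_off),  # 0 = never set
        "magic_timestamp": timestamp == DELPHI_MAGIC_TIMESTAMP,
        "zero_size_sections": zero_size,
        "overlay_offset": data_end if len(data) > data_end else None,
    }

def build_sample_pe(timestamp, checksum=None, overlay=b""):
    """Constructed minimal PE32 for offline testing; checksum=None stores the correct value."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    image = bytearray((dos + b"PE\0\0" + coff + bytes(224) + sect).ljust(0x200, b"\0"))
    image += b"\xC3" * 0x200 + overlay  # one section of raw data, then any appended overlay
    struct.pack_into("<H", image, 0x40 + 24, 0x10B)  # PE32 magic in the optional header
    cs_off = 0x40 + 24 + 64
    struct.pack_into("<I", image, cs_off, pe_checksum(image, cs_off) if checksum is None else checksum)
    return bytes(image)
```

A stored CheckSum of zero is reported as "not set" rather than as a mismatch, because many unsigned builds never fill the field; a nonzero value that does not verify is the anomaly the report flags.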

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #62 on: July 02, 2018, 01:25:31 AM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #63 on: July 16, 2018, 06:32:09 PM »
Doesn't seem to be processed yet! Please take a look at this! Thanks!

File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.InstallCore - Certificate "issued" by Symantec & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=4cbc8fbaaef14d8e8ab603c510b1b40b21c0104f

https://www.virustotal.com/#/file/e356165343915a12bc3b72435dfdce158b52c1d7d1db238b99f457675364bd5c/detection

Some suspicious/malicious indicators:
Compiler/Packer signature > Compiler: MS Visual 10.0, Packer: NSIS
File has multiple binary anomalies (File ignores Code Integrity; The file contains other files (type: Nullsoft, location: overlay, file-offset: 0x00014208 & type: Flash, location: overlay, file-offset: 0x003CF598); PE file has unusual entropy sections; The count "8" of libraries is suspicious; Contains zero-size sections; CRC value set in PE header does not match actual value; Found PE timestamp using the buggy magic timestamp "0x2A425E19")
Found possibly Anti-VM strings (Checks amount of system memory, Queries the disk size)
Found a cryptographic related string (Indicator: "rc6"; File: "PowerISO.exe.2600991351")
Contains ability to check the local/global descriptor table, Contains ability to start/interact with device drivers, Contains native function calls, Contains ability to download files from the internet, Contains ability to open the clipboard, Modifies auto-execute functionality, Checks if a debugger is present, Expects Administrative permission, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Reads Windows Trust Settings, Queries the internet cache settings, Scanning for window names, Drops multiple executable files, Drops system driver, Duplicates the process handle of another process to obtain access rights to that process (21 events), Writes data to "another" process ("regsvr32.exe" & "itself"), Creates a suspicious process (regsvr32.exe /s /u "C:\Program Files\PowerISO\PWRISOSH.DLL"), Installs hooks/patches multiple running processes, Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Accesses Software Policy Settings, Accesses System Certificates Settings
Found possibly suspicious/malicious network related activity >>> GETs data from "50.62.134.113" ("poweriso.com"), Found malicious artifacts related to "50.62.134.113" >>> https://www.virustotal.com/#/ip-address/50.62.134.113

Certificate Details:

Algorithm:                  rsaEncryption
Version:                    3
Issuer:                     /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial:                     118202670773406737515473305365598042868
Serial (Hex):               58ed019dda867257493e61e5f18dfaf4

Valid from:                 May 17 00:00:00 2017 GMT
Valid until:                Aug 15 23:59:59 2020 GMT

C (countryName):            HK [484B]
CN (commonName):            Power Software Limited [506F77657220536F667477617265204C696D69746564]
L (localityName):           North Point [4E6F72746820506F696E74]
O (organizationName):       Power Software Limited [506F77657220536F667477617265204C696D69746564]
ST (stateOrProvinceName):   Hong Kong [486F6E67204B6F6E67]
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #64 on: July 16, 2018, 11:55:00 PM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #65 on: July 18, 2018, 05:50:11 AM »
File is unjustifiably FULLY trusted !!!

MSIL.PUA.Downloader.Variant.WebCompanion - Certificate "issued" by GlobalSign
 
https://valkyrie.comodo.com/get_info?sha1=deebd168b598c633fb7510fd2d3023d18a30d484

https://www.virustotal.com/#/file/2a3110e7e158344192ba7fabf3809289a5b3511ade60d5f4acd0dc75c11970e0/detection

https://analyze.intezer.com/#/analyses/7c67e127-47ec-485e-9267-fccf16df8908/sub/7bfa5ac2-5f7f-4a1f-8dac-f7d8e9935f38

Some suspicious/malicious indicators:
Compiler/Packer/Crypter signature > Compiler: MS Visual C++ 5.0 - 6.0, Packer/Crypter: 7Z, Armadillo 1.71
File has multiple binary anomalies (File ignores Code Integrity; File ignores DEP; Contains unknown resources; CRC value set in PE header does not match actual value; Contains another file (type: 7zSFX, location: overlay, file-offset: "0x000284BA"))
Found possibly Anti-VM strings (Checks amount of system memory; Found VM detection artifact "CPUID trick"; Detect VM environment via file property > GetFileAttributesEx: FileName = C:\WINDOWS\system32\VBoxDisp.dll)
Found cryptographic related strings, Tries to sleep a long time ("WebCompanionInstaller.exe" tried to sleep 2076 seconds), Attempts to identify installed AV products by installation directory (5 events), Reads the active computer name, Reads the cryptographic machine GUID, Reads terminal service related keys, Drops executable files, Creates guarded memory sections, Executes WMI queries (SELECT * FROM Win32_OperatingSystem), Looks for the Windows Idle Time to determine the uptime, Allocates virtual memory in a remote process, Installs hooks/patches the running process ("WSHIP6.DLL", "WSHTCPIP.DLL", "USER32.DLL", "SHFOLDER.DLL", "MSCORWKS.DLL", "NSI.DLL", "WEBCOMPANIONINSTALLER.EXE"), Opens the Kernel Security Device Driver, Reads sensitive internet explorer settings, Reads Internet Cache Settings, Changes internet zones settings, Modifies System certificates
Found possibly suspicious/malicious network related activity >>> Creates windows services ("WebCompanionInstaller.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")), POSTs data to > "72.55.154.82" ("wc-tracking.lavasoft.com") >>> https://www.virustotal.com/#/ip-address/72.55.154.82

Certificate Details:

Algorithm:                    rsaEncryption
Version:                      3
Issuer:                       /C=BE/O=GlobalSign nv-sa/CN=GlobalSign CodeSigning CA - G3
Serial:                       34009650070827778648131810261
Serial (Hex):                 6de41f889cf84643f324b3d5

Valid from:                   Jul 20 14:12:37 2016 GMT
Valid until:                  Jul 21 14:12:37 2018 GMT

C (countryName):              CA [4341]
CN (commonName):              Lavasoft Software Canada
L (localityName):             Saint-Laurent
O (organizationName):         Lavasoft Software Canada
ST (stateOrProvinceName):     Quebec
emailAddress (emailAddress):  itcontracts[at]lavasoft.com
« Last Edit: July 26, 2018, 07:21:26 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • *****
  • Posts: 23
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #66 on: July 18, 2018, 05:53:56 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #67 on: July 18, 2018, 05:56:46 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

Hi Ananthalakshmi M,

the Valkyrie and the VT links have been corrected!

Thank you!
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***


Offline meldan

  • First Response Group
  • Comodo's Hero
  • *****
  • Posts: 3243
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #69 on: August 12, 2018, 03:10:37 PM »
Hi,

Thank you for your submission.
We'll check it.

Kind Regards,
Erik M.

Offline GOA

  • Comodo's Hero
  • *****
  • Posts: 722
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #70 on: August 25, 2018, 09:21:43 AM »
From a fake virus site

SHA1:   a6d7af8ce2ae317d2fe637d0aca5fd971315cb7b

no signature by Comodo

CF 10
Windows 10

Offline meldan

  • First Response Group
  • Comodo's Hero
  • *****
  • Posts: 3243
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #71 on: August 25, 2018, 09:56:14 AM »
Hi,

Thank you for your submission.
We'll check it.

Kind Regards,
Erik M.

Offline morphiusz

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3082
    • Suspicious file?
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #72 on: August 25, 2018, 03:17:36 PM »
7c9e99c81c628eb2d9722d1ccf07f71e203d12c2

This is probably a trusted malicious/PUP file.

https://verdict.valkyrie.comodo.com/file/result?s=7c9e99c81c628eb2d9722d1ccf07f71e203d12c2

Offline meldan

  • First Response Group
  • Comodo's Hero
  • *****
  • Posts: 3243
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #73 on: August 25, 2018, 03:44:21 PM »
Hi,

Thank you for your submission.
We'll check it.

Kind Regards,
Erik M.
