Author Topic: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)  (Read 6014 times)

meldan
  • First Response Group
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #15 on: February 09, 2019, 11:03:33 AM »
Hi,

Thank you for your submission.
We'll check it.

Kind Regards,
Erik M.

cDreamDancer
  • Comodo Member
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #16 on: February 25, 2019, 06:22:26 PM »
False Positive:
https://valkyrie.comodo.com/file/analysis/e44e4dfa-f157-4c14-bc79-17cb33c37eee
File Name:   procexpnt.zip
File Type:  Zip archive data, at least v2.0 to extract
SHA1:   a3ffa3ef88f5abcd81123ae8309c5e1e857477b9
MD5:   4a506726e9e5d07105a72d6b281cb6aa

cDreamDancer
  • Comodo Member
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #17 on: February 25, 2019, 06:24:43 PM »
False Positive:
https://valkyrie.comodo.com/get_info?sha1=d92cbbbb415468c13ac9a72d7c8cec32aab64c15
File Name:   Up.zip
File Type:  Zip archive data, at least v1.0 to extract
SHA1:   d92cbbbb415468c13ac9a72d7c8cec32aab64c15
MD5:   3241c751e8ae1f929f44d4eaa0707b50

cDreamDancer
  • Comodo Member
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #18 on: February 25, 2019, 06:28:19 PM »
False Positive:
"procexp9x.zip"
Cannot upload, webpage claims this un-uploaded file is already uploaded, but attempting to validate the "existing" upload instead loads results for the following submission:
https://valkyrie.comodo.com/file/analysis/e44e4dfa-f157-4c14-bc79-17cb33c37eee

FlorinG
  • Comodo Staff
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #21 on: April 24, 2019, 07:38:50 AM »
Hello guys,

Thank you for submitting these, we'll check them.

Best regards,
FlorinG
If possible, please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first that you have submitted the samples through CIS or CIMA.


Saravanapathi
  • Newbie
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #23 on: April 25, 2019, 02:08:01 AM »
Hi tg912,

Thank you for submitting these, we'll check them.

Best regards,
Saravanapathi V

pio
  • Malware Research Group
  • Comodo's Hero
  • I like CIS, Kali Linux, IDA Pro & FL Studio ;)
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #24 on: September 23, 2019, 08:06:56 PM »
PUA.Variant.InstallCore - Certificate issued by VeriSign & countersigned by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=d4b3d057dd6a741e56761b6276a456d17ec38333

https://www.virustotal.com/gui/file/9ded4e92bc900dd89a814f57a8aeea81e5060044a77d1058a673a0e2fffd1e17/detection

Some suspicious/malicious indicators:

  • Compiler/Packer Signature > Compiler: Microsoft Visual C/C++ (2010 SP1), Packer: NSIS
  • File has multiple binary anomalies: File ignores Code Integrity; PE file has unusual entropy sections; CRC value set in PE header does not match actual value; Contains zero-size sections; The file contains another file > type: Nullsoft, location: overlay, offset: "0x00014208" & type: Flash, location: overlay, offset: "0x003D634E"; Contains a virtualized section
  • Contains ability to open the clipboard
  • Contains ability to retrieve keyboard strokes
  • Contains ability to query CPU information
  • Reads data out of its own binary image
  • Creates guarded memory sections
  • Checks for an ADS file
  • Queries kernel debugger information
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads terminal service related keys
  • Scanning for window names
  • Queries volume information of an entire harddrive
  • Modifies auto-execute functionality
  • Allocates virtual memory in a remote process ("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections")
  • Writes data to a remote process ("iexplore.exe")
  • Makes a code branch decision directly after an API that is environment aware
  • Modifies proxy settings
  • Queries the internet cache settings
  • Queries sensitive IE security settings
  • Creates windows services (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
  • Network activity contains more than one unique useragent (Mozilla/4.0)
  • Sends traffic on typical HTTP outbound port, but without HTTP header
  • POSTs files to malicious webservers (Host: "rp.powopibobu3.com" > https://www.virustotal.com/gui/url/c346c3ad84c464259e732626c6c98abbb1b2af700e92de856b601c336b70b34d/detection & Host: "os.powopibobu3.com" > https://www.virustotal.com/gui/url/ae7be5732917f37824ba97c6168cbc9ee3dc45b70b5aae8a73ede962987d4562/detection)
  • GETs files from a malicious webserver (Host: "rp.powopibobu3.com")

Certificate Details:

Algorithm:     sha1WithRSAEncryption
Version:       3
Issuer:        /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at hXXps://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA
Serial:        75499940057207870675512860210071768171
Serial (Hex):  38ccc270ec2e13e9590e3dcf982e8c6b

Valid from:    Dec  6 00:00:00 2018 GMT
Valid until:   Feb  4 23:59:59 2020 GMT

C (countryName):           HK
CN (commonName):           Power Software Limited
L (localityName):          NORTH POINT
O (organizationName):      Power Software Limited
ST (stateOrProvinceName):  HONG KONG
« Last Edit: September 23, 2019, 08:20:49 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Umamaheshwari
  • Newbie
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #25 on: September 24, 2019, 01:15:43 AM »

Hello pio,

Thank you for submitting these, we'll check them.

Best regards,
Umamaheshwari M

pio
  • Malware Research Group
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #26 on: October 09, 2019, 02:24:21 PM »
Hi,

14 days have now passed since the indicated notice; I allow myself to point out that the file is still classified as completely trustworthy. It would therefore make sense to remove the manufacturer from the TVL and classify the file as harmful.

PUA.Variant.InstallCore - Certificate issued by VeriSign & countersigned by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=d4b3d057dd6a741e56761b6276a456d17ec38333

https://www.virustotal.com/gui/file/9ded4e92bc900dd89a814f57a8aeea81e5060044a77d1058a673a0e2fffd1e17/detection

Ionel
  • Comodo Staff
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #27 on: October 10, 2019, 08:50:39 AM »
Hi pio,

We will look into it.

Thanks and regards,
Ionel

pio
  • Malware Research Group
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #28 on: October 10, 2019, 01:45:05 PM »
> Hi pio,
>
> We will look into it.
>
> Thanks and regards,
> Ionel

Thank you and I can confirm! :) :-TU

pio
  • Malware Research Group
  • Comodo's Hero
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #29 on: October 22, 2019, 10:15:44 PM »
PUA.Variant.FusionCore - Certificate issued by Sectigo & countersigned by DigiCert, AddTrust & USERTrust

>>> https://valkyrie.comodo.com/get_info?sha1=76288415866556b46611ec696317b73eb5292d1e

>>> https://www.virustotal.com/gui/file/39b2f480b78dd8b3f5a6f06bcb692275a88e738d894f2b57206c75d9efef2aba/detection

Some suspicious/malicious indicators:

  • Compiler/Packer Signature: NSIS
  • File has multiple binary anomalies: File ignores Code Integrity; The file contains another file > type: Nullsoft, location: overlay, offset: "0x00012808"; type: Flash, location: overlay, offset: "0x0054698F"; type: Flash, location: overlay, offset: "0x00579199"; PE file has unusual entropy sections; CRC value set in PE header does not match actual value; The file contains a virtualized section; Timestamp in PE header is very old (00:00:00 1970); Contains zero-size sections
  • Contains ability to open the clipboard
  • Attempts to identify installed AV products by registry key (Avast & AVG)
  • Reads the active computer name
  • Reads data out of its own binary image
  • Reads the cryptographic machine GUID
  • Reads the registry for installed applications
  • Reads Windows Trust Settings
  • Scanning for window names
  • Queries kernel debugger information
  • Queries process information
  • Queries sensitive IE security settings
  • Queries the internet cache settings
  • Checks for an ADS file
  • Creates guarded memory sections
  • Makes a code branch decision directly after an API that is environment aware
  • Opens the Kernel Security Device Driver
  • Opens the MountPointManager
  • Modifies System Certificates Settings
  • Modifies Software Policy Settings
  • Modifies proxy settings
  • Opened the service control manager
  • Creates windows services (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
  • Sends traffic on typical HTTP outbound port, but without HTTP header
  • Network activity contains more than one unique useragent (NSIS_Inetc & Mozilla/4.0)

Certificate Details:

Algorithm:     sha256WithRSAEncryption
Version:       3
Issuer:        /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Code Signing CA
Serial:        123913368237704527069529292303013110410
Serial (Hex):  5d38d8bd64455068c2d1c74088c5e28a

Valid from:    Feb 13 00:00:00 2019 GMT
Valid until:   Feb 12 23:59:59 2022 GMT

C (countryName):           DE
CN (commonName):           Tim Kosse
L (localityName):          Köln
O (organizationName):      Tim Kosse
ST (stateOrProvinceName):  NRW
postalCode (postalCode):   50823
street (streetAddress):    Lukasstr. 10
« Last Edit: October 23, 2019, 12:17:14 AM by pio »
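The binary anomalies pio quotes in Reply #24 and Reply #29 (CRC/CheckSum in the PE header not matching the actual value, zero-size sections, unusual entropy sections, a 1970 timestamp, Nullsoft and Flash files sitting in the overlay) are all static header checks that can be reproduced without running the sample. The following is an added example for this thread, not pio's tooling and not anything from Comodo or Valkyrie: it parses the PE headers directly with the standard library, builds a constructed PE32 image in memory to run against (no real installer is embedded), and the 1990 "very old" cutoff, the 7.0 bits/byte entropy threshold and the magic-to-file-type table are assumptions made for the example.

```python
import math
import struct
import time
from collections import Counter
from typing import Optional

# Thresholds and the magic-to-type table are this example's assumptions.
OLDEST_PLAUSIBLE_TS = 631152000   # 1990-01-01 UTC: anything older is "very old"
HIGH_ENTROPY = 7.0                # bits per byte: packed/encrypted section territory
EMBEDDED_MAGIC = {
    b"NullsoftInst": "Nullsoft (NSIS installer header)",
    b"FWS": "Flash (uncompressed SWF)",
    b"CWS": "Flash (zlib-compressed SWF)",
    b"ZWS": "Flash (LZMA-compressed SWF)",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE CheckSum as CheckSumMappedFile computes it: one's-complement sum of the
    32-bit words (skipping the CheckSum field), folded to 16 bits, plus file length."""
    buf = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(buf), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", buf, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def analyze_pe(data: bytes, now: Optional[int] = None) -> dict:
    """Static indicators for one PE image held in memory (no execution, no network)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                            # optional header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4; directories start at +96 (PE32) or +112 (PE32+)
    _, cert_size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + 4 * 8)

    sections = []                                            # (name, VirtualSize, SizeOfRawData, PointerToRawData)
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rawsize, rawptr))
    end = max((rp + rs for _, _, rs, rp in sections), default=size_of_headers)
    overlay = data[end:]                                     # bytes no section header accounts for
    now = int(time.time()) if now is None else now
    computed = pe_checksum(data, checksum_off)
    entropies = {n: shannon_entropy(data[rp:rp + rs]) for n, _, rs, rp in sections if rs}
    return {
        "timestamp": ts,
        "timestamp_anomaly": ts < OLDEST_PLAUSIBLE_TS or ts > now + 86400,
        "checksum_stored": stored,
        "checksum_computed": computed,
        "checksum_mismatch": stored != 0 and stored != computed,   # 0 means the linker never set it
        "zero_size_sections": [n for n, vs, rs, _ in sections if vs == 0 and rs == 0],
        "high_entropy_sections": [(n, round(e, 2)) for n, e in entropies.items() if e > HIGH_ENTROPY],
        "signed": cert_size > 0,                             # has a certificate table (Authenticode)
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "overlay_contains": [label for magic, label in EMBEDDED_MAGIC.items() if magic in overlay],
    }


def with_correct_checksum(data: bytes) -> bytes:
    """Copy of the image with the header CheckSum rewritten to the computed value."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not a real installer): 1970 timestamp, bogus CheckSum,
    one maximally random section, one zero-size section, NSIS + SWF magic in the overlay."""
    hdr = bytearray(0x200)                                   # SizeOfHeaders = 0x200
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    pe, opt, sec = 0x40, 0x40 + 24, 0x40 + 24 + 224
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, ts=0
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 60, 0x200)             # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 64, 0x1234)            # CheckSum: deliberately wrong
    struct.pack_into("<I", hdr, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<8sIIIIIIHHI", hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b".empty", 0, 0x2000, 0, 0, 0, 0, 0, 0, 0x40000040)
    text = bytes(range(256)) * 2                             # every byte value twice: entropy 8.0
    overlay = b"\0" * 16 + b"\xef\xbe\xad\xde" + b"NullsoftInst" + b"\0" * 32 + b"FWS\x0a" + b"\0" * 16
    return bytes(hdr) + text + overlay


if __name__ == "__main__":
    for key, value in analyze_pe(build_sample_pe()).items():
        print(f"{key:22} {value}")
```

Two caveats when reading the output against a real sample. Windows only enforces the header CheckSum for kernel drivers and boot-time images, so a mismatch in a user-mode installer is a build-hygiene signal and not evidence of tampering, and an Authenticode signature remains valid over a wrong CheckSum because the Authenticode hash skips that field and the certificate table. The three-byte SWF magics will also match random data inside a large overlay, so treat "overlay_contains" as a hint to carve and inspect, not as a verdict.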
