Author Topic: Report trusted and whitelisted malware here - 2022 (NO LIVE MALWARE!)  (Read 41722 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #30 on: October 23, 2019, 12:03:41 AM »
Trojan.Agent.Dropper - Certificate issued by DigiCert

The certificate was stolen with great certainty! 

>>> https://valkyrie.comodo.com/get_info?sha1=8af07437424b145e7b4c3bd07c64168628d9d1d9

>>> https://www.virustotal.com/gui/file/d78259dace96f50b298e1be72165831806a0bc4212ba740fae6f8b8a791ae7fc/detection

Some suspicious/malicious indicators:
- Compiler/Packer Signature: Compiler: Microsoft Visual C++ 8, Packer: APLib Compression
- File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, The export table has an invalid RVA at "19f70", The file contains a suspicious section (name: Winzip), PE file has unusual entropy sections, The file doesn't register any VersionInfo)
- Spawns a "doc" file that contains VBA Macros (Obfuscation method: VBA Macro String Functions > Suspicious Macro Strings: "WinHttpRequest", "CreateObject", "Shell"...)
- Contains native function calls (NtdllDefWindowProc_A[at]NTDLL.DLL)
- Contains ability to query CPU information
- Contains ability to lookup its own filename
- Tries to detect if debugger is attached
- Reads data out of its own binary image
- Spawns a child process
- The initial file deletes itself
- Writes data to a newly created process
- Reads terminal service related keys
- Checks for an ADS
- Creates an ADS
- Makes a code branch decision directly after an API that is environment aware
- Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- Opens the Kernel Security Device Driver

YARA rule matches:

#openxml_remote_content
#DIE_libavcodec_ff_mjpeg_val_ac_chrominance
#DIE_libavcodec_ff_mjpeg_val_ac_luminance
#DIE_lzari_StartModel_LE
#VBA_suspicious_strings
#mraptor_oletools
#VBA_external_connections
#DIE_RNG_original_numbers_LE
#DIE_PKCS_DigestDecoration_MD5
#DIE_Boucher_randgen5_LE
#DIE_SSL3_define_BE
#DIE_Boucher_randgen1_LE
#misc_pe_signature
#DIE_Zip_Crypto_LE
#DIE_function_where_is_handled_the_ZipCrypto_password_LE
#DIE_SSH_RSA_id_sha1_OBJ_ID_oiw_14_secsig_3_algorithms_2_26
#DIE_unlzx_table_three_LE
#DIE_zinflate_distanceStarts_LE
#DIE_zinflate_lengthStarts_LE
#DIE_zinflate_distanceExtraBits_LE

Certificate Details:

Algorithm:                   sha256WithRSAEncryption
Version:                      3
Issuer:                       /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
Serial:                       18197605158510993702346925233214526630
Serial (Hex):             0db0bb34737f4292896e7b3c163714a6

Valid from:                  Oct 26 00:00:00 2017 GMT
Valid until:                  Oct 30 12:00:00 2020 GMT

C (countryName):                 US
CN (commonName):              Endres Actuarial Consulting LLC
L (localityName):                   Eden Prairie
O (organizationName):          Endres Actuarial Consulting LLC
ST (stateOrProvinceName):   Minnesota
businessCategory :               Private Organization
jurisdictionC:                          US
jurisdictionST:                        Minnesota
serialNumber:                        709967500025
« Last Edit: October 23, 2019, 12:52:50 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Mageshwaran

  • Comodo Member
  • **
  • Posts: 45
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #31 on: October 23, 2019, 07:48:22 AM »
Hi pio,

Thank you for reporting.
We'll check it

Regards,
Mageshwaran B

Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3580
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #33 on: November 12, 2019, 09:23:19 AM »
Hi pio,

PUA.Variant.FusionCore - Certificate issued by Sectigo & countersigned by DigiCert, AddTrust & USERTrust

>>> https://valkyrie.comodo.com/get_info?sha1=76288415866556b46611ec696317b73eb5292d1e

>>> https://www.virustotal.com/gui/file/39b2f480b78dd8b3f5a6f06bcb692275a88e738d894f2b57206c75d9efef2aba/detection

This is a well-known application highly used by people. Installer contains a plugin which prompts user during installation with offers to install other known applications. It is not harmful for users, but for some can be nagging. However, there are two use-cases here, users who want to be able to install this without issues, without being sandboxed by CIS (therefore clean verdict needs to be held) and users who are very strict about what they install on their systems, therefore offer has to be blocked. So, for this case the following measure has been put in place: maintain the vendor in trusted vendor list and safe verdict for installer (in order not to break functionality, being a highly used application), but add detection for the plugin which is responsible for displaying the 3rd party offer, so upon installation CIS will block it.

Trojan.Agent.Dropper - Certificate issued by DigiCert

The certificate was stolen with great certainty! 

>>> https://valkyrie.comodo.com/get_info?sha1=8af07437424b145e7b4c3bd07c64168628d9d1d9

>>> https://www.virustotal.com/gui/file/d78259dace96f50b298e1be72165831806a0bc4212ba740fae6f8b8a791ae7fc/detection

This is a case of false-positive from other vendors, no reason to report the certificate.

Regards,
Ionel

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #34 on: November 12, 2019, 11:09:45 PM »
Quote from: Ionel on November 12, 2019, 09:23:19 AM

Hi Ionel,

Thank you for the detailed information. I am very grateful for this, because it gives me the opportunity to better understand which criteria are crucial for your particular classification.

Regarding the first file, I have already noticed that the "fusion.dll" is now captured via signature recognition. I uploaded this file separately to Valkyrie and VT some time ago, together with a reference to its harmfulness. I should have included the presence of FusionCore components in my classification, but I will do so in the next case of this kind.

>>> https://www.virustotal.com/gui/file/9682d735a6158c1438e56f7db7da3fb918b17573d77464958cd7749b0888529e/detection

As for the second file, after closer examination of the dropped file "eac_pv.xlam" (https://www.virustotal.com/gui/file/f62e7fb7c7c6dcb103556111e75a82248f967048ee080c556a813871ef28181b/detection) I can confirm that it is a false positive. Responsible for the wrong evaluations are the macros, which are recognized as strong indicators of potentially harmful behavior. I've changed and adapted my Yara detection rules accordingly.

Best Regards,
pio

For those who are interested, here are the reasons for detection by numerous antivirus vendors and sandboxes:

Dropped file "eac_pv.xlam" >>> (https://www.virustotal.com/gui/file/f62e7fb7c7c6dcb103556111e75a82248f967048ee080c556a813871ef28181b/detection)

Commonly Abused Properties:

May execute code from Dynamically Linked Libraries.
May try to run other files, shell commands or applications.
Makes use of macros
Contains code to deceive researchers and automatic analysis systems.
Automatically runs commands or instructions when the file is opened.
May attempt to create directories.
May create OLE objects.
May enumerate open windows.
May perform operations with other files.
Contains deobfuscation code.

Found encoded VBA Macros/Strings:

Chr: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Open: May open a file
Output: May write to a file (if combined with Open)
Print #: May write to a file (if combined with Open)
run: May run an executable file or a system command
Windows: May enumerate application windows (if combined with Shell.Application object)
Kill: May delete a file
Binary: May read or write a binary file (if combined with Open)
Environ: May read system environment variables
Put: May write to a file (if combined with Open)
ChrW: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Xor: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Shell: May run an executable file or a system command
vbNormalFocus: May run an executable file or a system command
CreateObject: May create an OLE object
GetVolumeInformationA: May detect Anubis Sandbox
GetVolumeInformation: May detect Anubis Sandbox
Lib: May run code from a DLL
Run: May run an executable file or a system command
put: May write to a file (if combined with Open)
MkDir: May create a directory
binary: May read or write a binary file (if combined with Open)

E-mail address: Email = chris.endres[at]ICLOUD.com
E-mail address: OpenWebPage mailto://info[at]endresactuarial.com
URL: X = <customUI xmlns='hxxp://schemas.microsoft.com/office/2009/07/customui' onLoad='OnRibbonLoad'><ribbon><tabs><tab id='tab1' label='PV Tools'>
E-mail address: frmUnlock.txtEmail = chris.endres[at]icloud.com
E-mail address: t = 'reginald.andre[at]gs.com','2329','eacpv','9/2/2019','9/3/2018 12:00:00 AM','0.00','Reg Andre','5'
URL: FileName = hxxps://endresactuarial.com/eac/eac_users.csv?aparam=Now() 'now needed to refesh cache
URL: OpenWebPage hxxps://mort.soa.org
URL: OpenWebPage hxxps://www.irs.gov/Retirement-Plans/Minimum-Present-Value-Segment-Rates
URL: X = XvbCrLfhxxps://www.irs.gov/retirement-plans/minimum-present-value-segment-rates.
URL: Public Const EAC_URL = hxxps://endresactuarial.com/eac/
URL: OpenWebPage hxxps://www.irs.gov/Retirement-Plans/Minimum-Present-Value-Segment-Rates
URL: t = GetURLText(hxxps://www.irs.gov/Retirement-Plans/Minimum-Present-Value-Segment-Rates)
URL: t = GetURLText(hxxps://www.ssa.gov/OACT/COLA/cbb.html)
URL: t = GetURLText(hxxps://www.ssa.gov/OACT/COLA/colaseries.html)
URL: t = GetURLText(hxxps://www.ssa.gov/OACT/COLA/AWI.html)
« Last Edit: November 13, 2019, 02:06:06 AM by pio »
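The olevba output quoted in the post above is keyword matching: the same table fires on a legitimate actuarial add-in and on a dropper, and what separates the two is where the resolved URLs and shell commands point. Added example (not code from the thread, from Comodo or from the oletools project): a small olevba-style scanner in Go that reports AutoExec and Suspicious keywords on the raw VBA, folds Chr()/ChrW() chains into the string they build, and then extracts URL and e-mail IOCs from the deobfuscated source. The keyword table is a short subset written for the example, and the macro it scans is constructed here with example.com placeholders; none of it is the eac_pv.xlam add-in's code.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one olevba-style hit: category, keyword (or IOC kind), description.
type Finding struct{ Type, Keyword, Description string }

// Keyword tables in the spirit of olevba's, reduced to a subset for this example.
var autoExec = map[string]string{
	"Auto_Open":     "Runs when the Excel Workbook is opened",
	"Workbook_Open": "Runs when the Excel Workbook is opened",
	"Document_Open": "Runs when the Word document is opened",
}
var suspicious = map[string]string{
	"Shell":          "May run an executable file or a system command",
	"CreateObject":   "May create an OLE object",
	"WinHttpRequest": "May download files from the Internet",
	"Chr":            "May attempt to obfuscate specific strings",
	"Environ":        "May read system environment variables",
	"Open":           "May open a file",
	"Put":            "May write to a file (if combined with Open)",
	"Kill":           "May delete a file",
	"MkDir":          "May create a directory",
}

var (
	chrChain    = regexp.MustCompile(`(?i)ChrW?\(\s*\d+\s*\)(?:\s*&\s*ChrW?\(\s*\d+\s*\))*`)
	digits      = regexp.MustCompile(`\d+`)
	literalJoin = regexp.MustCompile(`"\s*&\s*"`) // "ab" & "cd"  ->  "abcd"
	urlRe       = regexp.MustCompile(`https?://[^\s"']+`)
	emailRe     = regexp.MustCompile(`[\w.+-]+@[\w-]+\.[\w.-]+`)
)

// DeobfuscateChr folds Chr(n) & Chr(m) chains into string literals and joins
// adjacent literals, so IOC extraction sees the URL the macro actually builds.
func DeobfuscateChr(src string) string {
	out := chrChain.ReplaceAllStringFunc(src, func(m string) string {
		var sb strings.Builder
		for _, d := range digits.FindAllString(m, -1) {
			n, _ := strconv.Atoi(d)
			sb.WriteRune(rune(n))
		}
		return `"` + sb.String() + `"`
	})
	return literalJoin.ReplaceAllString(out, "")
}

// Scan reports keyword hits on the raw source (so Chr itself is still visible)
// and IOCs on the deobfuscated copy. VBA is case-insensitive, so matching is too.
func Scan(src string) []Finding {
	var out []Finding
	hit := func(kw string) bool {
		return regexp.MustCompile(`(?i)\b` + regexp.QuoteMeta(kw) + `\b`).MatchString(src)
	}
	for kw, d := range autoExec {
		if hit(kw) {
			out = append(out, Finding{"AutoExec", kw, d})
		}
	}
	for kw, d := range suspicious {
		if hit(kw) {
			out = append(out, Finding{"Suspicious", kw, d})
		}
	}
	clean := DeobfuscateChr(src)
	for _, u := range urlRe.FindAllString(clean, -1) {
		out = append(out, Finding{"IOC", "URL", u})
	}
	for _, e := range emailRe.FindAllString(clean, -1) {
		out = append(out, Finding{"IOC", "Email", e})
	}
	sort.Slice(out, func(i, j int) bool { // map iteration is random; fix the order
		if out[i].Type != out[j].Type {
			return out[i].Type < out[j].Type
		}
		return out[i].Keyword < out[j].Keyword
	})
	return out
}

// HasFinding looks a hit up; desc == "" matches any description.
func HasFinding(fs []Finding, typ, kw, desc string) bool {
	for _, f := range fs {
		if f.Type == typ && f.Keyword == kw && (desc == "" || f.Description == desc) {
			return true
		}
	}
	return false
}

// SampleMacro is a constructed stand-in for an add-in like the one in the thread:
// it refreshes a user list over HTTPS at open time and shells out. Placeholders only.
const SampleMacro = `Private Sub Workbook_Open()
    Dim h As Object
    Set h = CreateObject("WinHttp.WinHttpRequest.5.1")
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & "updates.example.com/users.csv"
    h.Open "GET", u, False
    h.Send
    Open Environ("TEMP") & "\users.csv" For Binary As #1
    Put #1, , h.ResponseBody
    Close #1
    Shell "cmd /c type " & Environ("TEMP") & "\users.csv", vbNormalFocus
    frmUnlock.txtEmail = "support@example.com"
End Sub`

func main() {
	for _, f := range Scan(SampleMacro) {
		fmt.Printf("%-10s | %-14s | %s\n", f.Type, f.Keyword, f.Description)
	}
}
```

Run it and every Suspicious row is the same one the thread shows for eac_pv.xlam; the rows that carry the decision are the IOC ones, which only appear once the Chr() chain has been folded. That is the check to make before calling a macro-laden add-in malicious on keyword hits alone.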

Offline pio
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #35 on: November 12, 2019, 11:19:15 PM »
Various InstallCore variants - All fully trustworthy!

>>> https://valkyrie.comodo.com/get_info?sha1=a6734d1d049a26fdc538ed587748480dbea2b19d
>>> https://www.virustotal.com/gui/file/9d5f657d1cadad51b7ecb37138e81a2b514f755eb94da0fa12c23ab937165cdb/detection

>>> https://valkyrie.comodo.com/get_info?sha1=0742252f79f9d6f84cc59b93ea3ddf91166b4ca5
>>> https://www.virustotal.com/gui/file/4f5cff39b8e3570e9f346813a1d56b1df853122f44e6d81ab2eaee3848291b33/detection

>>> https://valkyrie.comodo.com/get_info?sha1=e88cb1e65591eadf0213d841aa50ade53d39893b
>>> https://www.virustotal.com/gui/file/d6d0615e1a257457b0b90ba16edba3e52254805798ad3b52dfa5c5886aefbc6d/detection

All 3 files use the same certificate:


Issuer: Thawte

Name: Atomiq Technologies Inc.
Status: Valid
Valid From: 12:00 AM 12/10/2018
Valid To: 11:59 PM 12/10/2019
Valid Usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 81A58F3450CA8CFAAB4095D6B842A6898B47928A
Serial Number: 44 D2 81 9E 36 C4 06 2B 82 31 E0 54 5E D5 D6 3A

« Last Edit: November 13, 2019, 01:11:48 AM by pio »

Offline Mageshwaran
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #36 on: November 13, 2019, 01:48:48 AM »
Hi pio,

Thank you for reporting.
We'll check it

Regards,
Mageshwaran B

Offline pio
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #37 on: November 14, 2019, 09:08:19 PM »
Quote from: pio on November 12, 2019, 11:19:15 PM (Various InstallCore variants - All fully trustworthy!)

Due to time limitations, I have not been able to give more details about the last files I've posted. I would like to make up for it now.

>>> https://valkyrie.comodo.com/get_info?sha1=0742252f79f9d6f84cc59b93ea3ddf91166b4ca5 > Signature detection was added

PUA.Variant.InstallCore

>>> https://valkyrie.comodo.com/get_info?sha1=a6734d1d049a26fdc538ed587748480dbea2b19d
>>> https://www.virustotal.com/gui/file/9d5f657d1cadad51b7ecb37138e81a2b514f755eb94da0fa12c23ab937165cdb/detection

>>> https://valkyrie.comodo.com/get_info?sha1=e88cb1e65591eadf0213d841aa50ade53d39893b
>>> https://www.virustotal.com/gui/file/d6d0615e1a257457b0b90ba16edba3e52254805798ad3b52dfa5c5886aefbc6d/detection

Both files belong to the same variant of "InstallCore" and therefore have the same indicators.

Some suspicious/malicious indicators:
- Compiler/Packer Signature: Compiler: Embarcadero Delphi (2009-2010), Packer: Inno Setup Module 5 [SFX] - ver. (5.5.0) Borl.Delphi 2009
- File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, ASLR is disabled, The location of the entry-point is suspicious ("section: .itext:0x000113BC"), Contains another file (type: InnoSetup, location: overlay, offset: "0x0001D200"), The file-ratio of the overlay is suspicious (ratio: "94.70 %"), Contains unknown resources, References a string with a suspicious size (size: "1594 bytes"), Contains several executable sections, Contains a virtualized section, Contains zero-size sections)
- Contains ability to reboot/shutdown the operating system
- Tries to delay the analysis
- Reads Environment values
- Reads internet explorer settings
- Reads settings of System Certificates
- Escalates privileges
- Runs a Keylogger
- Reads data out of its own binary image
- Creates guarded memory sections
- Found strings in conjunction with a procedure lookup that resolve to a known API export symbol (Found reference to API GetLongPathNameW[at]"KERNEL32.DLL")
- Hooks running process ("user32.dll")
- POSTs data to IPs which are part of the InstallCore Network (ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1 > "52.16.29.135", ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3 > "52.212.215.62", ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4 > "52.51.217.55")

MITRE ATT&CK Techniques:

Execution: "T1059" (Command-Line Interface) >  Starts CMD.EXE for commands execution
Execution: "T1106" (Execution through API) > Application launched itself
Defense Evasion: "T1107" (File Deletion) > Starts CMD.EXE for self-deleting
Discovery: "T1012" (Query Registry) > Searches for installed software,  Reads internet explorer settings, Reads Environment values, Reads settings of System Certificates
Discovery: "T1082" (System Information Discovery) > Reads Environment values
« Last Edit: November 14, 2019, 09:18:47 PM by pio »

Offline pio
Re: Report trusted and whitelisted malware here- 2020 (NO LIVE MALWARE!)
« Reply #38 on: February 29, 2020, 03:44:21 PM »
Riskware.PUP.ExelAddin.Bluematrix - Certificate issued by GoDaddy

>>> https://valkyrie.comodo.com/get_info?sha1=69110dbcd3941e2d4206faa68370876bf778d7e5

>>> https://www.virustotal.com/gui/file/826f2d0e6ab092fc7f21198a4636abb84048e13db4626a8f1a86fd52d4b2d578/detection

Some suspicious/malicious indicators:
- Compiler/Packer Signature: Compiler: Microsoft Visual C/C++ (2008-2010) [EXE32]
- File has multiple binary anomalies (File ignores Code Integrity, Contains another file (type: executable, location: resources, offset: "0x0008A900"), Buffers contain embedded PE files (sha1: bc75d4e61747fd8cb61c7e83c08fb43b417c7a59 & sha1: d26a366e8c5ce4c756ee62e0fe51798eeb33f588), CRC value set in PE header does not match actual value)
- Imports sensitive libraries (Shell Folder Service, Windows Installer, Internet Extensions for Win32, OLE32 Extensions for Win32, Process Status Helper)
- Contains ability to create named pipes
- Contains ability to elevate privileges
- Contains ability to open the clipboard
- Expresses interest in specific running processes ("msiexec.exe")
- Creates RWX memory
- A process created a hidden window (Setup_6_6.exe -> "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\ExcelAddin_2020228944\Setup_6_6.msi")
- Creates a windows hook that monitors keyboard input
- Tries to detect if debugger is attached
- Checks adapter addresses
- Queries volume information of an entire harddrive
- Queries kernel debugger information
- Queries process information
- Queries sensitive IE security settings
- Queries the internet cache settings
- Reads the active computer name
- Reads the cryptographic machine GUID
- Queries the installation properties of user installed products
- Reads Windows Trust Settings
- Scanning for window names
- Opens the MountPointManager
- Modifies System Certificates Settings
- Modifies Software Policy Settings
- Modifies auto-execute functionality
- Modifies "WPAD" proxy autoconfiguration file
- Mimics the system's user agent string for its own requests
- Opens the Kernel Security Device Driver
- Performs Access Token Manipulation
- Communicates with hosts for which no DNS query was performed ("192.124.249.23", "192.124.249.41", "38.109.109.199")

Certificate Details:

Algorithm:                   sha256WithRSAEncryption
Version:                      3
Issuer:                       /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
Serial:                        16618953072637513010
Serial (Hex):             e6a261c4c1720d32

Valid from:                  Jul 17 20:17:47 2018 GMT
Valid until:                  Jul 17 20:17:47 2021 GMT

C (countryName):                   US
CN (commonName):               Blue Matrix I LLC
L (localityName):                    New York
O (organizationName):          Blue Matrix I LLC
ST (stateOrProvinceName):   New York
« Last Edit: March 02, 2020, 09:43:16 PM by pio »

Offline Mageshwaran
Re: Report trusted and whitelisted malware here- 2020 (NO LIVE MALWARE!)
« Reply #39 on: March 01, 2020, 02:34:24 AM »
Hi pio,

Thank you for reporting.
We'll check and verify it

Regards,
Mageshwaran B

Offline pio
Re: Report trusted and whitelisted malware here- 2020 (NO LIVE MALWARE!)
« Reply #40 on: March 02, 2020, 06:22:17 AM »
PUA.Variant.OpenCandy - Certificate issued by Thawte and countersigned by Symantec & VeriSign

>>> https://valkyrie.comodo.com/get_info?sha1=3f40e60d7bb4d2d8b5d8dbc5bf06fa7fbf2e1790

>>> https://www.virustotal.com/gui/file/3c90e7730174d6f321e6858d49a15a26ad014fa2b7d4a6eea6e60723405064f2/detection

Some suspicious/malicious indicators:
- Compiler/Packer Signature: Compiler: Borland Delphi (2), Packer: Inno Setup Module 5.50 [SFX] - ver. (5.5.0) Borl.Delphi
- File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, ASLR is disabled, Contains zero-size sections, CRC value set in PE header does not match actual value)
- Contains ability to open the clipboard
- Found more than one unique User-Agent (InnoTools_Downloader)
- Checks if process is being debugged
- Queries kernel debugger information
- Queries process information
- Queries sensitive IE security settings
- Queries the internet cache settings
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads terminal service related keys
- Reads the registry for installed applications
- Checks for an ADS file
- Checks for the presence of an Antivirus engine (Executes one or more WMI queries: SELECT * FROM AntiVirusProduct)
- Creates guarded memory sections
- Runs a Keylogger
- Tries to sleep for a long time
- Modifies auto-execute functionality
- Modifies proxy settings
- Opens the Kernel Security Device Driver
- Creates and modifies windows services
- Writes data to a remote process ("C:\Windows\System32\rundll32.exe" & "C:\Windows\System32\regsvr32.exe")
- Raised Suricata alerts: ETPRO POLICY InnoTools Downloader User-Agent (InnoTools Downloader) > ETPRO ADWARE_PUP Observed Suspicious UA (InnoTools_Downloader) > ETPRO HUNTING Suspicious User-Agent containing Loader Observed

Certificate Details:

Algorithm:                    sha1WithRSAEncryption
Version:                       3
Issuer:                        /C=US/O=Thawte, Inc./CN=Thawte Code Signing CA - G2
Serial:                       134716351233678962206661072085851957985
Serial (Hex):             65596cec842f63b39f082afbd5d9eae1

Valid from:                  May 30 00:00:00 2012 GMT
Valid until:                  May 30 23:59:59 2013 GMT

C (countryName):                  DE
CN (commonName):              Chinery & Heindoerfer GbR
L (localityName):                   Hamburg
O (organizationName):         Chinery & Heindoerfer GbR
ST (stateOrProvinceName):   Hamburg
« Last Edit: March 02, 2020, 06:32:24 AM by pio »
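Two reports in this thread turn on the certificate block: the DigiCert certificate in Reply #30 (serial, validity window, subject fields) and the Thawte certificate directly above, which expired on 30 May 2013 yet still carries a valid Authenticode signature because it was countersigned (timestamped) inside its validity window, so Windows evaluates the chain at the countersignature time rather than today. Added example, not code from the thread, from Comodo or from any of the vendors named: a Go program that builds a throwaway CA and code-signing leaf with the same validity dates as the Thawte certificate (names and keys are invented for the demo; only the serial is copied from the post), prints the fields the thread lists including the SHA-1 thumbprint, and verifies the chain for the code-signing EKU once at a countersignature time and once at the present, showing why the first succeeds and the second fails. It does not parse a signed PE; for a real binary you would pull the PKCS#7 blob from the Security data directory and hand the signer certificate's DER to Summarize.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertSummary holds the fields the thread quotes under "Certificate Details".
type CertSummary struct {
	Algorithm, Issuer, Subject, Serial, SerialHex, Thumbprint string
	Version                                                  int
	NotBefore, NotAfter                                      time.Time
}

// slashDN renders a name in the OpenSSL one-line form used in the thread.
func slashDN(n pkix.Name) string {
	var parts []string
	for _, kv := range []struct {
		k  string
		vs []string
	}{{"C", n.Country}, {"ST", n.Province}, {"L", n.Locality}, {"O", n.Organization},
		{"OU", n.OrganizationalUnit}, {"CN", []string{n.CommonName}}} {
		for _, v := range kv.vs {
			if v != "" {
				parts = append(parts, "/"+kv.k+"="+v)
			}
		}
	}
	return strings.Join(parts, "")
}

// Summarize parses one DER certificate into the thread's fields. The thumbprint
// Windows shows is SHA-1 over the whole DER encoding, not over the public key.
func Summarize(der []byte) (CertSummary, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	tp := sha1.Sum(der)
	return CertSummary{
		Algorithm: c.SignatureAlgorithm.String(), Version: c.Version,
		Issuer: slashDN(c.Issuer), Subject: slashDN(c.Subject),
		Serial: c.SerialNumber.String(), SerialHex: hex.EncodeToString(c.SerialNumber.Bytes()),
		Thumbprint: strings.ToUpper(hex.EncodeToString(tp[:])),
		NotBefore:  c.NotBefore, NotAfter: c.NotAfter,
	}, nil
}

// VerifyCodeSigning chains the leaf to roots for the code-signing EKU as of `at`.
// For a countersigned binary `at` is the timestamp; without one it is "now",
// which is why an expired certificate only verifies in the first case.
func VerifyCodeSigning(leafDER []byte, roots *x509.CertPool, at time.Time) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// BuildDemoChain makes a throwaway CA and code-signing leaf whose validity copies
// the Thawte certificate's dates. Names and keys are invented for this example.
func BuildDemoChain() ([]byte, *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:   pkix.Name{Country: []string{"US"}, Organization: []string{"Demo CA Inc."}, CommonName: "Demo Code Signing CA"},
		NotBefore: time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	serial, _ := new(big.Int).SetString("65596cec842f63b39f082afbd5d9eae1", 16) // serial quoted in the post
	leaf := &x509.Certificate{
		SerialNumber: serial, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		Subject: pkix.Name{Country: []string{"DE"}, Province: []string{"Hamburg"}, Locality: []string{"Hamburg"},
			Organization: []string{"Example Signer GbR"}, CommonName: "Example Signer GbR"},
		NotBefore: time.Date(2012, 5, 30, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2013, 5, 30, 23, 59, 59, 0, time.UTC),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leafDER, roots
}

func main() {
	leafDER, roots := BuildDemoChain()
	s, _ := Summarize(leafDER)
	fmt.Printf("Algorithm: %s\nVersion: %d\nIssuer: %s\nSerial: %s (hex %s)\nValid: %s to %s\nSubject: %s\nThumbprint: %s\n",
		s.Algorithm, s.Version, s.Issuer, s.Serial, s.SerialHex, s.NotBefore.Format(time.RFC3339), s.NotAfter.Format(time.RFC3339), s.Subject, s.Thumbprint)
	fmt.Println("at countersignature time 2012-11-01:", VerifyCodeSigning(leafDER, roots, time.Date(2012, 11, 1, 0, 0, 0, 0, time.UTC)))
	fmt.Println("with no countersignature, today:    ", VerifyCodeSigning(leafDER, roots, time.Now()))
}
```

The practical point for "stolen certificate" reports such as Reply #30: a certificate that is still inside its window and chains to a public CA proves only that someone held the key at signing time, so the thumbprint and serial printed here are what you quote to the CA for revocation, and the countersignature time is what tells you whether the signing happened before or after the cert was reported stolen.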

Offline Mageshwaran
Re: Report trusted and whitelisted malware here- 2020 (NO LIVE MALWARE!)
« Reply #41 on: March 02, 2020, 06:35:45 AM »
Hi pio,

Thank you for reporting.
We'll check and verify it

Regards,
Mageshwaran B

Offline pio
Re: Report trusted and whitelisted malware here- 2020 (NO LIVE MALWARE!)
« Reply #42 on: March 02, 2020, 06:41:23 AM »
Quote from: Mageshwaran on March 02, 2020, 06:35:45 AM

Thank you very much, but please don't leave my previous find unprocessed.

Riskware.PUP.ExelAddin.Bluematrix - Certificate issued by GoDaddy

>>> https://valkyrie.comodo.com/get_info?sha1=69110dbcd3941e2d4206faa68370876bf778d7e5

>>> https://www.virustotal.com/gui/file/826f2d0e6ab092fc7f21198a4636abb84048e13db4626a8f1a86fd52d4b2d578/detection
« Last Edit: March 02, 2020, 09:44:06 PM by pio »

Offline pio
Re: Report trusted and whitelisted malware here- 2020 (NO LIVE MALWARE!)
« Reply #43 on: March 02, 2020, 09:39:34 PM »
Riskware.PUP.ExelAddin.Bluematrix - Certificate issued by GoDaddy

>>> https://valkyrie.comodo.com/get_info?sha1=69110dbcd3941e2d4206faa68370876bf778d7e5

>>> https://www.virustotal.com/gui/file/826f2d0e6ab092fc7f21198a4636abb84048e13db4626a8f1a86fd52d4b2d578/detection

Regarding this file and based on its actual function and what it actually does, I rate this file as Riskware/PUP. The classification of various antivirus companies as "Trojan.Dropper.Dapato" is a false positive.
« Last Edit: March 02, 2020, 09:44:23 PM by pio »


 
