Author Topic: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong  (Read 45343 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 500
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #45 on: February 09, 2018, 11:35:17 PM »
Sorry guys, but I've found another one!!!

PUA/Adware.Variant.InstallCore

https://valkyrie.comodo.com/get_info?sha1=c13b2fb19882eb8133f526c3b4a04195096d298c

https://www.virustotal.com/#/file/f7e2bca5ca0caaa30a08418d120743eb751f91ce969169d6bc0cc8256d09fa32/detection

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: Inno Setup 5.50, File has multiple PE anomalies (Compiler timestamp is suspicious (06/20/1992), File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, PE file contains zero-size sections, File has 3 shared sections, Contains unknown resources), Checks if a debugger is present, Contains ability to start/interact with device drivers, Tries to delay the analysis, Creates guarded memory sections, Drops executable files, Reads the active computer name, Reads the registry for installed applications, Scanning for window names, Scans for the windows taskbar, Queries process information, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Makes a code branch decision directly after an API that is environment aware, Duplicates the process handle of another process to obtain access rights to that process, Creates a windows hook that monitors keyboard input, Opens the Kernel Security Device Driver, Looks up many procedures within the same disassembly stream (Found 57 calls to GetProcAddress@KERNEL32.DLL), Found misc activity (PE EXE or DLL Windows file download over HTTP on Port 49163 (TCP))
« Last Edit: February 09, 2018, 11:46:34 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***


Offline pio
PUA/Rogueware.ReimageRepair

https://valkyrie.comodo.com/get_info?sha1=a6d7af8ce2ae317d2fe637d0aca5fd971315cb7b

https://www.virustotal.com/#/file/315609f7d22aa3ca237afa9b33aac5f3bc7c44a07c5a6022f06fe653794f577f/detection

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: MS Visual C++ 10.0, Packer: Nullsoft SFX, Armadillo v1.xx - v2.xx, File has multiple binary anomalies (CRC value set in PE header does not match actual value, PE file contains zero-size sections), Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, Expects Administrative permission, References Windows built-in privileges, Found potentially Anti-VM strings (Checks amount of system memory, Executes one or more WMI queries), Tries to delay the analysis ("tasklist.exe" tried to sleep "840" seconds), Reads the active computer name, Reads the cryptographic machine GUID, Reads configuration files, Reads the registry for installed applications, Reads terminal service related keys, Drops multiple executable files, Runs shell commands, Opens the MountPointManager, Opens the Kernel Security Device Driver, Queries kernel debugger information, Touches multiple files in the Windows directory, Found Windows Hook ("cmd.exe" wrote bytes to "USER32.DLL")

Offline pio
Thanks for the reanalysis! The file has a correct Valkyrie verdict and also a positive Human Expert verdict as Malware (PUA), but the signature is missing. Please take a look at this. Thank you!!!

PUA/Rogueware.ReimageRepair

https://valkyrie.comodo.com/get_info?sha1=a6d7af8ce2ae317d2fe637d0aca5fd971315cb7b

https://www.virustotal.com/#/file/315609f7d22aa3ca237afa9b33aac5f3bc7c44a07c5a6022f06fe653794f577f/detection

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: MS Visual C++ 10.0, Packer: Nullsoft SFX, Armadillo v1.xx - v2.xx, File has multiple binary anomalies (CRC value set in PE header does not match actual value, PE file contains zero-size sections), Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, Expects Administrative permission, References Windows built-in privileges, Found potentially Anti-VM strings (Checks amount of system memory, Executes one or more WMI queries), Tries to delay the analysis ("tasklist.exe" tried to sleep "840" seconds), Reads the active computer name, Reads the cryptographic machine GUID, Reads configuration files, Reads the registry for installed applications, Reads terminal service related keys, Drops multiple executable files, Runs shell commands, Opens the MountPointManager, Opens the Kernel Security Device Driver, Queries kernel debugger information, Touches multiple files in the Windows directory, Found Windows Hook ("cmd.exe" wrote bytes to "USER32.DLL")

Offline pio
PUA/Adware.Variant.InstallCore

https://valkyrie.comodo.com/get_info?sha1=f9af39a0983b5878451d9d365da2ec8d51572e54

https://www.virustotal.com/#/file/a4676e3fb1d1514d631e1ccb0a82d374068a43c43bf5d4ebf48c5be1f46c7b0e/detection

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: Borland Delphi, Packer: Inno Setup Installer, Confuser: nSPack v.3.7 (NET), File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, PE file contains zero-size sections, The count of libraries is suspicious, The Compiler-stamp is suspicious (from "Sat - Jun 20 - 00:22:17 - 1992")), Checks for known debuggers/analysis tools ("sysinternals"), Checks for an ADS, Has the capability to lower Firefox security settings, Tries to delay the analysis, Reads the system/video BIOS version, Reads the windows product ID, Reads the active computer name, Reads the cryptographic machine GUID, Reads terminal service related keys, Reads the registry for installed applications, Queries volume information of an entire hard drive, Spawns a lot of processes, Creates guarded memory sections, Modifies the access control lists of files, File duplicates the process handle of another process to obtain access rights to that process, Creates or modifies windows services, Creates a suspicious process ("C:\Windows\SysWOW64\ie4uinit.exe" -ShowQLIcon), Creates known "Dyreza Banking Trojan" files (C:\Windows\System32\duser.dll), Accesses potentially sensitive information from local browsers, Queries sensitive IE security settings, Modifies proxy settings, Found possibly malicious network related activity (Detected increased number of ARP broadcast requests, Found instant messenger related domains, HTTP request contains Base64 encoded artifacts), File POSTs data to >>> "54.72.212.121:80" ("rp.ginihehen.com") >>> "107.21.227.8:80" ("hokukoca.com") >>> "52.214.61.44:80" ("lahuj.com"), File GETs data from >>> "185.59.222.146:80" ("img.ginihehen.com") >>> "54.230.0.232:80" ("d2d4tyqh0a47e0.cloudfront.net") >>> "104.20.174.30:80" ("cheatengine.org") >>> "54.230.0.78:80" ("ic-dc.cleanrepositorytowers.com") >>> "212.124.115.196:80" ("1-1ads.com")
« Last Edit: April 05, 2018, 03:27:22 AM by pio »

Offline ceyhun.b

  • Newbie
  • *
  • Posts: 17
#malware #trojan #downloader #agent

https://infosec.cert-pa.it/analyze/c6830efb14d4f80e1ba6a9e56d05bce6.html

File connects to the malicious domain "bigbatman.bid" >>> https://www.virustotal.com/de/domain/bigbatman.bid/information/ >>> https://www.virustotal.com/de/url/07b1ddd39fa5af51e0c821507eb0e8cb779862b915bc9399f215a80d086e46d3/analysis/

Downloads a malicious program >>> GET /updated/xmrig.exe, IP: "198.251.90.113", HTTP/1.1, Host: bigbatman.bid >>> https://www.virustotal.com/de/file/f5a85c91de130430e6112952e9b50c244429df7fe6b3f969ceb58238813faf42/analysis/

Thanks Pio, now it's marked as malware by the human experts.

Offline pio
Thanks Pio, now it's marked as malware by the human experts.

Hi Ceyhun.b,

thanks for reviewing the file and also for the notification!!!

Best regards!
Pio

Offline pio
PUA/Adware.Variant.InstallCore

https://valkyrie.comodo.com/get_info?sha1=be09bd449ca67fd5a64c1984c325fd87b8ceff46

https://www.virustotal.com/de/file/79b36e6929b7794607c4b3cac7c9916964d8a1c18e71127e35c20efc8736991c/analysis/

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: Borland Delphi, Packer: Inno Setup Installer - Morphine v1.2 (DLL), File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, PE file contains zero-size sections, Contains unknown resources, The file has 3 shared sections), Embeds another file (type: InnoSetup, location: overlay), References Windows built-in privileges, Reads the active computer name, Scanning for window names, Reads the registry for installed applications, Queries process information, Creates guarded memory sections, Duplicates the process handle of another process to obtain access rights to that process, Writes data to itself, Creates named pipes, Makes a code branch decision directly after an API that is environment aware, Touches multiple files in the Windows directory, Opens the Kernel Security Device Driver, Looks up many procedures within the same disassembly stream (Found 57 calls to GetProcAddress@KERNEL32.DLL)
« Last Edit: May 07, 2018, 06:32:49 AM by pio »

Offline pio
PUA.SpeedUpMyPc

https://valkyrie.comodo.com/get_info?sha1=f23567de537621e21a99a24e2844c44594f8deb5

https://www.virustotal.com/#/file/825e41e96ac67dc5f1f74e41854242a651f98c770e0e69c4451d7a12eb291cd3/detection

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: Borland Delphi 4.0, File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Embeds another file (type: Executable, location: resources), The entry-point is outside the first section, Contains zero-size sections, The count "12" of libraries is suspicious, The file has "2" executable sections), Imports sensitive libraries ("5" imports to "Multiple Provider Router DLL"), Contains ability to reboot/shutdown the operating system, Contains ability to lookup the windows account name, Contains ability to start/interact with device drivers, Contains ability to retrieve keyboard strokes, References "1" Windows built-in privilege, Has no visible windows, Tries to sleep, Creates guarded memory sections, Makes a code branch decision directly after an API that is environment aware, Runs shell commands, Operates on files in the system directory, Opens the Kernel Security Device Driver
« Last Edit: May 07, 2018, 08:39:37 AM by pio »

Offline ceyhun.b
Thank you @pio,

be09bd449ca67fd5a64c1984c325fd87b8ceff46 has been reviewed and marked as PUA.

https://valkyrie.comodo.com/get_info?sha1=be09bd449ca67fd5a64c1984c325fd87b8ceff46

f23567de537621e21a99a24e2844c44594f8deb5 has been reviewed and our experts classified this file as "clean" again.

https://valkyrie.comodo.com/get_info?sha1=f23567de537621e21a99a24e2844c44594f8deb5

Offline pio
Thank you @pio,

be09bd449ca67fd5a64c1984c325fd87b8ceff46 has been reviewed and marked as PUA.

https://valkyrie.comodo.com/get_info?sha1=be09bd449ca67fd5a64c1984c325fd87b8ceff46

f23567de537621e21a99a24e2844c44594f8deb5 has been reviewed and our experts classified this file as "clean" again.

https://valkyrie.comodo.com/get_info?sha1=f23567de537621e21a99a24e2844c44594f8deb5

Hi Ceyhun.b,

thanks for the notification! As far as the second file is concerned, that's just a question of definition! So no one is right or wrong and I can live with that. ;)
« Last Edit: May 08, 2018, 01:00:06 PM by pio »

Offline pio
Trojan.Variant.SpyUrsnif

https://valkyrie.comodo.com/get_info?sha1=883b9a573b62ff7a82b96ffd96e859f1a592dd09

https://www.virustotal.com/#/file/727bf1ac90b0b25a1ee36db38e4f51f542891b31d7d4fe4c28040497c010f389/detection

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: Microsoft Visual C++ 6.0, Packer: aPLib Compression, File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Debug timestamp (05/15/2018 13:36:14) mismatches compiler timestamp (05/15/2009 13:36:15), Checksum mismatches the PE header value, Contains unknown resources), Queries process information, Scanning for process managers ("ProgMan"), Contains native function calls (NtdllDefWindowProc_W@NTDLL.DLL), Contains ability to query CPU information, Has the capability to lower Firefox security settings, Tries to identify its external IP address, Checks if a debugger is present, Tries to delay the analysis, Reads the active computer name, Reads the registry for installed applications, Scanning for window names, Creates guarded memory sections, Disables SPDY-connections, Installs system wide "WH_KEYBOARD_LL" hook, Creates windows services ("nslookup.exe" > Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"), Injects into explorer, Modifies the memory of >>> "c:\windows\system32\control.exe", "c:\windows\explorer.exe", "c:\windows\system32\rundll32.exe", "c:\windows\system32\runtimebroker.exe", Modifies control flow of injected processes, Process launched with changed environment ("explorer.exe", "rundll32.exe", "cmd.exe", "nslookup.exe"), Queries sensitive IE security settings, Modifies proxy settings, Found possibly malicious network related activity >>> Contacts an external IP address lookup service (Indicator: "myip.opendns.com", "resolver1.opendns.com"; File: "nslookup.exe"), Contacts random domain names ("x84v184asdwq.net"), File contacts host ("188.241.68.116" > https://www.virustotal.com/#/url/e73c1a23b81af14912df8eb0beea8027883396bc4afddab6016ba9cd9a6a6900/detection)
« Last Edit: May 15, 2018, 09:03:06 PM by pio »

Offline ceyhun.b
Thank you pio,

883b9a573b62ff7a82b96ffd96e859f1a592dd09 has been reviewed and marked as Malware.

https://valkyrie.comodo.com/get_info?sha1=883b9a573b62ff7a82b96ffd96e859f1a592dd09