Author Topic: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong  (Read 43477 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 448
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #45 on: February 09, 2018, 11:35:17 PM »
Sorry guys, but I've found another one!!!

PUA/Adware.Variant.InstallCore

https://valkyrie.comodo.com/get_info?sha1=c13b2fb19882eb8133f526c3b4a04195096d298c

https://www.virustotal.com/#/file/f7e2bca5ca0caaa30a08418d120743eb751f91ce969169d6bc0cc8256d09fa32/detection

Some suspicious/malicious indicators: Matched Compiler/Packer/Crypter signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: Inno Setup 5.50; File has multiple PE anomalies (Compiler Timestamp is suspicious (06/20/1992), File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, PE file contains zero-size sections, File has 3 shared sections, Contains unknown resources); Checks if a debugger is present; Contains ability to start/interact with device drivers; Tries to delay the analysis; Creates guarded memory sections; Drops executable files; Reads the active computer name; Reads the registry for installed applications; Scanning for window names; Scans for the Windows taskbar; Queries process information; Found strings in conjunction with a procedure lookup that resolve to a known API export symbol; Makes a code branch decision directly after an API that is environment aware; Duplicates the process handle of another process to obtain access rights to that process; Creates a Windows hook that monitors keyboard input; Opens the Kernel Security Device Driver; Looks up many procedures within the same disassembly stream (Found 57 calls to GetProcAddress@KERNEL32.DLL); Found Misc activity (PE EXE or DLL Windows file download over HTTP on Port 49163 (TCP))
« Last Edit: February 09, 2018, 11:46:34 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
