Author Topic: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong  (Read 53060 times)

Offline pio

Thank you pio,

883b9a573b62ff7a82b96ffd96e859f1a592dd09 has been reviewed and marked as Malware.

https://valkyrie.comodo.com/get_info?sha1=883b9a573b62ff7a82b96ffd96e859f1a592dd09

 :-TU  :P0l
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pio

Adware.OneClick

https://valkyrie.comodo.com/get_info?sha1=2e25cf5200b9f199cce9ac2d17f71711ffead403

https://www.virustotal.com/#/file/9230cf26f6d2e44e4da6814cc38b9895ad4ce90aa1526d7b31cedc370762b4a4/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer/Crypter signature > Compiler : Borland Delphi , File has multiple binary anomalies ( File ignores Code Integrity , Entrypoint is outside of first section , Has "2" executable sections , Contains zero-size sections , Digisig is expired: Dec 18 23:59:59 2017 , Imports sensitive Libraries ( Multiple Provider Router DLL ) ) , Contains ability to start/interact with device drivers , Contains ability to lookup the windows account name , Contains ability to reboot/shutdown the operating system , Contains ability to retrieve keyboard strokes , Contains ability to elevate privileges , Reads the keyboard layout followed by a significant code branch decision ( Found API call GetKeyboardLayout[at]USER32.DLL directly followed by "cmp ebx, dword ptr [00503A9Ch]" and "je 00452916h" from _iu14D2N.tmp.exe ) , Creates named pipes , Hooks/Patches the running process ( "Input Sample" wrote bytes to "MSIMG32.DLL" ) , Opens the Kernel Security Device Driver

« Last Edit: May 23, 2018, 12:59:17 AM by pio »

Offline ceyhun.b

Thank you Pio,

2e25cf5200b9f199cce9ac2d17f71711ffead403 has been reviewed and marked as PUA.

https://valkyrie.comodo.com/get_info?sha1=2e25cf5200b9f199cce9ac2d17f71711ffead403

Offline pio

Thank you Pio,

2e25cf5200b9f199cce9ac2d17f71711ffead403 has been reviewed and marked as PUA.

https://valkyrie.comodo.com/get_info?sha1=2e25cf5200b9f199cce9ac2d17f71711ffead403

Thank you for the information !

Best Regards!
Offline pio

Trojan.Generic

https://valkyrie.comodo.com/get_info?sha1=b7a9cd974ba0d72d4396b63da70ff6d572b828a3

https://www.virustotal.com/#/file/e4c1ee64dcaf9a73b92cdc8bafe8d6ba9870124de51a9a4f5d4e4cda8dd28634/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: BobSoft Mini Delphi , File has multiple binary anomalies ( File ignores Code Integrity , The resource directory is invalid , The file has "2" executable sections , Checksum mismatches the PE header value , Entrypoint is outside of first section , The file is resource-less , The count "3" of libraries is suspicious , Contains zero-size sections , The file doesn't register any VersionInfo ) , Found Anti-VM Strings ( Checks amount of system memory ) , Checks if a debugger is present , Tries to delay the analysis , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the active computer name , Reads terminal service related keys , Reads the registry for installed applications , Scanning for window names , Creates guarded memory sections , Drops cabinet archive files , Creates new processes ( "Input Sample" is creating a new process > "iexplorer.exe" & "iexplore.exe" is creating a new process > "iexplorer.exe" ) , Writes data to another process ( "iexplorer.exe" ) , Process launched with changed environment ( "iexplorer.exe" ) , Installs hooks/patches the running processes ( "USER32.DLL" , "COMCTL32.DLL" , "ADVAPI32.DLL" , "IEFRAME.DLL" , "OLEAUT32.DLL" , "OLE32.DLL" , "SHELL32.DLL" ) , Duplicates the process handle of another process to obtain access rights to that process ( 37 events ) , Touches multiple files in the Windows directory , Makes a code branch decision directly after an API that is environment aware , Accesses sensitive information from local browsers , Queries sensitive IE security settings , Attempts to modify system certificates , Opens the MountPointManager , Opens the Kernel Security Device Driver , Found possibly malicious network related activity > Connects to an IP address that is no longer responding to requests ( "51.143.22.239" ) , Found an instant messenger related domain ( Indicator: "skype.com" ; File: "network.pcap" )
« Last Edit: June 26, 2018, 11:04:54 AM by pio »

Offline Chunli

Hi, pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

Offline pio

Doesn't seem to be processed yet! Please take a look at this and create a classification! Thanks!

Trojan.Generic

https://valkyrie.comodo.com/get_info?sha1=b7a9cd974ba0d72d4396b63da70ff6d572b828a3

https://www.virustotal.com/#/file/e4c1ee64dcaf9a73b92cdc8bafe8d6ba9870124de51a9a4f5d4e4cda8dd28634/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: BobSoft Mini Delphi , File has multiple binary anomalies ( File ignores Code Integrity , The resource directory is invalid , The file has "2" executable sections , Checksum mismatches the PE header value , Entrypoint is outside of first section , The file is resource-less , The count "3" of libraries is suspicious , Contains zero-size sections , The file doesn't register any VersionInfo ) , Found Anti-VM Strings ( Checks amount of system memory ) , Checks if a debugger is present , Tries to delay the analysis , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the active computer name , Reads terminal service related keys , Reads the registry for installed applications , Scanning for window names , Creates guarded memory sections , Drops cabinet archive files , Creates new processes ( "Input Sample" is creating a new process > "iexplorer.exe" & "iexplore.exe" is creating a new process > "iexplorer.exe" ) , Writes data to another process ( "iexplorer.exe" ) , Process launched with changed environment ( "iexplorer.exe" ) , Installs hooks/patches the running processes ( "USER32.DLL" , "COMCTL32.DLL" , "ADVAPI32.DLL" , "IEFRAME.DLL" , "OLEAUT32.DLL" , "OLE32.DLL" , "SHELL32.DLL" ) , Duplicates the process handle of another process to obtain access rights to that process ( 37 events ) , Touches multiple files in the Windows directory , Makes a code branch decision directly after an API that is environment aware , Accesses sensitive information from local browsers , Queries sensitive IE security settings , Attempts to modify system certificates , Opens the MountPointManager , Opens the Kernel Security Device Driver , Found possibly malicious network related activity > Connects to an IP address that is no longer responding to requests ( "51.143.22.239" ) , Found an instant messenger related domain ( Indicator: "skype.com" ; File: "network.pcap" )

Offline pio

PUA.Adware

https://valkyrie.comodo.com/get_info?sha1=b16db01b23d7666c3147a9fbfed6d89398d6083d

https://www.virustotal.com/#/file/91e445748413847111655772ca27d82e96794d5467c1be9fd9b3df2910f72a50/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Nullsoft PiMP Stub , Packer: NSIS, appended, Unicode, UPX, UTF-8 , File has multiple binary anomalies ( File ignores Code Integrity , Digisig is expired: Jul 20 21:05:12 2017 , Contains another file ( type: Nullsoft, location: overlay, file-offset: "0x00018A08" , "0x00113333" , "0x0063B90D" ) , PE file has unusual entropy sections , CRC value set in PE header does not match actual value , PE file contains zero-size sections ) , Found possibly Anti-VM Strings ( Checks amount of system memory , Queries the disk size ) , Contains ability to open the clipboard , Contains ability to retrieve keyboard strokes , Contains ability to reboot/shutdown the operating system , Contains references to WMI/WMIC , References "1" Windows built-in privilege , Scanning for window names , References suspicious system modules ( "lsass.exe" ) , Drops executable files , Reads the active computer name , Creates guarded memory sections , Opens the MountPointManager , Opens the Kernel Security Device Driver , Touches multiple files in the Windows directory
« Last Edit: July 16, 2018, 07:33:14 PM by pio »

Offline Chunli

Hi, pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

Offline pio

Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #71 on: November 28, 2018, 09:02:23 PM »
Adware.Riskware.Freemake

https://valkyrie.comodo.com/get_info?sha1=b3d9a05fd8298ff4962f7cf5ee9a14c788fac74a

https://www.virustotal.com/#/file/30c33999c066d95e6cf39e476fe6afa46d93e8b5b76bd796e0d1720b97d0aced/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer "5.50" , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Entrypoint is outside of first section , PE file contains zero-size sections , Has "2" executable sections , Contains unknown resources , Contains another file ( type: InnoSetup , location: overlay, file-offset: "0x00062400" ) ) , Found possibly Anti-VM Strings ( Checks system memory , Checks adapter addresses ) , Found more than one unique User-Agent ( Mozilla/4.0 ) , Scanning for window names , Reads the active computer name , Reads the cryptographic machine GUID , Reads the registry for installed applications , Checks if a debugger is present , Checks for the Locally Unique Identifier on the system for a suspicious privilege ( "SeDebugPrivilege" ) , Opened the service control manager , Modifies auto-execute functionality , Queries kernel debugger information , Queries process information , Creates a slightly modified copy of itself , Creates guarded memory sections , Opens the Kernel Security Device Driver , Writes data to other processes ( "rundll32.exe" , "netsh.exe" and itself ) , Created a process named as a common system process ( "explorer.exe" ) , Creates windows service ( "FreemakeVideoConverterSetup.tmp" & "netsh.exe" ) , Process launched with changed environment ( "netsh.exe" ) , Modifies "WPAD" proxy autoconfiguration file for traffic interception , Queries sensitive IE security settings , Queries the internet cache settings , Accesses sensitive information from local browsers , Sends traffic on typical HTTP outbound port, but without HTTP header ( on port "80" ) , HTTP request contains Base64 encoded artifacts , Connects to multiple dead IPs , Generates some ICMP traffic
« Last Edit: November 28, 2018, 11:26:52 PM by pio »

Offline Qiuhui.Wang

Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #72 on: November 28, 2018, 11:03:06 PM »
Hi  pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline pio

Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #73 on: February 07, 2019, 11:16:36 PM »
PUA.Adware.Variant.InstallCore

https://valkyrie.comodo.com/get_info?sha1=c142f7a9f26946942668f6f6baf0b087c5c72f17

https://www.virustotal.com/#/file/f2802965ea0381323f51cb1fa06f4aa3071347441a1811c464339de26fad433c/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer 5.67 , File has multiple binary anomalies ( File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, Time Stamp is suspicious 06/20/1992, PE timestamp using the buggy magic timestamp "0x2A425E19", Contains zero-size sections, Contains unknown resources, Contains multiple "15" other files (location: Overlay), The file-ratio of the overlay is "89.56"% ), Contains ability to reboot/shutdown the operating system, Reads data out of its own binary image, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Get TickCount value, Creates guarded memory sections, References a Windows built-in privilege, Touches files in the Windows directory ("WINDIR%\SysWOW64\en-US\KernelBase.dll.mui" & "WINDIR%\SysWOW64\netmsg.dll"), Set special directory property (C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files, C:\Documents and Settings\Administrator\Local Settings\History, C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5, C:\Documents and Settings\Administrator\Cookies, C:\Documents and Settings\Administrator\Local Settings\History\History.IE5), Hooks/patches the running process ("USER32.DLL"), Generates some ICMP traffic
« Last Edit: February 07, 2019, 11:52:09 PM by pio »

Offline Ananthalakshmi

Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #74 on: February 08, 2019, 12:47:58 AM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Ananthalakshmi M
