Author Topic: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong  (Read 69630 times)

Offline Umamaheshwari

  • Newbie
  • *
  • Posts: 23
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #90 on: September 24, 2019, 01:09:48 AM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Regards,
Umamaheshwari M

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #91 on: October 30, 2019, 04:43:15 AM »
Variant.Trojan.Spyware.Banker.TRICKBOT

>>> https://valkyrie.comodo.com/get_info?sha1=e74e2b72d85e12d6e6215f9a4e8ea491a79e765e

>>> https://www.virustotal.com/gui/file/ec39fabb2cacb975a4377d56023ec85f46f208f7bb434c8ce6b30aa91a189a53/detection

Some suspicious/malicious indicators: Compiler/Packer/Crypter signature: Compiler: Microsoft Visual C++ 7.0, Packer/Crypter: Armadillo v1.71, Armadillo v2.xx (CopyMem II), File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, ASLR is disabled, Contains another file (type: executable, location: resources, offset: "0x00055EEC"), Imports sensitive libraries (Windows Socket 2.0 32-Bit DLL), References a string with a suspicious size > "226648" bytes > "0x000730EX"), Found known privilege escalation attack > "DllHost.exe", Creates guarded memory sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads terminal service related keys, Reads the registry for installed applications, Queries kernel debugger information, Queries volume information of an entire hard drive, Queries sensitive IE security settings, Creates an ADS file, Creates a hidden file, Creates a copy of itself, Writes data to another process > "%WINDIR%\System32\sc.exe" & "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Opened the service control manager, Tries to disable/delete the Windows firewall using PowerShell, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Opens the MountPointManager, Opens the Kernel Security Device Driver, Queries sensitive IE security settings, Modifies proxy settings, Contacting an IP that is known to spread or support harmful content ("192.3.179.203" > https://www.virustotal.com/gui/ip-address/192.3.179.203/relations)
« Last Edit: October 30, 2019, 06:01:22 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline kowsalya

  • Comodo Family Member
  • ***
  • Posts: 51
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #92 on: October 30, 2019, 05:51:20 AM »
Hi pio,

Thank you for reporting.
We'll check it.

Regards,
Kowsalya R

Offline Mageshwaran

  • Comodo Member
  • **
  • Posts: 45
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #93 on: November 15, 2019, 04:01:06 AM »
Hi pio,

Thank you for reporting.
We'll check it.

Regards,
Mageshwaran B

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #94 on: February 17, 2020, 10:01:45 PM »
Adware.Riskware.SearchSuite

>>> https://valkyrie.comodo.com/get_info?sha1=73604f4d50787446c687ab8cf419ad693beceeaa

>>> https://www.virustotal.com/gui/file/cd0544899f2485f33607063455fdbfc72e4bd8149551eee8e8b61c3cc8a1d859/details


This file was published one day after the official and latest version was released and was signed with the same certificate. This new version was subsequently created with the "Private Exe Protector V2.30-V2.3" in order to reduce the relatively high detection rates on VT. Furthermore, various anti-debugging and anti-VM techniques were implemented to make execution in a virtual machine more difficult or even impossible. Both projects were successfully implemented! The installer released first is also detected by CAV. >>> https://www.virustotal.com/gui/file/567401f1edee57ad7361f3eba2401c2d785ec768cccb5322b8ae2a367e4cbdc1/detection

Some suspicious/malicious indicators: Compiler/Packer/Crypter signature: Compiler: Microsoft Visual C++ v.14 - 2015 ( E8 ), Crypter: Private Exe Protector V2.30-V2.3, File has multiple binary anomalies (File ignores Code Integrity, File calls a TLS callback at "0x45BF60" [.text:0x372576], Imports sensitive libraries (MCI API DLL, Process Status Helper, Windows HTTP Services and delayed > Windows Image Helper, Power Profile Helper DLL), A directory is invalid (type: export-table), The file references an unknown resource (resource: GOOGLEUPDATEAPPLICATIONCOMMANDS), Implements various mechanisms to prevent debugging and execution in a virtual environment (DebuggerCheck__QueryInfo, DebuggerHiding__Thread, DebuggerException__SetConsoleCtrl, Check_OutputDebugStringA_iat, anti_dbg - Checks if being debugged, antisb_threatExpert - Anti-Sandbox checks for ThreatExpert, Found VM detection artifact "CPUID trick" (Offset: 782593), Uses "SwitchToThread" function), Contains ability to create a remote thread, Contains ability to write to a remote process, Contains ability to elevate privileges, Contains ability to create named pipes, Tries to hide a process launching it with different user credentials, Creates guarded memory sections, Changes object ACLs, Has code injection capabilities (CreateRemoteThread, OpenProcess, VirtualAlloc, VirtualAllocEx, WriteProcessMemory), Has code mapping injection capabilities (CreateFileMapping, CreateRemoteThread, MapViewOfFile), Manipulates other processes (OpenProcess, ReadProcessMemory, WriteProcessMemory)
« Last Edit: February 17, 2020, 10:23:00 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
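Several of the static indicators quoted in Reply #91 and Reply #94 ("File ignores Code Integrity", "File ignores DEP", "ASLR is disabled", "File calls a TLS callback", "Contains another file (type: executable ...)") come straight out of the PE headers and can be reproduced without any sandbox. The script below is an added example for this thread, not code from pio, Comodo, Valkyrie or VirusTotal; it relies only on the documented PE/COFF layout (DllCharacteristics bits, the TLS data directory at index 9) and builds its own constructed, non-runnable sample images for testing, so it never needs the samples linked above.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080  # loader must verify the signature
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image opts in to DEP
TLS_DIRECTORY_INDEX = 9                            # data directory slot for TLS


def triage_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to reproduce the header indicators quoted above."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_rva = struct.unpack_from("<I", data, nrva_off)[0]
    tls_present = False
    if n_rva > TLS_DIRECTORY_INDEX:
        tls_rva, tls_size = struct.unpack_from("<II", data, dirs_off + TLS_DIRECTORY_INDEX * 8)
        tls_present = tls_rva != 0 and tls_size != 0
    # Look past the headers for a second "MZ" whose e_lfanew lands on a "PE\0\0" signature:
    # the cheap static form of "Contains another file (type: executable)".
    headers_end = opt + opt_size + n_sections * 40
    embedded = []
    pos = data.find(b"MZ", headers_end)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lf = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= lf < 0x1000 and data[pos + lf:pos + lf + 4] == b"PE\0\0":
                embedded.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "tls_directory": tls_present,
        "embedded_pe_offsets": embedded,
    }


def indicators(report: dict) -> list:
    """Render the report as indicator strings in the style of the posts above."""
    out = []
    if not report["force_integrity"]:
        out.append("File ignores Code Integrity")
    if not report["dep"]:
        out.append("File ignores DEP")
    if not report["aslr"]:
        out.append("ASLR is disabled")
    if report["tls_directory"]:
        out.append("File has a TLS directory (possible TLS callbacks)")
    for off in report["embedded_pe_offsets"]:
        out.append("Contains another file (type: executable, offset: 0x%08X)" % off)
    return out


def build_sample_pe(dll_characteristics: int, tls_rva: int = 0, payload: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for offline testing: valid headers, not a runnable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    body = b"\xcc" * 16 + payload                       # section data, optionally carrying a nested PE
    body = body.ljust(-(-len(body) // 0x200) * 0x200, b"\0")
    opt_size = 96 + 16 * 8                               # PE32 optional header + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0,
                      len(body), 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0,
                      0, 0x3000, 0x200, 0,
                      2, dll_characteristics,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if tls_rva:
        dirs[TLS_DIRECTORY_INDEX] = (tls_rva, 24)        # 24 = sizeof(IMAGE_TLS_DIRECTORY32)
    dirs_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(body), 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + dirs_bytes + section).ljust(0x200, b"\0")
    return headers + body


if __name__ == "__main__":
    # Constructed sample: no ASLR/DEP/integrity bits, a TLS directory, and a nested PE in .text
    sample = build_sample_pe(0, tls_rva=0x2000, payload=build_sample_pe(0x0040 | 0x0100 | 0x0080))
    for line in indicators(triage_pe(sample)):
        print(line)
```

The checks are deliberately header-only: a missing DYNAMIC_BASE or NX_COMPAT bit is a real weakness of the image but is common in old or packed binaries, and a TLS directory is legitimate in any program with thread-local storage, so these belong in a triage score next to the behavioural evidence quoted in the posts rather than as a verdict on their own.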

Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3580
Re: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong
« Reply #95 on: February 19, 2020, 09:10:30 AM »
Hi pio,

Verdict has been updated.

Regards,
Ionel

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Hi pio,

Verdict has been updated.

Regards,
Ionel

Hi Ionel,

I just saw your answer and thank you for it.

Unfortunately, the file does not yet have signature recognition. I ask you to add this.

Thanks and Best Regards
pio
« Last Edit: March 11, 2020, 11:23:35 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***


Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3580
Hi futuretech,

Thank you for your notification, we will verify this.

Regards,
Ionel
