Topic: Report Problems With Valkyrie File Verdict Service

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 502
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Problems With Valkyrie File Verdict Service
« Reply #195 on: July 23, 2017, 12:09:52 AM »
***EDIT*** The first point was already solved!!!

Hi guys,

I have a problem with Valkyrie!!!

1. When I upload a file, nothing happens after the static analysis has started. However, the files (maybe not all!?) appear hours later in the Recent Analysis Requests list. (Works fine again.)

2. My account has expired and I can't request a new licence. Whenever I request a new one, nothing happens either. What types of licences are available? And what is the difference between the different licences?

Thank you in advance!!!
« Last Edit: July 24, 2017, 01:48:28 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pio

Re: Report Problems With Valkyrie File Verdict Service
« Reply #196 on: October 11, 2017, 12:54:32 PM »
Hey guys,

I have problems analyzing the following malicious file! All analysis parts have failed!!! The file is bigger than "usual" (29 MB), maybe that has something to do with it?

https://valkyrie.comodo.com/get_info?sha1=72bad682eee739c83ce63ba0af66d878b95da187

https://www.virustotal.com/de/file/d27f77b02383cad3b6622c34a5d0fd704ad26bb03e0aff3c0e5b2a7243dbc4ad/analysis/1507741050/

Maybe someone would like to investigate?

Regards!!!
« Last Edit: October 11, 2017, 01:00:54 PM by pio »

Offline pio

Re: Report Problems With Valkyrie File Verdict Service
« Reply #197 on: December 06, 2017, 04:18:13 PM »
Hi,

I just wanted to let you know that with some files the certificate is not recognized correctly. So sometimes none is found. But if I re-analyze the file, then it is recognized!

Maybe someone would like to check this?!

Regards!!!
« Last Edit: December 06, 2017, 04:20:47 PM by pio »

Offline pio

Re: Report Problems With Valkyrie File Verdict Service
« Reply #198 on: December 19, 2017, 03:16:54 AM »
> Hi,
>
> I just wanted to let you know that with some files the certificate is not recognized correctly. So sometimes none is found. But if I re-analyze the file, then it is recognized!
>
> Maybe someone would like to check this?!
>
> Regards!!!

As an example, vendor and certificate are both not recognized by Valkyrie!!! In this case a re-analysis won't help! The file is malicious!!!

https://valkyrie.comodo.com/get_info?sha1=767aced039df5d01c9fb2f5fca285f5b4686aede

Certificate Details:

Algorithm:     rsaEncryption
Version:       3
Issuer:        /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial:        55771972026995833307300943196878010900
Serial (Hex):  29f54a856d44bce8f565eb4ab207fa14
Valid from:    Jul 31 00:00:00 2017 GMT
Valid until:   Jul 31 23:59:59 2019 GMT

C (countryName):           CY [4359]
CN (commonName):           SpringTech Ltd [537072696E6754656368204C7464]
L (localityName):          Limassol [4C696D6173736F6C]
O (organizationName):      SpringTech Ltd [537072696E6754656368204C7464]
ST (stateOrProvinceName):  Limassol [4C696D6173736F6C]

« Last Edit: December 19, 2017, 03:18:36 AM by pio »


Offline pio

Re: Report Problems With Valkyrie File Verdict Service
« Reply #200 on: May 09, 2018, 08:39:20 AM »
I post this file here because the certificate is not recognized by Valkyrie! With correct recognition of the certificate, I think the file would be classified as completely trustworthy, and it would therefore also have to be rated as malware.

PUA.ASK.Toolbar - Certificate "issued" by Comodo & Usertrust & "countersigned" by Comodo & Usertrust
 
https://valkyrie.comodo.com/get_info?sha1=15f206847ed96baff20511d16acfd9b73c4e8b5a

https://verdict.valkyrie.comodo.com/file/result?s=15f206847ed96baff20511d16acfd9b73c4e8b5a

https://www.virustotal.com/#/file/4538e421bcf6242123328c6e38ec1951faa3111d73752716f50f607509b036fc/detection

Some suspicious/malicious indicators:

- Compiler/Packer signature: Compiler: MS Visual, Packer: UPX
- File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, CRC value set in PE header does not match actual value, Digisig is expired: Oct 11 23:59:59 2014)
- Contains ability to query CPU information
- Contains ability to download files from the internet
- Found more than one unique User-Agent (Found the following User-Agents: ic Windows NT 6.1 MSIE 8.0 Firefox/ WOW64 Def132 SLCC2 .NET CLR 2.0.50727 .NET CLR 3.5.30729 .NET CLR 3.0.30729 Media Center PC 6.0 .NET4.0C .NET4.0E)
- Checks if a debugger is present
- Checks adapter addresses
- Reads Windows Trust Settings
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the registry for installed applications
- Filecode is self-modifying
- Accesses potentially sensitive information from local browsers
- Queries sensitive IE security settings
- Modifies Software Policy Settings
- Modifies proxy settings
- Found possibly malicious network related activity
- HTTP request contains Base64 encoded artifacts
- File GETs data from "199.36.102.106:80" (websearch.ask.com) & 74.113.233.61:80 (img.apnanalytics.com)

Certificate Details:

Algorithm:     rsaEncryption
Version:       3
Issuer:        /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
Serial:        76720131627995202149268659758924984747
Serial (Hex):  39b7c287c179fbd0f13185d66a9e71ab

Valid from:    Oct 12 00:00:00 2011 GMT
Valid until:   Oct 11 23:59:59 2014 GMT

C (countryName):           GB [4742]
CN (commonName):           Cole Williams [436F6C652057696C6C69616D73]
L (localityName):          Grimsby [4772696D736279]
O (organizationName):      Cole Williams [436F6C652057696C6C69616D73]
ST (stateOrProvinceName):  South Humberside [536F7574682048756D62657273696465]
postalCode (postalCode):   DN32 9LQ [444E333220394C51]
street (streetAddress):    156 Hainton Avenue [313536204861696E746F6E204176656E7565]


Offline ceyhun.b

  • Newbie
  • *
  • Posts: 17
Re: Report Problems With Valkyrie File Verdict Service
« Reply #201 on: May 10, 2018, 04:17:01 AM »


Offline ceyhun.b

Re: Report Problems With Valkyrie File Verdict Service
« Reply #203 on: May 14, 2018, 02:30:52 AM »
Hi Pio, thank you for informing us about the following 3 hashes. Our team is actively looking into them to understand the issue. We will let you know when our analysis is finished.

15f206847ed96baff20511d16acfd9b73c4e8b5a
f2266f7628ab338d7c7d0fe143334e67d815d729
9d86ed87df16564ad35304e6a39ec9657c5103d3

Offline pio

Re: Report Problems With Valkyrie File Verdict Service
« Reply #204 on: May 14, 2018, 01:23:31 PM »
> Hi Pio, thank you for informing us about the following 3 hashes. Our team is actively looking into them to understand the issue. We will let you know when our analysis is finished.
>
> 15f206847ed96baff20511d16acfd9b73c4e8b5a
> f2266f7628ab338d7c7d0fe143334e67d815d729
> 9d86ed87df16564ad35304e6a39ec9657c5103d3

Hi Ceyhun.B,

thanks for the message! I am looking forward to further information as soon as it is available.

Best Regards!
pio

Offline ceyhun.b

Re: Report Problems With Valkyrie File Verdict Service
« Reply #205 on: May 21, 2018, 11:59:18 AM »
Hi Pio,

The certificate extraction problem, which had affected only a very limited number of analyses, has been addressed. Thank you again for notifying us.

Please find details below:

https://valkyrie.comodo.com/get_info?sha1=15f206847ed96baff20511d16acfd9b73c4e8b5a
https://valkyrie.comodo.com/get_info?sha1=f2266f7628ab338d7c7d0fe143334e67d815d729
https://valkyrie.comodo.com/get_info?sha1=9d86ed87df16564ad35304e6a39ec9657c5103d3

Offline pio

Re: Report Problems With Valkyrie File Verdict Service
« Reply #206 on: May 22, 2018, 11:20:27 PM »
> Hi Pio,
>
> The certificate extraction problem, which had affected only a very limited number of analyses, has been addressed. Thank you again for notifying us.
>
> Please find details below:
>
> https://valkyrie.comodo.com/get_info?sha1=15f206847ed96baff20511d16acfd9b73c4e8b5a
> https://valkyrie.comodo.com/get_info?sha1=f2266f7628ab338d7c7d0fe143334e67d815d729
> https://valkyrie.comodo.com/get_info?sha1=9d86ed87df16564ad35304e6a39ec9657c5103d3

Hi Ceyhun.B,

Thank you again for the further information!

Kind Regards!

Offline pio

Re: Report Problems With Valkyrie File Verdict Service
« Reply #207 on: May 24, 2018, 09:59:02 PM »
The certificates could also not be recognized by Valkyrie. Both files are signed by Comodo and use the same certificate! Surely the certificate was stolen, and the files should also be classified as malware!

Application.Win32.Variant.Kryptik

https://valkyrie.comodo.com/get_info?sha1=1e8ebee6ec01e007918cf87dceb44917e73f4990

https://www.virustotal.com/#/file/61c88864eb4e67f7d4251254215101e6fdd09d6ac6b46972d89e27b61a50c115/detection

Certificate Details:

Algorithm:     rsaEncryption
Version:       3
Issuer:        /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:        22149324860672131680307730801343612359
Serial (Hex):  10a9ce075a9ec73ae3ae020b1a0845c7

Valid from:    May 15 00:00:00 2018 GMT
Valid until:   Jul 19 23:59:59 2018 GMT

C (countryName):           RU [5255]
CN (commonName):           OKNO V MIR, TOV
L (localityName):          Kirovo-Chepetsk
O (organizationName):      OKNO V MIR, TOV
postalCode (postalCode):   613050
street (streetAddress):    d. 5 korp. A, ul. Krasnoarmeiskaya

Application.Win32.Variant.Kryptik

https://valkyrie.comodo.com/get_info?sha1=bae41550c897036c76db42e89d8fc25cd134a1d7

https://www.virustotal.com/#/file/87cf339cbb093566999d21cfcea036d92d8bc47fd844ce12707b28633904f27c/detection

Certificate Details:

Algorithm:     rsaEncryption
Version:       3
Issuer:        /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:        22149324860672131680307730801343612359
Serial (Hex):  10a9ce075a9ec73ae3ae020b1a0845c7

Valid from:    May 15 00:00:00 2018 GMT
Valid until:   Jul 19 23:59:59 2018 GMT

C (countryName):           RU [5255]
CN (commonName):           OKNO V MIR, TOV
L (localityName):          Kirovo-Chepetsk
O (organizationName):      OKNO V MIR, TOV
postalCode (postalCode):   613050
street (streetAddress):    d. 5 korp. A, ul. Krasnoarmeiskaya
« Last Edit: May 24, 2018, 10:05:30 PM by pio »
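As a defender-side triage aid for the reports in this thread, here is an added example (not Valkyrie's or any poster's code) that parses "Certificate Details" blocks in the format pasted above, reports whether the signing certificate was still valid at analysis time (the expired Cole Williams certificate in Reply #200), and groups samples that share one issuer and serial (the two Kryptik files in Reply #207 signed with the same certificate). The SHA1 keys and field values are taken from the posts; the analysis timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed input: the "Certificate Details" blocks pasted in the thread, keyed by the SHA1 of
# the sample they belong to (field values copied from the posts; only the fields used are kept).
DETAILS = {
    "15f206847ed96baff20511d16acfd9b73c4e8b5a": """
Issuer:        /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
Serial (Hex):  39b7c287c179fbd0f13185d66a9e71ab
Valid from:    Oct 12 00:00:00 2011 GMT
Valid until:   Oct 11 23:59:59 2014 GMT
CN (commonName): Cole Williams""",
    "1e8ebee6ec01e007918cf87dceb44917e73f4990": """
Issuer:        /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial (Hex):  10a9ce075a9ec73ae3ae020b1a0845c7
Valid from:    May 15 00:00:00 2018 GMT
Valid until:   Jul 19 23:59:59 2018 GMT
CN (commonName): OKNO V MIR, TOV""",
    "bae41550c897036c76db42e89d8fc25cd134a1d7": """
Issuer:        /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial (Hex):  10a9ce075a9ec73ae3ae020b1a0845c7
Valid from:    May 15 00:00:00 2018 GMT
Valid until:   Jul 19 23:59:59 2018 GMT
CN (commonName): OKNO V MIR, TOV""",
}
FIELD = re.compile(r"^\s*(Issuer|Serial \(Hex\)|Valid from|Valid until|CN \(commonName\)):\s*(.+?)\s*$", re.M)

def parse_gmt(s):
    """'Oct 11 23:59:59 2014 GMT' (the format in the pasted blocks) -> aware UTC datetime."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_details(text):
    """One pasted block -> dict; validity dates become datetimes, serial hex is lower-cased."""
    cert = dict(FIELD.findall(text))
    cert["Valid from"], cert["Valid until"] = parse_gmt(cert["Valid from"]), parse_gmt(cert["Valid until"])
    cert["Serial (Hex)"] = cert["Serial (Hex)"].lower()   # tools differ in case; normalise before comparing
    return cert

def signature_state(cert, at):
    """'valid', 'expired' or 'not-yet-valid' for the signing certificate at analysis time `at`."""
    return "not-yet-valid" if at < cert["Valid from"] else "expired" if at > cert["Valid until"] else "valid"

def shared_certs(details):
    """Group samples by (issuer, serial): a group with more than one member is one cert reused across files."""
    groups = defaultdict(list)
    for sha1, text in details.items():
        c = parse_details(text)
        groups[(c["Issuer"], c["Serial (Hex)"])].append(sha1)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

An expired or shared leaf certificate is a triage signal only; the verdict still depends on the countersignature timestamp and revocation status, which the pasted blocks do not carry.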
