Topic: Report Undetected Malware for Valkyrie Service Here - 2021

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26525
Report Undetected Malware for Valkyrie Service Here - 2021
« on: December 31, 2018, 12:42:10 PM »

Valkyrie is a very sophisticated detection service for detecting malware. It currently finds many different types of malware that Comodo Antivirus does not find, but like anything it is not perfect. This is a place to report malware that Valkyrie does NOT detect. Reporting malware that Valkyrie does not detect helps Comodo gather undetected samples so they can add the appropriate algorithms and heuristics to detect this malware in the future.

If you believe you have found a piece of malware that Valkyrie does not detect, just post the VirusTotal link and the Valkyrie analysis link below.

Happy testing
https://valkyrie.comodo.com

NOTE: DO NOT post live malware
« Last Edit: December 31, 2020, 06:40:48 PM by EricJH »

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #1 on: January 06, 2019, 06:53:14 PM »
Generic.PUP/Hacktool

Valkyrie Final Verdict: CLEAN 

https://valkyrie.comodo.com/get_info?sha1=210a660c735cc5edf50a144955f5603820d4d680

https://www.virustotal.com/#/file/d69910f97bb6a19032297626a0cf1db5db56d00a4816791dc5e95e3e02587c4c/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler: Microsoft Visual C++ 8.0 , Packer: aPLib Compression , File has multiple binary anomalies ( File ignores Code Integrity , CRC value set in PE header does not match actual value , Imports sensitive Libraries ( Windows image helper ) , The file contains other files (type: Executable, location: resources, file-offset: 0x000CBB90, 0x000DACD0, 0x000E9C10, 0x000F8B50 ) , Found BlackBone Driver injector, Expects Administrative permission, References "2" Windows built-in privileges, Tries to detect the presence of a debugger, Contains known anti-VM tricks ( Found VM detection artifact "CPUID trick", Anti-Sandbox checks for ThreatExpert ) , Contains native function calls , Contains ability to create a remote thread , Contains ability to enumerate processes/modules/threads, Contains ability to register a top-level exception handler , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Tries to delay/evade the analysis , Installs itself for autorun at Windows startup , Reads the active computer name , Drops system driver , Loads device driver, Installs hooks/patches the running process, Creates and modifies windows services, Opens the Kernel Security Device Driver, Generates some ICMP Traffic

Generic.Hacktool/Trojan

Valkyrie Final Verdict: No Threat Found 

https://valkyrie.comodo.com/get_info?sha1=f0ab296a1a1694e73d639a5b36444fb2f22c9f87

https://www.virustotal.com/#/file/7ef2daca3f382929fd0176b87f1be3bd3c3cb9322637169d59096bdbb4604f42/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler: Microsoft Visual C++ 5.0 , Packer: Armadillo v1.71 , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Checksum mismatches the PE header value , Contains unknown resources , Timestamp in PE header is very old ( Tue Nov 9 11:37:39 1999 ) , Foreign language identified in PE resource ( Chinese ) ) , Found a potential E-Mail address in binary/memory (  "laingml[at]163.net" ) , Tries to detect the presence of a debugger, Scanning for window names , Monitors specific registry key for changes , Reads terminal service related keys , Installs hooks/patches the running process (  "NSI.DLL" ) , Touches files in the Windows directory , Opens the Kernel Security Device Driver , Communicates with host for which no DNS query was performed ( "2.16.155.9" , "2.18.77.109" , "212.247.14.11" ) , Sends traffic on typical HTTP outbound port, but without HTTP header ( TCP traffic to "172.217.16.174" on port "443" )
« Last Edit: January 16, 2019, 09:39:01 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #2 on: January 12, 2019, 01:16:08 AM »
Trojan.Agent.SMHeist3

Valkyrie Final Verdict: No Threat Found 

https://valkyrie.comodo.com/get_info?sha1=6172fb25474ce1f0fed4ae64e71a5e618283a641

https://www.virustotal.com/#/file/e405f788f5445c7bdf9c5617604053fcec7a4860eea877b9441425d8f0310133/detection

Some suspicious/malicious Indicators : Compiler/Packer/Crypter signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: BobSoft Mini Delphi, Crypter: VMProtect, Found Yara signature match ( "disable_antivirus" - Disable AntiVirus, "hijack_network" - Hijack network configuration ), File has multiple binary anomalies ( File ignores DEP, File ignores Code Integrity, PE file has unusual entropy sections, CRC value set in PE header does not match actual value, Entrypoint in PE header is within an uncommon section, Contains zero-size sections, Timestamp value suspicious ( "06/20/1992" ), File Has "3" shared sections, Contains "3" other files > location overlay > Type: "Smart Installer" ( "0x00071800" ), "Flash" ( "0x00183652" ), "Flash" ( "0x0034492B" ), Contains ability to reboot/shutdown the operating system, Contains ability to query CPU information, Contains ability to read monitor info, Contains ability to retrieve keyboard strokes, Contains ability to lookup the windows account name, Expects Administrative permission, Drops multiple executable files, Drops a text file that contains suspicious strings ( "Mirillis.vbs" > "WScript.Shell" ), Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Scanning for window names, Queries kernel debugger information, Queries process information, Reads terminal service related keys, References security related windows services ( "\windefendam.log" ), Open a windows service ( "ADVAPI32.dll" ), Allocates virtual memory in a remote process ( "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" & "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE" ), Writes data to other processes ( "C:\Windows\System32\wscript.exe" &  "C:\Program Files\Internet Explorer\iexplore.exe" ), Writes to the hosts file, Looks up many procedures within the same disassembly stream ( found "58" calls to "KERNEL32.DLL" ), Opens the MountPointManager, Makes a code branch decision directly after an API that is environment aware, Accesses sensitive information from local browsers, Queries sensitive IE security settings, Modifies proxy settings, Generates some ICMP traffic, Communicates with host for which no DNS query was performed ( "2.16.155.67", "2.16.155.9", "2.18.77.109", "212.247.20.9" ), Sends traffic on typical HTTP outbound port, but without HTTP header ( TCP traffic to "23.43.62.9" and "184.24.102.115" on port "80" )
« Last Edit: January 12, 2019, 04:41:40 PM by pio »

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #3 on: January 16, 2019, 12:49:25 AM »
Hey Guys,

Were these two files already checked?

Generic.PUP/Hacktool

Valkyrie Final Verdict: CLEAN 

https://valkyrie.comodo.com/get_info?sha1=210a660c735cc5edf50a144955f5603820d4d680

https://www.virustotal.com/#/file/d69910f97bb6a19032297626a0cf1db5db56d00a4816791dc5e95e3e02587c4c/detection

Generic.Hacktool/Trojan

Valkyrie Final Verdict: No Threat Found 

https://valkyrie.comodo.com/get_info?sha1=f0ab296a1a1694e73d639a5b36444fb2f22c9f87

https://www.virustotal.com/#/file/7ef2daca3f382929fd0176b87f1be3bd3c3cb9322637169d59096bdbb4604f42/detection

As decision support, Comodo detects the execution parents of the first file as:

TrojWare.Win32.KeyLogger.Ardamax.G >>> https://www.virustotal.com/#/file/d499a2b24946e013759518c5e560983ee5f3011900c23d88b3a07670e7f68cf3/detection

TrojWare.Win32.TrojanDropper.Binder.cls >>> https://www.virustotal.com/#/file/76d2eb3c05246e6e227063e0f98d0511d7e74c2058b689c1abb6c971e6bafa42/detection
 
Win32.Neshta.A >>> https://www.virustotal.com/#/file/41f61eeaee904b071315327d9b6147635d8386a31c92c6fb41cd4cd7cedae503/detection

Application.Win32.Ardamax.NBX >>> https://www.virustotal.com/#/file/9946f1a08ebc2ddb65077a474d7b54dcf868af6aec8d8db9b5f599275bc32968/detection

Backdoor.Win32.Agent.CEP13[at]11x22w >>> https://www.virustotal.com/#/file/b381aec0b09fd5721f81645e897b6902c578aa4bd0fb50644dec3df27cca9da2/detection

And also the PE Resource Parents as:

TrojWare.Win32.TrojanDropper.Binder.cls >>> https://www.virustotal.com/#/file/76d2eb3c05246e6e227063e0f98d0511d7e74c2058b689c1abb6c971e6bafa42/detection

Both files were previously used as part of malware and should therefore at least be classified as Riskware/Hacktool or PUP. The second file also has indicators or shows the behavior of a Trojan horse.

So I ask for processing and classification. Thank you !!!
« Last Edit: January 16, 2019, 12:56:07 AM by pio »

Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3580
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #4 on: January 25, 2019, 10:07:53 AM »
Hi pio,

We are taking care of these. Thank you!

Regards,
Ionel

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #5 on: January 25, 2019, 10:36:02 AM »
Hi pio,

We are taking care of these. Thank you!

Regards,
Ionel

Thank you for taking note !!!  :-TU :)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #6 on: May 06, 2019, 10:06:24 AM »
Trojan.CoinMiner.Stealer.Electrum

Valkyrie Final Verdict: No Threat Found *(valkyrie link has been corrected)

https://valkyrie.comodo.com/get_info?sha1=9e9d1030ffed180cbfd584264b3e0eabdfbc44ab

https://www.virustotal.com/gui/file/88cceb6d65d7e5ecd3a3dcb3bc02e6897c0a316ac0e83ea0aa2bf5ed7d3e47dd/detection

Some suspicious/malicious Indicators : File has multiple binary anomalies (Timestamp in PE header is very old, File ignores Code Integrity, Checksum mismatches the PE header value, Contains zero-size sections, Imports sensitive libraries ( Crypto API 32, Windows Socket 2.0 32-Bit DLL, Win32 LDAP API DLL), Found a Wine emulator related string (Indicator: "wine_get_version"), Contains ability to enumerate processes/modules/threads, Contains ability to query CPU information, Contains ability to download files from the internet, Dropped very many files (dropped "1641" files), Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Queries kernel debugger information, Queries process information, Allocates virtual memory in a remote process ("transactionservices.exe" allocated memory in "HKCU\Control Panel\Desktop\MuiCached"), Looks up many procedures within the same disassembly stream (found "80" calls to "GetProcAddress"[at]"KERNEL32.dll"), Modifies auto-execute functionality, Receives data from 3 IPs that were classified as malicious ("194.63.143.226" > https://www.virustotal.com/gui/ip-address/194.63.143.226/relations, "217.147.169.179" > https://www.virustotal.com/gui/ip-address/217.147.169.179/relations, "188.214.135.174" > https://www.virustotal.com/gui/ip-address/188.214.135.174/relations)
« Last Edit: May 06, 2019, 10:15:34 AM by pio »

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #7 on: May 19, 2019, 09:10:51 PM »
Trojan.MSIL.Agent

https://verdict.valkyrie.comodo.com/file/result?s=e43dcc4161da41893d7a3864981e8a238b74195b

https://www.virustotal.com/gui/file/bb045d349cd5a0456df456cec7ea64db8eb5871e910e8d00ba17515a1f86230d/detection

Some suspicious/malicious Indicators : File has multiple binary anomalies (File ignores Code Integrity, Checksum mismatches the PE header value, Imports count (1) is very low), Tries to implement anti-virtualization techniques ( against "vmware", "qemu", "vbox", Checks the version of Bios, Checks the CPU name from registry), Tries to delay the analysis ("sms.exe" called API "NtYieldExecution" 28954 times), Contains API references not part of its Import Address Table, Makes "BSOD" via debug property, Creates guarded memory sections, Queries kernel debugger information, Reads the active computer name, Reads the cryptographic machine GUID, Launches the WMI Provider Host, Opened the service control manager, Modifies windows services ("CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"), Modifies Software Policy Settings, Modify system certificates, Opens the Kernel Security Device Driver, Touches files in the Windows directory ("C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config","C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch","C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config","C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch"), Contacts 2 domains and 2 hosts, Sends traffic on typical HTTP outbound port, but without HTTP header (TCP traffic to "104.20.209.21" on port "443"> https://www.virustotal.com/gui/ip-address/104.20.209.21/relations), Uses network protocols on unusual ports (TCP traffic to "186.212.36.104" on port "2000")
« Last Edit: May 19, 2019, 10:02:27 PM by pio »

Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3580
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #8 on: May 23, 2019, 09:49:19 AM »
Hi, Pio,

The files were taken care of.

Regards,
Ionel

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #9 on: May 24, 2019, 03:39:38 AM »
Hi Ionel,

All right and thanks for the notification!  :-TU

Best Regards!
pio

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #10 on: May 25, 2019, 02:48:13 PM »
Trojan.Generic

File has indicators of ransomware, but no files were encrypted during my analysis.

https://valkyrie.comodo.com/get_info?sha1=438b766f10c32aec931635669bebd283ad2f91a5

https://www.virustotal.com/gui/file/a729e2f1adc732e98f51245f0bbc581a755cb8a3eb85b460f141453b73bd70a6/detection

Some suspicious/malicious Indicators : Compiler: MASM32(8-11), File has multiple binary anomalies (File is resource-less, The dos-stub message is missing, File ignores DEP, File ignores Code Integrity, Entrypoint is outside of first section, Checksum mismatches the PE header value, Address Space Layout Randomization is disabled), Reads the active computer name, Reads terminal service related keys , Reads the registry for installed applications, Scanning for window names, Opened the service control manager, Creates or sets a registry key to a long series of bytes (regkeyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache), Creates a hidden file (file: C:\Users\user\AppData\Roaming\Microsoft\Windows\IETldCache\Low), Attempts to modify proxy settings, One martian processes was created (""C:\Windows\SysWOW64\ie4uinit.exe" -ShowQLIcon"), Writes data to a remote process ("iexplore.exe"), Uses Windows utilities for basic functionality (command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome & command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2672 CREDAT:79873"), Process launched with changed environment ("iexplore.exe"), Writes a potential ransom message to disk (ransom_file: cryptl0ck.html),  Found TOR related URLs in process memory dump ("h**p://78a3zjw10ojm7sf6.onion/1aaea8e2f108af2fe1c2e72e35c27d94"), Attempts to connect to a dead IP:Port (IP: "204.79.197.200:80" - "United States")
« Last Edit: May 25, 2019, 03:03:26 PM by pio »

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #11 on: May 26, 2019, 06:54:43 PM »
Adware.PUA.Downloader.Deceptpcclean

File is signed by Comodo, but the Certificate was not detected correctly!

https://valkyrie.comodo.com/get_info?sha1=6e338c791c592666fd31d1f783694a170602ddbe

https://www.virustotal.com/gui/file/b412a0081a2175cf88613929ec01275e58173e5ef21f06783c4ddddb5fe860f2/detection

Some suspicious/malicious Indicators : Compiler: Borland Delphi, Packer: Inno Installer 5.57, File has multiple binary anomalies ( The file contains another file (type: InnoSetup, location: overlay, file-offset: 0x0001D200), File ignores Code Integrity, Entrypoint is outside of first section, Contains zero-size sections, The dos-stub message is missing, Has "2" executable sections, The file-ratio of the overlay reaches 76.95 %), Contains ability to listen for incoming connections, Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, Contains ability to block user input, Contains ability to download files from the internet, Contains ability to enumerate processes/modules/threads, Contains ability to create named pipes, Found more than one unique User-Agent (IS Download DLL & Autoit), Sets a global windows hook to intercept mouse events, Tries to implement anti-virtualization techniques (VirtualBox), Tries to evade analysis by sleeping many times, Creates guarded memory sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation language, Scanning for window names, Modifies proxy settings, Accesses Software Policy Settings, Accesses System Certificates Settings, Creates a hidden window, Creates windows services ( Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS" ), Process launched with changed environment ( "%WINDIR%\CSC.EXE" ), Opens the Kernel Security Device Driver, Queries sensitive IE security settings, Queries the internet cache settings, HTTP request contains Base64 encoded artifacts, POSTs data to > "67.219.147.194:80" > "dusrv2.malwarecrusher.com" > https://www.virustotal.com/gui/ip-address/67.219.147.194/relations, Downloads and executes files that are classified as PUA/Adware
« Last Edit: May 31, 2019, 06:00:40 PM by pio »

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #12 on: May 31, 2019, 06:00:25 PM »
Adware.PUA.Downloader.Deceptpcclean

File is signed by Comodo, but the Certificate was not detected correctly!

https://valkyrie.comodo.com/get_info?sha1=6e338c791c592666fd31d1f783694a170602ddbe

https://www.virustotal.com/gui/file/b412a0081a2175cf88613929ec01275e58173e5ef21f06783c4ddddb5fe860f2/detection

Additional indicators:

Downloads files containing harmful content:

- "mlcstsetup.tmp" GET > h**p://bgtc.malwarecrusher.com/mlc/mlc_builds/apst/10111/mlcsetup.exe >>> https://www.virustotal.com/gui/file/730d16abe2354e22659febb7d6a323195e38e048d839b5baf01467b23941787e/detection
- "mlcst.exe" GET > h**p://bgtc.malwarecrusher.com/mlc/mlc_builds/apst/10111/mcrsetup.exe >>> https://www.virustotal.com/gui/file/3e8b4a560853857eb7ed09935567fc83e221f054de5fbb6c0b703a4cd515e216/detection

Contacts suspicious / malicious IPs:

- Found PUA.Win32/Freemake.A UserAgent >>> https://www.virustotal.com/gui/ip-address/87.248.202.1/relations
- Found PUA.Optional.WinTonic UserAgent >>> https://www.virustotal.com/gui/ip-address/216.245.208.194/relations
- Found PUA.Win32/GT32SupportGeeks.Q UserAgent >>> https://www.virustotal.com/gui/ip-address/67.219.147.194/relations

Offline Umamaheshwari

  • Newbie
  • *
  • Posts: 23
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #13 on: June 01, 2019, 02:12:31 AM »
Hi pio,

Thank you for reporting this.
We'll check it.

Best regards
Umamaheshwari M

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #14 on: September 02, 2019, 06:47:31 AM »
NanoCore.RAT.Agent.Downloader

Undetected for a long time!

https://valkyrie.comodo.com/get_info?sha1=832367ce7788da55c990a8dd892b900d2761a705

https://www.virustotal.com/gui/file/7afc88b9a62c9ab0ee786a75a5c5ba44901b15ea34e27143e54093711e15a723/detection

Some suspicious/malicious Indicators : Compiler: Microsoft Visual C# v7.0 / Basic .NET, File has multiple binary anomalies (Checksum mismatches the PE header value, PE file has unusual entropy sections (.text with unusual entropy 7.57139459433), File ignores Code Integrity, Debug timestamp (1970/01/01 01:00:00) mismatches compiler timestamp (2062/12/24 19:47:21), The number of directories is suspicious "15"), Contains ability to query CPU information, Tries to sleep for a long time, Creates guarded memory sections, Reads data out of its own binary image, Reads the active computer name, Reads the cryptographic machine GUID, Reads configuration files, Reads the registry for installed applications , Queries kernel debugger information, Queries process information, Spawns new processes that are not known child processes ("explorer.exe"), Writes data to another process ("explorer.exe"), Opens the service control manager, Modifies proxy settings, Queries sensitive IE security settings, Opens the Kernel Security Device Driver, HTTP traffic contains a GET request with no user-agent header,  HTTP connection was made to an IP address rather than domain name, Creates windows services (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"), Contacts an IP classified as malicious >>> "137.74.44.216" > https://www.virustotal.com/gui/url/67e8409fb77266e5918e40c0bdda4311548cdcc0567bc135fa1364b1593ccb0d/detection, Downloads and executes a file that is known as malicious (NanoCore Family) >>> https://www.virustotal.com/gui/file/a40e61bee45f8df21a4f0d40308d5d52b0166064786ca167154aa73eddda9845/detection
« Last Edit: September 02, 2019, 06:53:22 AM by pio »
