Author Topic: Report Undetected Malware for Valkyrie Service Here - 2021  (Read 8421 times)

Offline Saravanapathi

  • Newbie
  • Posts: 11
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #15 on: September 03, 2019, 12:45:22 AM »
Hi pio,

Thank you for reporting this.
We'll check it.

Best regards
Saravanapathi V

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #16 on: September 22, 2019, 03:22:14 AM »
Variant.Trojan.Agent.Downloader.Chindo

The file has a valid certificate, but Valkyrie could not recognize it!

https://valkyrie.comodo.com/get_info?sha1=9ca9694297d90d6633b3d21c4641ea37598b7308

https://www.virustotal.com/gui/file/1f78c5ecf9f41ca85c67c6703b29c75808e1baf58a992fff3eeb88dba5f4fe6a/detection

Some suspicious/malicious Indicators: Compiler/Packer signature (Inno Setup Module [SFX] - ver. (5.6.2) Borland Delphi), File has multiple binary anomalies (File ignores Code Integrity, Contains zero-size sections, CRC value set in PE header does not match actual value, PE file has unusual entropy sections, Contains another file (type: InnoSetup, location: overlay, offset: "0x00016800"), Has a PE timestamp using the buggy magic timestamp "0x2A425E19"), The file-ratio of the overlay is suspicious (ratio: 94.67%), Contains resource in a language tagged as suspicious (Chinese), Contains shared sections, Contains a virtualized section, Contains ability to query CPU information, Contains ability to enumerate processes/modules/threads, Contains ability to open the clipboard, Contains ability to elevate privileges (admin), Reads data out of its own binary image, Creates guarded memory sections, Reads the active computer name, Queries volume information of an entire harddrive, Reads the registry for installed applications, Reads configuration files, Scanning for window names, Checks adapter addresses, Sets a registry key to a long series of bytes (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache), Writes data to a remote process ("C:\Windows\System32\taskkill.exe" & "C:\Windows\System32\regsvr32.exe"), Modifies auto-execute functionality, Modifies the open verb of a shell class, Opens the Kernel Security Device Driver, Creates windows services (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"), Modifies proxy settings, Queries the internet cache settings, Attempts to modify browser security settings, Network activity contains more than one unique useragent (Mozilla/5.0), HTTP request contains Base64 encoded artifacts, HTTP traffic contains multiple GET requests with no user-agent header to one or more malicious IPs/URLs (TCP traffic to "121.40.77.138" - "st.qswzayy.com" > 
https://www.virustotal.com/gui/url/0def2dd019f4941ba13cbac3eb2b0f8eb19b8c3d917190d32b54e4b4e40649b5/detection, "211.159.191.18" - "pv.sohu.com" > https://www.virustotal.com/gui/domain/pv.sohu.com/relations, "59.111.181.52" - "ip.ws.126.net" > https://www.virustotal.com/gui/domain/ip.ws.126.net/relations, "27.22.54.146" - "cfg.qswzayy.com" > https://www.virustotal.com/gui/url/07defeff447c37eadc98116c0a65513370fefe2dca249f11be32e5b39fb93c12/detection,
« Last Edit: September 22, 2019, 03:43:23 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Saravanapathi

  • Newbie
  • Posts: 11
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #17 on: September 22, 2019, 04:43:17 AM »
Hi pio,

Thank you for reporting this.
We'll check it.

Best regards
Saravanapathi V

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #18 on: November 18, 2019, 06:03:19 PM »
Variant.Trojan.Spyware.AgentTesla

https://valkyrie.comodo.com/get_info?sha1=39ddcbf069b164956d36b9749ade568f95129f4d

https://www.virustotal.com/gui/file/e40c9f16e430f01d791d74e79be435fbba9c54655bc981f0dd42d308ad67cd9b/detection

Some suspicious/malicious Indicators: Compiler: Microsoft Visual C# v7.0 / Basic .NET, File has multiple binary anomalies (File ignores Code Integrity, Checksum mismatches the PE header value, PE File has unusual entropy sections, References a string with a suspicious size, size: "2394" bytes), Reads Windows Product ID, Reads Environment values, Reads data out of its own binary image, Reading critical registry keys, Creates a copy of itself, Checks for external IP, Changes the autorun value in the registry, Creates RWX memory, Creates guarded memory sections, Creates files in the user directory, Attempts to remove evidence of file being downloaded from the Internet, Sniffs keystrokes, Stores a script command in the registry, Harvests credentials from various local FTP client softwares, Harvests information related to installed mail clients, Connects to SMTP port ("198.54.116.63" > mail.jiratane.com > https://www.virustotal.com/gui/url/49bbbc13555353af91786ae86101acc1441cadabf24a4a2b102fecb04f438449/detection)

MITRE ATT&CK™ Techniques: T1106, T1060, T1081, T1012, T1082, T1071, T1045 >>> (https://attack.mitre.org/matrices/enterprise/windows/)
« Last Edit: November 18, 2019, 06:05:18 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline kowsalya

  • Comodo Family Member
  • Posts: 51
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #19 on: November 19, 2019, 01:16:37 AM »
Hi pio,

Thank you for reporting.
We'll check it.

Regards,
Kowsalya R

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #20 on: December 04, 2019, 01:20:32 PM »
Because of hardware issues, I'm currently running very limited analytics, as I'm currently unable to create a secure analytics environment. Therefore, this time I can only offer incomplete information regarding the following file. The file implements various Anti-VM techniques and succeeds very well with that.

The file is not recognized by VT for several days! But despite my limited analysis capabilities, I'm pretty sure the file must be considered as malicious.

Trojan..Generic

>>> https://valkyrie.comodo.com/get_info?sha1=96a615da33c1ef185a1e9dea56c244a1e7c48107

>>> https://www.virustotal.com/gui/file/949c5f9c311410d654288dc37b97ecc1089a5972f3abca21822caaf368e06005/detection

Matched Yara Rules: crime_win_gamarue_andromeda_common_strings

Some suspicious/malicious Indicators: Compiler: Visual C/C++(19.00.24210), Packer: Overlay > zlib, File has multiple binary anomalies (The file doesn't register any VersionInfo, File ignores Code Integrity, The file checksum is invalid > checksum: "0x00000000", ImageBase is suspicious > Value in File > "5368709120", Imports sensitive Libraries > "Windows Socket 2.0 32-Bit DLL", Contains other files > type: Flash, location: overlay, offset: "0x00275E6F", type: Flash, location: overlay, offset: "0x004BA03B", type: Flash, location: overlay, offset: "0x005EA293", The file-ratio of the overlay is suspicious > ratio: "95.98%"), The file may be hiding some of its imports (GetProcAddress, LoadLibraryExW, LoadLibraryA), Reads data out of its own binary image, Checks if being debugged, Calls the "sleep-function" many times, Uses low level APIs, Enumerates local disk drives, Leverages the raw socket API to access the Internet, File was downloaded from an IP/domain known to propagate malicious content > hxxp://92.63.192.128/attach/get/ass.exe > https://www.virustotal.com/gui/url/89bef45f22903ff17795bab476abc2e3e6de523a259f49439a129dabe3c2b6f6/detection

I am very curious about the classification by a Comodo expert and in a few days my entire hardware should be ready for use again.  :)
« Last Edit: December 04, 2019, 01:32:16 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • Posts: 3580
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #21 on: December 05, 2019, 10:30:36 AM »
Hi pio,

Detection will be added soon.

Regards,
Ionel

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #22 on: December 05, 2019, 02:42:56 PM »
> Hi pio,
>
> Detection will be added soon.
>
> Regards,
> Ionel

Hi Ionel,

I can already confirm the signature detection for CAV & Valkyrie and the detection on Virus Total will certainly follow soon!!?

For me this is the first malicious file that has absolutely NO detection on VT even after a few days and in which the additional analysis performed with AnyRun, CAPE, VxStream Sandbox and Tencent Habo was not feasible because it was not even started or then failed. Unfortunately, Cuckoo and Valkyrie were unable to provide any further meaningful indicators.


Thanks and Regards!
Pio
« Last Edit: December 05, 2019, 03:03:26 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #23 on: December 09, 2019, 03:11:28 PM »
The file still has a very low detection rate on VT after almost 20 days.

Trojan..RAT.Remcos

>>> https://valkyrie.comodo.com/get_info?sha1=4d9b0d397c2f1376d9160703368c39003139ccf6

>>> https://www.virustotal.com/gui/file/bb1fee6b5d7d37e95620576b6401d04728b642edd4c6744470ec15bc5db0990f/detection

Found Mitre Tactics: Defense Evasion, Discovery, Persistence, Execution

Found Mitre Techniques: Hooking, Execution through API, Query Registry, System Information Discovery, System Time Discovery, Access Token Manipulation, Modify Registry, Virtualization/Sandbox Evasion

Some suspicious/malicious Indicators: Compiler: Visual C/C++ 6.0, Crypter/Protector: Armadillo 1.71, File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, Contains zero size sections, The compiler time stamp is outside of the Certificate time stamp, References debug symbols, Contains various unknown resources), Found multiple Anti-VM/Evasion Strings (Calls the "SleepEx" function, Queries the Disk Size, Checks adapter addresses, Checks amount of memory, Performs access token manipulation), Found more than one unique User-Agent (Mozilla/5.0), Contains ability to open/control a service (OpenServiceA[at]ADVAPI32.dll), Contains indicators of bot communication commands (useManualLogin = (Indicator: "login="), Creates guarded memory sections, Installs itself for autorun at Windows startup, Contains ability to lookup the windows account name, Queries kernel debugger information, Queries process information, Queries sensitive IE security settings, Scanning for window names, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Logs keyboard strokes, Hooks windows functions, Opens the MountPointManager, Opens the Kernel Security Device Driver, Tries to hide a procedure lookup using single characters, Tries to steal FTP credentials, Steals private information from local Internet browsers, Installs a Browser Helper Object, Disables proxy, Outgoing Basic Auth Base64 HTTP Password detected (unencrypted), Sends traffic on typical HTTP outbound port, but without HTTP header > TCP traffic to "169.55.0.224" on port 80 & TCP traffic to "23.63.209.10" on port 443
« Last Edit: December 09, 2019, 03:32:45 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • Posts: 2111
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #24 on: December 09, 2019, 07:44:41 PM »
Hi pio,

Thank you for reporting this.
We'll check it.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #25 on: December 10, 2019, 11:04:59 PM »

Trojan..RAT.Remcos

>>> https://valkyrie.comodo.com/get_info?sha1=4d9b0d397c2f1376d9160703368c39003139ccf6

>>> https://www.virustotal.com/gui/file/bb1fee6b5d7d37e95620576b6401d04728b642edd4c6744470ec15bc5db0990f/detection

I would like to give some more information regarding this file.

Simple skills of checking file reputation. Only for those who have time for such things.
  8) ;)

The file pretends to be the "Internet Download Manager" from the company "Tonec, Inc". >>> https://www.internetdownloadmanager.com/

Based on the information published on the developer's homepage, the specific version reported by the file was released on "20.11.19". The compiler and debugger-stamp refer to the "22.11.19"???  Including a possible time shift, this only leaves the conclusion that this cannot be a legitimate version. I also looked at 5 different versions (older and newer ones like the file in question) for their size and the smallest version has 7.4 MB, the latest version 8.1 MB. The file I rated as harmful is almost half the size of all official installers of the Internet Download Manager. In addition, all 5 installers I reviewed have a valid certificate, but the suspect file does not.

There is also more up-to-date malware that tries to use exactly the same facade for its own purposes. "Execution Parents" from the last official "Internet Download Manager" installer and with very high detection rate on VT. >>> https://www.virustotal.com/gui/file/9f8230c54139399cd6eeff461584c292c24e7d9aaedc50d66ccf6a99609d73fc/detection (NOT detected by CAV)

Still for comparison, 2 screenshots of the initial analysis from the malicious file and the latest official installer version, carried out with "pestudio".

« Last Edit: December 10, 2019, 11:55:02 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
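The reputation checks pio walks through above (compile timestamp later than the vendor's release date, missing certificate) together with the header anomalies flagged in the earlier reports (zero or mismatched PE checksum, a very large overlay ratio, the fixed Delphi timestamp 0x2A425E19), as an added Python example that is not part of the original thread and uses only the standard library. The minimal PE image, its 2019-11-22 build stamp and the 2019-11-20 release date are constructed here to mirror the post; the field offsets follow the PE32 header layout.

```python
import struct
from datetime import datetime, timezone

# Delphi/Borland linkers stamp every binary with this fixed TimeDateStamp (1992-06-19).
DELPHI_MAGIC_STAMP = 0x2A425E19


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Recompute the header checksum as imagehlp does, skipping the stored field."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def triage_pe(data: bytes, vendor_release_iso: str) -> dict:
    """Static checks: build time vs. vendor release date, checksum, signature, overlay."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    n_sections, stamp = struct.unpack_from("<HI", data, pe_off + 6)
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    checksum_off = opt + 64
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is the Authenticode table.
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * 4)
    # Bytes past the last section (and any appended certificate) are overlay: installer payload.
    image_end = cert_off + cert_size
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "compile_time": built,
        "delphi_magic_stamp": stamp == DELPHI_MAGIC_STAMP,
        "compiled_after_release": built > datetime.fromisoformat(vendor_release_iso),
        "checksum_matches": struct.unpack_from("<I", data, checksum_off)[0] == pe_checksum(data, checksum_off),
        "authenticode_present": cert_size > 0,
        "overlay_ratio": (len(data) - image_end) / len(data),
    }


def patch_checksum(data: bytes) -> bytes:
    """Write the correct checksum into the header, as a normal build would."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


def build_sample_pe(stamp: int, checksum: int = 0, overlay: int = 15 * 1024) -> bytes:
    """Constructed minimal PE32: one 0x200-byte section, no signature, large overlay."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(64, b"\0") + struct.pack("<I", checksum) + b"\0" * 24 + struct.pack("<I", 16) + b"\0" * 128
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + opt + section).ljust(0x400, b"\0")
    return header + b"\xAA" * overlay  # appended payload, like an installer's overlay
```

Running `triage_pe(build_sample_pe(1574380800), "2019-11-20T00:00:00+00:00")` reproduces the post's situation: a build stamp two days after the vendor's release, no Authenticode entry, a zero checksum that does not match, and about 94% of the file sitting in the overlay.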

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #26 on: December 20, 2019, 04:37:03 AM »
APT.Document.VBA.Downloader.Agent.PredatorTheThief

>>> https://www.virustotal.com/gui/file/73057aa6ab03fc75be12ee33592348bf187ba086aa9a18d6eb7b26b9eb378daf/detection

>>> https://valkyrie.comodo.com/get_info?sha1=11fa3ac12d53d73f552d949a04ad3ab4f00cc0e1

Some suspicious/malicious Indicators: Found more than one unique User-Agent (Microsoft BITS/7.5, Mozilla/5.0, AppleWebKit/537.36, Chrome/72.0.281.121 Safari/537.36), Contains embedded VBA macros with keywords that indicate auto-execute behavior, Contains deobfuscation code, Checks for an "ADS" file, Creates guarded memory sections, Writes data to other processes ("C:\Windows\System32\certutil.exe", "C:\Windows\System32\PING.EXE"), Creates OLE objects, Checks network status using ping, Uses "C:\Windows\System32\certutil.exe" to decode a file (with commandline "-decode sfera redol"), Modifies proxy settings, Raised Suricata alerts (PE EXE or DLL Windows file download HTTP, Certificate with Unknown Content, Found "Win32/Predator The Thief" Initial CnC Checkin Request, Found MALWARE "MSIL/Predator The Thief" CnC Checkin), POSTs files to a malicious webserver > Host: "coinbase-promo.info" > https://www.virustotal.com/gui/url/6b54a5fcd7836df3f5862cac50cd40c4a6df0a662f791eda396678f95d65a7f3/detection

A short description of "Predator The Thief" malware: "Predator" is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes: Payload builder and Command and Control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web-camera. It is developed by using a modular approach so that criminals may add more sophisticated tools on top of it.

« Last Edit: December 20, 2019, 05:59:48 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Mageshwaran

  • Comodo Member
  • Posts: 45
Re: Report Undetected Malware for Valkyrie Service Here - 2019
« Reply #27 on: December 20, 2019, 05:34:03 AM »
Hi pio,

Thank you for reporting this.
We'll check it.

Best regards
Mageshwaran.B

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here - 2020
« Reply #28 on: March 11, 2020, 11:09:10 PM »
APT19.Backdoor.UAC.Exploit.CodosoGh0st

>>> https://www.virustotal.com/gui/file/6e5081bd42dc3070dba3097aafab6c7e1d7b900e6de71a0af0c992589e815c6a/detection

>>> https://valkyrie.comodo.com/get_info?sha1=f32c6b6b184625594a5fd90e369d706329de9a6e

Some suspicious/malicious Indicators: Compile/Crypter signature: Compiler: Microsoft Visual C/C++(2013)[DLL32], Crypter: XOR - 0x20, Xord Javascript, File has multiple binary anomalies (File ignores Code Integrity, The file contains another file (type: executable, location: .data, offset: "0x000DA710" & type: executable, location: .data, offset: "0x000DCB10"), Imports sensitive libraries (Windows Socket 2.0 32-Bit DLL), Checksum mismatches the PE header value, Cryptographic algorithms detected in the binary > Uses constants related to SHA1, SHA256, SHA512, AES, CRC32, MD5), Contains a known anti-VM trick (Found VM detection artifact "CPUID trick" in Offset: "898347"), Contains references to system tools ("rundll32.exe"), Contains ability to open the clipboard, Tries to detect the presence of a debugger, Enumerates local disk drives ("GetLogicalDriveStringsW", "GetVolumeInformationW", "GetDriveTypeW"), Launches other programs ("CreateProcessW", "ShellExecuteW"), Allocates read-write-execute memory, Creates guarded memory sections, Makes a code branch decision directly after an API that is environment aware (Found API call GetTimeZoneInformation[at]KERNEL32.dll, Found API call GetVersion[at]KERNEL32.dll, Found API call GetVersionExW[at]KERNEL32.dll), Listens for incoming communication, Leverages the raw socket API to access the Internet, Uses communication over "SMTP", Contains domain names (267-esmtp.gmail.com, esmtp.gmail.com, gmail.com, hxxp://www.openssl.org, hxxp://www.openssl.org/support/faq.html, openssl.org, smtp.gmail.com)
« Last Edit: March 11, 2020, 11:59:21 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline kowsalya

  • Comodo Family Member
  • Posts: 51
Re: Report Undetected Malware for Valkyrie Service Here - 2020
« Reply #29 on: March 12, 2020, 12:15:39 AM »
Hi pio,

Thank you for reporting this.
We'll check it.

Best regards,
Kowsalya R
