Author Topic: Report Undetected Malware for Valkyrie Service Here  (Read 24560 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #210 on: August 13, 2017, 10:10:24 PM »
Highlighted indicators describe similar behavior ! ( of two or more files )

Trojan.Spyware.Pony

https://valkyrie.comodo.com/get_info?sha1=8b162c6c48bda880725fb7fee1a47e9328de9f38

https://www.virustotal.com/de/file/52e71d3ea8c384c75ff8a7ac8ff13c3fc38ab57aced68ca048e428b7981c405f/analysis/1495773055/

Some suspicious/malicious Indicators : Found YARA signature match ( YARA signature "pony" classified process "winsys.exe" as "trojan,pony" > YARA signature "pony" classified file "all.bstring" as "trojan,pony" ) , File has PE Anomalies ( Checksum mismatches the PE header value ) , Checks for the presence of an Antivirus engine ( Comodo ) ,  Tries to hide a process launching it with different user credentials ( ImpersonateLoggedOnUser[at]ADVAPI32.DLL ) , Reads the registry for installed applications , Scans for artifacts that may help identify the target ( "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL > HKCU\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS > HKCU\IDENTITIES\{57AB3677-534E-4173-8F92-6566F6F82F10}\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS > HKCU\SOFTWARE\MICROSOFT\OFFICE\OUTLOOK\OMI ACCOUNT MANAGER\ACCOUNTS , Tries to steal FTP credentials ( "RushSite.xml" (Indicator: "rushsite.xml") >"Software\FlashPeak\BlazeFtp\Settings" (Indicator: "\blazeftp\") , File requested access to a system service > Sent a control code to a service ( "Input Sample" called "ControlService" and sent control code "0X400" to the service "ProtectedStorage") , Touched instant messenger related registry keys , Accesses System Certificates Settings , Modifies proxy settings , Queries sensitive IE security settings , Reads terminal service related keys , File contacts 1 host > "193.201.224.47" > GET /gxz/rubbish*.exe HTTP/1.0 Host: 193.201.224.47 Accept: */*Accept-Encoding: identity *;q=0 Connection: close , User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Trojan.Backdoor.DarkKomet

https://valkyrie.comodo.com/get_info?sha1=8224bd7bac7a6d73045ed2204e94b0a3f1dc2b95

https://www.virustotal.com/de/file/97066adb7e795bf53a9c58f340072a038f4198bde4a6e6f50fb2d1bc4dbed79e/analysis/

Some suspicious/malicious Indicators : Found YARA signature match ( YARA signature "DarkComet_4" classified process "WinLocker v12.0.exe" as "rat,darkcomet" > YARA signature "DarkComet_4" classified process "msdcsc.exe" as "rat,darkcomet" > YARA signature "DarkComet_4" classified file "all.bstring" as "rat,darkcomet" , The file embeds another file (type: RAR , location: overlay) , File code is packed and obfuscated > Matched Compiler/Packer signature > Packer : VC8 , Compiler : Microsoft Visual C++ 6.0 DLL (Debug), Microsoft Visual C++ 7.0 - 8.0, Microsoft Visual C++ 8 , File has PE Anomalies ( PE parsing > Export table, invalid RVA at (37d70) ) , Contains ability to listen for incoming connections , Queries volume information of an entire harddrive , Reads the active computer name , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the registry for installed applications , Scanning for window names , Reads terminal service related keys , File creates guarded memory sections , Opens the Kernel Security Device Driver , Drops executable files , Process launched with changed environment variables ( Process "cmd.exe" was launched with new environment variables: "sfxstime="2017-05-24-23-02-14-510", sfxname="C:\WinLocker Builder v12.0.exe", sfxcmd=""C:\WinLocker Builder v12.0.exe" > Process "WinLocker v12.0.exe" was launched with new environment variables: "sfxpar="-p1111 -d" > Process "WinLocker v12.0.exe" was launched with modified environment variables: "sfxstime, sfxname, sfxcmd" , Modifies proxy settings , Queries sensitive IE security settings , Found potential IP address in binary/memory  ( "ping 127.0.0.1 -n 4 > NUL && "", "127.0.0.1", "127.0.0.1:1604" ) , File launches a Browser ( IExplorer )


Trojan.Generic.Variant.Symmi

https://valkyrie.comodo.com/get_info?sha1=c579a919f45d3d52d736631b1cede70b231dedcb

https://www.virustotal.com/de/file/21c1a357d001c9822c07d5ccc32f24199617ba3eeb9f02bd6f080ba1642cf145/analysis/

Some suspicious/malicious Indicators :  File code is packed and obfuscated > Matched Compiler/Packer signature > Packer : BobSoft Mini Delphi , Pe123 v2006.4.4-4.12 , Compiler : Borland Delphi v3.0, Borland Delphi v6.0 - v7.0 , File has multiple PE Anomalies ( Checksum mismatches the PE header value , File contains zero sized sections , File contains more than 8 sections (9) ) , Reads the active computer name , Reads the cryptographic machine GUID , File creates guarded memory sections , Opens the Kernel Security Device Driver , Queries kernel debugger information , Contains ability to write to a remote process ( WriteProcessMemory[at]KERNEL32.DLL ) , Looks up many procedures within the same disassembly stream ( Found 16 calls to GetProcAddress[at]KERNEL32.DLL ) , File requested access to a system service ( "Input Sample" called "OpenService" to access the "RASMAN" service > requesting "SERVICE_QUERY_STATUS" (0X4) access rights > "Input Sample" called "OpenService" to access the "WinHttpAutoProxySvc" service ) , Contacts 1 domain > "GET /authorization/pullerInfo.php HTTP/1.1 , Host: swiftpuller.com , Connection: Keep-Alive" , GET /Swift%20Puller.zip HTTP/1.1 , Host: swiftpuller.com"
« Last Edit: August 13, 2017, 10:27:15 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2528
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #211 on: August 13, 2017, 11:57:01 PM »
Hi, pio

Thank you for your submission.
We'll check these.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #212 on: August 20, 2017, 08:16:57 AM »

Hi Guys ,

Unfortunately still unworked ! Please take a look at this .... !!!

Thank you !!!!!!!!!   ;)
« Last Edit: August 20, 2017, 08:18:35 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***


Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2528
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #214 on: September 03, 2017, 12:39:30 AM »
Hi, klaken

Thank you for your submission.
We'll check it.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #215 on: September 06, 2017, 09:38:35 PM »
Highlighted indicators describe similar behavior ! ( of two or more files )

Ransomware.Variant.Locky

https://valkyrie.comodo.com/get_info?sha1=ede989233947943b5b6dcb498385af51dbb3dcea

https://www.virustotal.com/en/file/4152fa533a1ecc527edd8188297994ef8d7f747d82ee0c045a83b5a1a3f6e575/analysis/1504062283/

Some suspicious/malicious Indicators : File has multiple PE Anomalies ( file debug blob is invalid , file contains suspicious named sections , the section ( .text ) is not readable , Checksum mismatches the PE header value , PE file has unusual entropy sections ) , Contains ability to measure performance ( rdtsc at PID 00002580 ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the registry for installed applications , Contains ability to elevate privileges , Contains ability to download files from the internet ( InternetReadFile[at]WININET.DLL ) , Modifies file/console tracing settings , Opens the Kernel Security Device Driver , Queries kernel debugger information , Detected text artifact in screenshot that indicates file is ransomware ( "decrypt" (Source: screen_2.png, Indicator: "decrypt") , "946mbrrzpfszonuk.onion/32COD883E1644DOA" (Source: screen_2.png, Indicator: "onion") , Changes the desktop background picture ( "Input Sample" (Access type: "SETVAL"; Path: "HKCU\CONTROL PANEL\DESKTOP"; Key: "WALLPAPERSTYLE"; Value: "30000000") , "Input Sample" (Access type: "SETVAL"; Path: "HKCU\CONTROL PANEL\DESKTOP"; Key: "TILEWALLPAPER"; Value: "30000000") , Modifies proxy settings , Queries sensitive IE security settings , Accesses potentially sensitive information from local browsers , Process "iexplore.exe" was launched with new environment variables , Process "cmd.exe" was launched with missing environment variables , Contacts 1 host , Found Trojan Locky CnC checkin > "146.120.110.46:80" , File POSTS data to "146.120.110.46:80"

Ransomware.Variant.Locky

https://valkyrie.comodo.com/get_info?sha1=f9e451e800ba5d614a4c40fbba3757bd498c1829

https://www.virustotal.com/en/file/17db7e6bb5b643fdc4bdb2c3ba7bc55784cf37932d818c30ad58316e5e998b5c/analysis/

Some suspicious/malicious Indicators : File has multiple PE Anomalies ( PE file has unusual entropy sections , file debug blob is invalid , The section ( .rsrc ) is not readable ) , Matched Compiler/Packer signature > Compiler : Microsoft Visual C++ 6.0 , Reads the active computer name , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the registry for installed applications , Modifies file/console tracing settings , Reads terminal service related keys , Modifies proxy settings , Queries sensitive IE security settings , Detected text artifact in screenshot that indicates file could be ransomware ( "g46mbrrzpfszonuk.onion/32COD883E1644DOA" (Source: screen_1.png, Indicator: "onion") , "decrypt" (Source: screen_1.png, Indicator: "decrypt") , "/RsA_tcryptosystem)" (Source: screen_1.png, Indicator: "crypto") , Changes the desktop background picture ( "Input Sample" (Access type: "SETVAL"; Path: "HKCU\CONTROL PANEL\DESKTOP"; Key: "WALLPAPERSTYLE"; Value: "30000000") , "Input Sample" (Access type: "SETVAL"; Path: "HKCU\CONTROL PANEL\DESKTOP"; Key: "TILEWALLPAPER"; Value: "30000000") , Process "iexplore.exe" was launched with new environment variables , Process "cmd.exe" was launched with missing environment variables , Contacts 1 host , Found Trojan Locky CnC checkin > "91.230.211.76:80" , File POSTS data to "91.230.211.76:80"

The following file has had a correct Human Expert verdict as malware for nearly 7 days! Please create and add a signature for this file. Thank you!!!

https://valkyrie.comodo.com/get_info?sha1=2A31C821A51E90EDDBB2F3D2D65259486BB2055F

https://www.virustotal.com/en/file/3b165affc00609b754497f45e6ec40288a8ad50cd4c58ec30f806a0354824fb0/analysis/
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2528
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #216 on: September 06, 2017, 10:55:57 PM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline klaken

  • Comodo Member
  • **
  • Posts: 35
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #217 on: September 07, 2017, 07:15:59 PM »


-https://valkyrie.comodo.com/get_info?sha1=f30a7ab0ee09cb6e16f887c87558e83a4e17fcdc
-https://www.virustotal.com/es/file/1d8790d659dc24c2a67b56b6b4104b84eb5d33ce49249332479a26c834408065/analysis/


-https://valkyrie.comodo.com/get_info?sha1=d872b76a15c13e77aa3e70321020ed9d03edacce
-https://www.virustotal.com/es/file/05eb541be4bc41ad5adc4d4eeda9146d9a0efef4b56e36fe0436ab7cd0a85974/analysis/1504824493/

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2053
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #218 on: September 07, 2017, 09:05:29 PM »
Hi klaken,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang


Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2053
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #220 on: September 08, 2017, 10:44:56 PM »
Hi klaken,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang


Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2528
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #222 on: September 13, 2017, 01:14:01 AM »
Hi, klaken

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #223 on: September 22, 2017, 07:01:28 PM »
Highlighted indicators describe similar behavior ! ( of two or more files )

Some older undetected Stuff !!!

Riskware.MSIL.Hacktool.KMS

https://valkyrie.comodo.com/get_info?sha1=BA7FC2266223598B21CFFD46F0C0EF9E9AFBCBFC

https://www.virustotal.com/#/file/574d7b53a950e1f2afeca9fa954648c5b6360cdb6a9af802d44a0ea18e3038ea/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Microsoft Visual C# v7.0 / Basic .NET , Protector : .NET Crypter , File has multiple PE Anomalies ( Checksum mismatches the PE header value , PE file has unusual entropy sections ) , File expects Windows built-in Privileges , File expects Administrative permission , Found an indicator for a scheduled task trigger , File modifies firewall settings , Found multiple references to WMI query strings known to be used for VM detection , Contains ability to listen for incoming connections , Reads the active computer name , Reads the cryptographic machine GUID , Tries to sleep for a long time , Runs shell commands ( "/C netsh advfirewall firewall delete rule name=all program=") , Sent a control code to a service ( "NapAgent" ) , Modifies proxy settings , Queries sensitive IE security settings

Generic.Trojan.Downloader

https://valkyrie.comodo.com/get_info?sha1=a15542549c8df7ef6e19fe8bc7d68a5161bc553b

https://www.virustotal.com/#/file/329c75368f68d30a4fee7c7515918b5140bbf75381d62f6fb5919bd4a4bdf75d/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Microsoft Visual C++ 6.0 DLL , Packer : Nullsoft Scriptable Installer , Found Delphi 4 - Delphi 2006 artifact "5982272dbfe03_ua.exe" has a PE timestamp using the buggy magic timestamp "0x2A425E19", File has Multiple PE Anomalies ( PE file has unusual entropy sections , PE file is packed with UPX , CRC value set in PE header does not match actual value , PE file contains zero-size sections , Entrypoint in PE header is within an uncommon section ) , Contains ability to clear windows event logfiles , Contains references to WMI/WMIC , Contains indicators of bot communication commands ( "LogMessage('Add task for updater: u=' + u + ' cmd=' + cmd);" (Indicator: "cmd=") , "LogMessage('Failed to add task for updater: u=' + u + ' cmd=' + cmd);" (Indicator: "cmd=") , Modifies file/console tracing settings , Contains ability to start/interact with device drivers , Found more than one unique User-Agent ( NSIS_Inetc (Mozilla) , NSISDL/1.2 (Mozilla) , InstallCapital , Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0) , Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) , Interacts with the primary disk partition , File checks if a debugger is present , File implements anti-virtualization techniques ( vmware , qmue , virtualbox ) , File creates guarded memory sections , Drops multiple executable files , File writes bytes to itself and to spawned processes , Reads the registry for installed applications , Reads the active computer name , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the windows product ID , Accesses potentially sensitive information from local browsers , Modifies proxy settings , Queries sensitive IE security settings , Contacts 17 domains and 15 hosts , Multiple malicious artifacts seen in the context of different hosts , File POSTS data to 23.21.157.201:80 (selfdislikedfarfet.site) , File GETS data from various IPs

Generic.Trojan.Backdoor

https://valkyrie.comodo.com/get_info?sha1=E3112602CB84E56B8B30EFC9AD49554298C92B02

https://www.virustotal.com/#/file/fd254b99d73d3283ae6223d859d1d70f148bbbe6801cc38bd2d3b82be8a36e2c/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer signature > Compiler : Borland Delphi v6.0 - v7.0 , Packer : BobSoft Mini Delphi , File has multiple PE Anomalies ( File sections .rdata & -reloc are shareable , PE file has unusual entropy sections , PE file contains zero-size sections , Timestamp in PE header is very old ( Thu Dec 12 17:56:30 1991 ) ) , Reads terminal service related keys , File installs an Exception Handler , File touches files in the Windows directory ( "staticcache.dat" , "user32.dll.mui" , "sortdefault.nls" ) , File collects information about Display monitors , File collects information about the System , File references the Desktop Window , File Hooks windows APIs , File accesses the Event Log , Global Atom Table , Windows Mail API

« Last Edit: September 23, 2017, 09:47:07 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2053
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #224 on: September 23, 2017, 12:04:29 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang
