Author Topic: Report Undetected Malware for Valkyrie Service Here  (Read 28669 times)


Offline Chunli

  • Malware Research Group
  • Comodo's Hero
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #256 on: October 29, 2017, 12:22:34 AM »
https://valkyrie.comodo.com/file/analysis/a9bd8edb-3f3f-4ee7-a05a-7613067f2a33
https://www.virustotal.com/#/file/f20eaa8110626c89c60cbe9942a2a10f57be2246b105ef3fa10badbff53b59a0/detection

This marks the majority as suspicious in the dynamic analysis (red).

When will Valkyrie be ready :( or be connected to VirusTotal? Many malware samples are sent to VirusTotal... It would help to improve the AI.
Hi, klaken

Thank you for your submission.
We'll check them and, if they are found to be malware, detection will be added.

Best regards
Chunli.chen

Offline NCE

  • Newbie
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #257 on: November 01, 2017, 12:03:44 PM »
Thank you for your care, but malware keeps popping up for me.
Regards, NCE.
https://valkyrie.comodo.com/get_info?
« Last Edit: November 17, 2017, 05:37:07 AM by NCE »
Comodo mobile security. v. 3.5
LENOVO A 5000 ANDROID

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #258 on: November 01, 2017, 10:46:14 PM »
Hi, NCE

Thank you for your submission.
We'll check them and, if they are found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #259 on: November 10, 2017, 09:01:08 PM »
A few files that have long been on Valkyrie and are not yet recognized, or not yet processed.

Highlighted indicators describe similar behaviour! (of two or more files)

Trojan.Variant.Rozena

https://valkyrie.comodo.com/get_info?sha1=9c9b5ab168441afc5d52ee7adda7e8d5a59bf8fc

https://www.virustotal.com/#/file/5827ddc42b8c52a0fd4c102fa59094f1fa5ef9056bda3e216af8a0c1af4a9dcb/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer ("obfuscator") signature > Compiler: GCC MINGW-64w compiler for 32/64-bit Windows
  • File has multiple PE anomalies:
      • File ignores Code Integrity
      • File calls a TLS callback at 0x4018C0 [.text:0x2240] & 0x401870 [.text:0x2160]
      • PE file contains zero-size sections
      • Contains 16 sections
      • Contains unknown section names
      • The value ("0x002C7400") of Pointer-To-Symbol-Table is suspicious
      • The value ("1264") of Number-Of-Symbols is suspicious
  • Count of libraries ("2") is suspicious
  • Imports sensitive libraries ("Windows NT BASE API Client DLL" & "Windows NT CRT DLL")
  • Embeds another file (location: overlay)
  • Reads terminal service related keys
  • Creates guarded memory sections
  • Installs an exception handler
  • Access to >>> Service API > System Information API > Process and Thread API > Dynamic-Link Library API


Generic.Trojan

https://valkyrie.comodo.com/get_info?sha1=294f2b0d916cbadc20faba72f7de57b289e09445

https://www.virustotal.com/#/file/bd3feeacb434ed7b69bad57297d9328b2fa91233846dea6e51db952c680b966b/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer ("obfuscator") signature > Compiler: Microsoft Visual C# v7.0 / Basic .NET; Packer/Crypter: Enigma Protector
  • File has multiple PE anomalies:
      • File ignores Code Integrity
      • Checksum mismatches the PE header value
      • PE file has unusual entropy sections
      • File calls a TLS callback at 0x44F770 [.enigma2:0x202608]
      • Imports sensitive libraries ("NT Layer DLL" & "Shell Folder Service")
      • The GUID ("0000-00-00-00-000000") and the path of the debug symbols are suspicious
      • Contains self-modifying sections
      • Contains unknown section names
      • Section ".enigma1" data of raw size ("114688") overlaps next section
  • Contains ability to start/interact with device drivers
  • Contains native function calls
  • Contains ability to access the loader directly
  • Contains ability to create a remote thread
  • Contains ability to write to a remote process
  • Reads the active computer name
  • Checks if a debugger is present
  • Found multiple Anti-VM strings (against "Virtualbox")
  • Allocates read-write-execute memory
  • Creates guarded memory sections
  • Makes a code branch decision directly after an API that is environment aware
  • Uses low level APIs
  • Hooks file system APIs ("NtQueryDirectoryFile[at]NTDLL.DLL" in "<Input Sample>", "NtQueryAttributesFile[at]NTDLL.DLL" in "<Input Sample>")
  • Opens the Kernel Security Device Driver

Generic.Trojan

https://valkyrie.comodo.com/get_info?sha1=16A405A9A594260AA931A7A4EB2B503945E0D2D6

https://www.virustotal.com/#/file/546fc3a75bd2d259df48df5903057288ab7a27088775ed4d6ea7317c64f4f1b2/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer ("obfuscator") signature > Compiler: Microsoft Visual C++ DLL; Packer/Crypter: Confuser - .NET Obfuscator
  • File has multiple PE anomalies:
      • File ignores Code Integrity
      • Entrypoint is outside of first section
      • PE file has unusual entropy sections
      • Checksum mismatches the PE header value
      • Contains unknown section names
      • Contains nameless sections
      • The first section is writable and the last section is executable
  • File has no visible windows
  • The file code is self modifying
  • Reads the active computer name
  • Loads the .NET runtime environment
  • Allocates read-write-execute memory
  • Creates guarded memory sections
  • Creates named pipes
  • Tried to sleep 210 seconds
  • Touches sensitive files in the Windows directory
« Last Edit: November 13, 2017, 02:07:08 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
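Several of the indicators in the post above (unknown or nameless section names, zero-size sections, TLS callbacks, an entry point outside the first section, a suspicious Pointer-To-Symbol-Table, a writable first section with an executable last section) are plain PE header facts that can be checked without running the sample. The following is an added example written for this thread, not code from the original post or from Comodo's Valkyrie service; it parses those header fields with the Python standard library only, and exercises the checker on a constructed minimal PE32 header rather than on any of the submitted files.

```python
import struct

# Section names a standard linker emits; anything else is reported as unknown
KNOWN_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                  b".rsrc", b".reloc", b".tls", b".pdata", b".CRT", b".gfids"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / _WRITE

def pe_static_anomalies(data: bytes) -> list:
    """Return the static header anomalies found in raw PE file bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" and len(data) >= 0x40 else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        return ["not a PE file"]
    _, nsec, _, sym_ptr, nsym, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    oh = pe + 24                                            # IMAGE_OPTIONAL_HEADER
    magic, entry = struct.unpack_from("<H14xI", data, oh)   # Magic, AddressOfEntryPoint
    dirs = oh + (112 if magic == 0x20B else 96)             # data directories (PE32+/PE32)
    tls_rva, = struct.unpack_from("<I", data, dirs + 9 * 8)  # directory index 9 is TLS
    findings = []
    if sym_ptr or nsym:  # linked executables normally carry no COFF symbol table
        findings.append(f"symbol table present (ptr=0x{sym_ptr:X}, n={nsym})")
    if tls_rva:
        findings.append("TLS directory present (callbacks run before the entry point)")
    secs = [struct.unpack_from("<8sIIIIIIHHI", data, oh + opt_size + 40 * i) for i in range(nsec)]
    for name, _vsize, _rva, rsize, *_ in secs:
        name = name.rstrip(b"\0")
        if name not in KNOWN_SECTIONS:
            findings.append(f"unknown section name {name!r}")
        if rsize == 0:
            findings.append(f"zero-size section {name!r}")
    if secs:
        first, last = secs[0], secs[-1]   # (name, VirtualSize, VirtualAddress, SizeOfRawData, ..., Characteristics)
        if not first[2] <= entry < first[2] + max(first[1], first[3]):
            findings.append(f"entry point 0x{entry:X} outside first section")
        if first[-1] & SCN_WRITE and last[-1] & SCN_EXECUTE:
            findings.append("first section writable and last section executable")
    return findings

def build_sample_pe(entry=0x1000, tls=False, sections=None) -> bytes:
    # Constructed minimal PE32 header (headers only, not a real binary) for exercising the checker
    sections = sections or [(b".text", 0x200, 0x1000, SCN_EXECUTE), (b".data", 0x200, 0x2000, SCN_WRITE)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    fhdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * 76
    dirs = bytearray(128)                                   # 16 empty data directories
    if tls: struct.pack_into("<II", dirs, 72, 0x4000, 0x18)  # populate the TLS directory
    sect = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, rva, sz, 0x400, 0, 0, 0, 0, ch)
                    for n, sz, rva, ch in sections)
    return dos + b"PE\0\0" + fhdr + opt + bytes(dirs) + sect
```

Run `pe_static_anomalies(open(path, "rb").read())` on a file to list the header anomalies it trips; the constructed sample with a zero-size, writable ".enigma1" first section and a TLS directory reproduces the pattern seen in the Enigma-protected submission above.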

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #260 on: November 10, 2017, 09:05:34 PM »
Hi, pio

Thank you for your submission.
We'll check them and, if they are found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #261 on: December 05, 2017, 08:28:46 PM »
Riskware.Variant.Hacktool

https://valkyrie.comodo.com/get_info?sha1=ba021aae374a4ba0c635138b921a1381b58819fa

https://www.virustotal.com/#/file/391c989d2103dd488d9d4c2c8e1776bc6264f613656bb5bebcd7722db22160e7/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer signature > Compiler: Microsoft Visual C# v7.0 / Basic .NET; Packer: Mpress v1.x-2.19 [2.19]
  • File has PE anomalies:
      • The dos-stub message is missing
      • File ignores Code Integrity
      • Imports count (1) is very low
  • Embeds another file (Location: Overlay)
  • Tries to delay the analysis
  • Tries to obtain the highest possible privilege level without UAC dialog
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads the registry for installed applications
  • Reads the Windows product ID
  • Dropped files
  • Touches files in the Windows directory
  • Modifies proxy settings
  • Queries sensitive IE security settings

Generic.Adware

https://valkyrie.comodo.com/get_info?sha1=40f350df0f31398c3074c260850197dd83365785

https://www.virustotal.com/#/file/2eed61eae34dde347cd75b3c9ee7837a207f78717326e6376da04f5f9f4492ab/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer signature > Compiler: Borland Delphi; Packer: Inno Setup Installer 5.50
  • File has multiple PE anomalies:
      • File ignores DEP
      • File ignores Code Integrity
      • Entrypoint is outside of first section
      • Contains zero-size sections
      • Has unusual entropy sections
      • CRC value set in PE header does not match actual value
  • Contains ability to open the clipboard
  • Contains ability to retrieve keyboard strokes
  • Loads the task scheduler COM API
  • Schedules a task to be executed at a specific time and date
  • Found Anti-VM strings
  • Checks for the presence of IDE drives
  • Found more than one unique User-Agent (Mozilla/4.0, Mozilla/3.0)
  • Tries to delay the analysis
  • Expects administrative permission ("cmdline" > Schtasks /Create /TN "Super Updater Schedule" /TR "\"C:\Program Files (x86)\Super Updater\SUTray.exe\"" /SC ONLOGON /RL HIGHEST /F)
  • Creates guarded memory sections
  • Reads the active computer name
  • Reads terminal service related keys
  • Reads the registry for installed applications
  • Scanning for window names
  • Drops executable files
  • Spawns new processes
  • Duplicates the process handle of another process to obtain access rights to that process
  • Requested access to a system service ("ServiceActive", "Rasman", "Sens")
  • Modifies proxy settings
  • Queries sensitive IE security settings
  • HTTP request contains Base64 encoded artifacts
  • Found network related activity >>> File GETs data from "104.28.18.88:80" (isuperopt.com), "104.28.19.5:80" (bi.superpcdownload.net), "176.9.2.105:80" (service.smartpcupdate.com), "94.130.13.99:80" (d2.smartpcupdate.com), "104.28.19.5:80" (bi.superpcdownload.net)
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #262 on: December 05, 2017, 08:36:45 PM »
Hi, pio

Thank you for your submission.
We'll check them and, if they are found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #263 on: December 19, 2017, 02:48:53 AM »
I hope Comodo doesn't want to be the last one that classifies these files as harmful? ;) Both are malicious!!! So please, can anybody create a signature for these files? Thank you!!!

Riskware.Variant.Hacktool

https://valkyrie.comodo.com/get_info?sha1=ba021aae374a4ba0c635138b921a1381b58819fa

https://www.virustotal.com/#/file/391c989d2103dd488d9d4c2c8e1776bc6264f613656bb5bebcd7722db22160e7/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer signature > Compiler: Microsoft Visual C# v7.0 / Basic .NET; Packer: Mpress v1.x-2.19 [2.19]
  • File has PE anomalies:
      • The dos-stub message is missing
      • File ignores Code Integrity
      • Imports count (1) is very low
  • Embeds another file (Location: Overlay)
  • Tries to delay the analysis
  • Tries to obtain the highest possible privilege level without UAC dialog
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads the registry for installed applications
  • Reads the Windows product ID
  • Dropped files
  • Touches files in the Windows directory
  • Modifies proxy settings
  • Queries sensitive IE security settings

Generic.Adware

https://valkyrie.comodo.com/get_info?sha1=40f350df0f31398c3074c260850197dd83365785

https://www.virustotal.com/#/file/2eed61eae34dde347cd75b3c9ee7837a207f78717326e6376da04f5f9f4492ab/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer signature > Compiler: Borland Delphi; Packer: Inno Setup Installer 5.50
  • File has multiple PE anomalies:
      • File ignores DEP
      • File ignores Code Integrity
      • Entrypoint is outside of first section
      • Contains zero-size sections
      • Has unusual entropy sections
      • CRC value set in PE header does not match actual value
  • Contains ability to open the clipboard
  • Contains ability to retrieve keyboard strokes
  • Loads the task scheduler COM API
  • Schedules a task to be executed at a specific time and date
  • Found Anti-VM strings
  • Checks for the presence of IDE drives
  • Found more than one unique User-Agent (Mozilla/4.0, Mozilla/3.0)
  • Tries to delay the analysis
  • Expects administrative permission ("cmdline" > Schtasks /Create /TN "Super Updater Schedule" /TR "\"C:\Program Files (x86)\Super Updater\SUTray.exe\"" /SC ONLOGON /RL HIGHEST /F)
  • Creates guarded memory sections
  • Reads the active computer name
  • Reads terminal service related keys
  • Reads the registry for installed applications
  • Scanning for window names
  • Drops executable files
  • Spawns new processes
  • Duplicates the process handle of another process to obtain access rights to that process
  • Requested access to a system service ("ServiceActive", "Rasman", "Sens")
  • Modifies proxy settings
  • Queries sensitive IE security settings
  • HTTP request contains Base64 encoded artifacts
  • Found network related activity >>> File GETs data from "104.28.18.88:80" (isuperopt.com), "104.28.19.5:80" (bi.superpcdownload.net), "176.9.2.105:80" (service.smartpcupdate.com), "94.130.13.99:80" (d2.smartpcupdate.com), "104.28.19.5:80" (bi.superpcdownload.net)

*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Online Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #264 on: December 19, 2017, 02:53:19 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if they are found to be malware, detection will be added.

Best regards
Aravindhraj J

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #265 on: February 09, 2018, 02:24:07 AM »
PUA/Riskware.Auslogics.BoostSpeed

https://valkyrie.comodo.com/get_info?sha1=94683287c3a2f2cbdc0b0d77d7752cc3eed6a134

https://www.virustotal.com/#/file/21ad62e4a9003c5692782f1357d26c3bc2b061a20152e820725ac0464f0df88d/detection

Some suspicious/malicious indicators:
  • Matched Compiler/Packer signature > Compiler: Borland Delphi; Packer: Inno Setup Installer
  • File has multiple PE anomalies:
      • PE file has unusual entropy sections
      • CRC value set in PE header does not match actual value
      • PE file contains zero-size sections
  • Contains ability to retrieve keyboard strokes
  • Found Anti-VM strings (Checks amount of system memory, Queries the disk size, Checks for network adapter addresses, Checks the version of BIOS, Executes WMI queries > (select Model, PNPDeviceID, InterfaceType from Win32_DiskDrive where Index = 0))
  • Tries to obtain the highest possible privilege level without UAC dialog
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads the system/video BIOS version
  • Reads the Windows product ID
  • Reads Windows Trust Settings
  • Reads the registry for installed applications
  • Tries to delay the analysis
  • Creates guarded memory sections
  • Creates named pipes
  • Drops system driver
  • Modifies file/console tracing settings
  • Creates suspicious processes
  • Creates a hidden window
  • Deletes its original binary from disk
  • Writes data to another process (File writes bytes to itself and to "C:\Windows\System32\regsvr32.exe")
  • Duplicates the process handle of another process to obtain access rights to that process
  • Installs an exception handler
  • Hooks API calls
  • Opens the Kernel Security Device Driver
  • Queries sensitive IE security settings (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  • Steals private information from local Internet browsers (Firefox, Chrome, Yandex)
  • Modifies system certificates
  • Modifies Software Policy Settings
  • Modifies proxy settings
« Last Edit: February 09, 2018, 02:31:55 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Online Deepak PV

  • Comodo Staff
  • Newbie
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #266 on: February 09, 2018, 02:43:57 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if they are found to be malware, detection will be added.

Best regards
Deepak PV



Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #268 on: February 24, 2018, 05:32:38 PM »
Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and, if they are found to be malware, detection will be added.

Best regards
Qiuhui.Wang


 
