Author Topic: Report Undetected Malware for Valkyrie Service Here  (Read 44170 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 569
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #300 on: May 23, 2018, 06:22:06 PM »
I accidentally posted it in the wrong section. The Valkyrie link has also been corrected!

PUA.Variant.Elemental - Certificate "issued" by Comodo & "countersigned" by Comodo & UserTrust
 
https://valkyrie.comodo.com/get_info?sha1=%098068ca12f380a2f1ad5a06f2c818697dc62d5779

https://www.virustotal.com/#/file/e0a8c71d1be0cab933fba33005d35f6cab9c7f3de8f853c90296081213ae9ce6/detection

Some suspicious/malicious indicators:

  • Compiler/Packer/Protector signature: Compiler: MS Visual 6.0, Packer: aPLib Compression, Protector: "VMProtect v1.70.4"
  • File has multiple binary anomalies (File ignores Code Integrity, Checksum mismatches the PE header value)
  • Imports sensitive libraries (Remote Procedure Call Runtime, Windows NT Image Helper, Internet Extensions for Win32)
  • Found potentially Anti-VM strings (Checks amount of memory in system, Checks adapter addresses)
  • Contains ability to query CPU information
  • Contains ability to enumerate processes/modules/threads
  • Contains ability to download files from the internet
  • Checks if debugger is present
  • Tries to delay the analysis
  • References suspicious system modules ("\ntoskrnl.exe")
  • Code classification distribution is known to appear in malware (TrID distribution is very similar to the "CTB-Locker" family, e.g. SHA256: "cbba56bd16222191f1468a1d93b63945394371cfb9ffe38f34a9575c5655e57a")
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads the registry for installed applications
  • Reads Windows Trust Settings
  • Creates Windows services (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
  • Makes a code branch decision directly after an API that is environment aware (Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, 0Ah" and "jc 00DB2AE2h" from ElementsBrowserSetup.exe)
  • Accesses potentially sensitive information from local browsers
  • Modifies Software Policy Settings
  • Modifies proxy settings
  • Queries sensitive IE security settings
  • Opens the Kernel Security Device Driver
  • Found malicious network related activity: POSTs files to a webserver ("88.208.7.90:80" (api.elementsbrowser.com))

Certificate Details:

Algorithm:                    rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                       179723649418726568291415893014874442843
Serial (Hex):                 8735840c523fd6c738fcd35f37d44c5b

Valid from:                   Nov 27 00:00:00 2017 GMT
Valid until:                  Oct 11 23:59:59 2018 GMT

C (countryName):              GB [4742]
CN (commonName):              ELEMENTS BROWSER (Info Software lp)
L (localityName):             Edinburgh
O (organizationName):         ELEMENTS BROWSER (Info Software lp)
OU (organizationalUnitName):  Elements Browser
ST (stateOrProvinceName):     Scotland
postalCode (postalCode):      EH3 6SW
street (streetAddress):       Suite 2, 5 St. Vincent street
« Last Edit: May 23, 2018, 06:25:05 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
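One of the indicators listed above, "Checksum mismatches the PE header value", is cheap to confirm by hand instead of taking the sandbox's word for it. The script below is an added example and is not code from pio's post, from Comodo or from Valkyrie: it recomputes the PE header checksum (the fold that Windows' CheckSumMappedFile performs: sum the 32-bit words of the file with the CheckSum field itself treated as zero, carry around, fold to 16 bits, then add the file length) and compares it with the stored value. The PE image it runs on is constructed in the script; it is not the reported ElementsBrowserSetup.exe, and the payload bytes and offsets are arbitrary. Treat a mismatch as weak evidence on its own: packers and protectors such as the VMProtect build named above routinely leave the field stale, and the loader does not enforce the checksum for ordinary user-mode executables.

```python
"""Recompute a PE file's header checksum and compare it with the stored value.

Added example, not code from the original post or from Comodo/Valkyrie.
The sample image built by build_sample_pe() is constructed here and is not the
reported binary."""
import struct

PE_SIGNATURE = b"PE\0\0"
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64  # same position for PE32 and PE32+


def locate_checksum_field(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum offset in the optional header
    return e_lfanew + 4 + 20 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Checksum as Windows computes it: carry-around sum of every 32-bit word
    (with the CheckSum field zeroed), folded to 16 bits, plus the file length."""
    length = len(data)
    work = bytearray(data)
    work[checksum_offset:checksum_offset + 4] = b"\0\0\0\0"  # field counts as zero
    if len(work) % 4:
        work += bytes(4 - len(work) % 4)  # pad to whole dwords, as the loader does
    total = 0
    for offset in range(0, len(work), 4):
        total += struct.unpack_from("<I", work, offset)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)  # carry around
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + length


def verify_checksum(data: bytes) -> dict:
    """Compare the stored CheckSum with a fresh computation."""
    offset = locate_checksum_field(data)
    stored = struct.unpack_from("<I", data, offset)[0]
    computed = pe_checksum(data, offset)
    if stored == 0:
        status = "unset"      # common for unsigned/debug builds; not evidence by itself
    elif stored == computed:
        status = "ok"
    else:
        status = "mismatch"   # headers or body edited after the checksum was written
    return {"stored": stored, "computed": computed, "status": status}


def set_checksum(data: bytes) -> bytes:
    """Write the correct checksum, e.g. to produce a known-good reference image."""
    work = bytearray(data)
    offset = locate_checksum_field(work)
    struct.pack_into("<I", work, offset, pe_checksum(bytes(work), offset))
    return bytes(work)


def build_sample_pe(payload: bytes = b"constructed sample, not the reported file") -> bytes:
    """Minimal constructed PE32 image: DOS stub, PE headers, a payload blob.
    Constructed for this example; offsets and contents are arbitrary."""
    e_lfanew = 0x80
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    struct.pack_into("<H", img, e_lfanew + 4, 0x014C)   # Machine = i386
    struct.pack_into("<H", img, e_lfanew + 20, 0xE0)    # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, e_lfanew + 24, 0x010B)  # Magic = PE32
    img[0x180:0x180 + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    good = set_checksum(build_sample_pe())
    print("intact: ", verify_checksum(good))
    tampered = bytearray(good)
    tampered[0x190] ^= 0x41   # patch one byte after the checksum was written
    print("patched:", verify_checksum(bytes(tampered)))
```

Run it against a real sample by replacing the constructed image with the file's bytes (`verify_checksum(open(path, "rb").read())`); a "mismatch" on a signed binary is worth a second look only together with the other indicators, since the Authenticode signature, not this checksum, is what actually binds the file to the certificate shown above.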

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2582
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #302 on: May 23, 2018, 11:24:16 PM »
Hi, pio

Thank you for your submission.
We'll check them, and if they are found to be malware, detection will be added.

Best regards
Chunli.chen

Offline ceyhun.b

  • Newbie
  • *
  • Posts: 18
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #303 on: May 24, 2018, 03:26:20 AM »
Thank you again for your cooperation, Yigido :-TU

All of them are now marked as malware, and this data really helps us.

https://valkyrie.comodo.com/get_info?sha1=9929c7f5fa8b1cb8a032000d419878b1fc2b5df5
https://valkyrie.comodo.com/get_info?sha1=544d003274e5c717fcdf94552f62f9081efb3ebc
https://valkyrie.comodo.com/get_info?sha1=e42efc5140810703014f2b8fe2d251c1e73b407d
https://valkyrie.comodo.com/get_info?sha1=413042b936a06f93780429ef6dd2beee8c82c477
https://valkyrie.comodo.com/get_info?sha1=7d159ee6b8c2c214c32d0c1e1cec8bfb2679e7e8
https://valkyrie.comodo.com/get_info?sha1=9486c78c4e62ffda6542962429cd19a3d7611f17
https://valkyrie.comodo.com/get_info?sha1=065816f80979f3999ba8af0d9c8fb8a87cddf655
https://valkyrie.comodo.com/get_info?sha1=f9950170ae3f6402defdcbfa627ca9214340c166
https://valkyrie.comodo.com/get_info?sha1=b61c9abbd94c18914892b4dca00d788f0da61afd
https://valkyrie.comodo.com/get_info?sha1=408d4babe73c1b8729804dd3ee4c1a917dd4df3b
https://valkyrie.comodo.com/get_info?sha1=51c0171f94a93dcac9d1f6ee0e8aee7eb7093510
https://valkyrie.comodo.com/get_info?sha1=948482095bade1c1d72cda2a08b165a47ca128f3
https://valkyrie.comodo.com/get_info?sha1=4e64a6f1e81546cdfa51ebd5b39b3cc39d5eea71
https://valkyrie.comodo.com/get_info?sha1=3e42d5364c67e0fd923a09dc064f294614ce2d8d
https://valkyrie.comodo.com/get_info?sha1=e407a60798980249aef34c5005092f36e6c0fed7

https://valkyrie.comodo.com/get_info?sha1=110ec1d418e93b3e2db8687066e03b5e54764663

https://valkyrie.comodo.com/get_info?sha1=ef19c269a9571f574e8f2e719f512d4e923101a8
https://valkyrie.comodo.com/get_info?sha1=2866d3569a92ba386dd6ca77ecbc64ca72c8354d
https://valkyrie.comodo.com/get_info?sha1=ce0c03c4dd10b780d944b6778e969c8defa12e70
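Lists like the one above, and the Valkyrie and VirusTotal links in pio's report earlier in the thread, are usually wanted as a clean hash list rather than as URLs. The script below is an added example, not code from this thread or from Comodo: it pulls the digests out of both link shapes used here (`get_info?sha1=<hash>` and `/#/file/<sha256>/detection`), percent-decodes them so that the stray `%09` (a URL-encoded tab) present in one of the posted links is stripped instead of breaking the hash, validates length and hex alphabet, lowercases and de-duplicates. The `SAMPLE_POST` text is constructed for the example from hashes already on this page; the `not-a-hash` link is a deliberate bad input.

```python
"""Pull file hashes out of Valkyrie / VirusTotal links pasted in forum posts and
normalise them into a de-duplicated IOC list.

Added example, not code from the original thread or from Comodo. SAMPLE_POST is
constructed here from the link shapes used in this thread."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

HASH_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"\A[0-9a-f]+\Z")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _candidates(url: str) -> list:
    """URL fields that may carry a hash, for the two link shapes seen in the thread."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "valkyrie.comodo.com":
        # get_info?sha1=<hash>; parse_qs percent-decodes, so the stray %09 (tab)
        # in one posted link becomes whitespace that strip() removes
        return [v for values in parse_qs(parts.query).values() for v in values]
    if host.endswith("virustotal.com"):
        # 2018-era UI: /#/file/<sha256>/detection (hash in the fragment);
        # newer UI puts it in the path, so look at both
        return unquote(parts.fragment).split("/") + unquote(parts.path).split("/")
    return []


def extract_hashes(text: str) -> list:
    """Return sorted unique (algorithm, hash) pairs found in the text's links."""
    found = set()
    for url in URL_RE.findall(text):
        for candidate in _candidates(url):
            value = candidate.strip().lower()
            algo = HASH_ALGO_BY_LENGTH.get(len(value))
            if algo and HEX_RE.match(value):
                found.add((algo, value))
    return sorted(found)


# Constructed sample: hashes already quoted in this thread, one link with the
# %09 artefact, one duplicate in upper case, and one deliberately invalid value.
SAMPLE_POST = """
https://valkyrie.comodo.com/get_info?sha1=%098068ca12f380a2f1ad5a06f2c818697dc62d5779
https://www.virustotal.com/#/file/e0a8c71d1be0cab933fba33005d35f6cab9c7f3de8f853c90296081213ae9ce6/detection
https://valkyrie.comodo.com/get_info?sha1=9929c7f5fa8b1cb8a032000d419878b1fc2b5df5
https://valkyrie.comodo.com/get_info?sha1=9929C7F5FA8B1CB8A032000D419878B1FC2B5DF5
https://valkyrie.comodo.com/get_info?sha1=not-a-hash
"""

if __name__ == "__main__":
    for algo, digest in extract_hashes(SAMPLE_POST):
        print(f"{algo}\t{digest}")
```

The output is one `algorithm<TAB>hash` line per unique digest, which drops straight into a blocklist or a hash-based hunt; hashes that are not hex of a recognised length are silently ignored rather than guessed at.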

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5691
  • COMODO Rocks!
    • Free Comodo Products!
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #304 on: May 24, 2018, 04:43:56 AM »
Nice to hear that :) Please keep us informed about the improvements  :-TU
COMODO Cloud Antivirus
Firefox Quantum
Encrypt the web! Use HTTPS Everywhere..
Block spying ads and invisible trackers! Use Privacy Badger..


Offline Deepak PV

  • Comodo Staff
  • Comodo Member
  • *****
  • Posts: 37
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #306 on: May 24, 2018, 05:11:42 AM »
Hi yigido,

Thank you for your submission.
We'll check them, and if they are found to be malware, detection will be added.

Best regards
Deepak PV

Offline Deepak PV

  • Comodo Staff
  • Comodo Member
  • *****
  • Posts: 37
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #308 on: May 24, 2018, 07:39:51 AM »
Hi yigido,

Thank you for your submission.
We'll check them, and if they are found to be malware, detection will be added.

Best regards
Deepak PV

Offline Deepak PV

  • Comodo Staff
  • Comodo Member
  • *****
  • Posts: 37
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #310 on: May 25, 2018, 12:40:06 AM »
Hi yigido,

Thank you for your submission.
We'll check them, and if they are found to be malware, detection will be added.

Best regards
Deepak PV

Offline Deepak PV

  • Comodo Staff
  • Comodo Member
  • *****
  • Posts: 37
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #312 on: May 25, 2018, 05:19:41 AM »
Hi yigido,

Thank you for your submission.
We'll check them, and if they are found to be malware, detection will be added.

Best regards
Deepak PV

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2582
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #314 on: May 25, 2018, 11:38:26 PM »
Hi, yigido

Thank you for your submission.
We'll check them, and if they are found to be malware, detection will be added.

Best regards
Chunli.chen
