Author Topic: Report Undetected Malware for Valkyrie Service Here  (Read 34897 times)


Offline abinaya

  • Comodo Staff
  • Newbie
  • Posts: 12
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #346 on: June 11, 2018, 07:05:36 AM »
Hi, yigido

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Abinaya R

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • Posts: 5689
  • COMODO Rocks!
    • Free Comodo Products!
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #347 on: June 11, 2018, 10:45:24 AM »
COMODO Cloud Antivirus
Firefox Quantum
Encrypt the web! Use HTTPS Everywhere..
Block spying ads and invisible trackers! Use Privacy Badger..





Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • Posts: 12
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #352 on: June 12, 2018, 07:47:08 AM »
Hi yigido,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Ananthalakshmi M


Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • Posts: 2088
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #354 on: June 13, 2018, 12:01:32 AM »
Hi yigido,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 530
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #355 on: June 26, 2018, 08:23:22 AM »
Files that have remained under the radar for a long time!!!

Trojan.SmokeLoader

https://valkyrie.comodo.com/get_info?sha1=4870a20d4f5c47dde65cb64fbbb427d6e51354af

https://www.virustotal.com/#/file/eb856e4bc44a489e6f23f1b6c9cb81bc783f721ecbff1302ff6d1648189752c0/detection

Some suspicious/malicious indicators:
  • Compiler/Packer signature > Compiler: Visual Basic 5.0 - 6.0
  • File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, The file runs in the Visual Basic Virtual Machine, Contains unknown resources, The count "1" of libraries is suspicious)
  • Contains ability to query CPU information
  • Queries kernel debugger information
  • Queries process information
  • Queries volume information of an entire hard drive
  • Tries to delay the analysis
  • Has no visible windows
  • One of the buffers contains an embedded PE file (sha1: 2e8a5b6fc50cf3d429b0f955f1a1ae0a43550c67)
  • Creates an ADS
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads terminal service related keys
  • Detects virtualization software with SCSI Disk Identifier trick
  • Deletes its original binary from disk
  • Installs itself for autorun at Windows startup
  • Executed a process and injected code into it
  • Writes to address space of another process ("explorer.exe")
  • Installs hooks/patches the running process ("USER32.DLL", "NSI.DLL")
  • Opens the Kernel Security Device Driver
  • Modify system certificates
  • Modifies Software Policy Settings
  • Found malicious network related activity:
    • Creates windows services ("explorer.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"))
    • Tries to hide tracks of having downloaded a file from the internet
    • Connects to an IRC server
    • Queried details from the computer were then used in a network or crypto API call indicative of command and control communications/preparations
    • Performs obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preparations
    • Found DNS requests to "baniqua.com" ("46.17.57.166" >>> https://www.virustotal.com/#/url/85e18cc1a13776d93c842ec9f07bf7d3dcde5f35ef2196195ffa3f6fbd546351/detection) > "unstopabless.com" ("5.45.78.194" >>> https://www.virustotal.com/#/url/abde5818c34237d75630d6d3e1422fa975b4736d1e8bebae615c5d0e0083e57f/detection) > "dangrys.com" ("5.45.78.194" >>> https://www.virustotal.com/#/url/b2dd266f388f056b8a0e4cec939c32a87f6d9425cb70970de1ba2778bcc2851b/detection)

Trojan.Spyware.Injector

https://valkyrie.comodo.com/get_info?sha1=4512c35e4ccc75bf297e26d468ed68a4765b15a7

https://www.virustotal.com/#/file/492ba1dca1f08b82db5b1de82a85c8dd30575bd7f359c00c170b2e146eafa9ac/detection

Some suspicious/malicious indicators:
  • Compiler/Packer signature > Compiler: Borland Delphi, Packer: BobSoft Mini Delphi
  • File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, PE file has unusual entropy sections, Contains zero-size sections, The time-stamp ("1991") of the compiler is suspicious, Contains unknown resources, The file has "3" shared sections, The count "8" of libraries is suspicious)
  • Contains ability to download files from the internet
  • Contains a remote desktop related string (Indicator for product: Generic VNC)
  • Contains ability to retrieve keyboard strokes
  • Contains ability to look up the windows account name
  • Putty Files, Registry Keys and/or Mutexes Detected
  • Checks if a debugger is present
  • Queries volume information of an entire hard drive
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads terminal service related keys
  • Scans for artifacts that may help identify the target
  • Sets thread context in a remote process ("Input Sample" set thread context in remote process "C:\buildloki.exe")
  • Opens the Kernel Security Device Driver
  • Makes a code branch decision directly after an API that is environment aware
  • Looks up many procedures within the same disassembly stream (Found "69" calls to GetProcAddress@KERNEL32.DLL from "buildloki.exe")
  • Harvests credentials from local FTP client software
  • Harvests information related to installed instant messenger clients
  • Harvests credentials from local email clients
  • Found malicious network related activity:
    • Creates windows services (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
    • Connects to the malicious domain "komputerowybank.pl" ("199.116.250.170" >>> https://www.virustotal.com/#/url/aa3ac2c0341770d1cc4dd6e173792c7f114d5470403b2866457b1fb80cd95750/detection)
« Last Edit: June 26, 2018, 08:36:35 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • Posts: 2578
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #356 on: June 27, 2018, 12:58:35 AM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen


Offline abinaya

  • Comodo Staff
  • Newbie
  • Posts: 12
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #358 on: June 30, 2018, 12:22:33 AM »
Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Abinaya R

