Author Topic: Report Undetected Malware for Valkyrie Service Here  (Read 45760 times)

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #360 on: July 18, 2018, 08:39:20 PM »
Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 485
  • Brazilian / Medicine Student / Love Technology

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #362 on: August 06, 2018, 05:56:22 PM »
Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline Volum

  • Comodo Family Member
  • ***
  • Posts: 87
  • COMODO is the best!
Please forgive my bad English.

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #364 on: October 24, 2018, 08:43:46 PM »
Hi Volum,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #365 on: November 28, 2018, 07:22:12 PM »
Ransomware.Trojan.GandCrab (5.0.4)

https://valkyrie.comodo.com/get_info?sha1=00dff6871b36c36828b5e2fcd1e3ac6a886025ad

https://www.virustotal.com/#/file/3e71e188e91521dfe6b679264592598593a662fc1e3ef3ec0d9718831455a750/detection

Some suspicious/malicious indicators:
  • Compiler/Packer signature > Compiler: Microsoft Visual C# v7.0, Basic .NET
  • File has multiple binary anomalies (File ignores DEP; Checksum mismatches the PE header value; PE file has unusual entropy sections; The signature of the resource "Rcdata:11111" is unknown; The value "0x00000000" of 'BaseOfData' is suspicious; Imports count "1" is very low; Timestamp in PE header is very old > from Sun Apr 24 20:53:20 1983)
  • Found more than one unique User-Agent (Mozilla/5.0)
  • Attempts to remove evidence of file being downloaded from the Internet
  • Opens the Kernel Security Device Driver
  • Checks for the Locally Unique Identifier on the system for a suspicious privilege
  • Creates guarded memory regions
  • Tries to sleep for a long time
  • Writes bytes to itself
  • Process deletes itself
  • "WMIC.exe" launched with changed environment
  • Reads system information using WMIC
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Queries kernel debugger information
  • Queries process information
  • Deletes volume snapshot files: "WMIC.exe" with command line "shadowcopy delete"
  • Renames user files (Extension: "jbthvkfhuq")
  • Dropped file contains instructions of ransomware (C:\Users\admin\Desktop\JBTHVKFHUQ-DECRYPT.txt)
  • Reads Internet Cache Settings
  • Reads the cookies of Mozilla Firefox
  • References a URL pattern (h**ps://secure.comodo.net/CPS0C)
  • Contacts very many different hosts ("46" domains and "55" hosts)
  • Sends traffic on typical HTTP outbound port, but without HTTP header (Found TCP traffic to multiple IPs on port "80")
  • Connects to C&C server "217.26.53.161" & "136.243.13.215"
  • POSTs data to multiple IPs
  • GETs data from multiple IPs
« Last Edit: November 28, 2018, 07:28:26 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 2099
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #366 on: November 28, 2018, 07:37:02 PM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Qiuhui.Wang

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 577
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #367 on: December 10, 2018, 11:28:36 PM »
PUA.Adware.OpenCandy

Valkyrie Final Verdict: CLEAN 

https://valkyrie.comodo.com/get_info?sha1=0d08b150836ba8c568efd4654c89b19e633a2a66

https://www.virustotal.com/#/file/6ce49f5ff498a68dfe406f12e62ad0df37a4abcd78c2578a604908c1902d9d5f/detection

Some suspicious/malicious indicators:
  • Compiler/Packer signature > Compiler: Borland Delphi; Packer: Inno Setup Installer v5.42
  • File has multiple binary anomalies (Contains multiple files in the overlay (Type: Flash, Spoon, Pkzip); The file-ratio of the overlay is 99.23 %; File ignores DEP; File ignores Code Integrity; Entrypoint is outside of first section; Digisig is expired: Jul 16 06:34:16 2013; Has "2" executable sections)
  • Contains ability to query CPU information
  • Checks if a debugger is present
  • Tries to locate where the browsers are installed
  • Reads terminal service related keys
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads the registry for installed applications
  • Scanning for window names
  • Reads Windows Trust Settings
  • Reads configuration files
  • Uses Windows APIs to generate a cryptographic key
  • Creates guarded memory sections
  • Drops executable files (found dropped file "OCSetupHlp.dll" has type "PE32 executable (DLL)", detected as "OpenCandy" on VT (28/67): https://www.virustotal.com/#/file/aebed3102186906003d2d9c56fbed174ea0a5af531e41c8fe78613fd23a6e2da/detection)
  • A process created a hidden window
  • Tries to delay the analysis
  • Duplicates the process handle of another process to obtain access rights to that process
  • Opens the Kernel Security Device Driver
  • Modifies Software Policy Settings
  • Modifies proxy settings
  • Queries sensitive IE security settings
  • Steals private information from local Internet browsers (Chrome, Firefox)
  • Creates Windows services ("rundll32.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"))
  • Generates some ICMP traffic
  • Connects to IP addresses that are no longer responding to requests ("40.67.186.102" & "195.78.120.115")
  • Found DNS requests to "api.opencandy.com"
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • *****
  • Posts: 23
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #368 on: December 10, 2018, 11:36:18 PM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Ananthalakshmi M

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25406
Re: Report Undetected Malware for Valkyrie Service Here
« Reply #369 on: December 31, 2018, 12:44:38 PM »
I have opened Report Undetected Malware for Valkyrie Service Here - 2019.

Please start making submissions there. This topic will stay open to handle open submissions.
