14 security vendors and no sandboxes flagged this file as malicious, and Comodo did not detect it either

VirusTotal: 14 security vendors and no sandboxes flagged this file as malicious

SHA-256: 552f9c111bdf18479b2195933649b8dbf80d65113b6d8743ecc9562a4e065a77
Name: NVStTest
Size: 2.61 MB
Last Analysis Date: 5 hours ago
Popular threat label: trojan.genericfca/agentb
Threat categories: trojan

Security vendors’ analysis:
ALYac: Trojan.GenericFCA.Agent.102334
Arcabit: Trojan.GenericFCA.Agent.D18FBE
BitDefender: Trojan.GenericFCA.Agent.102334
Bkav Pro: W32.AIDetectMalware
CrowdStrike Falcon: Win/malicious_confidence_100% (W)
DeepInstinct: MALICIOUS
Emsisoft: Trojan.GenericFCA.Agent.102334 (B)
eScan: Trojan.GenericFCA.Agent.102334
GData: Trojan.GenericFCA.Agent.102334
Kaspersky: HEUR:Trojan.Win32.Agentb.gen
MAX: Malware (ai Score=88)
Trellix (FireEye): Trojan.GenericFCA.Agent.102334
VIPRE: Trojan.GenericFCA.Agent.102334
ZoneAlarm by Check Point: HEUR:Trojan.Win32.Agentb.gen
Xcitium: Undetected

As for why it’s so hard to detect:
• the installer is signed
• the payload is encoded and encrypted
• it uses a legitimate NVIDIA program to load the malware (although it appears to be modified)
• it installs a legitimate music player and runs it (Nulloy.exe is not malicious, it’s the same exe from the release on GitHub)

I found the same version of NvStTest.exe online and it’s signed by NVIDIA.
You can look at the differences.
Legitimate exe (saw this on MalwareTips): Question - Steamunlocked malware? | Page 3 | MalwareTips Forums

That’s signature detection with AV-product-based AV scanners. Valkyrie Verdict’s signature base determines it’s clean but unknown with the other vectors. The file will be put in Containment if it is put on a machine with CIS/CF installed.
Valkyrie Verdict


You can watch this video to understand how Comodo can protect you even when detection fails. That’s the power of Comodo!

THANKS A LOT FOR THE REPLIES GUYS :smiley:


anytime!
just curious, was the video helpful in explaining how Comodo protected you even though it didn’t detect?

yes it did, thanks Melih :smiley: :ok_hand:


again curious,
were you aware that’s how Comodo did the protection before watching this video?

originally no, I did not

happy that this video helped!
thank you!

Hi,

Antivirus engines implemented on VirusTotal operate from the command line. In this connection, they may not be able to access the functionality which forms part of real security suites. For example, malware which would be blocked by a firewall module in a realistic scenario will not be blocked by an antivirus engine on VirusTotal.

As we read in the official document:

“antivirus engines on VirusTotal are binary versions, operating from the command line.”

They will not behave exactly the same as versions which we install on computers. In other words, engines implemented on VirusTotal usually do not have a firewall, scanning in the cloud, sandbox, HIPS, DLP, blocking script viruses, and other modules.

And then:

“We are tired of repeating that VirusTotal was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by sending them the malware they have failed to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology.”

source: https://support.virustotal.com/hc/en-us/articles/115002094589-Why-do-not-you-include-statistics-comparing-antivirus-performance


Thank you for the reply Adrian-avlab