Adware.OneClick
Some suspicious/malicious Indicators : Matched Compiler/Packer/Crypter signature > Compiler : Borland Delphi , File has multiple binary anomalies ( File ignores Code Integrity , Entrypoint is outside of first section , Has “2” executable sections , Contains zero-size sections , Digisig is expired: Dec 18 23:59:59 2017 , Imports sensitive Libraries ( Multiple Provider Router DLL ) ) , Contains ability to start/interact with device drivers , Contains ability to lookup the windows account name , Contains ability to reboot/shutdown the operating system , Contains ability to retrieve keyboard strokes , Contains ability to elevate privileges , Reads the keyboard layout followed by a significant code branch decision ( Found API call GetKeyboardLayout[at]USER32.DLL directly followed by “cmp ebx, dword ptr [00503A9Ch]” and “je 00452916h” from _iu14D2N.tmp.exe ) , Creates named pipes , Hooks/Patches the running process ( “Input Sample” wrote bytes to “MSIMG32.DLL” ) , Opens the Kernel Security Device Driver
Thank you Pio,
2e25cf5200b9f199cce9ac2d17f71711ffead403 has been reviewed and marked as PUA.
Thank you for the information !
Best Regards!
Hi Felipe,
Thank you for bringing these to our attention! They were taken care of.
Regards,
Ionel
Trojan.Generic
Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: BobSoft Mini Delphi , File has multiple binary anomalies ( File ignores Code Integrity , The resource directory is invalid , The file has “2” executable sections , Checksum mismatches the PE header value , Entrypoint is outside of first section , The file is resource-less , The count “3” of libraries is suspicious , Contains zero-size sections , The file doesn’t register any VersionInfo ) , Found Anti-VM Strings ( Checks amount of system memory ) , Checks if a debugger is present , Tries to delay the analysis , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the active computer name , Reads terminal service related keys , Reads the registry for installed applications , Scanning for window names , Creates guarded memory sections , Drops cabinet archive files , Creates new processes ( “Input Sample” is creating a new process > “iexplorer.exe” & “iexplore.exe” is creating a new process > “iexplorer.exe” ) , Writes data to another process ( “iexplorer.exe” ) , Process launched with changed environment ( “iexplorer.exe” ) , Installs hooks/patches the running processes ( “USER32.DLL” , “COMCTL32.DLL” , “ADVAPI32.DLL” , “IEFRAME.DLL”, “OLEAUT32.DLL”, “OLE32.DLL”, “SHELL32.DLL” ) , Duplicates the process handle of another process to obtain access rights to that process ( 37 events ) , Touches multiple files in the Windows directory , Makes a code branch decision directly after an API that is environment aware , Accesses sensitive information from local browsers , Queries sensitive IE security settings , Attempts to modify system certificates , Opens the MountPointManager , Opens the Kernel Security Device Driver , Found possibly malicious network related activity > Connects to an IP address that is no longer responding to requests ( “51.143.22.239” ) , Found an instant messenger related domain ( Indicator: “skype.com”; File: “network.pcap” )
Hi, pio
Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.
Best regards
Chunli.chen
Doesn’t seem to be processed yet! Please take a look at this and create a classification! Thanks!
PUA.Adware
Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Nullsoft PiMP Stub , Packer: NSIS, appended, Unicode, UPX, UTF-8 , File has multiple binary anomalies ( File ignores Code Integrity , Digisig is expired: Jul 20 21:05:12 2017, Contains another file ( type: Nullsoft, location: overlay, file-offset: “0x00018A08” , “0x00113333” , “0x0063B90D” ) , PE file has unusual entropy sections , CRC value set in PE header does not match actual value , PE file contains zero-size sections ) , Found possibly Anti-VM Strings ( Checks amount of system memory , Queries the disk size ) , Contains ability to open the clipboard , Contains ability to retrieve keyboard strokes , Contains ability to reboot/shutdown the operating system , Contains references to WMI/WMIC , References “1” Windows built-in privilege , Scanning for window names , References suspicious system modules ( “lsass.exe” ) , Drops executable files , Reads the active computer name , Creates guarded Memory sections , Opens the MountPointManager , Opens the Kernel Security Device Driver , Touches multiple files in the Windows directory
Hi, pio
Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.
Best regards
Chunli.chen
Adware.Riskware.Freemake
Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer “5.50” , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Entrypoint is outside of first section , PE file contains zero-size sections , Has “2” executable sections , Contains unknown resources , Contains another file ( type: InnoSetup , location: overlay, file-offset: “0x00062400” ) , Found possibly Anti-VM Strings ( Checks system memory , Checks adapter addresses ) , Found more than one unique User-Agent ( Mozilla/4.0 ) , Scanning for window names , Reads the active computer name , Reads the cryptographic machine GUID , Reads the registry for installed applications , Checks if a debugger is present , Checks for the Locally Unique Identifier on the system for a suspicious privilege ( “SeDebugPrivilege” ) , Opened the service control manager , Modifies auto-execute functionality , Queries kernel debugger information , Queries process information , Creates a slightly modified copy of itself , Creates guarded memory sections , Opens the Kernel Security Device Driver , Writes data to other processes ( “rundll32.exe” , “netsh.exe” and itself ) , Created a process named as a common system process ( “explorer.exe” ) , Creates windows service ( “FreemakeVideoConverterSetup.tmp” & “netsh.exe” ) , Process launched with changed environment ( “netsh.exe” ) , Modifies “WPAD” proxy autoconfiguration file for traffic interception , Queries sensitive IE security settings , Queries the internet cache settings , Accesses sensitive information from local browsers , Sends traffic on typical HTTP outbound port, but without HTTP header ( on port “80” ) , HTTP request contains Base64 encoded artifacts , Connects to multiple dead IPs , Generates some ICMP traffic
Hi pio,
Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.
Best regards
Qiuhui.■■■■
PUA.Adware.Variant.InstallCore
Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer 5.67, File has multiple binary anomalies ( File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, Time Stamp is suspicious 06/20/1992, PE timestamp using the buggy magic timestamp “0x2A425E19”, Contains zero-size sections, Contains unknown resources, Contains multiple “15” other files (location: Overlay), The file-ratio of the overlay is “89.56”%), Contains ability to reboot/shutdown the operating system, Reads data out of its own binary image, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Get TickCount value, Creates guarded memory sections, References a Windows built-in privilege, Touches files in the Windows directory (“WINDIR%\SysWOW64\en-US\KernelBase.dll.mui” & “WINDIR%\SysWOW64\netmsg.dll”), Set special directory property (C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files, C:\Documents and Settings\Administrator\Local Settings\History, C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5, C:\Documents and Settings\Administrator\Cookies, C:\Documents and Settings\Administrator\Local Settings\History\History.IE5), Hooks/patches the running process (“USER32.DLL”), Generates some ICMP traffic
Hi pio,
Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.
Best regards
Ananthalakshmi M
PUA.Adware.Downloader.Agent.RelevantKnowledge
Found suspected PUP/PUA User-Agent (OSSProxy)
Destination IP: “165.193.78.234” over port 80 >>> VirusTotal
Sends and receives data from a Domain that is classified as malicious.
“post.securestudies.com” >>> VirusTotal
*GET > "post.securestudies.com/packages/RI1034/ContentI3.exe" >>> VirusTotal
*GET > "post.securestudies.com/packages/RV0267/ContentV3.exe" >>> VirusTotal
The received data contains, spawns and executes files which are known as Malware (files were also detected by CAV)
“rkinstaller.exe” (detected by CAV as “Malware[at]#20k6j4vte7hgo”) >>> VirusTotal
“rkverify.exe” (detected by CAV as “Malware[at]#2dgxw6pynk2pn”) >>> VirusTotal
“rlls.dll” (detected by CAV as “Application.Win32.RK.DFG[at]5uupfd”) >>> VirusTotal
Hey dear Valkyrie Team,
For a file that downloads and executes already known adware/malware, there should not be any questions left. So can anyone take care of it or at least please say something about it?
Many thanks in advance!
Hi pio,
Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.
Best regards
Umamaheshwari M
Hi Umamaheshwari,
Thanks for the re-examination and also for the new classification of the file. But I would like to inform you that there is still no signature recognition with CAV, because evidently none was created. If there are any reasons that are not known to me, then please inform me.
Thanks and Best Regards
pio
Hi Pio,
Reported file detection has been fixed.
Please check.
Thank you
Regards,
Umamaheshwari M