Report trusted and whitelisted malware here - 2017 (NO LIVE MALWARE!)

I don't know if there is a special reason for it, but the file has only a CAV detection and NO Valkyrie or VT detection!

Hi,

Thank you for sharing this, we’ll check it.

Kind Regards,
Erik M.

Trojan.Spy.Banker - Certificate “issued” by Comodo

Advanced File Analysis System | Valkyrie >>> Valkyrie classified this file as PUA, “because” the vendor was “GRAY” listed! A more appropriate, general designation would be “Malware”! Not every “malicious” application that comes from a “Gray” listed vendor is necessarily a PUA, right? :wink: A more general verdict would be more sensible!

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: “PolyEnE 0.01”, File code is self-modifying, PE file has multiple anomalies (Entrypoint is outside of first section, File contains more than 8 sections (13), File contains zero size sections), Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, File collects information about running threads, modules and processes, File creates guarded memory sections, File modifies the registry, File touches files in the Windows directory (touched file: %WINDIR%\Globalization\Sorting\sortdefault.nls), File hooks Windows APIs, File access to the Desktop, File reads terminal service related keys

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 49721516627819616371484452844780094337
Serial (Hex): 80409db11619820aa20903d778381

Valid from: May 16 00:00:00 2017 GMT
Valid until: Mar 6 23:59:59 2018 GMT

C (countryName): BR [4252]
CN (commonName): Sonic Eletronic [536F6E696320456C6574726F6E6963]
L (localityName): Sao Paulo [53616F205061756C6F]
O (organizationName): Sonic Eletronic [536F6E696320456C6574726F6E6963]
ST (stateOrProvinceName): Sao Paulo [53616F205061756C6F]
postalCode (postalCode): 08.490-000 [30382E3439302D303030]
street (streetAddress): R Inacio Monteiro, 600 [5220496E6163696F204D6F6E746569726F2C20363030]

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

PUA.Adware.Variant.Softcnapp - Certificate “issued” by VeriSign and “counter signed” by Comodo

Some suspicious/malicious indicators: File has an unconventional binary language > Simplified Chinese, File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: UPolyX 0.3 by delikon, VC8, Compiler: Microsoft Visual C++ 6.0 DLL (Debug), Microsoft Visual C++ 7.0 - 8.0, Microsoft Visual C++ 8.0, MSVC++ v.8, The file embeds another file (type: PKZIP (md5: 681733E29356D2C9EAC671A2DFB95A21), location: resources), File debug file name contains unprintable characters, Found known bank URL artifacts, File collects information about running threads, processes and modules, File reads terminal service related keys, File creates guarded memory sections, File watches for Display Devices and Display Monitors, File installs Windows Hooks, Contains ability to register a top-level exception handler (SetUnhandledExceptionFilter@KERNEL32.dll), Contains ability to write to a remote process (File WriteProcessMemory@KERNEL32.DL), Contains ability to download files from the internet (InternetReadFile@WININET.dll)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 119699876336049990329483135538043805430
Serial (Hex): 5a0d5b8cd21f7e325ae36d08aabbdef6

Valid from: Oct 13 00:00:00 2014 GMT
Valid until: Oct 12 23:59:59 2017 GMT

C (countryName): GB [4742]
CN (commonName): COMODO SHA-1 Time Stamping Signer [434F4D4F444F205348412D312054696D65205374616D70696E67205369676E6572]
L (localityName): Salford [53616C666F7264]
O (organizationName): COMODO CA Limited [434F4D4F444F204341204C696D69746564]
ST (stateOrProvinceName): Greater Manchester [47726561746572204D616E63686573746572]

C (countryName): CN [434E]
CN (commonName): Shanghai Oriental Webcasting Co. Ltd. [5368616E67686169204F7269656E74616C2057656263617374696E6720436F2E204C74642E]
L (localityName): Shanghai [5368616E67686169]
O (organizationName): Shanghai Oriental Webcasting Co. Ltd. [5368616E67686169204F7269656E74616C2057656263617374696E6720436F2E204C74642E]
OU (organizationalUnitName): IT dept. [495420646570742E]
ST (stateOrProvinceName): Shanghai [5368616E67686169]

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Trojware.Adware.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: Armadillo v1.71, Compiler: Microsoft Visual C++ v6.0, File has PE anomalies (The first section (name: .text) is writable, File calls a TLS callback at 0x4713D0 [.text:0x459728]), Reads the active computer name, Reads the cryptographic machine GUID, Reads terminal service related keys, Queries physical drive, Opens the Kernel Security Device Driver, Queries kernel debugger information, File access to the RPC Network Data Representation Engine, to the Winsock API, to the WinINet, Modifies proxy settings, Queries sensitive IE security settings, Accesses potentially sensitive information from local browsers, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “35.157.67.12” & “5.35.171.11”, File POSTs data to a webserver > “POST /request/autok?user=youllupuki&ver=9&key=80784fb5bbf8032b8530b4c355ba180f HTTP/1.1, Accept: */*, User-Agent: Christmas Mystery 5.5.4, Content-Type: application/x-www-form-urlencoded, Host: ec2-35-157-67-12.eu-central-1.compute.amazonaws.com, Content-Length: 0, Cache-Control: no-cache” with no payload >>> “POST /request/conditions?user=youllupuki&ver=9&Key=8060e375013c0357551e3f357858a327&token=7dba0a0aa29cf3e0131836ff9afa3db1 HTTP/1.1, Accept: */*, User-Agent: Christmas Mystery 5.5.4, Content-Type: application/x-www-form-urlencoded, Host: ec2-35-157-67-12.eu-central-1.compute.amazonaws.com, Content-Length: 955”

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 323066213030523610570268798791434404820
Serial (Hex): f30c4a141f0f7395181aa2d9286883d4

Valid from: Jul 19 00:00:00 2017 GMT
Valid until: Aug 19 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): OOO_MASTERKOD [4F4F4F5F4D41535445524B4F44]
L (localityName): Brjansk [42726A616E736B]
O (organizationName): OOO_MASTERKOD [4F4F4F5F4D41535445524B4F44]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 241027 [323431303237]
street (streetAddress): 50 Armii, 6 [35302041726D69692C2036]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■
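The certificate blocks in the reports above all use the same text layout. What follows is an added example, not code from the thread or from Comodo/Valkyrie: a stdlib-only Python parser for that layout that derives what a reviewer wants to know before a signer goes on a blocklist: the length of the validity window (the OOO_MASTERKOD certificate above was valid for a single month), whether the decimal serial and the printed hex agree (for the Sonic Eletronic block they cannot: the printed hex has 29 digits, too short for that decimal value), and whether the bracketed hex really is the UTF-8 of each printed subject value. The two embedded blocks are copied from the posts above; the blocklist helpers and the (issuer CN, serial) key are this example's own design, and the blocklist uses the hex derived from the decimal serial, since that is what a PE's signer certificate actually carries.

```python
"""Parse the "Certificate Details" blocks posted in this thread and derive
the checks a reviewer wants: validity window length, decimal/hex serial
agreement, decoded subject attributes, and a (issuer CN, serial) blocklist.
Added example; the two blocks below are copied from the thread's posts."""
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Copied from the OOO_MASTERKOD report above.
MASTERKOD_BLOCK = """\
Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 323066213030523610570268798791434404820
Serial (Hex): f30c4a141f0f7395181aa2d9286883d4

Valid from: Jul 19 00:00:00 2017 GMT
Valid until: Aug 19 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): OOO_MASTERKOD [4F4F4F5F4D41535445524B4F44]
L (localityName): Brjansk [42726A616E736B]
O (organizationName): OOO_MASTERKOD [4F4F4F5F4D41535445524B4F44]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 241027 [323431303237]
street (streetAddress): 50 Armii, 6 [35302041726D69692C2036]
"""

# Copied from the Sonic Eletronic report above (its printed hex serial is too short).
SONIC_BLOCK = """\
Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 49721516627819616371484452844780094337
Serial (Hex): 80409db11619820aa20903d778381

Valid from: May 16 00:00:00 2017 GMT
Valid until: Mar 6 23:59:59 2018 GMT

C (countryName): BR [4252]
CN (commonName): Sonic Eletronic [536F6E696320456C6574726F6E6963]
L (localityName): Sao Paulo [53616F205061756C6F]
O (organizationName): Sonic Eletronic [536F6E696320456C6574726F6E6963]
ST (stateOrProvinceName): Sao Paulo [53616F205061756C6F]
postalCode (postalCode): 08.490-000 [30382E3439302D303030]
street (streetAddress): R Inacio Monteiro, 600 [5220496E6163696F204D6F6E746569726F2C20363030]
"""

# "CN (commonName): value [hex-of-value]" lines of the subject.
_ATTR_RE = re.compile(r"^(\w+) \([A-Za-z]+\): (.*?) \[([0-9A-Fa-f]*)\]$")
# Split the "/C=GB/ST=.../CN=..." issuer only at slashes that start an RDN,
# so a value such as "verisign.com/rpa" (seen in the VeriSign issuer) survives.
_ISSUER_SPLIT_RE = re.compile(r"/(?=[A-Za-z]+=)")
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_block(text: str) -> Dict:
    """Turn one 'Certificate Details' block into a dict of typed fields."""
    cert: Dict = {"subject": {}, "subject_hex": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ATTR_RE.match(line)
        if m:
            key, value, hexval = m.groups()
            cert["subject"][key] = value
            cert["subject_hex"][key] = hexval
            continue
        key, _, value = line.partition(": ")
        if key == "Serial":
            cert["serial"] = int(value)
        elif key == "Serial (Hex)":
            cert["serial_hex"] = value.lower()
        elif key == "Valid from":
            cert["not_before"] = datetime.strptime(value, _DATE_FMT)
        elif key == "Valid until":
            cert["not_after"] = datetime.strptime(value, _DATE_FMT)
        elif key == "Issuer":
            # Repeated RDNs (two OU= in the VeriSign issuer) keep the last value.
            cert["issuer"] = dict(part.split("=", 1) for part in _ISSUER_SPLIT_RE.split(value) if part)
        else:
            cert[key.lower()] = value
    return cert


def review(cert: Dict) -> Dict:
    """Derived facts: lifetime in days, whether decimal and printed hex serial agree,
    and whether every bracketed hex decodes to the printed subject value."""
    computed_hex = format(cert["serial"], "x")
    decoded = {k: bytes.fromhex(v).decode("utf-8") for k, v in cert["subject_hex"].items()}
    return {
        "issuer_cn": cert["issuer"].get("CN"),
        "subject_cn": cert["subject"].get("CN"),
        "lifetime_days": (cert["not_after"] - cert["not_before"]).days,
        "computed_serial_hex": computed_hex,
        "serial_hex_matches": computed_hex == cert["serial_hex"].lstrip("0"),
        "subject_hex_decodes": decoded == cert["subject"],
    }


def build_blocklist(blocks: List[str]) -> Set[Tuple[str, str]]:
    """(issuer CN, serial hex) pairs; the serial is derived from the decimal value."""
    return {(c["issuer"]["CN"], format(c["serial"], "x")) for c in map(parse_block, blocks)}


def is_blocklisted(issuer_cn: str, serial_hex: str, blocklist: Set[Tuple[str, str]]) -> bool:
    """Match a signer as Windows shows it (upper-case hex, possibly zero-padded)."""
    return (issuer_cn, serial_hex.lower().lstrip("0")) in blocklist


if __name__ == "__main__":
    for block in (MASTERKOD_BLOCK, SONIC_BLOCK):
        print(review(parse_block(block)))
```

The serial is matched as a pair with the issuer CN on purpose: serial numbers are only unique per CA, so a bare serial list would collide across issuers.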

Trojan.Variant.Kasidet - Certificate “issued” by Comodo

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: VC8, Compiler: Microsoft Visual C++ 6.0 DLL (Debug), Microsoft Visual C++ 8, Reads the active computer name, Reads the cryptographic machine GUID, Scans for artifacts that may help identify the target, Reads the registry for installed applications, Scanning for window names, Tries to identify its external IP address, Opens the Kernel Security Device Driver, Changes memory access rights in a remote process to write/execute (“clfs10_1.exe” changed protection rights in “%WINDIR%\explorer.exe” (Handle: 204) (Protection: “execute/read/write”) > “clfs10_1.exe” changed protection rights in “%WINDIR%\explorer.exe” (Handle: 204) (Protection: “execute/read”)), Modifies proxy settings, Queries sensitive IE security settings, Touched instant messenger related registry keys, Injects into explorer > Writes data to a process (“clfs10_1.exe” wrote 4 bytes to process “%WINDIR%\explorer.exe” > “clfs10_1.exe” wrote 792 bytes to process “%WINDIR%\explorer.exe”), Process launched with changed environment (Process “explorer.exe” was launched with new environment variables: “SESSIONNAME=Console” > Process “explorer.exe” was launched with missing environment variables: “PROMPT, MpConfig_ProductUserAppDataPath, MpConfig_ProductAppDataPath, MpConfig_ProductPath, MpConfig_ProductCodeName, MpConfig_ReportingGUID” > Process “nslookup.exe” was launched with new environment variables: “PROMPT=$P$G” > Process “cmd.exe” was launched with missing environment variables: “PROMPT”), Contacts 4 domains and 92 hosts, Sends UDP traffic to “208.67.222.222”, Found possible TOR SSL traffic with “45.62.235.29” > Response on port 63624, Found a Network Trojan ([PTsecurity] Gozi/Ursnif Payload v12 over port 63612 (TCP)), Found malicious artifacts related to multiple hosts > “GET /small/T9.at HTTP/1.1, Cache-Control: no-cache, Connection: Keep-Alive, Pragma: no-cache, User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0.0) Gecko/20100101 Firefox/40.0.0, Host: promoshopgiochi.altervista.org”, “GET /chat/AT.zip HTTP/1.1, Cache-Control: no-cache, Connection: Keep-Alive, Pragma: no-cache, User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0.0) Gecko/20100101 Firefox/40.0.0, Host: psymaster.wz.cz”

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 206537487422423107809808191493929670079
Serial (Hex): 9b61ac54a45b31fe22eed5d6f90f95bf

Valid from: Nov 9 00:00:00 2016 GMT
Valid until: Nov 9 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): AiTi Shag [416954692053686167]
L (localityName): Moscow [4D6F73636F77]
O (organizationName): AiTi Shag [416954692053686167]
ST (stateOrProvinceName): Moscow [4D6F73636F77]
postalCode (postalCode): 121059 [313231303539]
street (streetAddress): ul. Kievskaya, d. 7 [756C2E204B696576736B6179612C20642E2037]

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

CCleaner Setup with bad content!!!

Adware.Riskware.Downloader - Certificate “issued” by Comodo and “counter signed” by Symantec & Thawte

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: Pe123 v2006.4.4-4.12, UPolyX 0.3 by delikon, File has multiple PE anomalies (Entrypoint is outside of first section, File contains zero size sections), File embeds another file (type: InnoSetup, location: overlay), Scanning for window names, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Contains ability to elevate privileges, Contains ability to reboot/shutdown the operating system, Queries volume information of an entire harddrive, Scans for the Windows taskbar, File creates guarded memory sections, File access to the Windows default safe DLL search path, Opens the Kernel Security Device Driver, Drops multiple executable files, File writes bytes to itself, Accesses Software Policy Settings, Accesses System Certificates Settings, File steals private information from browsers, Found more than one unique User-Agent (Found the following User-Agents: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)), Contacts 5 domains and 5 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “151.101.0.64”, “217.107.34.242”, “94.102.53.208”, Found DNS Query to a *.pw domain - Likely Hostile > Potentially Bad Traffic over 8.8.8.8:53 (UDP), Found INFO HTTP Request to a *.pw domain, 217.107.34.242:80 (repnytimes.pw) > “GET /log2/dump.php?chrome=code:888 HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: repnytimes.pw” 200 OK, 94.102.53.208:80 (s.pb1lib.pw) > “GET /install/3859cf89c963081ac779ab1b6f9af622976cb48ded73fc172debd0ac5e4ecf0b/fail HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: s.pb1lib.pw” 200 OK

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 151167281726650387215769697168910092760
Serial (Hex): 71b9c26b3e32c63af4c002ab5c5e89d8

Valid from: Jul 27 00:00:00 2017 GMT
Valid until: Oct 3 23:59:59 2017 GMT

C (countryName): UA [5541]
CN (commonName): LLC “Vizard” [4C4C43202256697A61726422]
L (localityName): Odesa [4F64657361]
O (organizationName): LLC “Vizard” [4C4C43202256697A61726422]
OU (organizationalUnitName): IT [4954]
ST (stateOrProvinceName): Odeska [4F6465736B61]
postalCode (postalCode): 65000 [3635303030]
street (streetAddress): vul. Sadova, 5 [76756C2E205361646F76612C2035]

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Generic.Adware.Riskware.Downloader - Certificate “issued” by Comodo

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: Armadillo v1.71, Compiler: Microsoft Visual C++ v6.0, File code is self-modifying, The first file section (name: .text) is writable, File contains suspicious named sections, File calls a TLS callback at 0x449D50 [.text:0x298320], Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Scanning for window names, Found more than one unique User-Agent (Christmas Mystery 5.5.4), File tries to implement anti-virtualization techniques (VMware, VBox), File interacts with the primary disk partition, Opens the Kernel Security Device Driver, Queries kernel debugger information, File contains ability to download files from the internet, Accesses potentially sensitive information from local browsers, Modifies proxy settings, Queries sensitive IE security settings, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “188.42.251.118” > File GETs data from “188.42.251.118” (loadcube.biz) and POSTs data to 35.158.154.175:80 (ec2-35-158-154-175.eu-central-1.compute.amazonaws.com)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 88258742170237837335409119185105716137
Serial (Hex): 426603f3df9111c6f5d09bbdbd0203a9

Valid from: Jul 18 00:00:00 2017 GMT
Valid until: Sep 24 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): LLC_GOROD IT [4C4C435F474F524F44204954]
L (localityName): Tomsk [546F6D736B]
O (organizationName): LLC_GOROD IT [4C4C435F474F524F44204954]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 634062 [363334303632]
street (streetAddress): Gerasimenko, 1, 16, 178 [4765726173696D656E6B6F2C20312C2031362C20313738]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Regards,
Aravindhraj J
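The Kryptik report and the GOROD IT report above show the same beacon shape: a POST to /request/autok or /request/conditions carrying user=, ver= and key= query parameters, the User-Agent “Christmas Mystery 5.5.4”, and an ec2-…compute.amazonaws.com host. What follows is an added example, not code from the thread: a small stdlib-only Python matcher that turns those artifacts into a detection over raw HTTP requests, as you would get them from a sandbox pcap export or a proxy that logs full requests. The three sample requests are constructed to mirror the quoted text; the second sample's User-Agent version “5.6.0” and its pairing with the second EC2 host are assumptions, and the regexes and the two-signal rule are this example's own design. Note that the page shows the parameter as Key= in one request and key= in the other, so parameter names are lower-cased before matching, and that an ec2-… hostname is only the provider's reverse DNS for an address, so the rule never fires on the host alone.

```python
"""Match the Christmas Mystery beacon seen in the two reports above against
raw HTTP requests. Added example; the sample requests are constructed to
mirror the thread's quoted text, not captured traffic."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

SAMPLE_REQUESTS = [
    # Constructed copy of the first POST quoted in the Kryptik report.
    "POST /request/autok?user=youllupuki&ver=9&key=80784fb5bbf8032b8530b4c355ba180f HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: Christmas Mystery 5.5.4\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: ec2-35-157-67-12.eu-central-1.compute.amazonaws.com\r\nContent-Length: 0\r\n\r\n",
    # Same family against the EC2 host from the GOROD IT report; the UA
    # version 5.6.0 is assumed, to show the UA rule tolerates a version bump.
    "POST /request/conditions?user=youllupuki&ver=9&Key=8060e375013c0357551e3f357858a327"
    "&token=7dba0a0aa29cf3e0131836ff9afa3db1 HTTP/1.1\r\n"
    "User-Agent: Christmas Mystery 5.6.0\r\n"
    "Host: ec2-35-158-154-175.eu-central-1.compute.amazonaws.com\r\n\r\n",
    # Ordinary browser request to another EC2 host: must not fire.
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n"
    "Host: ec2-1-2-3-4.eu-central-1.compute.amazonaws.com\r\n\r\n",
]

UA_RE = re.compile(r"^Christmas Mystery \d+(\.\d+)*$")
EC2_HOST_RE = re.compile(r"^ec2-\d+-\d+-\d+-\d+\.[a-z0-9-]+\.compute\.amazonaws\.com$")
BEACON_PATHS = {"/request/autok", "/request/conditions"}
BEACON_PARAMS = {"user", "ver", "key"}


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and body.
    Header and query-parameter names are lower-cased (the page shows Key= and key=)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    return {"method": method, "path": url.path, "query": query, "headers": headers, "body": body}


def classify(req: Dict) -> Optional[Dict]:
    """Return a match record, or None. The UA string is specific enough on its
    own; the EC2 host is not, so it only counts together with the beacon path
    and the user/ver/key parameters."""
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    ua_hit = bool(UA_RE.match(ua))
    path_hit = (req["method"] == "POST" and req["path"] in BEACON_PATHS
                and BEACON_PARAMS <= set(req["query"]))
    ec2_hit = bool(EC2_HOST_RE.match(host))
    signals = []
    if ua_hit:
        signals.append("user-agent")
    if path_hit and ec2_hit:
        signals.append("beacon-path+ec2-host")
    if not signals:
        return None
    q = req["query"]
    return {"host": host, "path": req["path"], "user": q.get("user"), "ver": q.get("ver"),
            "key": q.get("key"), "token": q.get("token"), "signals": signals}


def scan(requests: List[str]) -> List[Dict]:
    """Run the classifier over a batch of raw requests and keep the hits."""
    return [m for m in (classify(parse_request(r)) for r in requests) if m]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

The user= value and the key= hash are extracted rather than matched, because they are per-sample (the two reports above already show different key values); pivoting on them is for clustering, not for detection.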

Generic.Adware.Riskware.Downloader - Certificate “issued” by Comodo

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: Armadillo v1.71, UPolyX 0.3 by delikon, Compiler: Microsoft Visual C++ v6.0, File code is self-modifying, First file section (name: .text) is writable, File calls a TLS callback at 0x459D50 [.text:0x298320], Reads the active computer name, Reads the cryptographic machine GUID, Contains ability to lookup the Windows account name, Changes memory access rights in a remote process to write/execute, File tries to implement anti-virtualization techniques (VMware & VBox), Interacts with the primary disk partition, File touches files in the Windows directory, Opens the Kernel Security Device Driver, Queries kernel debugger information, Runs shell commands (“/C timeout 3 > Nul & Del”), Accesses potentially sensitive information from local browsers, Modifies proxy settings, Queries sensitive IE security settings, Contacts 3 domains and 4 hosts, HTTP request contains Base64 encoded artifacts, File POSTs data to “35.158.154.175:80” (ec2-35-158-154-175.eu-central-1.compute.amazonaws.com) and receives data from “104.28.12.68:80” (cpgweb.net) & “104.28.5.73:80” (download-en2.audiovalle.com)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 289799259268710006889633237629856222296
Serial (Hex): da054e9ffc4939fabed742dc9a018c58

Valid from: Jul 20 00:00:00 2017 GMT
Valid until: Jul 20 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): BONZHUR-TUR, OOO [424F4E5A4855522D5455522C204F4F4F]
L (localityName): St. Petersburg [53742E2050657465727362757267]
O (organizationName): BONZHUR-TUR, OOO [424F4E5A4855522D5455522C204F4F4F]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 191123 [313931313233]
street (streetAddress): d. 40 litera B pom. 23-N, ul. Furshtatskaya [642E203430206C6974657261204220706F6D2E2032332D4E2C20756C2E204675727368746174736B617961]

UPDATE: Fully trusted PUA!!!

Generic.PUA.DriverPack - Certificate “issued” by Comodo and “counter signed” by Symantec & Thawte

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: Armadillo v1.71, Compiler: Microsoft Visual C++, Microsoft Visual C++ 5.0, Microsoft Visual C++ 6.0 DLL (Debug), Microsoft Visual C++ v6.0, File embeds another file (type: 7zSFX, location: overlay), File has PE anomalies (CRC value set in PE header does not match actual value, Entrypoint in PE header is within an uncommon section, Timestamp in PE header is very old or in the future, PE file contains zero-size sections), Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Reads Windows Trust Settings, Scanning for window names, File tries to implement anti-virtualization techniques (VMware, VBox), Contains ability to start/interact with device drivers, Contains ability to elevate privileges (SetSecurityDescriptorDacl@ADVAPI32.dll), Drops multiple executable files, Changes memory access rights in a remote process to write/execute (“Input Sample” changed protection rights in “C:\c8ab84eded95c542caccf2c4755496fd69889de987f2ac83e5a0fd2754d0a0da.exe” (Protection: “read/write”) > “Input Sample” changed protection rights in “C:\c8ab84eded95c542caccf2c4755496fd69889de987f2ac83e5a0fd2754d0a0da.exe” (Protection: “execute/read”)), Writes data to another process (wscript.exe), Process launched with changed environment (wscript.exe was launched with new environment variables), Logged script engine calls (“wscript.exe” called “WScript.Arguments” with result: “IDispatch”, “wscript.exe” called “WScript(“Arguments”).Item” with result: “%TEMP%\7ZipSfx.000\DriverPack.exe --sfx “8ab84eded95c542caccf2c4755496fd69889de987f2ac83e5a0fd2754d0a0da.exe””), Modifies proxy settings, Queries sensitive IE security settings

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 161609833735454004813062163557278393401
Serial (Hex): 7994ebfbbb0dcce61c0a286cfea1a439

Valid from: Sep 22 00:00:00 2016 GMT
Valid until: Sep 22 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): Kuzyakov Artur Vyacheslavovich IP [4B757A79616B6F7620417274757220567961636865736C61766F76696368204950]
L (localityName): Moscow [4D6F73636F77]
O (organizationName): Kuzyakov Artur Vyacheslavovich IP [4B757A79616B6F7620417274757220567961636865736C61766F76696368204950]
ST (stateOrProvinceName): Moscow [4D6F73636F77]
postalCode (postalCode): 109472 [313039343732]
street (streetAddress): kv.29, 24K1 Tashkentskaya ul [6B762E32392C2032344B3120546173686B656E74736B61796120756C]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Trojan.Variant.Razy - Certificate “issued” by Comodo

Some suspicious/malicious indicators: File looks to be a fake Microsoft executable, File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: Morphine v1.2, Compiler: Microsoft Visual C/C++ (2010 SP1), Protector: VMProtect 3.0.647, File has multiple PE anomalies (PE file has unusual entropy sections, Entrypoint in PE header is within an uncommon section, PE file contains zero-size sections, Some exports are duplicated, Export table: invalid ordinal (1621)), File references the Reflective DLL Library injection technique, File hooks “rundll32.exe”, File queries process information, File access to the Remote Desktop Session Host Server > Remote Desktop API > Service Control Manager > System Information API, Contacts 2 hosts, Found malicious artifacts related to “216.58.213.132” (15169 Google Inc.)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 259471712257560591265978333794548715403
Serial (Hex): c3346f1cf8cfe8c3a2f02e3969ba0f8b

Valid from: Jul 21 00:00:00 2017 GMT
Valid until: Jul 21 23:59:59 2018 GMT

C (countryName): GB [4742]
CN (commonName): Anclar LTD [416E636C6172204C5444]
L (localityName): London [4C6F6E646F6E]
O (organizationName): Anclar LTD [416E636C6172204C5444]
ST (stateOrProvinceName): London [4C6F6E646F6E]
postalCode (postalCode): N1 7GU [4E3120374755]
street (streetAddress): 20-22 Wenlock Road [32302D32322057656E6C6F636B20526F6164]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Generic.Variant.Adware.Downloader.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: File code is packed and obfuscated > Matched Compiler/Packer signature > Packer: Armadillo v1.71, Compiler: Microsoft Visual C++ v6.0, File has multiple PE anomalies (CRC value set in PE header does not match actual value, PE file has unusual entropy sections, The first section (name: .text) is writable, Contains suspicious named sections, PE file contains zero-size sections, File calls a TLS callback at 0x422410 [.text:0x70672] & 0x422820 [.text:0x71712]), File tries to implement anti-virtualization techniques (VMware & VirtualBox), Reads the active computer name, Reads the cryptographic machine GUID, Contains ability to start/interact with device drivers, Interacts with the primary disk partition, File enumerates processes/modules/threads, Drops executable files, Opens the Kernel Security Device Driver, Queries kernel debugger information, Accesses potentially sensitive information from local browsers, Modifies proxy settings, Queries sensitive IE security settings, The file accesses the RPC Network Data Representation Engine, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “67.215.238.66”, File GETs data from “67.215.238.66:80” (download-new.utorrent.com), File POSTs data to “35.158.154.175:80” (ec2-35-158-154-175.eu-central-1.compute.amazonaws.com)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 252416175768471817824884222286868362697
Serial (Hex): bde5964e8bd93827ddc3f1476cc5b5c9

Valid from: Jul 20 00:00:00 2017 GMT
Valid until: Jul 20 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): YABLOKO, OOO [5941424C4F4B4F2C204F4F4F]
L (localityName): Izhevsk [497A686576736B]
O (organizationName): YABLOKO, OOO [5941424C4F4B4F2C204F4F4F]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 426028 [343236303238]
street (streetAddress): Poima 55 [506F696D61203535]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■