Report trusted and whitelisted malware here - 2017 (NO LIVE MALWARE!)

Adware.Variant.FileTour - Certificate “issued” by Comodo and “countersigned” by Symantec & Thawte

Some suspicious/malicious indicators:
- File code is packed and obfuscated > Matched compiler/packer signature > Packer: UPolyX 0.3, Compiler: Borland Delphi 2
- File has multiple PE anomalies (timestamp in PE header is very old (Jun 1 15:39:05 1988), file sections .rdata & .reloc are shareable, PE file has unusual entropy sections, CRC value set in PE header does not match actual value, entry point in PE header is within an uncommon section, PE file contains zero-size sections, file calls a TLS callback at 0x40A728 [CODE:0x38696])
- File embeds another file (type: InnoSetup, location: overlay)
- Reads the active computer name
- Reads the registry for installed applications
- File gets access to Windows built-in privileges (SetSecurityDescriptorDacl[at]ADVAPI32.DLL)
- File creates guarded memory sections
- Looks up many procedures within the same disassembly stream (Kernel32.dll)
- Drops executable files
- File wrote bytes to the dropped executables
- Requested access to a system service (rasman service)
- Modifies proxy settings
- Accesses potentially sensitive information from local browsers
- Found more than one unique User-Agent (Inno Downloader)
- Contacts 2 domains and 2 hosts
- Found malicious artifacts related to “5.254.67.98” and to “35.176.106.236”
- File GETs data from “5.254.67.98:80” (ugastoin.ru) and “35.176.106.236:80” (ec2-35-176-106-236.eu-west-2.compute.amazonaws.com)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 199697925695890096781161112996197271758
Serial (Hex): 963c6be6f6a7602b8b24b242951d88ce

Valid from: Aug 17 00:00:00 2017 GMT
Valid until: Jul 9 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): OOO,PRIVET [4F4F4F2C505249564554]
L (localityName): Ryazan [5279617A616E]
O (organizationName): OOO,PRIVET [4F4F4F2C505249564554]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 390013 [333930303133]
street (streetAddress): ul Vokzalnaya 26 [756C2020566F6B7A616C6E617961203236]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Riskware.Variant.Findiz - Certificate “issued” by Comodo and “countersigned” by Symantec & Thawte

Some suspicious/malicious indicators:
- File code is packed and obfuscated > Matched compiler/packer signature > Packer: Inno Setup Installer, Compiler: Borland Delphi (Generic)
- File has multiple PE anomalies (CRC value set in PE header does not match actual value, PE file contains a suspicious section name, PE file contains zero-size sections)
- File embeds another file (type: InnoSetup, location: overlay)
- Contains ability to query CPU information
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the Windows installation date
- Reads the registry for installed applications
- File creates guarded memory sections
- Found a dropped file containing the Windows username
- Opens the Kernel Security Device Driver
- Queries kernel debugger information
- Looks up many procedures within the same disassembly stream (Kernel32.dll)
- Drops executable files to the Windows system directory
- Scans for the Windows taskbar
- The input sample wrote bytes to a dropped executable
- The dropped executable wrote bytes to “taskkill.exe” & “regsvr32.exe”
- Terminates other processes using taskkill (process “taskkill.exe” with command line “/f /im iexplore.exe”)
- Launches a browser (process “iexplore.exe” was launched with new environment variables)
- Accesses potentially sensitive information from local browsers
- Modifies proxy settings
- Queries sensitive IE security settings
- Contacts 1 domain and 1 host
- Found malicious artifacts related to “46.105.118.183”
- File POSTs data to “46.105.118.183:80” (findizer.fr)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 95874021734687627467722093240503193751
Serial (Hex): 4820aa392a35335d047744f413335097

Valid from: Jan 12 00:00:00 2016 GMT
Valid until: Jan 11 23:59:59 2018 GMT

C (countryName): FR [4652]
CN (commonName): Prestafind [50726573746166696E64]
L (localityName): TIGNIEU JAMEYZIEU [5449474E494555204A414D45595A494555]
O (organizationName): Prestafind [50726573746166696E64]
ST (stateOrProvinceName): ISERE [4953455245]
postalCode (postalCode): 38230 [3338323330]
street (streetAddress): 4 Allee des Muguets [3420416C6C656520646573204D756775657473]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Generic.Adware - Certificate “issued” by Comodo & “countersigned” by USERTrust

Some suspicious/malicious indicators:
- Found compiler/packer signature > Dropped executable “inetc.dll” was detected as “Microsoft Visual C++ 6.0 DLL”
- File has multiple PE anomalies (CRC value set in PE header does not match actual value, PE file contains unusual section name (.ndata), PE file contains zero-size sections)
- Found a dropped filename containing a spoofed Windows username
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads Windows Trust Settings
- Scanning for window names
- Drops multiple executables
- Drops cabinet archive files
- File modifies file/console tracing settings: “Input Sample” (Path: “HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32”; Key: “ENABLEFILETRACING”; Value: “00000000”), “Input Sample” (Path: “HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32”; Key: “ENABLECONSOLETRACING”; Value: “00000000”), “Input Sample” (Path: “HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32”; Key: “FILETRACINGMASK”; Value: “0000FFFF”), “Input Sample” (Path: “HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32”; Key: “CONSOLETRACINGMASK”; Value: “0000FFFF”)
- Sent a control code to a service (“CryptSvc”, “gpsvc”)
- Touches various files in the Windows directory
- Modifies Software Policy Settings
- Modifies proxy settings
- Queries sensitive IE security settings
- Accesses Software Policy Settings
- Accesses System Certificates Settings
- Contacts 3 domains and 2 hosts
- File GETs data from “178.255.83.1:80” (ocsp.trust-provider.com) & “78.255.83.1:80” (ocsp.comodoca4.com)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 132258408427749458203240294504821894453
Serial (Hex): 63800afcb9fa50911c61e18b44ef2d35

Valid from: May 18 00:00:00 2017 GMT
Valid until: May 18 23:59:59 2018 GMT

C (countryName): US [5553]
CN (commonName): SoftwareX Corp [536F6674776172655820436F7270]
L (localityName): Hollywood [486F6C6C79776F6F64]
O (organizationName): SoftwareX Corp [536F6674776172655820436F7270]
ST (stateOrProvinceName): FL [464C]
postalCode (postalCode): 33021 [3333303231]
street (streetAddress): 4000 Hollywood Blvd [3430303020486F6C6C79776F6F6420426C7664]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Generic.Adware.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators:
- Found compiler/packer signature > Packer: Armadillo, Compiler: Microsoft Visual C++ 6.0
- File has multiple PE anomalies (PE file has unusual entropy sections, PE file contains suspicious section names, the first section (name: .text) is writable, file calls a TLS callback at 0x4224C0 [.text:0x70848] & 0x422650 [.text:0x71248])
- Sample translates to unusual binary language (Russian)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Found dropped filename containing a spoofed Windows username
- Modifies file/console tracing settings
- Queries physical drive
- Interacts with the primary disk partition
- Requested access to a system service (rasman service)
- Reads terminal service related keys
- Modifies proxy settings
- Queries sensitive IE security settings
- Contacts 3 domains and 3 hosts
- HTTP request contains Base64 encoded artifacts
- File GETs data from “104.28.13.68:80” (cpgweb.net) & “104.28.4.73:80” (download-en2.audiovalle.com)
- File POSTs data to “35.158.154.175:80” (ec2-35-158-154-175.eu-central-1.compute.amazonaws.com)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 288255761788328247363679017965794136152
Serial (Hex): d8dc0a52df48fce1daab4024d6709058

Valid from: Aug 22 00:00:00 2017 GMT
Valid until: Sep 14 23:59:59 2017 GMT

C (countryName): UA [5541]
CN (commonName): TOV Vizard SOFT [544F562056697A61726420534F4654]
L (localityName): Chernihiv [436865726E69686976]
O (organizationName): TOV Vizard SOFT [544F562056697A61726420534F4654]
OU (organizationalUnitName): IT [4954]
ST (stateOrProvinceName): Chernihivska [436865726E69686976736B61]
postalCode (postalCode): 14000 [3134303030]
street (streetAddress): vul. Instrumentalna, 34-V [76756C2E20496E737472756D656E74616C6E612C2033342D56]

And please take a look at this!!! My verdict: MALWARE. VT verdict: 44/64 MALWARE

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Hello Siketa,

Thank you for reporting this, we’re checking it.

Best regards,
FlorinG

Generic.Adware.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators:
- File code is packed and obfuscated > Matched compiler/packer signature > Packer: VC8 > Compiler: Microsoft Visual C++ 6.0 DLL (Debug), Microsoft Visual C++ 8, Microsoft Visual C++ 8.0, MSVC++ v.8 (procedure 1 recognized - h)
- Sample translates to unusual binary language (Russian)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the system/video BIOS version
- Reads the Windows installation date
- Reads the registry for installed applications
- Found a dropped filename containing a spoofed Windows username
- Interacts with the primary disk partition
- Queries physical drive
- Reads terminal service related keys
- Modifies file/console tracing settings
- Hooks API calls (NtCreateUserProcess[at]NTDLL.DLL)
- Requested access to system services (“Rasman”, “CryptSvc”, “WSearch”)
- Sent control codes to system services (“CryptSvc”, “WSearch”)
- Modifies proxy settings
- Queries sensitive IE security settings
- Checks network status using ping
- Process “iexplore.exe” was launched with new environment variables
- Process “cmd.exe” was launched with missing environment variables
- Found an IP/URL artifact that was identified as malicious (Found LoadMoney Checkin 5 at “aeqledvieqxqxp.shellcooksister.ru” > VirusTotal)
- Contacts 1 domain
- File GETs and POSTs data to “52.17.205.233:80” (aeqledvieqxqxp.shellcooksister.ru)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 310103427364244165394864005726971126250
Serial (Hex): e94bbf66c35cd02448cc7edfb90c61ea

Valid from: Aug 29 00:00:00 2017 GMT
Valid until: Jul 27 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): LLC, LOMBARD BRIG [4C4C432C204C4F4D424152442042524947]
L (localityName): Krasnoyarsk [4B7261736E6F796172736B]
O (organizationName): LLC, LOMBARD BRIG [4C4C432C204C4F4D424152442042524947]
ST (stateOrProvinceName): Krasnoyarskiy krai [4B7261736E6F796172736B6979206B726169]
postalCode (postalCode): 660069 [363630303639]
street (streetAddress): d. 11 kv. 28, ul. Michurina [642E203131206B762E2032382C20756C2E204D6963687572696E61]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Generic.Adware.Downloader - Certificate “issued” by Comodo and countersigned by Symantec & Thawte

Some suspicious/malicious indicators:
- File code is packed and obfuscated > Matched compiler/packer signature > Packer: BobSoft Mini Delphi > Compiler: Borland Delphi v6.0 - v7.0
- File has multiple PE anomalies (PE file has unusual entropy sections, CRC value set in PE header does not match actual value, PE file contains unusual section name, PE file contains zero-size sections, file embeds another file (location: resources))
- The input sample contains an embedded RTF document (Line: 2203; Offset: 2831)
- Sample translates to unusual binary language (Russian)
- Found cryptographic related strings (“des”, “blowfish”, “rc4”)
- Reads the registry for installed applications
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the Windows product ID
- File modifies its own code
- File collects information about monitors and accesses the desktop
- File modifies the open verb of a shell class (“VKontakteDJ.exe” (Path: “HKCU\VKDJFILE\SHELL\OPEN\COMMAND”; Key: “(DEFAULT)”; Value: “"%ALLUSERSPROFILE%\VkontakteDJ\VkontakteDJ.exe" "%l"”))
- File searches for and collects user passwords
- Drops executable files
- Reads terminal service related keys
- Hooks internet related APIs (“InternetConnectA[at]WININET.DLL”, “HttpOpenRequestA[at]WININET.DLL”, “InternetOpenA[at]WININET.DLL” in “VKontakteDJ.exe”)
- Accesses Software Policy Settings
- Accesses System Certificates Settings
- Modifies Software Policy Settings
- Modifies proxy settings
- Queries sensitive IE security settings
- Contacts 28 domains
- HTTP request contains Base64 encoded artifacts
- File receives data from various hosts

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 44876615015606489652819815110200970531
Serial (Hex): 21c2ebf24fbbc6959c39dad0d156cd23

Valid from: Apr 5 00:00:00 2016 GMT
Valid until: Feb 16 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): RECORD LLC [5245434F5244204C4C43]
L (localityName): Saint-Petersburg [5361696E742D50657465727362757267]
O (organizationName): RECORD LLC [5245434F5244204C4C43]
ST (stateOrProvinceName): Saint-Petersburg [5361696E742D50657465727362757267]
postalCode (postalCode): 197341 [313937333431]
street (streetAddress): Kolomyazhsky 33, liter A [4B6F6C6F6D79617A68736B792033332C206C697465722041]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

*EDIT: Valkyrie link was added!!!

Valkyrie Precise Detector 1 detected the file correctly as Application.Win32.SpeedupMyPC and the vendor was greylisted, but the signature detection was negative, i.e. clean.

Generic.Adware.Riskware - Certificate “issued” by Comodo & USERTrust , countersigned by Symantec & Thawte

Some suspicious/malicious indicators:
- Digisig is expired: Jul 30 23:59:59 2015 GMT
- File code is packed and obfuscated > Matched compiler/packer signature > Packer: BobSoft Mini Delphi > Compiler: Borland Delphi v6.0 - v7.0
- File has multiple PE anomalies (PE file contains zero-size sections, CRC value set in PE header does not match actual value, PE file contains unusual section names, sections .rdata & .reloc are shareable)
- Reads the active computer name
- Scanning for window names
- File checks if a debugger is present
- Reads terminal service related keys
- File collects user keystrokes
- File looks for display monitors
- File references a directory notification watcher
- File hooks Windows APIs
- File installs an exception handler
- File accesses the Event Log, Global Atom Table, System Information API, Windows Mail API, Multiple Provider Router API
- Touches files in the Windows directory
- Found potential URL in binary/memory (“pcutilitiespro.com”)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
Serial: 275321175493384400234415956788825708549
Serial (Hex): cf20edfb9e9d56f429a44e79c3465805

Valid from: Jul 30 00:00:00 2014 GMT
Valid until: Jul 30 23:59:59 2015 GMT

C (countryName): GB [4742]
CN (commonName): PC Utilities Software Limited [5043205574696C697469657320536F667477617265204C696D69746564]
L (localityName): London [4C6F6E646F6E]
O (organizationName): PC Utilities Software Limited [5043205574696C697469657320536F667477617265204C696D69746564]
OU (organizationalUnitName): IT Department [4954204465706172746D656E74]
ST (stateOrProvinceName): England [456E676C616E64]
postalCode (postalCode): W1H 1DP [57314820314450]
street (streetAddress): 78 York Street [373820596F726B20537472656574]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen
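The “Certificate Details” blocks repeated through this thread, and the “Digisig is expired” indicator in the post above, are exactly the records a triage script should consume. The Python below is an added example (my code, not the poster's and not the vendor's tooling): it parses one such block, cross-checks the decimal and hex serial and the bracketed hex annotations against the text, evaluates the validity window at signing time and at the current time, and looks the signer up in a blocklist keyed on issuer DN + serial, the pair that identifies a certificate for revocation and blocklist purposes. The blocklist, the two sample records (copied from this thread) and the signing dates are constructed for the demo, and `parse_cert_block`, `assess` and `utc` are names I chose.

```python
"""Added example (mine, not the poster's or vendor's code): parse a “Certificate Details”
block like the ones in this thread, cross-check the decimal/hex serial and the bracketed
hex annotations, evaluate validity at signing time and now, and look the signer up in a
blocklist keyed on issuer DN + serial. Standard library only; the blocklist and the
sample records are constructed for the demo."""
import re
from datetime import datetime, timezone

ATTR_RE = re.compile(r"^(\w+) \((\w+)\): (.*?) \[([0-9A-Fa-f]*)\]$")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"
# Constructed demo blocklist: (issuer DN, lowercase serial hex). The only entry is the
# expired PC Utilities certificate quoted above.
BLOCKLIST = {
    ("/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2",
     "cf20edfb9e9d56f429a44e79c3465805"),
}


def utc(year, month, day) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_cert_block(text: str) -> dict:
    """Parse the report's plain-text certificate block; flag annotation/serial inconsistencies."""
    cert = {"subject": {}, "annotation_mismatch": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ATTR_RE.match(line)
        if m:                                   # e.g. "CN (commonName): Foo [466F6F]"
            short, _long, value, hexval = m.groups()
            cert["subject"][short] = value
            if bytes.fromhex(hexval).decode("utf-8", "replace") != value:
                cert["annotation_mismatch"].append(short)
            continue
        key, _, value = line.partition(": ")
        if key == "Issuer":
            cert["issuer"] = value
        elif key == "Serial":
            cert["serial_dec"] = int(value)
        elif key == "Serial (Hex)":
            cert["serial_hex"] = format(int(value, 16), "x")   # lowercase, no leading zeros
        elif key in ("Valid from", "Valid until"):
            when = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
            cert["not_before" if key == "Valid from" else "not_after"] = when
    cert["serial_mismatch"] = int(cert["serial_hex"], 16) != cert["serial_dec"]
    return cert


def assess(cert: dict, signed_at: datetime, now: datetime, blocklist=BLOCKLIST) -> list:
    """Findings for one signer certificate, given the signing time and the current time."""
    findings = []
    if (cert["issuer"], cert["serial_hex"]) in blocklist:
        findings.append("issuer + serial is on the blocklist")
    if cert["serial_mismatch"]:
        findings.append("decimal and hex serial disagree (report is inconsistent)")
    if cert["annotation_mismatch"]:
        findings.append("hex annotation differs from text: " + ", ".join(cert["annotation_mismatch"]))
    if not cert["not_before"] <= signed_at <= cert["not_after"]:
        findings.append("certificate was not valid at signing time")
    elif now > cert["not_after"]:
        findings.append("certificate has since expired; the signature still verifies only "
                        "through a trusted countersignature timestamp")
    return findings


# Sample records copied from this thread (PC Utilities, expired; OOO,PRIVET, current at the time).
EXPIRED = """\
Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
Serial: 275321175493384400234415956788825708549
Serial (Hex): cf20edfb9e9d56f429a44e79c3465805

Valid from: Jul 30 00:00:00 2014 GMT
Valid until: Jul 30 23:59:59 2015 GMT

C (countryName): GB [4742]
CN (commonName): PC Utilities Software Limited [5043205574696C697469657320536F667477617265204C696D69746564]
L (localityName): London [4C6F6E646F6E]
"""
CURRENT = """\
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 199697925695890096781161112996197271758
Serial (Hex): 963c6be6f6a7602b8b24b242951d88ce
Valid from: Aug 17 00:00:00 2017 GMT
Valid until: Jul 9 23:59:59 2018 GMT
C (countryName): RU [5255]
CN (commonName): OOO,PRIVET [4F4F4F2C505249564554]
"""

if __name__ == "__main__":
    # Signing dates are assumed for the demo; "now" is fixed to the thread's time frame.
    for text, signed_at in ((EXPIRED, utc(2015, 3, 1)), (CURRENT, utc(2017, 9, 1))):
        cert = parse_cert_block(text)
        print(cert["subject"]["CN"], "->", assess(cert, signed_at, utc(2017, 10, 1)) or ["no findings"])
```

The two validity findings are kept apart on purpose: an Authenticode signature made while the certificate was valid and carrying a trusted countersignature timestamp (the post says Symantec & Thawte countersigned this one) still verifies after the certificate expires, so "expired" by itself is not the reason to distrust the file; "not valid at signing time" is.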

Generic.MSIL.Trojan - Certificate “issued” by Comodo and countersigned by USERTrust

File is fully trusted!!!

Some suspicious/malicious indicators:
- Matched compiler/packer signature > Compiler: Microsoft Visual C++ v.11 - 2012 (E8 MZ-PE) > Packer: aPLib compression
- File embeds another file (type: executable, location: resources)
- File has multiple PE anomalies (PE file has unusual entropy sections, CRC value set in PE header does not match actual value)
- Found anti-VM strings
- Checks if a debugger is present (API)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the registry for installed applications
- The file installs an exception handler
- The file demands Windows built-in privilege(s)
- File creates named pipes
- Drops executable files
- File hooks Windows APIs
- File creates guarded memory sections
- File tries to sleep for a long time
- Creates new processes (“msiexec.exe”)
- Writes data to another process (“Input Sample” wrote bytes to process “%WINDIR%\System32\msiexec.exe”)
- File accesses Microsoft Office
- Modifies proxy settings
- Queries sensitive IE security settings
- File loads the .NET runtime environment
- File accesses the Microsoft Setup Interface, Security Descriptor Definition Language, Remote Desktop API

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 6148931672692327288252648518066416154
Serial (Hex): 04a03dbce32c5a34420a419fb740aa1a

Valid from: Feb 2 00:00:00 2016 GMT
Valid until: Feb 1 23:59:59 2019 GMT

C (countryName): US [5553]
CN (commonName): ScreenConnect Software [53637265656E436F6E6E65637420536F667477617265]
L (localityName): Tampa [54616D7061]
O (organizationName): ScreenConnect Software [53637265656E436F6E6E65637420536F667477617265]
ST (stateOrProvinceName): Florida [466C6F72696461]
postOfficeBox (postOfficeBox): 33634 [3333363334]
postalCode (postalCode): 33634 [3333363334]
street (streetAddress): 4110 George Road, Suite 200 [343131302047656F72676520526F61642C20537569746520323030]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Generic.Application.Bundler - Certificate “issued” by Symantec & VeriSign and countersigned by Symantec & Thawte

File is fully trusted!!!

Some suspicious/malicious indicators:
- Matched compiler/packer signature > Compiler: Microsoft Visual C++ 6.0 > Packer: Armadillo v1.71
- The file embeds another file (type: 7zSFX, location: overlay)
- File has multiple PE anomalies (CRC value set in PE header does not match actual value, PE file contains unusual section name, timestamp in PE header is very old (Thu Jan 1 00:00:00 1970), PE file contains zero-size sections, found TLS callbacks (0x401a90, 0x401a40))
- Drops a text file that contains suspicious strings (“drp[1].js” contains indicator “ActiveXObject” (Line: 245; Offset: 49))
- Contains references to WMI/WMIC
- Found dropped filename containing a spoofed Windows username
- Found an indicator for a scheduled task trigger
- Scans for the Windows taskbar
- Reads terminal service related keys
- Found multiple anti-VM strings (found VM detection artifact “CPUID trick” → (Offset: 125444), found a reference to a WMI query string known to be used for VM detection, tries to implement anti-virtualization techniques against VirtualBox and others)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the Windows installation date
- Reads the registry for installed applications
- Reads Windows Trust Settings
- Scanning for window names
- Drops executable files
- Sent a control code to a critical system service (sent control code “SERVICE_CONTROL_INTERROGATE” (0x4) to the service “WSCSVC”)
- Writes bytes to other processes (“%WINDIR%\System32\wscript.exe” & “%WINDIR%\System32\mshta.exe”)
- Modifies internet zones
- Accesses System Certificates Settings
- Modifies proxy settings
- Queries sensitive IE security settings
- Contacts 3 domains and 2 hosts
- Found DNS query for .su TLD (Soviet Union) → 8.8.8.8:53 (UDP)
- Found malicious artifacts related to “104.25.107.107” & “93.158.134.119”
- File POSTs data to “104.25.107.107:80” (auth.drp.su)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 28596409692002687539598491320546735051
Serial (Hex): 158377da2bd81edc1f1df9b7e343b3cb

Valid from: Feb 1 00:00:00 2016 GMT
Valid until: Apr 1 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): Kuzyakov Artur Vyacheslavovich IP [4B757A79616B6F7620417274757220567961636865736C61766F76696368204950]
L (localityName): Moscow [4D6F73636F77]
O (organizationName): Kuzyakov Artur Vyacheslavovich IP [4B757A79616B6F7620417274757220567961636865736C61766F76696368204950]
ST (stateOrProvinceName): Moscow [4D6F73636F77]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen
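The “PE Anomalies” indicators recur in almost every report in this thread: the 1988 timestamp, shareable .rdata/.reloc and an entry point in an uncommon section in the FileTour post, a writable .text section in the Kryptik post, the CRC (CheckSum) mismatch and zero-size sections nearly everywhere, and the 1970 timestamp plus TLS callbacks in the last post. The Python below is an added example (my code, not the poster's and not the sandbox vendor's) showing what those checks actually test in the headers: it recomputes the optional-header CheckSum the way imagehlp does and walks the section table for the other flags. It handles PE32 only, the two images it inspects are constructed in the block rather than being the submitted samples, and the "very old timestamp" cut-off at 2000-01-01 plus the names `pe_checksum`, `triage_pe` and `build_demo_pe` are my choices.

```python
"""Added example (mine, not the poster's or the sandbox vendor's code): the PE-header checks
behind the "PE Anomalies" indicators quoted in this thread. Standard library only, PE32 only;
the images below are constructed for the demo, they are not the submitted samples."""
import struct
from datetime import datetime, timezone

SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_SHARED, SCN_EXEC, SCN_READ, SCN_WRITE = 0x10000000, 0x20000000, 0x40000000, 0x80000000
PE32_MAGIC, TLS_DIR = 0x10B, 9      # optional-header magic; IMAGE_DIRECTORY_ENTRY_TLS index
Y2K = 946684800                     # assumed cut-off for a "very old" link timestamp


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp computes it: 32-bit end-around-carry
    sum that skips the CheckSum field, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def triage_pe(data: bytes) -> list:
    """Return the header anomalies found in a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec, tstamp, opt_size = struct.unpack_from("<xxHIxxxxxxxxH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("demo handles PE32 only")
    entry_rva, checksum_off = struct.unpack_from("<I", data, opt + 16)[0], opt + 64
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    tls_rva = struct.unpack_from("<I", data, opt + 96 + TLS_DIR * 8)[0] if ndirs > TLS_DIR else 0
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, flags))
    found = []
    if tstamp == 0:
        found.append("timestamp is zero (Jan 1 1970)")
    elif tstamp < Y2K:
        found.append(f"old timestamp {datetime.fromtimestamp(tstamp, timezone.utc):%Y-%m-%d %H:%M:%S}")
    if stored and stored != pe_checksum(data, checksum_off):   # 0 means "not set", common and benign
        found.append("checksum mismatch")
    for name, vsize, va, rawsize, flags in sections:
        if vsize == 0 and rawsize == 0:
            found.append(f"zero-size section {name}")
        if flags & SCN_SHARED:
            found.append(f"shareable section {name}")
        if flags & SCN_CODE and flags & SCN_WRITE:
            found.append(f"writable code section {name}")
    ep = [s for s in sections if s[2] <= entry_rva < s[2] + max(s[1], s[3])]
    if not ep:
        found.append("entry point outside every section")
    elif not ep[0][4] & (SCN_CODE | SCN_EXEC):
        found.append(f"entry point in non-code section {ep[0][0]}")
    if tls_rva:
        found.append("TLS directory present (callbacks run before the entry point)")
    return found


def build_demo_pe(timestamp, text_flags, extra=(), entry_rva=0x1000, tls=False) -> bytes:
    """Minimal, non-loadable PE32 image: headers padded to 0x400, then each section's raw bytes."""
    sections = [(b".text", 0x200, 0x1000, 0x200, text_flags), *extra]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                        # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)        # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x400)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    if tls:
        struct.pack_into("<II", opt, 96 + TLS_DIR * 8, 0x2000, 24)    # TLS directory RVA, size
    hdrs, raw, ptr = b"", b"", 0x400
    for name, vsize, va, rawsize, flags in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, ptr, 0, 0, 0, 0, flags)
        raw, ptr = raw + b"\xC3" * rawsize, ptr + rawsize
    image = bytearray(dos + b"PE\0\0" + coff + opt + hdrs)
    image += b"\0" * (0x400 - len(image)) + raw
    struct.pack_into("<I", image, 0x40 + 24 + 64, pe_checksum(bytes(image), 0x40 + 24 + 64))
    return bytes(image)


CLEAN = build_demo_pe(1500000000, SCN_CODE | SCN_EXEC | SCN_READ)
SUSPECT = bytearray(build_demo_pe(
    581182745, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE,     # Jun 1 15:39:05 1988; writable .text
    extra=[(b".rdata", 0x100, 0x2000, 0x200, SCN_IDATA | SCN_READ | SCN_SHARED),
           (b".reloc", 0, 0x3000, 0, SCN_IDATA | SCN_READ | SCN_SHARED)],
    entry_rva=0x2000, tls=True))
SUSPECT[0x400] ^= 0xFF                                          # tamper after the CheckSum was set
SUSPECT = bytes(SUSPECT)
```

Calling `triage_pe(CLEAN)` returns an empty list, while `triage_pe(SUSPECT)` returns the same family of findings the sandbox prints above; note that a CheckSum of zero is left alone, since most unsigned binaries never set it, and only a set-but-wrong value is worth flagging.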