Report trusted and whitelisted malware here - 2017 (NO LIVE MALWARE!)

sha1=b89861ef8b569cd69abb916681072956442f3225
is clean according to VirusTotal

sha1=271aa85d541ad99f1dea5ea18eedcc30f80ac06c
is already flagged as malicious in Valkyrie, even if Comodo doesn’t detect it on VirusTotal

You’re right, but I believe that no other AV vendors have analyzed the file, because it’s digitally signed! But not just Google knows and tells us, you should never trust certificates issued by Symantec!!! :wink:

According to my definition of malware, this file is definitely not clean!!! For a “legit” banking software, this file does very suspicious things! But I’d also like to talk about it if anybody wants that?! :P0l

Hi Jon79 & pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Pio, that file needs detailed investigation. You are right to bring it to our attention. Thank you very much. We’ll analyze the file deeply, and I’ll try to inform here.

Thanks,

Other analyses:
https://malwr.com/analysis/MGNjNGRhZjk4YjViNDQzMDg0MDBjYWNmOTYyOGI3N2Y/

That would be nice!!! I am very interested in your investigation results!!! thx!!! :-TU

First I wanna say, the Hybrid Analysis link was my submission!!! :a0 But that does not matter! :wink:
For all who are now confused, in this case “whitelisted” does not mean that the file is clean! This is just because the file is digitally signed and because no vendor has checked this file and classified it as malicious. The guys from Payload Security don’t make any further analyses!

I have also looked at the analysis of Cuckoo Sandbox. Maybe the anti-virtualization techniques from this file prevent a complete analysis. >>> (Error: Analysis failed). But a few malicious indicators were also found here.

So let us wait and see what the Comodo experts say! :-TU

Hi pio,

The file you submitted is clean and has no malicious behavior. Even if, upon execution, it takes some steps that might look suspicious, its behavior is transparent, with known and unquestionable intentions.

As an example related to the behavior you pointed out (that the file takes some “malicious” steps), think of a password recovery application vs a password stealing trojan. They both access and read credentials from the system, but one is safe to use and helps the user recover his lost credentials, while the other steals them and is harmful for the user.

Furthermore, some automated malware analysis systems employ heuristic rules that are not quite accurate, or they point to possible malicious behavior and let the submitter or human element draw the final conclusion.

Thanks and regards,
Ionel

Hi Ionel,

thank you for your detailed information!!! In relation to my found “false negative detection” >>>>> Comodo Experts : Pio 1:1 ;D We check each other, but I think we can all just benefit from this.

“Furthermore, some automated malware analysis systems employ heuristic rules that are not quite accurate or they point to possible malicious behavior and lets the submitter or human element draw the final conclusion”.

I can’t deny that, but currently I can’t run tests with my private analysis workstation, because I’m just doing a hardware upgrade and I don’t have all the components together yet. This analytical platform is the only thing I can currently use.

But I have a further question: Uses network protocols on unusual ports (TCP traffic over port 50492), Contacts 1 domain and 2 hosts, Malicious artifacts seen in the context of a contacted host, Found malicious artifacts related to IP: "54.230.202.102"

Can you give me a short explanation for this behaviour? For what reason does a banking program contact a host that contains malware?

Thank you in advance!!!

Best Regards!!!

Pio

Hi pio,

The respective IP address belongs to a CDN which mirrors multiple websites/internet resources for performance benefits. Among those mirrored websites, some might have been hosting malware or adware applications without the CDN owner’s knowledge in the past, thus getting the respective IP flagged by some security monitoring services - even though CDNs are used for a good purpose and most of the hosted websites are not malicious.

Regards,
Ionel
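One way to encode the reasoning in this reply into a triage step, added here as an example and not code from the thread or from Comodo: a sandbox's "malicious artifacts seen for contacted host" flag is weighted by whether the IP sits in shared CDN or cloud-hosting space. If it does, the hit is downgraded and the analyst is told to corroborate with the contacted domain, URL path or payload instead of the bare IP. The prefix list `SHARED_INFRA`, the function names `shared_provider`, `classify_host` and `triage`, and the sample hosts are all constructed for illustration; the `54.230.0.0/16` prefix is a placeholder chosen only so that the IP from the thread falls inside it, not a published range.

```python
"""Triage of contacted-host indicators from a sandbox report (constructed example)."""
import ipaddress

# Constructed placeholder prefixes standing in for shared CDN / cloud-hosting
# ranges. A real deployment would load the providers' published range files.
SHARED_INFRA = {
    "example-cdn": ["54.230.0.0/16"],      # constructed; covers the IP from the thread
    "example-cloud": ["203.0.113.0/24"],   # RFC 5737 documentation range
}
_NETS = {name: [ipaddress.ip_network(p) for p in prefixes]
         for name, prefixes in SHARED_INFRA.items()}


def shared_provider(ip_str):
    """Return the provider name if ip_str lies in a shared-infrastructure prefix, else None."""
    ip = ipaddress.ip_address(ip_str)
    for name, nets in _NETS.items():
        if any(ip in net for net in nets):
            return name
    return None


def classify_host(ip_str, flagged=False):
    """Weight a 'malicious artifacts seen for this host' flag by who owns the IP.

    flagged: True when the sandbox reported prior malicious artifacts for this host.
    Returns a dict with the confidence the flag deserves and the suggested next step.
    """
    provider = shared_provider(ip_str)
    if not flagged:
        return {"ip": ip_str, "provider": provider, "confidence": "none",
                "action": "no reputation hit; nothing to act on"}
    if provider is None:
        return {"ip": ip_str, "provider": None, "confidence": "medium",
                "action": "dedicated host with prior bad artifacts; review the traffic"}
    # Shared infrastructure: the IP is reused by many unrelated sites, so a past
    # hit says little about this sample. Ask for evidence tied to the sample itself.
    return {"ip": ip_str, "provider": provider, "confidence": "low",
            "action": "shared infrastructure; corroborate with the contacted domain, "
                      "URL path or payload before concluding"}


def triage(hosts):
    """Classify every contacted host and count results by confidence level."""
    results = [classify_host(h["ip"], h.get("flagged", False)) for h in hosts]
    summary = {}
    for r in results:
        summary[r["confidence"]] = summary.get(r["confidence"], 0) + 1
    return results, summary


# Constructed sample resembling the thread's report: one CDN IP with a
# reputation hit and one unflagged host in a documentation range.
SAMPLE_HOSTS = [
    {"ip": "54.230.202.102", "flagged": True},
    {"ip": "198.51.100.7", "flagged": False},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_HOSTS)[0]:
        print(f"{r['ip']:>16}  {r['confidence']:<6}  {r['action']}")
```

Run stand-alone, the script prints one line per contacted host; the CDN-hosted IP comes out as a low-confidence hit with a request for corroboration, which is the conclusion the reply above reaches by hand.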

alright! Personally, “brain machine learning process” accomplished!!! :slight_smile:

that’s all I wanna know! thank you again!!! :-TU

… the show must go on!!! >:-D

Generic.Malware

https://www.virustotal.com/en/file/5d67a8cd1fe9f7bcb16ac7da333005030f42cf7846b166fcc8bb315a23490519/analysis/

Some Malicious/Suspicious Indicators: Reads configuration files, Monitors specific registry key for changes, Contains ability to enumerate processes/modules/threads, Contains ability to open the clipboard, Tries to obtain a handle with write access to the physical drive (“KGGouWo.exe” attempted to obtain write access to “PhysicalDrive0”), Contains ability to elevate privileges, Modifies proxy settings, Queries sensitive IE security settings, Installs hooks/patches the running process, Makes a code branch decision directly after an API that is environment aware, Opens the Kernel Security Device Driver, HTTP request contains Base64 encoded artifacts

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

PUA - Signed by Comodo

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wa

Trojan.Variant.Kryptik - Signed by Comodo

Some suspicious/malicious Indicators: Matched Compiler/Packer signature (detected as "Microsoft visual C++ 5.0"), Reads the active computer name, Contains ability to lookup the windows account name, Contains ability to query CPU information, Possibly tries to implement anti-virtualization techniques, Contains ability to start/interact with device drivers, Queries physical drive, Interacts with the primary disk partition, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Contacts 1 domain and 2 hosts, Multiple malicious artifacts seen in the context of different hosts, HTTP request contains Base64 encoded artifacts

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wa

PUA/Trojan.Generic - “Signed by Comodo”

https://valkyrie.comodo.com/get_info?sha1=10d8addbefa39f91c91b249098c60d9406bd44a9

Some suspicious/malicious Indicators: Matched Compiler/Packer signature (Microsoft visual C++ 5.0), Reads the active computer name, Contains ability to start/interact with device drivers, Contains ability to query CPU information, Possibly tries to implement anti-virtualization techniques, Queries sensitive IE security settings, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Touches files in the Windows directory, Runs shell commands, Installs hooks/patches the running process, Posts files to a webserver, Contacts 1 domain and 2 hosts, Multiple malicious artifacts seen in the context of different hosts, PE EXE or DLL Windows file download, HTTP request contains Base64 encoded artifacts

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Pavithran G

Trojan.Dropper.Agent - “Signed by Thawte”

Some suspicious/malicious Indicators: Matched Compiler/Packer signature (VC8), Contains ability to elevate privileges, Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation date, Found more than one unique User-Agent - Suspicious User-Agent (FULLSTUFF), Installs hooks/patches the running process, Queries sensitive IE security settings, Modifies proxy settings, Contacts 6 domains and 4 hosts, Multiple malicious artifacts seen in the context of different hosts, HTTP request contains Base64 encoded artifacts

Hello pio,
Thanks for the submission. We’ll check it and, if found to be malware, detection will be added.

Best regards,
Andrei Savin