Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft visual C++ v6.0), PE file has unusual entropy sections, Reads the active computer name, Reads the cryptographic machine GUID, Possibly tries to implement anti-virtualization techniques (against vmware), Interacts with the primary disk partition, Queries kernel debugger information, Opens the Kernel Security Device Driver, Writes data to a remote process (“Input Sample” wrote bytes to a remote process “%WINDIR%\System32\cmd.exe”), Drops executable files, Contains ability to elevate privileges, Accesses Software Policy Settings, Accesses System Certificates Settings, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings, Found potential IP address in binary/memory (Heuristic match: “cmd.exe /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del “%s””), Contacts 2 domains and 3 hosts, HTTP request contains Base64 encoded artifacts, Multiple malicious artifacts seen in the context of different hosts

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

This file uses the same digital certificate as the file in my post before!!!

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft visual C++ v6.0), PE file has unusual entropy sections, Reads the active computer name, Reads the cryptographic machine GUID, Accesses potentially sensitive information from local browsers, Drops executable files, Queries kernel debugger information, Opens the Kernel Security Device Driver, Contains ability to elevate privileges (MakeAbsoluteSD[at]KERNELBASE.DLL at PID 00003472), Modifies proxy settings, Queries sensitive IE security settings, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol (Found reference to API TaskDialogIndirect[at]COMCTL32.DLL at PID 00003472), Interacts with the primary disk partition, Installs hooks/patches the running process, Writes data to a remote process (“Input Sample” wrote bytes to a remote process “%WINDIR%\System32\cmd.exe”), Found potential IP address in binary/memory (Heuristic match: “cmd.exe /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del “%s””), Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Multiple malicious artifacts seen in the context of different hosts

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Aravindhraj J

PUA.Agent.GT32SupportGeeks - Antimalware Program - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Borland Delphi 4.0), PE file contains zero-size sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation date, Reads the registry for installed applications, Scanning for window names, Scans for the windows taskbar, Possibly tries to implement anti-virtualization techniques, Tries to sleep for a long time (2 minutes +), Checks for a resource fork-ADS file, Accesses potentially sensitive information from local browsers, Accesses Software Policy Settings, Accesses System Certificates Settings, Accessed IE Quick Launch directory, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings (“mcrmainsite.tmp” (Path: “HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY”; Key: “DISABLESECURITYSETTINGSCHECK”), “iexplore.exe” (Path: “HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY”; Key: “DISABLESECURITYSETTINGSCHECK”)), Drops multiple executable files, Opens the Kernel Security Device Driver, Makes a code branch decision directly after an API that is environment aware, Loads the task scheduler COM API, Writes data to various remote processes, Installs hooks/patches the running processes, Tries to GET non-existent files from a webserver, Contacts 3 domains and 3 hosts, Contacts Random Domain Names, Multiple malicious artifacts seen in the context of different hosts

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

PUA-Adware - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft visual C++ 8), Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation date, Reads the registry for installed applications, Opens the MountPointManager, Modifies proxy settings, Queries sensitive IE security settings, Touches files in the Windows directory, Writes data to a remote process (“Input Sample” wrote bytes to a remote process “%WINDIR%\System32\cmd.exe”), Runs shell commands (“/c start iexplore.exe -new “h**ps://www1.wg.agmate.net/User/G002.aspx?winny=0&nyp=0&share=0&pd=0&cabos=0&lime=0&p=0&host=%OSUSER%%2dPC&user=kKhOEBm&sid=&vi=0&bit=0&emule=0&winmx=0&utorrent=0&azureus=0&admin=1&maddr=0A%3a00%3a27%3a45%3aAB%3aDE&wsaver=1%2e0&res=0&anti=””), Launches a browser (Internet Explorer), Process launched with changed environment (Process “iexplore.exe” was launched with new environment variables: “PATH=”%PROGRAMFILES%\Internet Explorer;””), Found potential URL in binary/memory (202.12.27.33)

Hi pio,
Thanks for the submission, we will check the file and add detection if necessary.

Best regards,
Andrei Savin

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft visual C++ 5.0), PE file has unusual entropy sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the system/video BIOS version, Reads the windows installation date, Reads the registry for installed applications, Queries volume information of an entire harddrive, Found a dropped file containing the Windows username, Interacts with the primary disk partition, Hooks API calls (“NtCreateUserProcess[at]NTDLL.DLL” in “Input Sample”), Modifies proxy settings, Queries sensitive IE security settings, Touches files in the Windows directory, Process launched with changed environment (Process “iexplore.exe” (UID: 00016111-00003624) was launched with new environment variables: “PATH=”%PROGRAMFILES%\Internet Explorer;”” and Process “cmd.exe” (UID: 00016160-00003648) was launched with missing environment variables: “PATH”), Checks network status using ping, Runs shell commands (“/c for /l %x in (1,1,10) do ping localhost -n 6 -w 1 & del /q /f “C:\virus.exe” & if not exist “C:\virus.exe” exit””), Contacts 1 domain and 1 host, Found MALWARE LoadMoney Checkin 5, Malicious artifacts seen in the context of a contacted host (Found malicious artifacts related to “52.210.87.14” (ASN: , Owner: ))

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft visual C++ 5.0), PE file has unusual entropy sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the system/video BIOS version, Reads the windows installation date, Reads the registry for installed applications, Opens the Kernel Security Device Driver, Interacts with the primary disk partition, Modifies proxy settings, Queries sensitive IE security settings, Hooks API calls (“NtCreateUserProcess@NTDLL.DLL” in “Input Sample”), Requested access to various system services, Sent a control code to a service (“Input Sample” called “ControlService” and sent control code “0X400” and “0X24” to the service “CryptSvc”, “iexplore.exe” called “ControlService” and sent control code “0X24” and “0XDC” to the service “WSearch”), Installs hooks/patches the running process, Found an IP/URL artifact that was identified as malicious by at least one reputation engine (4/66 reputation engines marked “h**p://s2.file-space.org” as malicious), Checks network status using ping (Process “PING.EXE” with commandline “ping localhost -n 6 -w 1”), Contacts 2 domains and 2 hosts, Multiple malicious artifacts seen in the context of different hosts, Found MALWARE LoadMoney Checkin

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

PUA-Adware - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Nullsoft PiMP Stub → SFX), PE file contains zero-size sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads Windows Trust Settings, Scanning for window names, Accesses potentially sensitive information from local browsers, Accesses Software Policy Settings, Accesses System Certificates Settings, Contains ability to open the clipboard, Opens the Kernel Security Device Driver, Queries kernel debugger information, Drops executable files, Found a dropped file containing the Windows username, Installs hooks/patches the running process (“Input Sample” wrote bytes to “WSHIP6.DLL”, “NSI.DLL”, “SHFOLDER.DLL”), Writes data to a remote process (writes bytes to itself), Process launched with changed environment (Process “Input Sample” was launched with new environment variables), Requested access to various system services, Sent a control code to a service (“Input Sample” called “ControlService” and sent control code “0X24” and “0XFC” to the service “gpsvc”, “Input Sample” called “ControlService” and sent control code “0X400” and “0X24” to the service “CryptSvc”), Contacts 3 domains and 1 host, Malicious artifacts seen in the context of a contacted host

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards,
Pavithran G

21097472cec2e5d544db199fe2d9ef3e356f9516
5726642e3d9af4acb7800d57d5d5f124dc552750

Hi, ya.q1

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Hi,
Thanks for your submission. We’ll check the files and add detection where necessary.

Best regards,
Andrei Savin

Trojan.Variant.Kryptik - Certificate “issued” by Comodo UPDATE

ATM I can’t upload files to Valkyrie! Send to Comodo via CIS

Some suspicious/malicious indicators: Matched Compiler/Packer signature (C++ 5.0), PE file has unusual entropy sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the system/video BIOS version, Reads the windows installation date, Reads the registry for installed applications, Tries to obtain the highest possible privilege level without UAC dialog, Queries volume information of an entire harddrive, Interacts with the primary disk partition, Modifies proxy settings, Queries sensitive IE security settings, Opens the Kernel Security Device Driver, Hooks API calls (“NtCreateUserProcess[at]NTDLL.DLL” in “Input Sample”), Sent control codes to services (CryptSvc, WSearch), Process launched with changed environment (Process “iexplore.exe” (new variables) > (UID: 00020766-00003412) & Process “cmd.exe” (missing variables) > (UID: 00020931-00003448)), Runs shell commands (Ping check) (“/c for /l %x in (1,1,10) do ping localhost -n 6 -w 1 & del /q /f “C:\upatre.exe” & if not exist “C:\upatre.exe” exit””), Contacts 1 domain and 1 host, Malicious artifacts seen in the context of a contacted host (Found malicious artifacts related to “52.210.87.14”)

And please take a look at this:

Thank you!!!

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Aravindhraj J