Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Variant of Kryptik, always from the same “trojan-builder-kit” kiddy ! He always uses the SAME stolen certificate from Comodo !

Is it not possible to revoke the validity of this certificate ?

Sample was NOT shared !!! So please mark this via filehash !!!

Some suspicious/malicious Indicators : Matched Compiler/Packer signature ( visual C++ v6.0 ) , Reads the active computer name , Reads the cryptographic machine GUID , Possibly tries to implement anti-virtualization techniques ( against vmware & virtualbox ) , Interacts with the primary disk partition , Opens the Kernel Security Device Driver , Queries kernel debugger information , Modifies proxy settings , Queries sensitive IE security settings , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol ( Found reference to API TaskDialogIndirect@COMCTL32.DLL at PID 00003188 ) , Runs shell commands ( "/C timeout 3 > Nul & Del "C:\cbac8436a159980b5abccdc17a0e0b13ac44f1a3c58b0d81c49c0652d42c8e4a.exe"" ) , Contacts 2 domains and 2 hosts , HTTP request contains Base64 encoded artifacts , Multiple malicious artifacts seen in the context of different hosts ( Found malicious artifacts related to "34.225.189.247" )

Hi pio ,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards,
Pavithran G

PUA.Variant.Installcore - Certificate “issued” by Comodo & Global Sign ( Counter Signer)

Vendor is GRAY listed on Valkyrie !!! Please add signature detection !!!

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Aravindhraj J

Very, very fast, Guys !!! Nearly 30 minutes after I uploaded this to Valkyrie, the file was marked as malicious !!! :-TU :-TU :-TU :wink:

Note : This file comes from the Guy who dropped all the Kryptik variants that I had posted ! ALWAYS signed with the SAME certificate from Comodo !!! Guys, please close this attack vector ! This Guy tries to make money with the credibility of Comodo !

Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF

PUA.Variant - Certificate “issued” by Comodo

Sample was not shared, so I can't upload it to Valkyrie ! Please mark it via filehash !

Some suspicious/malicious Indicators : PE file contains zero-size sections , Reads the active computer name , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the registry for installed applications , Possibly tries to implement anti-virtualization techniques , Contains ability to elevate privileges , Queries volume information of an entire harddrive , Opens the Kernel Security Device Driver , Drops multiple executable files , Accesses potentially sensitive information from local browsers , Modifies proxy settings , Process "iexplorer.exe" was launched with changed environment variables , Tries to GET non-existent files from a webserver , Contacts 4 domains and 3 hosts , Multiple malicious artifacts seen in the context of different hosts ( Found malicious artifacts related to "64.185.181.238" (ASN: 40009, Owner: BitGravity, Inc.) and Found malicious artifacts related to "67.219.144.82" (ASN: 54455, Owner: MadeIT inc.) ) . Extracted malicious file : "ascsetup.exe" detected as "RiskTool.SystemCare" >>> VirusTotal

EDIT : Please mark the extracted file too !!! Also signed with the same certificate !

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

FILE IS FULLY TRUSTED !!!

PUA.Generic - Certificate “issued” by Comodo

Some suspicious/malicious Indicators :
Matched Compiler/Packer signature ( Borland Delphi 4.0 ) , PE file contains zero-size sections , Reads the active computer name , Reads the cryptographic machine GUID , Reads the windows installation date , Scanning for window names , Checks for the presence of a forensics/monitoring tool ( wireshark ) , Contains ability to open the clipboard , Contains ability to retrieve keyboard strokes , Checks for the presence of an Antivirus engine ( 7 AV Vendors ) , Checks for known debuggers/analysis tools ( sysinternals ) , Contains ability to elevate privileges , Possibly tries to implement anti-virtualization techniques ( against sandboxie & virtualbox ) , Drops executable files , Opens the Kernel Security Device Driver , Accesses potentially sensitive information from local browsers , Modifies proxy settings , Process launched with changed environment (launched itself with missing and iexplorer.exe with changed environment variables ) , Contacts 2 domains and 2 hosts , HTTP request contains Base64 encoded artifacts , Multiple malicious artifacts seen in the context of different hosts ( Found malicious artifacts related to "185.7.248.1" (ASN: 26496, Owner: GoDaddy.com, LLC) & Found malicious artifacts related to "213.186.33.69" (ASN: 16276, Owner: OVH SAS) )

Sorry Guys, I made a mistake ! Now both files have the same name (“sumo.exe”) on VT ! That confused me a bit ! So no problems with Valkyrie ! Please mark the FULLY trusted file ! Thx !!!

Apologies for causing unnecessary work !!!

Please remove Defender Security Limited from Trusted Vendors List if detection is made.

Another one which is trusted by vendor list: VirusTotal

:-TU :-TU :-TU :wink:

:-TU :-TU I will hunt for these more. Found these on Google search ads, they are a good place for PUPs. Also can find them on websites with a lot of popup ads.
In my VM I will test malware samples to see if I can find a whitelisted dangerous malware. I found one a few months ago which was whitelisted by cloud lookup → it was a banking trojan/data stealer, which can be very bad.

Yeah … !!! I strongly support that ! :-TU :wink:

Hi pio & Yousername,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Heuristic.suspicious - Certificate “issued” by DigiCert

Some suspicious/malicious Indicators : Matched Compiler/Packer signature ( Netopsystems FEAD Optimizer 1 ) , File is using a Packer (UPX) to obfuscate its code , PE file contains zero-size sections , CRC value set in PE header does not match actual value , Entrypoint in PE header is within an uncommon section , Reads the windows installation date , Reads the cryptographic machine GUID , Contains ability to elevate privileges , Reads the registry for installed applications , Checks for a resource fork (ADS) file , Checks for the presence of 4 Antivirus engines , Tries to implement anti-virtualization techniques ( ");}};Settings.SettingsTab=class extends UI.VBox{constructor(name,id){super();this.element.classList.add('settings-tab-container');if(id)this.element.id=id;var header=this.element.createChild('header');header.createChild('h3').createTextChild(name);this.cont" ) , Drops multiple executable files , Tries to hide a process launching it with different user credentials , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Input sample write bytes to itself , Process launched with changed environment ( "input sample" was launched with new environment variables: "__COMPAT_LAYER=ElevateCreateProcess" ) , Contacts 491 domains and 466 hosts , HTTP request contains Base64 encoded artifacts , Multiple malicious artifacts seen in the context of different hosts

Edit: After further analysis, I would say the file is clean ! But in some cases it has a VERY suspicious behaviour and additionally has HEAVY PE anomalies ! If the file was not Opera, then I would rate it as malicious. >:-D Furthermore I would like to ask the coder a few things. :wink:

Hi pio ,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

No “maybe” malicious ! :wink: 100 % malicious !!! :slight_smile:

Trojan/Adware.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious Indicators : Matched Compiler/Packer signature ( Microsoft visual C++ 5.0 ) , PE file has unusual entropy sections , Reads the active computer name , Reads the cryptographic machine GUID , Reads the system/video BIOS version , Reads the windows installation date , Interacts with the primary disk partition , Found a dropped file containing the Windows username , Executes WMI queries , Hooks API calls ( "NtCreateUserProcess@NTDLL.DLL" in Input Sample ) , Modifies proxy settings , Queries sensitive IE security settings , Process launched with changed environment ( iexplorer.exe & cmd.exe ) , Checks network status using ping , Runs shell commands ( "/c for /l %x in (1,1,10) do ping localhost -n 6 -w 1 & del /q /f "C:\0176f01338aa44a35102ad88c33a4f82cd35390b39fcf6bb4d73c84d8e038096.exe" & if not exist "C:\0176f01338aa44a35102ad88c33a4f82cd35390b39fcf6bb4d73c84d8e038096.exe" exit" ) , Contacts 1 domain and 1 host , Found LoadMoney Checkin 5 , Found malicious artifacts related to "52.210.87.14" (ASN: , Owner: )

P.S. Maybe someone from the COMODO RSA Certification Authority wants to take a look at the certificate details.

================== Signature #0
Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 153937462019651010976837154219307055768
Serial (Hex): 73cf46da2e115b21ac81cbb3ba843a98
Valid from: Jul 5 00:00:00 2017 GMT
Valid until: Sep 20 23:59:59 2017 GMT

================== Certificate #0
C (countryName): RU [5255]
CN (commonName): LLC, Vet-Faktor [4C4C432C205665742D46616B746F72]
L (localityName): Moscow [4D6F73636F77]
O (organizationName): LLC, Vet-Faktor [4C4C432C205665742D46616B746F72]
ST (stateOrProvinceName): Troitsk [54726F6974736B]
postalCode (postalCode): 142191 [313432313931]
street (streetAddress): street Promishlennaya 2 [7374726565742050726F6D6973686C656E6E6179612032]

================== Certificate #1
C (countryName): GB [4742]
CN (commonName): COMODO RSA Code Signing CA [434F4D4F444F2052534120436F6465205369676E696E67204341]
L (localityName): Salford [53616C666F7264]
O (organizationName): COMODO CA Limited [434F4D4F444F204341204C696D69746564]
ST (stateOrProvinceName): Greater Manchester [47726561746572204D616E63686573746572]

================== Certificate #2
C (countryName): GB [4742]
CN (commonName): COMODO RSA Certification Authority [434F4D4F444F205253412043657274696669636174696F6E20417574686F72697479]
L (localityName): Salford [53616C666F7264]
O (organizationName): COMODO CA Limited [434F4D4F444F204341204C696D69746564]
ST (stateOrProvinceName): Greater Manchester [47726561746572204D616E63686573746572]

Hi pio ,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards,
Pavithran G

Trojan/Adware.Variant.Kryptik - Certificate “issued” by Comodo

https://valkyrie.comodo.com/get_info?sha1=32b17f58509ad8bc02a1e2207499248b2f9f5dfe

Some suspicious/malicious Indicators : Matched Compiler/Packer signature ( Microsoft visual C++ v6.0 ) , File has PE Anomalies ( The first section (name:.text) is writable , Found non-ascii or empty section names ) , Reads the active computer name , Reads the cryptographic machine GUID , Input sample expects Administrative permission , Input sample contains self-modifying code , Interacts with the primary disk partition , Found a dropped file containing the Windows username , Queries kernel debugger information , Opens the Kernel Security Device Driver , Modifies proxy settings , Queries sensitive IE security settings , Contacts 3 domains and 1 host , HTTP request contains Base64 encoded artifacts , Found malicious artifacts related to “34.225.189.247” (ASN: , Owner: )

Certificate Details :
================== Signature #0
Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 142720532074052728407838614411883874548
Serial (Hex): 6b5ef982024cf81e6873615a46d888f4
Valid from: Apr 20 00:00:00 2017 GMT
Valid until: Aug 24 23:59:59 2017 GMT

================== Certificate #0
C (countryName): RU [5255]
CN (commonName): PRAISBORD, LLC [5052414953424F52442C204C4C43]
L (localityName): Gus-Hrustalnyj [4775732D4872757374616C6E796A]
O (organizationName): PRAISBORD, LLC [5052414953424F52442C204C4C43]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 601500 [363031353030]
street (streetAddress): Oktjabrskaja, 57 [4F6B746A616272736B616A612C203537]

================== Certificate #1
C (countryName): GB [4742]
CN (commonName): COMODO RSA Code Signing CA [434F4D4F444F2052534120436F6465205369676E696E67204341]
L (localityName): Salford [53616C666F7264]
O (organizationName): COMODO CA Limited [434F4D4F444F204341204C696D69746564]
ST (stateOrProvinceName): Greater Manchester [47726561746572204D616E63686573746572]

================== Certificate #2
C (countryName): GB [4742]
CN (commonName): COMODO RSA Certification Authority [434F4D4F444F205253412043657274696669636174696F6E20417574686F72697479]
L (localityName): Salford [53616C666F7264]
O (organizationName): COMODO CA Limited [434F4D4F444F204341204C696D69746564]
ST (stateOrProvinceName): Greater Manchester [47726561746572204D616E63686573746572]
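The two certificate dumps posted in this thread (Vet-Faktor and PRAISBORD, both chaining to COMODO RSA Code Signing CA) are what a CA or a vendor's untrust list needs: the issuer plus the leaf serial. The Python below is an added example, not code from the original posts or from Comodo: it parses that dump format, checks that every bracketed hex value really decodes to the text shown next to it, checks that the decimal and hex serials agree, and returns the (issuer CN, subject CN, serial) tuple a revocation or blocklist entry is keyed on. The input is copied from the Vet-Faktor dump above.

```python
import re

# Format of the dumps posted above: "Key (longName): Value [HEX]" lines in each
# "Certificate #N" block; plain "Key: Value" lines in the "Signature #0" block.
FIELD_RE = re.compile(r"^(\w+) \((\w+)\): (.*?) \[([0-9A-Fa-f]*)\]$")

def parse_dump(text):
    """Return (signature dict, list of certificate dicts) from a dump."""
    sig, certs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=================="):
            if "Certificate" in line:
                certs.append({})
            continue
        m = FIELD_RE.match(line)
        if m and certs:
            key, _, shown, hexval = m.groups()
            # The bracketed hex is the raw string bytes; it must decode to the shown value.
            decoded = bytes.fromhex(hexval).decode("utf-8")
            if decoded != shown:
                raise ValueError(f"{key}: shown {shown!r}, hex decodes to {decoded!r}")
            certs[-1][key] = shown
        elif ":" in line and not certs:
            key, _, value = line.partition(":")
            sig[key.strip()] = value.strip()
    return sig, certs

def serial_consistent(sig):
    """The decimal and hex serials in the Signature block must be the same number."""
    return int(sig["Serial"]) == int(sig["Serial (Hex)"], 16)

def block_entry(sig, certs):
    """(issuer CN, leaf subject CN, serial hex): the tuple an untrust list keys on."""
    issuer_cn = sig["Issuer"].rsplit("/CN=", 1)[1]
    return issuer_cn, certs[0]["CN"], sig["Serial (Hex)"].lower()

# Input copied from the Vet-Faktor dump posted above (Signature #0 and Certificate #0).
SAMPLE = """\
================== Signature #0
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 153937462019651010976837154219307055768
Serial (Hex): 73cf46da2e115b21ac81cbb3ba843a98

================== Certificate #0
C (countryName): RU [5255]
CN (commonName): LLC, Vet-Faktor [4C4C432C205665742D46616B746F72]
L (localityName): Moscow [4D6F73636F77]
"""
```

Feeding the PRAISBORD dump to the same functions gives the second entry; a dump whose hex does not match its shown text raises ValueError, which is the case worth catching when copying such values into a blocklist.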