Report trusted and whitelisted malware here- 2017 (NO LIVE MALWARE!)

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

UPDATE: Corrected Valkyrie and VT link!!! I was a victim of copy/paste … 88)

PUA/Adware.Variant.OpenCandy - Certificate “issued” by Comodo & countersigned by Symantec & Thawte

Some suspicious/malicious indicators: Matched Compiler/Packer signature (UPX v1.25 (Delphi) Stub), File has multiple PE Anomalies (PE file has unusual entropy sections, PE file is packed with UPX, Entrypoint in PE header is within an uncommon section, PE file contains zero-size sections, First File section is writeable), Reads the active computer name, Reads the cryptographic machine GUID, The file has self-modifying code (writes bytes to itself), File tries to create guarded memory regions, Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings (Input Sample (Path: “HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY”; Key: “DISABLESECURITYSETTINGSCHECK”)), Accesses potentially sensitive information from local browsers (Input Sample had access to “%APPDATA%\Microsoft\Windows\Cookies\index.dat” & “%APPDATA%\Microsoft\Windows\IETldCache\index.dat”)

Certificate Details:

Status: This certificate or one of the certificates in the certificate chain is not time valid.
Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 34964319277138010442304760758395501885
Serial (Hex): 1a4de208e2eaa73d520698e2d08c7d3d

Valid from: Aug 26 00:00:00 2014 GMT
Valid until: Aug 26 23:59:59 2015 GMT - EXPIRED but STILL valid!!!

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

File has a CAV detection via heuristics (found double extensions) but NO signature detection for CAV, Valkyrie and VT!!!

Adware.Generic - Certificate “issued” by Comodo & countersigned by Symantec & Thawte

Some suspicious/malicious indicators: Found many suspicious strings in the file hex table, Matched Compiler/Packer signature (BobSoft Mini Delphi), File has PE Anomalies (PE file has unusual entropy sections, PE Parsing in section “bss”, “tls” (physical size is 0)), File code is packed and obfuscated, Reads the active computer name, Reads the cryptographic machine GUID, Reads the Windows product ID, Reads the registry for installed applications, Uses a User Agent typical for browsers, although no browser was ever launched, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings, Accessed IE Quick Launch directory, Queries volume information of an entire hard drive, Looks up many procedures within the same disassembly stream (Input Sample calls to GetProcAddress[at]KERNEL32.DLL), Hooks (write bytes) to the running processes (WSHTCPIP.DLL, NSI.DLL, WSHIP6.DLL), Contacts 27 domains and 32 hosts, Uses network protocols on unusual ports, HTTP request contains Base64 encoded artifacts, Found curl User-Agent Outbound, Found malicious artifacts related to “136.243.51.228” (ASN: 24940, Owner: Hetzner Online AG)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 44876615015606489652819815110200970531
Serial (Hex): 21c2ebf24fbbc6959c39dad0d156cd23

Valid from: Apr 5 00:00:00 2016 GMT
Valid until: Feb 16 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): RECORD LLC [5245434F5244204C4C43]
L (localityName): Saint-Petersburg [5361696E742D50657465727362757267]
O (organizationName): RECORD LLC [5245434F5244204C4C43]
ST (stateOrProvinceName): Saint-Petersburg [5361696E742D50657465727362757267]
postalCode (postalCode): 197341 [313937333431]
street (streetAddress): Kolomyazhsky 33, liter A [4B6F6C6F6D79617A68736B792033332C206C697465722041]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Valkyrie is currently not able to receive files! So please download the sample from here >>> Link removed by Moderator (NO PW - upload is set to private)

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Borland Delphi 6.0), The first section (.text) is writable, File calls a TLS callback at “0x449020”, File code is obfuscated and packed, File code is self modifying, Reads the active computer name, Reads the cryptographic machine GUID, Interacts with the primary disk partition, Queries kernel debugger information, Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Runs shell commands (/C timeout 3 > Nul & Del "C:\937bad14675217e0527a8c03194f6c976d05f8756f788ae955feae4ae193079b.exe"), Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “34.225.189.247” & Found malicious artifacts related to “91.217.84.57” (ASN: 49313, Owner: Seva-Host Ltd)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 188410496326828071096717434424973797041
Serial (Hex): 8dbe8aaaf7e59d54b14c3dd2a21326b1

Valid from: Jun 13 00:00:00 2017 GMT
Valid until: Jun 13 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): RILAIN, OOO [52494C41494E2C204F4F4F]
L (localityName): Ivanovo [4976616E6F766F]
O (organizationName): RILAIN, OOO [52494C41494E2C204F4F4F]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 153006 [313533303036]
street (streetAddress): 4 proezd 15-I [342070726F657A642031352D49]

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Sorry guys, sometimes in the work process I forget where I am … :wink: :-TU Although I must say, the file was clearly marked as malicious!!!

Adware.Filetour - Certificate “issued” by Comodo & countersigned by Symantec & Thawte

Valkyrie is currently not ready to receive my files (analysis does not start)! Sample download link was sent to Chunli, Qiuhui.■■■■, pavithran & Aravindhraj J

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Borland Delphi 3.0), File has multiple PE Anomalies (Timestamp in PE header is very old or in the future (from Oct 23 06:22:17 1989), Entrypoint in PE header is within an uncommon section, PE Parsing in section BSS, tls, reloc, CRC value set in PE header does not match actual value), File calls a TLS callback at “0x21504”, File is packed and obfuscated, File contains another file in the overlay (Inno Setup), File tries to increase administrative permissions, Scanning for window names, Reads the registry for installed applications, File writes bytes to itself, Drops executable files, Opens the Kernel Security Device Driver, Contains ability to create named pipes for inter-process communication (CreateNamedPipeA[at]KERNEL32.DLL at PID 00002612), Looks up many procedures within the same disassembly stream (Found calls to GetProcAddress[at]KERNEL32.DLL), Modifies proxy settings, File steals sensitive information from local browsers (IE), Found potential IP address in binary/memory (“127.0.0.1”, “255.255.255.255”), Contacts 2 domains and 2 hosts, Found malicious artifacts related to “5.254.67.98” (ASN: 39743, Owner: Voxility S.R.L.) & Found malicious artifacts related to “35.176.106.236” (ASN: 237, Owner: Merit Network Inc.)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 104760946870733951513442184690501404290
Serial (Hex): d039761588e5d414303fe57b37c682

Valid from: Jul 11 00:00:00 2017 GMT
Valid until: Aug 19 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): OOO_APEKS SOFT [4F4F4F5F4150454B5320534F4654]
L (localityName): Brjansk [42726A616E736B]
O (organizationName): OOO_APEKS SOFT [4F4F4F5F4150454B5320534F4654]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 241050 [323431303530]
street (streetAddress): Gorkogo, 30 [476F726B6F676F2C203330]

File is FULLY trusted!!!

PUA.Adware.Variant.OpenCandy - Certificate “issued” by VeriSign & countersigned by Symantec & Thawte

Advanced File Analysis System | Valkyrie (file was uploaded yesterday, when Valkyrie still worked)

Some suspicious/malicious indicators: Matched Compiler/Packer signature (“03c4e9856552a5fa998c389a762a32541e9211977f3a1a6f305785e2775e02e5.exe.bin” was detected as “UPX v1.25 (Delphi)” > “FS.dll” was detected as “Borland Delphi 4.0” > “uTorrent.exe” was detected as “UPX v1.25 (Delphi) Stub”), File has multiple PE Anomalies (PE file contains zero-size sections > PE file has unusual entropy sections > PE file is packed with UPX > Timestamp in PE header is very old or in the future (from Jan 01 00:00:00 1970) > CRC value set in PE header does not match actual value > Entrypoint in PE header is within an uncommon section), File code is packed and obfuscated, Reads the active computer name, Reads the cryptographic machine GUID, Reads Windows Trust Settings, Scanning for window names, Reads the registry for installed applications, File tries to implement anti-VM techniques (checks for wine emulator), Modifies Software Policy Settings, Modifies proxy settings, Accesses System Certificates Settings, Queries sensitive IE security settings, Logged script engine calls, Contacts 12 domains and 12 hosts, Found malicious artifacts related to “107.20.217.71” (ASN: 14618, Owner: Amazon.com, Inc.) > Found malicious artifacts related to “67.215.238.66” (ASN: 29761, Owner: QuadraNet, Inc) > Found malicious artifacts related to “23.21.139.158” (ASN: 14618, Owner: Amazon.com, Inc.) > Found malicious artifacts related to “23.21.92.252” (ASN: 14618, Owner: Amazon.com, Inc.) > Found malicious artifacts related to “67.215.246.203” (ASN: 29761, Owner: QuadraNet, Inc) > Found malicious artifacts related to “52.222.231.159” > Found malicious artifacts related to “208.111.131.66” (ASN: 22822, Owner: Limelight Networks, Inc.) > Found malicious artifacts related to “69.164.56.131” (ASN: 22822, Owner: Limelight Networks, Inc.) > Found malicious artifacts related to “52.222.240.34” > Found malicious artifacts related to “98.143.146.7” (ASN: 29761, Owner: QuadraNet, Inc) > Found malicious artifacts related to “87.248.214.58” (ASN: 22822, Owner: Limelight Networks, Inc.)

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

EDIT: Valkyrie Link was added !!!

PUA - Certificate “issued” by Comodo & countersigned by Symantec

“My beloved Valkyrie” is working again!!! :-TU :slight_smile: >>> Advanced File Analysis System | Valkyrie

Some suspicious/malicious indicators: Matched Compiler/Packer signature (input sample and dropped executables are packed with various packers), File has multiple PE Anomalies (PE file has unusual entropy sections, PE file has zero size sections, CRC value set in PE header does not match actual value), File code is packed and obfuscated, Contains ability to obtain privileges, Tries to implement anti-virtualization techniques (isVirtualMachine>k__BackingField), Reads the active computer name, Reads the cryptographic machine GUID, Reads the Windows installation date, Reads the registry for installed applications, Scanning for window names, Contains ability to retrieve keyboard strokes, Queries volume information of an entire hard drive, Creates guarded memory sections, Accesses potentially sensitive information from local browsers, Modifies proxy settings, Queries sensitive IE security settings, Process launched with changed environment (process “iexplore.exe” was launched with new environment variables), Opens the Kernel Security Device Driver, Contains ability to create named pipes for inter-process communication (CreateNamedPipeW[at]KERNEL32.DLL at PID 00002672), Drops multiple executable files, Tries to GET non-existent files from a webserver, Contacts 3 domains and 2 hosts, Found malicious artifacts related to “67.219.144.82” (ASN: 54455, Owner: MadeIT inc.)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 282702875599676112045120799061241130200
Serial (Hex): d4ae97e5aa9277a34e888cf5bd0e6cd8

Valid from: May 23 00:00:00 2017 GMT
Valid until: Oct 12 23:59:59 2017 GMT

C (countryName): IN [494E]
CN (commonName): Tuneup PC Tools LLP [54756E65757020504320546F6F6C73204C4C50]
L (localityName): JAIPUR [4A4149505552]
O (organizationName): Tuneup PC Tools LLP [54756E65757020504320546F6F6C73204C4C50]
ST (stateOrProvinceName): RAJASTHAN [52414A41535448414E]
postalCode (postalCode): 302004 [333032303034]
street (streetAddress): HOUSE NO. A 54, SHANTI PATH, TILAK NAGAR, JAWAHAR NAGAR [484F555345204E4F2E20412035342C205348414E544920504154482C2054494C414B204E414741522C204A415741484152204E41474152]

EDIT: Valkyrie Link was added !!!

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Generic.Variant.Adware.FileTour - Certificate “issued” by Comodo & countersigned by DigiCert

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Borland Delphi 3.0), File has multiple PE Anomalies (PE file contains zero-size sections, CRC value set in PE header does not match actual value), File calls a TLS callback at 0x406402 [CODE:0x21506], File code is packed and obfuscated, Reads the active computer name, Reads the registry for installed applications, Scanning for window names, Contains ability to create named pipes for inter-process communication (Kernel32.dll), Tries to obtain permission rights, File tries to create guarded memory sections, File accesses the Windows default safe DLL search path, Opens the Kernel Security Device Driver, Drops multiple executable files, File writes bytes to itself, Installs hooks/patches the running process (input sample wrote bytes to (MSLS31.DLL, NSI.DLL, MSIMG32.DLL))

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 107088200558186842098646444044731693211
Serial (Hex): 50906fed4b0a78e34d792e8dfdee389b

Valid from: Jul 13 00:00:00 2017 GMT
Valid until: Jul 13 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): LOD-AVTO [4C4F442D4156544F]
L (localityName): Smolensk [536D6F6C656E736B]
O (organizationName): LOD-AVTO [4C4F442D4156544F]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 214031 [323134303331]
street (streetAddress): d. 6A ofis 304, prospekt Stroitelei [642E203641206F666973203330342C2070726F7370656B74205374726F6974656C6569]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

PUA.Variant.Installcore - Certificate “issued” by Comodo

Maybe Valkyrie is receiving some changes, I could not upload anything! File was sent via the CIS internal uploader!

Some suspicious/malicious indicators: File certificate was expired (Feb 19 23:59:59 2015 GMT), File has multiple PE Anomalies (CRC value set in PE header does not match actual value, PE file contains zero-size sections), Matched Compiler/Packer signature (Visual C++ v7.0), Reads the active computer name, Reads the cryptographic machine GUID, Reads Windows Trust Settings, Scanning for window names, Reads the registry for installed applications, File tries to create guarded memory sections, Drops executable files, The file accesses the Authorization API, The file accesses the Windows default safe DLL path, Queries volume information of an entire hard drive, Accesses Software Policy Settings, Accesses System Certificates Settings, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings, Uses a User Agent typical for browsers, although no browser was ever launched (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)), Contacts 9 domains and 9 hosts, Found malicious artifacts related to “216.34.181.59” > Found malicious artifacts related to “52.213.197.187” > Found malicious artifacts related to “216.34.181.134” > Found malicious artifacts related to “78.35.24.46” > Found malicious artifacts related to “85.159.237.103” > Found malicious artifacts related to “199.201.110.78” > Found malicious artifacts related to “95.211.184.67”, Found InstallCore CnC Beacon >>> 52.213.197.187:80 (TCP)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
Serial: 273672764520000588230577817929429532062
Serial (Hex): cde3750c0eae95e01ed2375a67d7bd9e

Valid from: Feb 19 00:00:00 2014 GMT
Valid until: Feb 19 23:59:59 2015 GMT

C (countryName): IL [494C]
CN (commonName): IC-Forge [49432D466F726765]
L (localityName): Tel-Aviv [54656C2D41766976]
O (organizationName): IC-Forge [49432D466F726765]
ST (stateOrProvinceName): Tel-Aviv [54656C2D41766976]
postalCode (postalCode): 6513307 [36353133333037]
street (streetAddress): 28 Lilinblum St. [3238204C696C696E626C756D2053742E]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Please guys, check this and give me a verdict via Human Expert Analysis Verdict in Valkyrie! My verdict is NOT clean! The name itself is already a lie. The file advertises with the trustworthiness of CCleaner and has NOTHING to do with the real CCleaner! The analysis indicators also speak a clear language (anti-VM and iexplorer modifications, creates named pipes, creates guarded memory etc.) = NOT CLEAN!!! So please give your verdict! No discussions! I just want to know more about your definition of malware. But for that I need your result! :wink:

Thx!!!

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Regards,
Pavithran G

Generic.Adware - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Input File: Borland Delphi 4.0 > Extracted File: Armadillo v4.x), File has PE Anomalies (PE file contains zero-size sections, CRC value set in PE header does not match actual value), File sections are writeable, File code is packed and obfuscated, File code is self modifying, File calls a TLS callback at 0x447C20, Reads the active computer name, Reads the cryptographic machine GUID, File queries physical drive, Interacts with the primary disk partition, Queries kernel debugger information, Opens the Kernel Security Device Driver, Runs shell commands (/C timeout 3 > Nul & Del "C:\37882f4d74abc8facb0806904878d5d01d13658728116e6a9a592dfcfafffda5.exe"), Drops executable files, Modifies proxy settings, Queries sensitive IE security settings, Accesses potentially sensitive information from local browsers, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “34.225.189.247” > Found malicious artifacts related to “67.215.238.66”

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 318049958028586347278963618953902587764
Serial (Hex): ef46319cbc26cc096877dca339aa7f74

Valid from: Jun 14 00:00:00 2017 GMT
Valid until: Jun 14 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): RULON [52554C4F4E]
L (localityName): St. Petersburg [53742E2050657465727362757267]
O (organizationName): RULON [52554C4F4E]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 91104 [313931313034]
street (streetAddress): Mayakovskogo 50 [4D6179616B6F76736B6F676F203530]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Regards,
Pavithran G