Report trusted and whitelisted malware here - 2017 (NO LIVE MALWARE!)

Trojan.Generic.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious Indicators: File code is packed and obfuscated (Matched Compiler/Packer signature: Armadillo v4.x), File calls a TLS callback at [.text:0x304160], File code is self modifying, Tries to detect VM (Queries physical drive), Reads the active computer name, Reads the cryptographic machine GUID, Interacts with the primary disk partition, Queries kernel debugger information, Opens the Kernel Security Device Driver, Input sample dropped files, Accesses potentially sensitive information from local browsers, Modifies proxy settings, Queries sensitive IE security settings, Installs hooks/patches the running process (Input Sample wrote bytes to “WSHIP6.DLL”, “NSI.DLL” and “WSHTCPIP.DLL”), Gets files from a webserver (GET /download/e0aeac89ac7e98eeb766883ba0d89ad5/file965357.rar HTTP/1.1, User-Agent: Christmas Mystery 5.5.4, from semitico.ru), Runs shell commands (/C timeout 3 > Nul & Del "C:\7e11bb217cc7940f9b7581fdca0c6536ebcc3908fd9faa0371604da8f45463d7.exe"), Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “34.225.189.247”

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 300380148691980572746818459525692001930
Serial (Hex): e1fb1cc01f0a065d957e2554eed00e8a

Valid from: Jun 14 00:00:00 2017 GMT
Valid until: Jun 14 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): VIPAL [564950414C]
L (localityName): Krasnogorsk [4B7261736E6F676F72736B]
O (organizationName): VIPAL [564950414C]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 143402 [313433343032]
street (streetAddress): Shkolnaya 2 [53686B6F6C6E617961202032]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Regards,
Aravindhraj J

Adware.PUA.Variant.FileTour - Certificate “issued” by Comodo & countersigned by DigiCert

Some suspicious/malicious Indicators: File embeds another File (Inno Setup), Drops executable files, Matched Compiler/Packer signature (“uninstall.bin” was detected as “Borland Delphi 4.0”, “zpx.dat” was detected as “UPX v3.0 (DLL_LZMA)”, “e4b46f08445a2771dc41f5a5e9dda55c3f9167a7935123cba97fc60741de26c6.tmp” was detected as “Borland Delphi 3.0”), File has multiple PE Anomalies (PE file contains zero-size sections, PE file is packed with UPX, CRC value set in PE header does not match actual value, Entrypoint in PE header is within an uncommon section), File code is packed and obfuscated, File calls a TLS callback at 0x40A722 [CODE:0x38690], Reads the active computer name, Reads the registry for installed applications, Scanning for window names, Contains ability to elevate privileges, Contains ability to start/interact with device drivers, Creates protected memory sections, The file accesses the Windows default safe DLL search path, Accesses potentially sensitive information from local browsers, Modifies proxy settings, File wrote bytes to itself, Contacts 1 domain and 1 host, Found malicious artifacts related to “5.254.67.98”

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 252974853572181610134441735983820113989
Serial (Hex): be512f3fcb2daa5f651c2d7bfcb30845

Valid from: Jun 16 00:00:00 2017 GMT
Valid until: Jun 16 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): LOG [4C4F47]
L (localityName): Irkutsk [49726B7574736B]
O (organizationName): LOG [4C4F47]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 664047 [363634303437]
street (streetAddress): proezd Trudovoi 40 pom 6 [70726F657A6420547275646F766F6920343020706F6D2036]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Valkyrie link was corrected!!! Valkyrie gives out an error message after the submission. At the moment I am not able to re-upload the file. I will do it in a few hours! I hate mobile surfing!

Adware.Generic - Certificate “issued” by Comodo

Some suspicious/malicious Indicators: Matched Compiler/Packer signature (Armadillo v4.x), File code is self modifying, Reads the active computer name, Reads the cryptographic machine GUID, Scanning for window names, Reads the registry for installed applications, File calls a TLS callback at [.text:0x305184], Interacts with the primary disk partition, Opens the Kernel Security Device Driver, Queries kernel debugger information, The file accesses the RPC Network Data Representation, Accesses potentially sensitive information from local browsers, Modifies proxy settings, Queries sensitive IE security settings, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Gets Files from a Webserver

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 31987740442627768175209641976899458027
Serial (Hex): 18109d5e1ad0180917ae51789b7653eb

Valid from: Jul 12 00:00:00 2017 GMT
Valid until: Aug 16 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): OOO MAKS-SERVIS [4F4F4F204D414B532D534552564953]
L (localityName): Samara [53616D617261]
O (organizationName): OOO MAKS-SERVIS [4F4F4F204D414B532D534552564953]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 443010 [343433303130]
street (streetAddress): Molodogvardejskaja, 146 [4D6F6C6F646F6776617264656A736B616A612C20313436]

Hello pio,

Thank you for sharing this, we’ll check it.

Best regards,
FlorinG

Trojan.Backdoor.Agent - Certificate “issued” by Comodo & “countersigned” by DigiCert

Some suspicious/malicious Indicators: File code is packed and obfuscated, Matched Compiler/Packer signature (Input file and spawned files were packed with various packers), File has multiple PE Anomalies (PE file has unusual entropy sections, CRC value set in PE header does not match actual value), The file embeds another file (type: Registry, location: resources), Reads the active computer name, Reads the registry for installed applications, Queries volume information of an entire harddrive, Opens the Kernel Security Device Driver, Tries to identify its external IP address, Drops multiple executable files, Creates guarded memory regions, Writes data to a remote process (File wrote bytes to itself and rundll32.exe), Looks up many procedures within the same disassembly stream (Kernel32.dll), Modifies proxy settings, Queries sensitive IE security settings, Contacts 2 domains and 2 hosts, Found malicious artifacts related to: “rundl32.dll” connects to “37.139.53.3” & “66.171.248.178”

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 169166159203151071689586708610652689389
Serial (Hex): 7f443797b54980e55b1cb2c56621d3ed

Valid from: Jul 23 00:00:00 2017 GMT
Valid until: Jul 3 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): NAMOS, LLC [4E414D4F532C204C4C43]
L (localityName): Voronezh [566F726F6E657A68]
O (organizationName): NAMOS, LLC [4E414D4F532C204C4C43]
OU (organizationalUnitName): IT [4954]
ST (stateOrProvinceName): RU [5255]
postOfficeBox (postOfficeBox): 394036 [333934303336]
postalCode (postalCode): 394036 [333934303336]
street (streetAddress): prospekt Revolyutsii, d. 23 ofis 5 [70726F7370656B74205265766F6C7975747369692C20642E203233206F6669732035]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

PUA.Application.Downloader - Certificate “issued” by Comodo & “countersigned” by GlobalSign

Some suspicious/malicious Indicators: File code is packed and obfuscated, File embeds another file (type: InnoSetup, location: overlay), File has multiple PE Anomalies (PE file contains zero-size sections, Entrypoint is outside of first section, PE file contains unusual section name), File sections are executable (.text & .itext), File creates guarded memory sections, File accesses the Windows Event Log, File accesses the Windows default safe DLL search path, Queries sensitive IE security settings and information, Contacts 1 domain and 1 host, Found malicious artifacts related to “165.193.78.234” (GET /packages/VR/PackageV.exe HTTP/1.0, Host: post.securestudies.com, User-Agent: InnoTools_Downloader)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 249388035416367020843426933021942227300
Serial (Hex): bb9e6375eae2a1ea88885ec1758c2164

Valid from: Jun 6 00:00:00 2017 GMT
Valid until: Jun 6 23:59:59 2018 GMT

C (countryName): CN [434E]
CN (commonName): RuiQing Software Technology Beijing Inc [52756951696E6720536F66747761726520546563686E6F6C6F6779204265696A696E6720496E63]
L (localityName): Beijing [4265696A696E67]
O (organizationName): RuiQing Software Technology Beijing Inc [52756951696E6720536F66747761726520546563686E6F6C6F6779204265696A696E6720496E63]
ST (stateOrProvinceName): Beijing [4265696A696E67]
postalCode (postalCode): 100096 [313030303936]
street (streetAddress): No.A215,2/F,North Section,No.3,Xisanqi Building materials city,Haidian District [4E6F2E413231352C322F462C4E6F7274682053656374696F6E2C4E6F2E332C586973616E7169204275696C64696E67206D6174657269616C7320636974792C4861696469616E204469737472696374]

Hello pio,
Thanks for the submission, we’ll check the file and add detection if necessary.

Best regards,
Andrei Savin

File uses the same stolen certificate and connects to the same IP as my post above !!!

Variant.PUA.Application.Downloader - Certificate “issued” by Comodo & “countersigned” by GlobalSign

Some suspicious/malicious Indicators: File code is packed and obfuscated, Matched Compiler/Packer signature (Embarcadero Delphi (2009-2010)), File has multiple PE Anomalies (PE file contains unusual section name, Entrypoint is outside of first section, PE file contains zero-size sections), The file embeds another file (type: InnoSetup, location: overlay), File creates guarded memory sections, File accesses the Windows default safe DLL search path, File accesses the Windows Setup API, Queries sensitive IE security settings and information, Contacts 1 domain and 1 host, Found malicious artifacts related to “165.193.78.234” (GET /packages/VR/PackageV.exe HTTP/1.0, Host: post.securestudies.com, User-Agent: InnoTools Downloader; GET /packages/IR/PackageI2.exe HTTP/1.0, Host: post.securestudies.com, User-Agent: InnoTools Downloader)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 249388035416367020843426933021942227300
Serial (Hex): bb9e6375eae2a1ea88885ec1758c2164

Valid from: Jun 6 00:00:00 2017 GMT
Valid until: Jun 6 23:59:59 2018 GMT

C (countryName): CN [434E]
CN (commonName): RuiQing Software Technology Beijing Inc [52756951696E6720536F66747761726520546563686E6F6C6F6779204265696A696E6720496E63]
L (localityName): Beijing [4265696A696E67]
O (organizationName): RuiQing Software Technology Beijing Inc [52756951696E6720536F66747761726520546563686E6F6C6F6779204265696A696E6720496E63]
ST (stateOrProvinceName): Beijing [4265696A696E67]
postalCode (postalCode): 100096 [313030303936]
street (streetAddress): No.A215,2/F,North Section,No.3,Xisanqi Building materials city,Haidian District [4E6F2E413231352C322F462C4E6F7274682053656374696F6E2C4E6F2E332C586973616E7169204275696C64696E67206D6174657269616C7320636974792C4861696469616E204469737472696374]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Regards,
Aravindhraj J

PUA.Application.Downloader - Certificate “issued” by Comodo

Advanced File Analysis System | Valkyrie - Valkyrie gives out a correct PUA verdict! Please create and add signature detection for this file!

Some suspicious/malicious Indicators: File code is packed and obfuscated, Matched Compiler/Packer signature (UPX 3.91), File has multiple PE Anomalies (PE file is packed with UPX, Entrypoint is outside of first section, PE file contains zero-size sections), File embeds other files (type: AutoIt, location: resources; type: Executable, location: resources), File code is self modifying, Found a reference to a WMI query string known to be used for VM detection, Contains ability to listen for incoming connections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation language, Reads the registry for installed applications, Tries to sleep for a long time, File creates guarded memory sections, Opens the Kernel Security Device Driver, File tries to steal user passwords, File accesses sensitive browser information, Modifies proxy settings, Contacts 2 domains and 3 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “176.9.97.244”, Found malicious artifacts related to “5.9.175.19”

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 297583003291266744863436462781838522944
Serial (Hex): dfe066d5acffad39c60aea807a45fa40

Valid from: Feb 7 00:00:00 2017 GMT
Valid until: Feb 7 23:59:59 2018 GMT

C (countryName): DE [4445]
CN (commonName): CHIP Digital GmbH [43484950204469676974616C20476D6248]
L (localityName): Munich [4D756E696368]
O (organizationName): CHIP Digital GmbH [43484950204469676974616C20476D6248]
OU (organizationalUnitName): Download Development [446F776E6C6F616420446576656C6F706D656E74]
ST (stateOrProvinceName): Bayern [42617965726E]
postalCode (postalCode): 81541 [3831353431]
street (streetAddress): St.-Martin-Strasse 66 [53742E2D4D617274696E2D53747261737365203636]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

EDIT: Added Valkyrie link

Trojan.Adware.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious Indicators: File code is packed and obfuscated, Matched Compiler/Packer signature (Input File: “Armadillo v4.x”, Overlay: “Visual C++ 6.0”, Dropped File: “Borland Delphi 4.0”), PE File has multiple Anomalies (File calls a TLS callback at 0x4274D0 [.text:0x156880], The first section (name: .text) is writable, CRC value set in PE header does not match actual value, PE file contains zero-size sections), Reads the active computer name, Reads the cryptographic machine GUID, Queries physical drive, File interacts with the primary disk partition (Input Sample interacting with “\Device\Harddisk0\DR0” using IoControlCode 0x2d1400), Opens the Kernel Security Device Driver, Queries kernel debugger information, Modifies proxy settings, Queries sensitive IE security settings, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “35.157.67.12” (“GET /endpoint/utorrent/os/windows/track/stable/ HTTP/1.1, User-Agent: Christmas Mystery 5.5.4, Host: download-new.utorrent.com”)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 338087242113649284876078016467511237739
Serial (Hex): fe593bfdb81c30bfd2281e1a2d535c6b

Valid from: Jul 11 00:00:00 2017 GMT
Valid until: Aug 16 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): OOO_START-SERVIS [4F4F4F5F53544152542D534552564953]
L (localityName): Samara [53616D617261]
O (organizationName): OOO_START-SERVIS [4F4F4F5F53544152542D534552564953]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 443099 [343433303939]
street (streetAddress): Frunze, 96 [4672756E7A652C203936]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Regards,
Pavithran G

Trojan.Adware.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious Indicators: File code is packed and obfuscated, Matched Compiler/Packer signature (“Armadillo v4.x”), PE File has multiple Anomalies (File calls a TLS callback at 0x426540 [.text:0x152896], The first section (“text”) is writable, File contains a suspicious named section), Reads the active computer name, Reads the cryptographic machine GUID, Queries physical drive, File interacts with the primary disk partition, Input File opens the Kernel Security Device Driver, Queries kernel debugger information, Accesses potentially sensitive information from local browsers, Modifies proxy settings, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Found malicious artifacts related to “35.157.67.12” & Found malicious artifacts related to “77.120.105.213” (“GET /download/0ec6a96fdeb9522051e1fb416be0f670/book605754.rar HTTP/1.1, User-Agent: Christmas Mystery 5.5.4, Host: esulare.ru, Connection: Keep-Alive”)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 338087242113649284876078016467511237739
Serial (Hex): fe593bfdb81c30bfd2281e1a2d535c6b

Valid from: Jul 11 00:00:00 2017 GMT
Valid until: Aug 16 23:59:59 2017 GMT

C (countryName): RU [5255]
CN (commonName): OOO_START-SERVIS [4F4F4F5F53544152542D534552564953]
L (localityName): Samara [53616D617261]
O (organizationName): OOO_START-SERVIS [4F4F4F5F53544152542D534552564953]
ST (stateOrProvinceName): RU [5255]
postalCode (postalCode): 443099 [343433303939]
street (streetAddress): Frunze, 96 [4672756E7A652C203936]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Trojan.PUA.Variant.Graftor - Certificate “issued” by Comodo

Some suspicious/malicious Indicators: File code is packed and obfuscated, Matched Compiler/Packer signature (Packer: Armadillo v1.71; Compiler: Microsoft Visual C++, Microsoft Visual C++ 5.0, Microsoft Visual C++ v6.0), PE File has Anomalies (PE file has unusual entropy sections), Reads the active computer name, Reads the cryptographic machine GUID, Reads the system/video BIOS version, Reads the windows installation date, Reads the registry for installed applications, Contains ability to elevate privileges (Tries to obtain the highest possible privilege level without UAC dialog), Contains ability to enumerate processes/modules/threads, Tries to implement anti-virtualization techniques (Vbox, VMware, qemu), Interacts with the primary disk partition, Queries volume information of an entire harddrive, Hooks API calls (“NtCreateUserProcess[at]NTDLL.DLL” in “Input Sample”), Modifies proxy settings, Queries sensitive IE security settings, Checks network status using ping, Process launched with changed environment (Processes “iexplore.exe” & “cmd.exe” were launched with new environment variables), Contacts 1 domain and 1 host, Found malicious artifacts related to “52.16.166.98” (“GET … HTTP/1.1, User-Agent: Downloader 26.0, Host: lafdajomyphyhzi.shouldlady.ru, Cache-Control: no-cache”, “POST … HTTP/1.1, Content-Type: multipart/form-data; boundary=FdEOYMVgRm4H4wsABYPuiwJQBatqu1, User-Agent: Downloader 26.0, Host: lafdajomyphyhzi.shouldlady.ru, Content-Length: 1246, Cache-Control: no-cache, Cookie: GSID=c4007c9fa645c8697f8a0e1b5c710329” with no payload), Found LoadMoney Checkin 5

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 287542394898146868748987480543630872469
Serial (Hex): d852a69edc3db4e60a8a35f4a26a4f95

Valid from: Aug 2 00:00:00 2017 GMT
Valid until: Jul 18 23:59:59 2018 GMT

C (countryName): RU [5255]
CN (commonName): GORKO, LLC [474F524B4F2C204C4C43]
L (localityName): Novosibirsk [4E6F766F7369626972736B]
O (organizationName): GORKO, LLC [474F524B4F2C204C4C43]
ST (stateOrProvinceName): Novosibirskaya [4E6F766F7369626972736B617961]
postalCode (postalCode): 630005 [363330303035]
street (streetAddress): d. 48 ofis 908, ul. Nekrasova [642E203438206F666973203930382C20756C2E204E656B7261736F7661]

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■