Report trusted and whitelisted malware here - 2018 (NO LIVE MALWARE!)

Valkyrie Final Verdict: CLEAN

Hi Felipe,
Thanks for the submission, we’ll check the file and take appropriate measures.

Best regards,
Andrei Savin

File is unjustifiably FULLY trusted !!!

PUA.Variant.InstallCore - Certificate “issued” by VeriSign & Symantec & “countersigned” by Symantec & Thawte

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi 4.0 , Packer : Inno Setup Installer , File has multiple binary anomalies ( Embeds another file ( type : Inno Setup , location : overlay ) , File ignores DEP , File ignores Code Integrity , CRC value set in PE header does not match actual value , PE file contains zero-size sections , The size ( 18328 bytes ) of the certificate is suspicious , The file has “3” shared sections , Contains unknown resources ) , Checks for an ADS , Creates guarded memory sections , Reads the active computer name , Reads the cryptographic machine GUID , Reads the system/video BIOS version , Reads the windows product ID , Scanning for window names , Reads the registry for installed applications , Duplicates the process handle of another process to obtain access rights to that process , Writes bytes to another process ( “%WINDIR%\SysWOW64\regsvr32.exe” ) , Opens the MountPointManager , Uses a User Agent typical for browsers, although no browser was ever launched ( Found user agent : Mozilla/5.0 ) , Modifies proxy settings , Queries sensitive IE security settings , Found malicious network related activity , POSTs data to a webserver ( "POST / HTTP/1.1Accept: */*Host : 4.tanefedgan.com , IP : 54.72.212.121 , User-Agent: Mozilla/5.0

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 37764354959338783732895431177534749187
Serial (Hex): 1c692673d01fd2db5c97c2cc2114ba03

Valid from: Jul 13 00:00:00 2017 GMT
Valid until: Jul 13 23:59:59 2018 GMT

C (countryName): US [5553]
CN (commonName): Andy OS Inc [416E6479204F5320496E63]
L (localityName): San Francisco [53616E204672616E636973636F]
O (organizationName): Andy OS Inc [416E6479204F5320496E63]
ST (stateOrProvinceName): California [43616C69666F726E6961]
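Several of the static anomalies listed in the reports above (“CRC value set in PE header does not match actual value”, “PE file contains zero-size sections”, “Embeds another file ( location : overlay )”) can be reproduced without a sandbox. The script below is an added example written for this thread, not code from the forum, from Comodo/Valkyrie or from any of the sandboxes quoted; it implements the PE CheckSum algorithm that Windows uses for the optional-header CheckSum field, flags sections whose SizeOfRawData is zero, and measures the overlay (bytes past the last section's raw data). The sample PE it checks is constructed inline (a minimal MZ/PE32 image with a deliberately wrong checksum, a zero-size `.bss` section and an appended overlay blob), so it runs offline; the function names are this example's own.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(stored_checksum, overlay=b"", zero_size_section=True):
    """Construct a minimal PE32 image (not a real program) for testing."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> "PE\0\0"
    sections = [(b".text", 0x200), (b".rdata", 0x200)]
    if zero_size_section:
        sections.append((b".bss", 0))                  # zero SizeOfRawData
    opt_size = 224                                     # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)   # CheckSum field
    headers_len = 64 + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF           # file-align raw data
    sec_hdrs, raw, va = b"", b"", 0x1000
    for name, size in sections:
        ptr = raw_ptr + len(raw) if size else 0
        sec_hdrs += struct.pack(SECTION_FMT, name, size or 0x1000, va, size,
                                ptr, 0, 0, 0, 0, 0x60000020)
        raw += b"\x90" * size                          # constructed filler
        va += 0x1000
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return hdr + b"\0" * (raw_ptr - len(hdr)) + raw + overlay


def parse_pe(data):
    """Return checksum offset, stored checksum and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum_off = opt_off + 64                        # same offset for PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    return {"checksum_offset": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}


def pe_checksum(data, checksum_offset):
    """Windows PE CheckSum: one's-complement 16-bit fold over all dwords
    except the CheckSum field itself, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def find_anomalies(data):
    """Checksum mismatch, zero-size sections and overlay size for one PE."""
    info = parse_pe(data)
    computed = pe_checksum(data, info["checksum_offset"])
    end = max((s["raw_ptr"] + s["raw_size"] for s in info["sections"]), default=0)
    # Note: on a signed file the Authenticode certificate table also sits past
    # the last section, so a real checker subtracts the security directory.
    return {"stored_checksum": info["stored_checksum"],
            "computed_checksum": computed,
            "checksum_matches": info["stored_checksum"] == computed,
            "zero_size_sections": [s["name"] for s in info["sections"] if s["raw_size"] == 0],
            "overlay_size": max(len(data) - end, 0)}


def fix_checksum(data):
    """Rewrite the CheckSum field with the correct value (what a linker does)."""
    info = parse_pe(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, info["checksum_offset"],
                     pe_checksum(data, info["checksum_offset"]))
    return bytes(patched)


if __name__ == "__main__":
    sample = build_sample_pe(0xDEADBEEF, overlay=b"constructed overlay blob")
    for key, value in find_anomalies(sample).items():
        print(f"{key}: {value}")
```

A mismatched checksum by itself is weak evidence (many legitimate toolchains leave the field zero), which is why the reports list it alongside the overlay and sandbox behaviour rather than on its own; the useful signal is an installer whose overlay carries a second installer and which then phones home, not the checksum field.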

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Regards,
Aravindhraj J

Submitted 11 days ago; until yesterday it was “unknown”.

Today is “reliable”. OMG :-TD

SHA1: 7471490fb90d87a4ede290287d12c6b71b4c20f5

Hi, Felipe Oliveira

Thank you for your submission.
We’ll check it.

Best regards
Chunli.chen

Hi Felipe,
Thanks for your submission. We’ll check the files and add detection where necessary.

Best regards,
Andrei Savin

Hi, Felipe Oliveira

Thank you for your submission.
We’ll check it.

Best regards
Chunli.chen

File is unjustifiably FULLY trusted !!! The File certificate was not recognized !

PUA.InstallRex. - Certificate “issued” by Comodo & UserTrust & “countersigned” by Comodo & UserTrust

YARA signature “PUP_InstallRex_AntiFWb” matched file “OpalConvert-CSV-JSON_Setup.exe.bin” as “Malware InstallRex / AntiFW” based on indicators: “Error %u while loading TSU.DLL %ls,GetModuleFileName() failed => %u,5400530055004c006f0061006400650072002e00650078006500,5c0053007400720069006e006700460069006c00650049006e0066006f005c00250030003400780025003000340078005c0041007200670075006d0065006e0074007300,5400730075002500300038006c0058002e0064006c006c00”

YARA signature “PUP_InstallRex_AntiFWb” matched file “all.bstring” as “Malware InstallRex / AntiFW” based on indicators: “Error %u while loading TSU.DLL %ls,GetModuleFileName() failed => %u,TSULoader.exe,\StringFileInfo%04x%04x\Arguments,Tsu%08lX.dll”

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : MS Visual C++ , File has multiple binary anomalies ( Digisig is expired: Jul 17 23:59:59 2016 , File ignores Code Integrity , PE file has unusual entropy sections , CRC value set in PE header does not match actual value , Contains zero-size sections ) , Contains ability to open/control a service , Contains ability to download files from the internet , Contains ability to query CPU information , Found cryptographic related strings , Has no visible windows , Tries to detect the presence of a debugger , Expects Administrative permission , Reads the active computer name , Reads the cryptographic machine GUID , Reads the registry for installed applications , Queries volume information of an entire hard drive , Tries to sleep a long time , Duplicates the process handle of another process to obtain access rights to that process , Creates a windows hook that monitors keyboard input , Opens the MountPointManager , Touches multiple files in the Windows directory

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
Serial: 331637911641072385803597201282442856423
Serial (Hex): f97f2372ecad1fa435b0ad02c8b607e7

Valid from: Jul 18 00:00:00 2013 GMT
Valid until: Jul 17 23:59:59 2016 GMT

C (countryName): GB [4742]
CN (commonName): Daniel White [44616E69656C205768697465]
L (localityName): Bedford [426564666F7264]
O (organizationName): Daniel White [44616E69656C205768697465]
ST (stateOrProvinceName): Bedfordshire [426564666F72647368697265]
postalCode (postalCode): MK44 3NG [4D4B343420334E47]
street (streetAddress): 18 The Hill [3138205468652048696C6

Hi Pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

File is unjustifiably FULLY trusted !!!

PUA.Riskware.Asparnet - Certificate “issued” by UserTrust & “countersigned” by Comodo & UserTrust

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer , Morphine v1.2 , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Embeds another file ( type: InnoSetup , location: overlay ) , Contains zero size sections , CRC value set in PE header does not match actual value , The file has “3” shared sections , Contains unknown resources , The certificate issuer (UTN-USERFirst-Object) has expired (10/05/2015) , The certificate subject (COMODO Time Stamping Signer) has expired (10/05/2015) ) , Contains ability to query CPU information , Contains ability to download files from the internet , Contains ability to lookup the windows account name , Found more than one unique User-Agent , Queries volume information of an entire hard drive , Reads terminal service related keys , Reads the active computer name , Reads the cryptographic machine GUID , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Reads the registry for installed applications , Reads Windows Trust Settings , Scanning for window names , Creates windows services ( “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”) , Deletes its original binary from disk , A process created a hidden window , Duplicates the process handle of another process to obtain access rights to that process , Opens the Kernel Security Device Driver , Accesses sensitive information from local browsers , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Found malicious network related activity , HTTP request contains Base64 encoded artifacts , GETs data from various hosts , Found malicious artifacts related to “199.36.102.106” (websearch.ask.com) & “74.113.233.61” (img.apnanalytics.com)

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
Serial: 120323648035794777459439591763436950514
Serial (Hex): 5a857dde8b4fa115416d87781fc4d3f2

Valid from: Feb 10 00:00:00 2011 GMT
Valid until: Feb 9 23:59:59 2014 GMT

C (countryName): AU [4155]
CN (commonName): Auslogics Software Pty Ltd [4175736C6F6769637320536F66747761726520507479204C7464]
L (localityName): Crows Nest [43726F7773204E657374]
O (organizationName): Auslogics Software Pty Ltd [4175736C6F6769637320536F66747761726520507479204C7464]
ST (stateOrProvinceName): NSW [4E5357]
postalCode (postalCode): 1585 [31353835]
street (streetAddress): PO Box 1644 [504F20426F782031363434]

Hi Pio,

Thank you for your submission.
We’ll check it.

Kind Regards,
Erik M.

Riskware/InstallCore VT: 15/65

PUA/InstallCore VT: 17/65

PUA/InstallCore VT: 13/65

PUA/InstallCore VT: 13/54

Hi Felipe Oliveira,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.InstallCore - Certificate “issued” by Symantec & VeriSign & “countersigned” by Symantec & Thawte

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi 6.0 - 7.0 , Packer: Inno Setup Installer , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Contains another file ( type: InnoSetup, location: overlay ) , CRC value set in PE header does not match actual value , Contains zero-size sections , The count “5” of libraries is suspicious , The file has “3” shared sections ) , Found Delphi 4 - Delphi 2006 artifact ( has a PE timestamp using the buggy magic timestamp “0x2A425E19” ) , File has no visible windows , Creates guarded memory sections , References Windows built-in privileges , File modifies the filesystem , Touches multiple files in the Windows system directory

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 118202670773406737515473305365598042868
Serial (Hex): 58ed019dda867257493e61e5f18dfaf4

Valid from: May 17 00:00:00 2017 GMT
Valid until: Aug 15 23:59:59 2020 GMT

C (countryName): HK [484B]
CN (commonName): Power Software Limited
L (localityName): North Point
O (organizationName): Power Software Limited
ST (stateOrProvinceName): Hong Kong

Hello pio,
We’ll check the file and take appropriate measures.

Best regards,
Andrei Savin

File is unjustifiably FULLY trusted !!!

PUA.Adware.FusionCore - Certificate “issued” by GlobalSign & “countersigned” by GlobalSign

Some suspicious/malicious Indicators : Compiler/Packer/Protector signature > Compiler : MS Visual 10.0 , Packer: Nullsoft Scriptable Installer - UPX , Protector: “VMProtect v1.70.4” , File has multiple binary anomalies ( File ignores Code Integrity , The file contains another file ( type: Nullsoft, location: overlay, file-offset: 0x00010408 ) , CRC value set in PE header does not match actual value , Entrypoint in PE header is within an uncommon section , PE file has unusual entropy sections , Contains zero-size sections ) , Checks if a debugger is present , Found Anti-VM Strings ( Checks a device property , Queries volume information of an entire hard drive ) , Contains native function calls ( NtOpenThreadToken[at]ntdll.dl ) , Contains ability to measure performance , Contains ability to open the clipboard , Contains ability to retrieve keyboard strokes , Found Delphi 4 - Delphi 2006 artifact ( has a PE timestamp using the buggy magic timestamp “0x2A425E19” ) , References Windows built-in privileges , Expects Administrative permission , Creates guarded Memory sections , Reads the active computer name , Reads the cryptographic machine GUID , Scanning for window names , Reads the registry for installed applications , Reads terminal service related keys , Writes Data to itself and to “C:\Program Files\Internet Explorer\iexplore.exe”, Creates windows services ( Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”) , Opens the Kernel Security Device Driver , Accesses sensitive information from local browsers , Modifies proxy settings , Process launched with changed environment ( “iexplore.exe” )

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign CodeSigning CA - SHA256 - G3
Serial: 14866108405781186065315592385
Serial (Hex): 3008f4e77f65ed777552f8c1

Valid from: Dec 2 10:26:31 2016 GMT
Valid until: Dec 3 10:26:31 2018 GMT

C (countryName): KR
CN (commonName): 3DP
L (localityName): Gimhae-si
O (organizationName): 3DP
ST (stateOrProvinceName): Gyeongsangnam-do

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■