Report trusted and whitelisted malware here - 2022 (NO LIVE MALWARE!)

Previous Thread

Comodo is constantly improving its whitelist. This makes CIS more user-friendly but does, in some circumstances, have some downsides. Some malware may sometimes be trusted because it is signed by a trusted certificate, or perhaps the vendor was trustworthy but then changed their ways. This is rare, but it does happen.

Regardless of how it happens, it’s important to take action against this. If you find malware that is whitelisted but seems suspicious, please report it here. The name of the trusted vendor, or any other information, is also useful.

Upload these files to one of the following services and post a link to the results:

DO NOT attach or link any malware or malicious links to your post.

When coming across malware signed by Comodo, please follow the steps as described in How to report fraudulent or malicious use of certificates issued by Comodo:

Code Signing Certificates

If you have come across malware signed with a Comodo-issued Code Signing certificate, please send as much detail as possible to:

signedmalwarealert[at]comodo.com

Helpful details include:
link to the signed malware
screenshots of the certificate details showing the signer organization or certificate serial number or other details which will help us identify the certificate
a copy of the actual certificate if possible

This article also describes how to report fraudulent and phishing emails using Comodo SSL/TLS certificates (but this is not pertinent for this topic).

P.S. Comodo Instant Malware Analysis (CIMA) is no longer active and can no longer be used to submit files to Comodo.
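The post above asks reporters for the signer organization and the certificate serial number. Both live in the PKCS#7 SignedData blob that Authenticode stores in the PE's security data directory, so a reporter can pull them without trusting a third-party viewer. The following is an added example (not Comodo's code and not from this thread) that walks that structure with a minimal DER reader using only the standard library and returns the fields in the shape the reports in this thread use. It does not verify the signature; the OID constants, the helper names and the constructed, unsigned sample blob are this example's own, with the sample reusing the issuer, subject, serial and validity quoted in the first PC CARE TOOLS report in this thread.

```python
import struct
from datetime import datetime

# DER-encoded contents of the X.500 attribute OIDs used in the DNs the reports quote.
ATTR_OIDS = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
             "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in ATTR_OIDS.items()}
OID_PKCS7_SIGNED = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 signedData
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")     # 1.2.840.113549.1.7.1 data
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")     # 1.2.840.113549.1.1.11

def der_read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """All TLVs directly inside a constructed value, as (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out

def parse_name(name_contents):
    """Name ::= SEQUENCE OF SET OF {OID, value}, rendered OpenSSL-style: /C=../O=../CN=.."""
    parts = []
    for _, rdn in der_children(name_contents):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def fmt_time(tag, raw):
    """UTCTime (0x17) or GeneralizedTime (0x18) -> 'Oct 5 00:00:00 2018 GMT'."""
    d = datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")
    return f"{d:%b} {d.day} {d:%H:%M:%S %Y} GMT"

def summarize_cert(cert_contents):
    """Contents of one Certificate SEQUENCE -> the fields a report needs."""
    tbs = der_children(der_children(cert_contents)[0][1])   # tbsCertificate fields
    if tbs[0][0] == 0xA0:                   # explicit [0] version, present in v3 certs
        tbs = tbs[1:]                       # now: serial, sigAlg, issuer, validity, subject, ...
    serial = int.from_bytes(tbs[0][1], "big", signed=True)
    (nb_tag, nb), (na_tag, na) = der_children(tbs[3][1])
    return {"serial": serial, "serial_hex": f"{serial:x}",
            "issuer": parse_name(tbs[2][1]), "subject": parse_name(tbs[4][1]),
            "not_before": fmt_time(nb_tag, nb), "not_after": fmt_time(na_tag, na)}

def certs_in_pkcs7(blob):
    """ContentInfo -> [0] SignedData -> certificates [0] IMPLICIT SET OF Certificate."""
    _, content_info, _ = der_read(blob)
    (_, content_type), (_, wrapped) = der_children(content_info)
    if content_type != OID_PKCS7_SIGNED:
        raise ValueError("not a PKCS#7 signedData blob")
    _, signed_data, _ = der_read(wrapped)
    for tag, val in der_children(signed_data):
        if tag == 0xA0:                     # certificates; crls would be [1] (0xA1)
            return [summarize_cert(c) for _, c in der_children(val)]
    return []

def authenticode_blob(pe):
    """PKCS#7 bytes from IMAGE_DIRECTORY_ENTRY_SECURITY (8-byte WIN_CERTIFICATE header dropped)."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)     # entry 4; its VA is a file offset
    return pe[off + 8:off + size] if size else b""

# --- constructed sample: a stand-in with no key and dummy signature bits, NOT a real signature ---
def der(tag, body):
    n = len(body)
    nlen = (n.bit_length() + 7) // 8
    lb = bytes([n]) if n < 0x80 else bytes([0x80 | nlen]) + n.to_bytes(nlen, "big")
    return bytes([tag]) + lb + body
def seq(*items):
    return der(0x30, b"".join(items))
def integer(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
def name(**attrs):
    return seq(*[der(0x31, seq(der(0x06, ATTR_OIDS[k]), der(0x13, v.encode()))) for k, v in attrs.items()])

def build_sample_pkcs7():
    """Issuer, subject, serial and validity as quoted in the PC CARE TOOLS report in this thread."""
    tbs = seq(der(0xA0, integer(2)), integer(0x314ff439614ea611359fa634ba041299),
              seq(der(0x06, OID_SHA256_RSA)),
              name(C="GB", ST="Greater Manchester", L="Salford", O="COMODO CA Limited",
                   CN="COMODO RSA Code Signing CA"),
              seq(der(0x17, b"181005000000Z"), der(0x17, b"190612235959Z")),
              name(C="IN", ST="RAJASTHAN", L="JAIPUR", O="PC CARE TOOLS", CN="PC CARE TOOLS"),
              seq())                                                  # empty subjectPublicKeyInfo
    cert = seq(tbs, seq(der(0x06, OID_SHA256_RSA)), der(0x03, b"\x00\x00"))
    signed_data = seq(integer(1), der(0x31, b""), seq(der(0x06, OID_PKCS7_DATA)),
                      der(0xA0, cert), der(0x31, b""))
    return seq(der(0x06, OID_PKCS7_SIGNED), der(0xA0, signed_data))
```

On a real file, `certs_in_pkcs7(authenticode_blob(open(path, "rb").read()))` lists every certificate embedded in the signature, which is normally the signer's leaf plus its intermediates; the serial and issuer of the leaf are what the signedmalwarealert address asks for. The script only reads the structure: whether the signature is actually valid, and whether the certificate has since been revoked, is a job for signtool verify or PowerShell's Get-AuthenticodeSignature, and a revoked certificate is exactly what a successful report to the CA produces.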

PUA/Adware.Win32/SpeedChecker / MSIL.GT32SupportGeeks - Certificate issued by Comodo & countersigned by DigiCert

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer , File has multiple binary anomalies ( File ignores Code Integrity, Entrypoint is outside of first section, CRC value set in PE header does not match actual value, Contains zero-size sections, The file-ratio of the overlay is “97.62%”, The file has “2” executable sections, Contains unknown resources, Contains another files ( type: InnoSetup, location: overlay, file-offset: “0x00029A00” & “0x006E8A4C” ), Drops multiple executable files, Reads Antivirus engine related registry keys (“HKLM\SOFTWARE\AVG\ANTIVIRUS”), Contains references to WMI/WMIC, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Scanning for window names, Queries kernel debugger information, Queries process information, Queries volume information of an entire harddrive, Allocates virtual memory in a remote process ( “\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0”, Writes data to a remote process ( “C:\Windows\System32\taskkill.exe” ), Installs hooks/patches the running process ( “ISCRYPT.DLL”, “SHFOLDER.DLL”, “MSIMG32.DLL”, “NSI.DLL” ), Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Generates some ICMP traffic, Communicates with host for which no DNS query was performed (“104.81.60.216” & “104.81.60.33”)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 65547316699348809872486349231859438233
Serial (Hex): 314ff439614ea611359fa634ba041299

Valid from: Oct 5 00:00:00 2018 GMT
Valid until: Jun 12 23:59:59 2019 GMT

C (countryName): IN [494E]
CN (commonName): PC CARE TOOLS [5043204341524520544F4F4C53]
L (localityName): JAIPUR [4A4149505552]
O (organizationName): PC CARE TOOLS [5043204341524520544F4F4C53]
ST (stateOrProvinceName): RAJASTHAN [52414A41535448414E]
postalCode (postalCode): 302017 [333032303137]
street (streetAddress): 3/213, MALVIYA NAGAR [332F3231332C204D414C56495941204E41474152]

File is rated as fully trustworthy !!!
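Several of the "binary anomalies" in the sandbox output above (CRC mismatch, entry point outside the first section, zero-size sections, number of executable sections, overlay file ratio) are pure header arithmetic, so they can be reproduced locally before a file is reported. The following added example (not from this thread, Comodo or the sandbox vendor) computes them from a PE's headers with only the standard library. `build_sample_pe`, a constructed minimal PE32 that is not a real program, stands in for a sample file, and the field names of the returned dict are this example's own.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def pe_checksum(data, checksum_offset):
    """PE CheckSum as imagehlp computes it: ones'-complement sum of the file's 16-bit
    words, skipping the 4-byte CheckSum field itself, plus the file length."""
    padded = data + b"\0" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)

def parse_pe(data):
    """Header fields the checks need; raises on anything that is not MZ/PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rsize": rsize, "rptr": rptr,
                         "chars": struct.unpack_from("<I", data, hdr + 36)[0]})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],   # same offset in PE32 and PE32+
            "checksum_offset": opt + 64, "sections": sections}

def find_anomalies(data):
    """The static indicators the sandbox reports quote, computed from the headers."""
    pe = parse_pe(data)
    secs = pe["sections"]
    first_end = secs[0]["va"] + max(secs[0]["vsize"], secs[0]["rsize"])
    data_end = max(s["rptr"] + s["rsize"] for s in secs)
    overlay = max(0, len(data) - data_end)          # bytes after the last section's raw data
    return {
        "checksum_mismatch": pe["checksum"] != pe_checksum(data, pe["checksum_offset"]),
        "entry_outside_first_section": not (secs[0]["va"] <= pe["entry"] < first_end),
        "zero_size_sections": [s["name"] for s in secs if s["rsize"] == 0],
        "executable_sections": sum(1 for s in secs if s["chars"] & IMAGE_SCN_MEM_EXECUTE),
        "overlay_ratio": round(100.0 * overlay / len(data), 2),
    }

def build_sample_pe(entry=0x1000, overlay=b"", bss=False, fix_checksum=True):
    """Constructed minimal PE32 (not a runnable program) used to exercise the checks.
    Sections: .text at raw 0x200, .data at raw 0x400, optional zero-size .bss."""
    secs = [(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020),
            (b".data", 0x200, 0x2000, 0x200, 0x400, 0xC0000040)]
    if bss:
        secs.append((b".bss", 0x100, 0x3000, 0, 0, 0xC0000080))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0,
                      0x200, 0x200, 0, entry, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x4000, 0x200, 0, 3, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty data dirs
    hdrs = dos + coff + opt + b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in secs)
    image = bytearray(hdrs.ljust(0x200, b"\0") + b"\xC3".ljust(0x200, b"\0") + b"\0" * 0x200 + overlay)
    if fix_checksum:
        struct.pack_into("<I", image, 64 + 24 + 64, pe_checksum(bytes(image), 64 + 24 + 64))
    return bytes(image)

if __name__ == "__main__":
    import sys
    sample = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
              else build_sample_pe(entry=0x2000, overlay=b"A" * 4608, bss=True, fix_checksum=False))
    for key, value in find_anomalies(sample).items():
        print(f"{key}: {value}")
```

Two caveats a reporter should keep in mind when quoting these indicators. An Inno Setup or NSIS installer stores its payload archive after the last section, so an overlay ratio in the high nineties is exactly what a legitimate installer looks like and is weak evidence on its own. The CheckSum field is not enforced by the loader for ordinary user-mode executables, so a mismatch usually means the linker was never asked to fill it in rather than that the file was tampered with; it is the combination with the behavioural indicators (process injection, proxy changes, contact with hosts that were never resolved) that makes a whitelisted file worth reporting.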

PUP.Adware.Variant.OpenCandy - Certificate issued by Thawte & countersigned by Symantec

Some suspicious/malicious Indicators : Compiler/Packer Signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: INNO, NSIS, appended, 7Z, File has multiple binary anomalies ( File ignores DEP, File ignores Code Integrity, Found Delphi 4 - Delphi 2006 artifact (using the buggy magic timestamp “0x2A425E19”), The file-ratio of the overlay is “99.77” %, The file has “3” shared sections, Contains multiple another files (type: Pkzip, Inno Setup, Flash, 7zsfx, Nullsoft), Contains zero-size sections, Contains unknown resources, CRC value set in PE header does not match actual value), Found more than one unique User-Agent (InnoDownloadPlugin 1.4 - Microsoft-CryptoAPI/6.1), References a MIME64 encoding string, References “4” Windows built-in privileges, Drops executable files, Tries to delay/evade the analysis, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Reads Windows Trust Settings, Checks for a ADS, Queries kernel debugger information, “Wscript.exe” wrote an executable file to disk (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe), Opens the Kernel Security Device Driver, Opened the service control manager, Queries the internet cache settings, Writes Data to itself, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings, Modifies System Certificates Settings, Creates windows services (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Sends traffic on typical HTTP outbound port, but without HTTP header, Resolves a suspicious TLD (smtp.mail.ru)

See the file related hex / strings in the Attachment !!!

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Thawte, Inc./CN=Thawte Code Signing CA - G2
Serial: 150241173182772474830240502896664126402
Serial (Hex): 710765be0e0b40112c8a61f0d99623c2

Valid from: Mar 15 00:00:00 2013 GMT
Valid until: Mar 15 23:59:59 2015 GMT

C (countryName): DE
CN (commonName): pdfforge GmbH
L (localityName): Hamburg
O (organizationName): pdfforge GmbH
ST (stateOrProvinceName): Hamburg

Hi,

Thank you for your submission.
We’ll check it.

Kind Regards,
Erik M.

gootkit

Hi,

Thank you for your submission.
We’ll check it.

Kind Regards,
Erik M.

Malware

VT

valkyrie

Hi syc070,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Abinaya R

malware

Hi syc070,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Ananthalakshmi M

File is rated as fully trustworthy !!!

PUA.Riskware.Downloader.Agent.FusionCore - Certificate issued by VeriSign & countersigned by Symantec

Some suspicious/malicious Indicators : Compiler/Packer Signature > Compiler: Microsoft Visual C++ 10 - 7.0, Packer: NSIS, appended, Unicode, File has multiple binary anomalies ( File ignores Code Integrity, PE file has unusual entropy sections, Found Delphi 4 - Delphi 2006 artifact - “Fusion.dll” has a PE timestamp using the buggy magic timestamp “0x2A425E19”, CRC value set in PE header does not match actual value, Contains zero-size sections, Contains another file (type: Nullsoft, location: overlay, file-offset: “0x00014208”), Runs a Keylogger, Expects Administrative permission, Checks for an ADS, Queries volume information of an entire harddrive, Modifies auto-execute functionality, Spawns a lot of processes, Reads the active computer name, Reads terminal service related keys, Reads the registry for installed applications, Creates guarded memory sections, Allocates virtual memory in a remote process (“HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing” - “\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”- “%WINDIR%\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll” - “\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE” - “\REGISTRY\MACHINE\SOFTWARE\Microsoft\Rpc\Extensions”), Writes data to another process (“C:\Windows\System32\regsvr32.exe”), Creates a suspicious process (cmdline > “regsvr32.exe” /s /u "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL) Opened the service control manager, Stops windows services (“SCDEmu” (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCDEmu\Start), Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Process launched with changed environment (“iexplorer.exe”), Generates some ICMP traffic, Communicates with host for which no DNS query was performed (“193.229.113.152” & “193.229.113.56”)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 25447212857388114618160785493989438414
Serial (Hex): 1324f475eba5951391c5126cf4eeb3ce

Valid from: Jan 5 00:00:00 2018 GMT
Valid until: Jan 5 23:59:59 2019 GMT

C (countryName): HK [484B]
CN (commonName): Power Software Limited
L (localityName): NORTH POINT
O (organizationName): Power Software Limited
ST (stateOrProvinceName): HONG KONG

Does not seem to have been edited yet !!!

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Ananthalakshmi M

File is rated as fully trustworthy !!!

PUP.Adware.Variant.InstallCore - Certificate issued by Thawte

Some suspicious/malicious Indicators : Compiler/Packer Signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: Inno Setup Installer 5.62, File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, Has “3” shared sections, Contains zero-size sections, Contains unknown resources, The file-ratio of the overlay is “97.75” %, Time Stamp is suspicious > “06/20/1992”, Contains another file (type: InnoSetup, location: overlay, file-offset: “0x0000D400”), Reads data out of its own binary image, References a Windows built-in privilege, Get TickCount value, Input file contains API references not part of its Import Address Table (“SetDllDirectoryW”, “SetSearchPathMode”, “SetProcessDEPPolicy”, “GetUserDefaultUILanguage”, “Wow64DisableWow64FsRedirection”, “Wow64RevertWow64FsRedirection”, Creates guarded memory sections, Touches files in the Windows directory (“WINDIR%\SysWOW64\en-US\KernelBase.dll.mui” & “WINDIR%\SysWOW64\netmsg.dll”), Set special directory property (C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files, C:\Documents and Settings\Administrator\Local Settings\History, C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5, C:\Documents and Settings\Administrator\Cookies, C:\Documents and Settings\Administrator\Local Settings\History\History.IE5), Generates some ICMP traffic

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=thawte, Inc./CN=thawte SHA256 Code Signing CA
Serial: 4468084437249212705824920047946844446
Serial (Hex): 035c859223ee74265664f784b1dc491e

Valid from: Sep 26 00:00:00 2018 GMT
Valid until: Sep 26 23:59:59 2019 GMT

C (countryName): RO [524F]
CN (commonName): XLNT Web Services SRL
L (localityName): Bucuresti
O (organizationName): XLNT Web Services SRL
OU (organizationalUnitName): IT

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Ananthalakshmi M

Malware

Hi,

Thank you for your submission.
We’ll check it.

Kind Regards,
Erik M.

False Positive:

File Name: procexpnt.zip
File Type: Zip archive data, at least v2.0 to extract
SHA1: a3ffa3ef88f5abcd81123ae8309c5e1e857477b9
MD5: 4a506726e9e5d07105a72d6b281cb6aa

False Positive:

File Name: Up.zip
File Type: Zip archive data, at least v1.0 to extract
SHA1: d92cbbbb415468c13ac9a72d7c8cec32aab64c15
MD5: 3241c751e8ae1f929f44d4eaa0707b50

False Positive:
“procexp9x.zip”
Cannot upload, webpage claims this un-uploaded file is already uploaded, but attempting to validate the “existing” upload instead loads results for the following submission: