Report trusted and whitelisted malware here - 2022 (NO LIVE MALWARE!)

Hello guys,

Thank you for submitting these, we’ll check them.

Best regards,
FlorinG


Hi tg912,

Thank you for submitting these, we’ll check them.

Best regards,
Saravanapathi V

PUA.Variant.InstallCore - Certificate issued by VeriSign & countersigned by Symantec & Thawte

Some suspicious/malicious indicators: Compiler/Packer Signature > Compiler: Microsoft Visual C/C++ (2010 SP1), Packer: NSIS, File has multiple binary anomalies (File ignores Code Integrity, PE file has unusual entropy sections, CRC value set in PE header does not match actual value, Contains zero-size sections, The file contains another file > type: Nullsoft, location: overlay, offset: “0x00014208” & type: Flash, location: overlay, offset: “0x003D634E”, Contains a virtualized section), Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, Contains ability to query CPU information, Reads data out of its own binary image, Creates guarded memory sections, Checks for an ADS file, Queries kernel debugger information, Reads the active computer name, Reads the cryptographic machine GUID, Reads terminal service related keys, Scanning for window names, Queries volume information of an entire hard drive, Modifies auto-execute functionality, Allocates virtual memory in a remote process (“HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections”), Writes data to a remote process (“iexplore.exe”), Makes a code branch decision directly after an API that is environment aware, Modifies proxy settings, Queries the internet cache settings, Queries sensitive IE security settings, Creates windows services (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Network activity contains more than one unique user agent (Mozilla/4.0), Sends traffic on typical HTTP outbound port, but without HTTP header, POSTs files to malicious web servers (Host: “rp.powopibobu3.com” > VirusTotal & Host: “os.powopibobu3.com” > VirusTotal), GETs files from a malicious web server (Host: “rp.powopibobu3.com”)

Algorithm: sha1WithRSAEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at hXXps://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 75499940057207870675512860210071768171
Serial (Hex): 38ccc270ec2e13e9590e3dcf982e8c6b

Valid from: Dec 6 00:00:00 2018 GMT
Valid until: Feb 4 23:59:59 2020 GMT

C (countryName): HK
CN (commonName): Power Software Limited
L (localityName): NORTH POINT
O (organizationName): Power Software Limited
ST (stateOrProvinceName): HONG KONG

Hello pio,

Thank you for submitting these, we’ll check them.

Best regards,
Umamaheshwari M

Hi,

14 days have now passed since the indicated notice, and I allow myself to point out that the file is still classified as completely trustworthy. It would therefore make sense to remove the manufacturer from the TVL and classify the file as harmful.

Hi pio,

We will look into it.

Thanks and regards,
Ionel

Thank you, and I can confirm! :slight_smile: :-TU

PUA.Variant.FusionCore - Certificate issued by Sectigo & countersigned by DigiCert, AddTrust & USERTrust

https://valkyrie.comodo.com/get_info?sha1=76288415866556b46611ec696317b73eb5292d1e

VirusTotal

Some suspicious/malicious indicators: Compiler/Packer Signature: NSIS, File has multiple binary anomalies (File ignores Code Integrity, The file contains another file > (type: Nullsoft, location: overlay, offset: “0x00012808”, type: Flash, location: overlay, offset: “0x0054698F”, type: Flash, location: overlay, offset: “0x00579199”), PE file has unusual entropy sections, CRC value set in PE header does not match actual value, The file contains a virtualized section, Timestamp in PE header is very old (00:00:00 1970), Contains zero-size sections), Contains ability to open the clipboard, Attempts to identify installed AV products by registry key (Avast & AVG), Reads the active computer name, Reads data out of its own binary image, Reads the cryptographic machine GUID, Reads the registry for installed applications, Reads Windows Trust Settings, Scanning for window names, Queries kernel debugger information, Queries process information, Queries sensitive IE security settings, Queries the internet cache settings, Checks for an ADS file, Creates guarded memory sections, Makes a code branch decision directly after an API that is environment aware, Opens the Kernel Security Device Driver, Opens the MountPointManager, Modifies System Certificates Settings, Modifies Software Policy Settings, Modifies proxy settings, Opened the service control manager, Creates windows services (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Sends traffic on typical HTTP outbound port, but without HTTP header, Network activity contains more than one unique user agent (NSIS_Inetc & Mozilla/4.0)

Certificate Details:

Algorithm: sha256WithRSAEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Code Signing CA
Serial: 123913368237704527069529292303013110410
Serial (Hex): 5d38d8bd64455068c2d1c74088c5e28a

Valid from: Feb 13 00:00:00 2019 GMT
Valid until: Feb 12 23:59:59 2022 GMT

C (countryName): DE
CN (commonName): Tim Kosse
L (localityName): Köln
O (organizationName): Tim Kosse
ST (stateOrProvinceName): NRW
postalCode (postalCode): 50823
street (streetAddress): Lukasstr. 10

Trojan.Agent.Dropper - Certificate issued by DigiCert

The certificate was stolen with great certainty!

Advanced File Analysis System | Valkyrie

VirusTotal

Some suspicious/malicious indicators: Compiler/Packer Signature: Compiler: Microsoft Visual C++ 8, Packer: APLib Compression, File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, The export table has an invalid RVA at “19f70”, The file contains a suspicious section (name: Winzip), PE file has unusual entropy sections, The file doesn’t register any VersionInfo), Spawns a “doc” file that contains VBA Macros (Obfuscation method: VBA Macro String Functions > Suspicious Macro Strings: “WinHttpRequest”, “CreateObject”, “Shell”…), Contains native function calls (NtdllDefWindowProc_A[at]NTDLL.DLL), Contains ability to query CPU information, Contains ability to lookup its own filename, Tries to detect if debugger is attached, Reads data out of its own binary image, Spawns a child process, The initial file deletes itself, Writes data to a newly created process, Reads terminal service related keys, Checks for an ADS, Creates an ADS, Makes a code branch decision directly after an API that is environment aware, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Opens the Kernel Security Device Driver

YARA rule matches:

#openxml_remote_content
#DIE_libavcodec_ff_mjpeg_val_ac_chrominance
#DIE_libavcodec_ff_mjpeg_val_ac_luminance
#DIE_lzari_StartModel_LE
#VBA_suspicious_strings
#mraptor_oletools
#VBA_external_connections
#DIE_RNG_original_numbers_LE
#DIE_PKCS_DigestDecoration_MD5
#DIE_Boucher_randgen5_LE
#DIE_SSL3_define_BE
#DIE_Boucher_randgen1_LE
#misc_pe_signature
#DIE_Zip_Crypto_LE
#DIE_function_where_is_handled_the_ZipCrypto_password_LE
#DIE_SSH_RSA_id_sha1_OBJ_ID_oiw_14_secsig_3_algorithms_2_26
#DIE_unlzx_table_three_LE
#DIE_zinflate_distanceStarts_LE
#DIE_zinflate_lengthStarts_LE
#DIE_zinflate_distanceExtraBits_LE

Certificate Details:

Algorithm: sha256WithRSAEncryption
Version: 3
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
Serial: 18197605158510993702346925233214526630
Serial (Hex): 0db0bb34737f4292896e7b3c163714a6

Valid from: Oct 26 00:00:00 2017 GMT
Valid until: Oct 30 12:00:00 2020 GMT

C (countryName): US
CN (commonName): Endres Actuarial Consulting LLC
L (localityName): Eden Prairie
O (organizationName): Endres Actuarial Consulting LLC
ST (stateOrProvinceName): Minnesota
businessCategory : Private Organization
jurisdictionC: US
jurisdictionST: Minnesota
serialNumber: 709967500025

Hi pio,

Thank you for reporting.
We’ll check it.

Regards,
Mageshwaran B

Obviously not yet processed and still fully trusted!

Hi pio,

This is a well-known application highly used by people. The installer contains a plugin which prompts the user during installation with offers to install other known applications. It is not harmful for users, but for some it can be nagging. However, there are two use-cases here: users who want to be able to install this without issues, without being sandboxed by CIS (therefore the clean verdict needs to be held), and users who are very strict about what they install on their systems, therefore the offer has to be blocked. So, for this case the following measure has been put in place: maintain the vendor in the trusted vendor list and the safe verdict for the installer (in order not to break functionality, being a highly used application), but add detection for the plugin which is responsible for displaying the 3rd party offer, so upon installation CIS will block it.

This is a case of false-positive from other vendors, no reason to report the certificate.

Regards,
Ionel

Hi Ionel,

Thank you for detailed information. :-TU I am very grateful for this, because it gives me the opportunity to better understand which criteria are crucial for your particular classification.

Regarding the first file, I have already noticed that the “fusion.dll” is now captured via signature recognition. This file has been uploaded separately by myself some time ago on Valkyrie and VT and provided with the reference to its harmfulness. I should have included the presence of FusionCore components in my classification, but I will do so in the next case of this kind.

VirusTotal

As for the second file, after closer examination of the dropped file “eac_pv.xlam” (VirusTotal) I can confirm that it is a false positive. Responsible for the wrong evaluations are the macros that are recognized as strong indicators of potentially harmful behavior. I’ve changed and adapted my Yara detection rules accordingly.

Best Regards,
pio

For those who are interested, here are the reasons for detection by numerous antivirus software manufacturers and sandboxes.

Dropped file “eac_pv.xlam” >>> (VirusTotal)

Commonly Abused Properties:

May execute code from Dynamically Linked Libraries.
May try to run other files, shell commands or applications.
Makes use of macros
Contains code to deceive researchers and automatic analysis systems.
Automatically runs commands or instructions when the file is opened.
May attempt to create directories.
May create OLE objects.
May enumerate open windows.
May perform operations with other files.
Contains deobfuscation code.

Found encoded VBA Macros/Strings:

Chr: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Open: May open a file
Output: May write to a file (if combined with Open)
Print #: May write to a file (if combined with Open)
run: May run an executable file or a system command
Windows: May enumerate application windows (if combined with Shell.Application object)
Kill: May delete a file
Binary: May read or write a binary file (if combined with Open)
Environ: May read system environment variables
Put: May write to a file (if combined with Open)
ChrW: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Xor: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Shell: May run an executable file or a system command
vbNormalFocus: May run an executable file or a system command
CreateObject: May create an OLE object
GetVolumeInformationA: May detect Anubis Sandbox
GetVolumeInformation: May detect Anubis Sandbox
Lib: May run code from a DLL
Run: May run an executable file or a system command
put: May write to a file (if combined with Open)
MkDir: May create a directory
binary: May read or write a binary file (if combined with Open)

E-mail address: Email = chris.endres[at]ICLOUD.com
E-mail address: OpenWebPage mailto://info[at]endresactuarial.com
URL: X =
E-mail address: frmUnlock.txtEmail = chris.endres[at]icloud.com
E-mail address: t = ‘reginald.andre[at]gs.com’,‘2329’,‘eacpv’,‘9/2/2019’,‘9/3/2018 12:00:00 AM’,‘0.00’,‘Reg Andre’,‘5’
URL: FileName = hxxps://endresactuarial.com/eac/eac_users.csv?aparam=Now() 'now needed to refesh cache
URL: OpenWebPage hxxps://mort.soa.org
URL: OpenWebPage hxxps://www.irs.gov/Retirement-Plans/Minimum-Present-Value-Segment-Rates
URL: X = XvbCrLfhxxps://www.irs.gov/retirement-plans/minimum-present-value-segment-rates.
URL: Public Const EAC_URL = hxxps://endresactuarial.com/eac/
URL: OpenWebPage hxxps://www.irs.gov/Retirement-Plans/Minimum-Present-Value-Segment-Rates
URL: t = GetURLText(hxxps://www.irs.gov/Retirement-Plans/Minimum-Present-Value-Segment-Rates)
URL: t = GetURLText(hxxps://www.ssa.gov/OACT/COLA/cbb.html)
URL: t = GetURLText(hxxps://www.ssa.gov/OACT/COLA/colaseries.html)
URL: t = GetURLText(hxxps://www.ssa.gov/OACT/COLA/AWI.html)

Various InstallCore variants - All fully trustworthy!

Advanced File Analysis System | Valkyrie
VirusTotal

Advanced File Analysis System | Valkyrie
VirusTotal

Advanced File Analysis System | Valkyrie
VirusTotal

All 3 files use the same certificate:

Issuer: Thawte

Name: Atomiq Technologies Inc.
Status: Valid
Valid From: 12:00 AM 12/10/2018
Valid To: 11:59 PM 12/10/2019
Valid Usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 81A58F3450CA8CFAAB4095D6B842A6898B47928A
Serial Number: 44 D2 81 9E 36 C4 06 2B 82 31 E0 54 5E D5 D6 3A

Hi pio,

Thank you for reporting.
We’ll check it.

Regards,
Mageshwaran B

Due to time limitations, I have not been able to give more details about the last files I’ve posted. I would like to make up for it now.

Advanced File Analysis System | Valkyrie > Signature detection was added

PUA.Variant.InstallCore

Advanced File Analysis System | Valkyrie
VirusTotal

Advanced File Analysis System | Valkyrie
VirusTotal

Both files belong to the same variant of “InstallCore” and therefore have the same indicators.

Some suspicious/malicious indicators: Compiler/Packer Signature: Compiler: Embarcadero Delphi (2009-2010), Packer: Inno Setup Module 5 [SFX] - ver. (5.5.0) Borl.Delphi 2009, File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, ASLR is disabled, The location of the entry-point is suspicious (“section: .itext:0x000113BC”), Contains another file (type: InnoSetup, location: overlay, offset: “0x0001D200”), The file-ratio of the overlay is suspicious (ratio: “94.70 %”), Contains unknown resources, References a string with a suspicious size (size: “1594 bytes”), Contains several executable sections, Contains a virtualized section, Contains zero-size sections), Contains ability to reboot/shutdown the operating system, Tries to delay the analysis, Reads Environment values, Reads internet explorer settings, Reads settings of System Certificates, Escalates privileges, Runs a Keylogger, Reads data out of its own binary image, Creates guarded memory sections, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol (Found reference to API GetLongPathNameW[at]“KERNEL32.DLL”), Hooks running process (“user32.dll”), POSTs data to IPs which are part of the InstallCore network (ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1 > “52.16.29.135”, ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3 > “52.212.215.62”, ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4 > “52.51.217.55”)

MITRE ATT&CK Techniques:

Execution: “T1059” (Command-Line Interface) > Starts CMD.EXE for commands execution
Execution: “T1106” (Execution through API) > Application launched itself
Defense Evasion: “T1107” (File Deletion) > Starts CMD.EXE for self-deleting
Discovery: “T1012” (Query Registry) > Searches for installed software, Reads internet explorer settings, Reads Environment values, Reads settings of System Certificates
Discovery: “T1082” (System Information Discovery) > Reads Environment values

Riskware.PUP.ExelAddin.Bluematrix - Certificate issued by GoDaddy

Advanced File Analysis System | Valkyrie

VirusTotal

Some suspicious/malicious indicators: Compiler/Packer Signature: Compiler: Microsoft Visual C/C++ (2008-2010) [EXE32], File has multiple binary anomalies (File ignores Code Integrity, Contains another file (type: executable, location: resources, offset: “0x0008A900”), Buffers contain embedded PE files (sha1: bc75d4e61747fd8cb61c7e83c08fb43b417c7a59 & sha1: d26a366e8c5ce4c756ee62e0fe51798eeb33f588), CRC value set in PE header does not match actual value), Imports sensitive libraries (Shell Folder Service, Windows Installer, Internet Extensions for Win32, OLE32 Extensions for Win32, Process Status Helper), Contains ability to create named pipes, Contains ability to elevate privileges, Contains ability to open the clipboard, Expresses interest in specific running processes (“msiexec.exe”), Creates RWX memory, A process created a hidden window (Setup_6_6.exe → “C:\Windows\system32\msiexec.exe” /i “C:\Users\user\AppData\Local\ExcelAddin_2020228944\Setup_6_6.msi”), Creates a windows hook that monitors keyboard input, Tries to detect if debugger is attached, Checks adapter addresses, Queries volume information of an entire hard drive, Queries kernel debugger information, Queries process information, Queries sensitive IE security settings, Queries the internet cache settings, Reads the active computer name, Reads the cryptographic machine GUID, Queries the installation properties of user installed products, Reads Windows Trust Settings, Scanning for window names, Opens the MountPointManager, Modifies System Certificates Settings, Modifies Software Policy Settings, Modifies auto-execute functionality, Modifies “WPAD” proxy autoconfiguration file, Mimics the system’s user agent string for its own requests, Opens the Kernel Security Device Driver, Performs Access Token Manipulation, Communicates with host for which no DNS query was performed (“192.124.249.23”, “192.124.249.41”, “38.109.109.199”)

Certificate Details:

Algorithm: sha256WithRSAEncryption
Version: 3
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
Serial: 16618953072637513010
Serial (Hex): e6a261c4c1720d32

Valid from: Jul 17 20:17:47 2018 GMT
Valid until: Jul 17 20:17:47 2021 GMT

C (countryName): US
CN (commonName): Blue Matrix I LLC
L (localityName): New York
O (organizationName): Blue Matrix I LLC
ST (stateOrProvinceName): New York
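The "Certificate Details" blocks pasted throughout this thread share one text format. The following is an added Python example, not code from the thread or from Comodo, that parses such a block, checks that the decimal and hex serial lines agree, and reports whether the certificate was inside its validity window on a given date (the Blue Matrix block above is used as sample input; the field names and the `summarize` function are this example's own).

```python
import re
from datetime import datetime, timezone

# Sample input: the Blue Matrix I LLC block as pasted in the thread (subject trimmed).
SAMPLE = """Algorithm: sha256WithRSAEncryption
Version: 3
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
Serial: 16618953072637513010
Serial (Hex): e6a261c4c1720d32

Valid from: Jul 17 20:17:47 2018 GMT
Valid until: Jul 17 20:17:47 2021 GMT

C (countryName): US
CN (commonName): Blue Matrix I LLC
O (organizationName): Blue Matrix I LLC
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # the "Valid from/until" format used in the posts


def parse_cert_block(text):
    """Read 'key: value' lines into a dict. 'CN (commonName)' is stored as 'CN';
    'Serial (Hex)' is kept verbatim because 'Hex' is not an X.500 attribute name."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)   # first colon only; the Issuer line holds a URL
        key = key.strip()
        m = re.match(r"^(\w+)\s*\(([a-z]\w*)\)$", key)
        if m:
            key = m.group(1)
        fields[key] = value.strip()
    return fields


def serial_consistent(fields):
    """Decimal and hex serial lines must encode the same integer; a mismatch means a typo or edit."""
    return int(fields["Serial"]) == int(fields["Serial (Hex)"], 16)


def summarize(text, on_date):
    """Report validity on on_date ('YYYY-MM-DD'). A cert inside its window proves who
    signed the file, not that the file is benign, which is the thread's whole point."""
    f = parse_cert_block(text)
    start = datetime.strptime(f["Valid from"], DATE_FMT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(f["Valid until"], DATE_FMT).replace(tzinfo=timezone.utc)
    when = datetime.strptime(on_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {
        "subject": f.get("CN"),
        "issuer_cn": f["Issuer"].rsplit("/CN=", 1)[-1],
        "serial_ok": serial_consistent(f),
        "in_window": start <= when <= end,
        "lifetime_days": (end - start).days,
    }
```

Running `summarize(SAMPLE, "2022-01-01")` shows the certificate had already expired by the time of this 2022 thread, while the serial lines are consistent.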

Hi pio,

Thank you for reporting.
We’ll check and verify it.

Regards,
Mageshwaran B