Report Undetected Malware for Valkyrie Service Here - 2022

Previous topic

Valkyrie is a very sophisticated detection service for detecting malware. It currently finds many different types of malware that comodo antivirus does not find but like anything it is not perfect. This is a place to report malware the Valkyrie does NOT detect. Reporting malware that Valkyrie does not detect helps comodo gather undetected samples so they can add the appropriate algorithms and heuristics to detect these malware in the future.

If you believe you have found a piece of malware that Valkyrie does not detect just post the Virustotal link and Valkyrie analysis link below.

Happy testing

NOTE: DO NOT post live malware

Generic.PUP/Hacktool

Valkyrie Final Verdict: CLEAN

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler: Microsoft Visual C++ 8.0 , Packer: aPLib Compression , File has multiple binary anomalies ( File ignores Code Integrity , CRC value set in PE header does not match actual value , Imports sensitive Libarys ( Windows image helper ) , The file contains another files (type: Executable, location: resources, file-offset: 0x000CBB90, 0x000DACD0, 0x000E9C10, 0x000F8B50 ) , Found BlackBone Driver injector, Expects Administrative permission, References “2” Windows built-in privileges, Tries to detect the presence of a debugger, Contains known anti-VM tricks ( Found VM detection artifact “CPUID trick”, Anti-Sandbox checks for ThreatExpert ) , Contains native function calls , Contains ability to create a remote thread , Contains ability to enumerate processes/modules/threads, Contains ability to register a top-level exception handler , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Tries do delay/evade the analysis , Installs itself for autorun at Windows startup , Reads the active computer name , Drops system driver , Loads device driver, Installs hooks/patches the running process, Creates and modifies windows services, Opens the Kernel Security Device Driver, Generates some ICMP Traffic

Generic.Hacktool/Trojan

Valkyrie Final Verdict: No Threat Found

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler: Microsoft Visual C++ 5.0 , Packer: Armadillo v1.71 , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , Checksum mismatches the PE header value , Contains unknwon resources , Timestamp in PE header is very old ( Tue Nov 9 11:37:39 1999 , Foreign language identified in PE resource ( Chinese ) ) , Found a potential E-Mail address in binary/memory ( “laingml[at]163.net” ) , Tries to detect the presence of a debugger, Scanning for window names , Monitors specific registry key for changes , Reads terminal service related keys , Installs hooks/patches the running process ( “NSI.DLL” ) , Touches files in the Windows directory , Opens the Kernel Security Device Driver , Communicates with host for which no DNS query was performed ( “2.16.155.9” , “2.18.77.109” , “212.247.14.11” ) , Sends traffic on typical HTTP outbound port, but without HTTP header ( TCP traffic to “172.217.16.174” on port “443” )

Trojan.Agent.SMHeist3

Valkyrie Final Verdict: No Threat Found

Some suspicious/malicious Indicators : Compiler/Packer/Crypter signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: BobSoft Mini Delphi, Crypter: VMProtect, Found Yara signature match ( “disable_antivirus” - Disable AntiVirus, “hijack_network” - Hijack network configuration ), File has multiple binary anomalies ( File ignores DEP, File ignores Code Integrity, PE file has unusual entropy sections, CRC value set in PE header does not match actual value, Entrypoint in PE header is within an uncommon section, Contains zero-size sections, Timestamp value suspicious ( “06/20/1992” ), File Has “3” shared sections, Contains “3” another files > location overlay > Type: “Smart Installer” ( “0x00071800” ), “Flash” ( “0x00183652” ), “Flash” ( “0x0034492B” ), Contains ability to reboot/shutdown the operating system, Contains ability to query CPU information, Contains ability to read monitor info, Contains ability to retrieve keyboard strokes, Contains ability to lookup the windows account name, Expects Administrative permission, Drops multiple executable files, Drops a text file that contains suspicious strings ( “Mirillis.vbs” > “WScript.Shell” ), Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Scanning for window names, Queries kernel debugger information, Queries process information, Reads terminal service related keys, References security related windows services ( “\windefendam.log” ), Open a windows service ( “ADVAPI32.dll” ), Allocates virtual memory in a remote process ( “HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings” & “\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE” ), Writes data to another processes ( “C:\Windows\System32\wscript.exe” & “C:\Program Files\Internet Explorer\iexplore.exe” ), Writes to the hosts file, Looks up many procedures within the same disassembly stream ( found “58” calls to “KERNEL32.DLL” ), Opens the MountPointManager, Makes a code branch decision directly after an API that is environment aware, Accesses sensitive information from local browsers, Queries sensitive IE security settings, Modifies proxy settings, Generates some ICMP traffic, Communicates with host for which no DNS query was performed ( “2.16.155.67”, “2.16.155.9”, “2.18.77.109”, “212.247.20.9” ), Sends traffic on typical HTTP outbound port, but without HTTP header ( TCP traffic to “23.43.62.9” and “184.24.102.115” on port “80” )

Hey Guys,

were these two files already checked?

As decision support, Comodo detects the execution parents from the first file as:

TrojWare.Win32.KeyLogger.Ardamax.G >>> VirusTotal

TrojWare.Win32.TrojanDropper.Binder.cls >>> VirusTotal

Win32.Neshta.A >>> VirusTotal

Application.Win32.Ardamax.NBX >>> VirusTotal

Backdoor.Win32.Agent.CEP13[at]11x22w >>> VirusTotal

And also the PE Resource Parents as:

TrojWare.Win32.TrojanDropper.Binder.cls >>> VirusTotal

Both files were previously used as part of malware and should therefore at least be classified as Riskware/Hacktool or PUP. The second file also has indicators or shows the behavior of a Trojan horse.

So i ask for a processing and classification. Thank you !!!

Hi pio,

We are taking care of these. Thank you!

Regards,
Ionel

Thank you for taking note !!! :-TU

Trojan.CoinMiner.Stealer.Electrum

Valkyrie Final Verdict: No Threat Found *(valkyrie link has been corrected)

Some suspicious/malicious Indicators : File has multiple binary anomalies (Timestamp in PE header is very old, File ignores Code Integrity, Checksum mismatches the PE header value, Contains zero-size sections, Imports sensitive libaries ( Crypto API 32, Windows Socket 2.0 32-Bit DLL, Win32 LDAP API DLL), Found a Wine emulator related string (Indicator: “wine_get_version”), Contains ability to enumerate processes/modules/threads, Contains ability to query CPU information, Contains ability to download files from the internet, Dropped very many files (dropped “1641” files), Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Queries kernel debugger information, Queries process information, Allocates virtual memory in a remote process (“transactionservices.exe” allocated memory in “HKCU\Control Panel\Desktop\MuiCached”), Looks up many procedures within the same disassembly stream (found “80” calls to “GetProcAddress”[at]“KERNEL32.dll”), Modifies auto-execute functionality, Receives data from 3 IP´s who were classified as malicious (“194.63.143.226” > VirusTotal, “217.147.169.179” > VirusTotal, “188.214.135.174” > VirusTotal)

Trojan.MSIL.Agent

Some suspicious/malicious Indicators : File has multiple binary anomalies (File ignores Code Integrity, Checksum mismatches the PE header value, Imports count (1) is very low), Tries to implement anti-virtualization techniques ( against “vmware”, “qemu”, “vbox”, Checks the version of Bios, Checks the CPU name from registry), Tries to delay the analysis (“sms.exe” called API “NtYieldExecution” 28954 times), Contains API references not part of its Import Address Table, Makes “BSOD” via debug property, Creates guarded memory sections, Queries kernel debugger information, Reads the active computer name, Reads the cryptographic machine GUID, Launches the WMI Provider Host, Opened the service control manager, Modifies windows services (“CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Modifies Software Policy Settings, Modify system certificates, Opens the Kernel Security Device Driver, Touches files in the Windows directory (“C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config”,“C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch”,“C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config”,“C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch”), Contacts 2 domains and 2 hosts, Sends traffic on typical HTTP outbound port, but without HTTP header (TCP traffic to “104.20.209.21” on port “443”> VirusTotal), Uses network protocols on unusual ports (TCP traffic to “186.212.36.104” on port “2000”)

Hi, Pio,

The files were taken care of.

Regards,
Ionel

Hi Ionel,

All right and thanks for the notification! :-TU

Best Regards!
pio

Trojan.Generic

File has Indicators of Ransomware, but no Files were encrypted during my Analysis.

Some suspicious/malicious Indicators : Compiler: MASM32(8-11), File has multiple binary anomalies (File is resource-less, The dos-stub message is missing, File ignores DEP, File ignores Code Integrity, Entrypoint is outside of first section, Checksum mismatches the PE header value, Address Space Layout Randomization is disabled), Reads the active computer name, Reads terminal service related keys , Reads the registry for installed applications, Scanning for window names, Opened the service control manager, Creates or sets a registry key to a long series of bytes (regkeyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache), Creates a hidden file (file: C:\Users\user\AppData\Roaming\Microsoft\Windows\IETldCache\Low), Attempts to modify proxy settings, One martian processes was created (““C:\Windows\SysWOW64\ie4uinit.exe” -ShowQLIcon”), Writes data to a remote process (“iexplore.exe”), Uses Windows utilities for basic functionality (command: “C:\Program Files (x86)\Internet Explorer\iexplore.exe” -nohome & command: “C:\Program Files (x86)\Internet Explorer\iexplore.exe” SCODEF:2672 CREDAT:79873"), Process launched with changed environment (“iexplore.exe”), Writes a potential ransom message to disk (ransom_file: cryptl0ck.html), Found TOR related URLs in process memory dump (“h**p://78a3zjw10ojm7sf6.onion/1aaea8e2f108af2fe1c2e72e35c27d94”), Attempts to connect to a dead IP:Port (IP: “204.79.197.200:80” - “United States”)

Adware.PUA.Downloader.Deceptpcclean

File is signed by Comodo, but the Certificate was not detected correctly!

Some suspicious/malicious Indicators : Compiler: Borland Delphi, Packer: Inno Installer 5.57, File has multiple binary anomalies ( The file contains another file (type: InnoSetup, location: overlay, file-offset: 0x0001D200), File ignores Code Integrity, Entrypoint is outside of first section, Contains zero-size sections, The dos-stub message is missing, Has “2” executable sections, The file-ratio of the overlay reaches 76.95 %), Contains ability to listen for incoming connections, Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, Contains ability to block user input, Contains ability to download files from the internet, Contains ability to enumerate processes/modules/threads, Contains ability to create named pipes, Found more than one unique User-Agent (IS Download DLL & Autoit), Sets a global windows hook to intercept mouse events, Tries to implement anti-virtualization techniques (VirtualBox), Tries to evade analysis by sleeping many times, Creates guarded memory sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation language, Scanning for window names, Modifies proxy settings, Accesses Software Policy Settings, Accesses System Certificates Settings, Creates a hidden window, Creates windows services ( (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Process launched with changed environment (%WINDIR%\CSC.EXE"), Opens the Kernel Security Device Driver, Queries sensitive IE security settings, Queries the internet cache settings, HTTP request contains Base64 encoded artifacts, POSTs data to > “67.219.147.194:80” > “dusrv2.malwarecrusher.com” > VirusTotal), Downloads and executes files who classified as PUA/Adware

Additional indicators:

Downloads files containing harmful content:

• “mlcstsetup.tmp” GET > h**p://bgtc.malwarecrusher.com/mlc/mlc_builds/apst/10111/mlcsetup.exe >>> VirusTotal
• “mlcst.exe” GET > h**p://bgtc.malwarecrusher.com/mlc/mlc_builds/apst/10111/mcrsetup.exe >>> VirusTotal

Get in touch with suspicious / malicious IPs:

• Found PUA.Win32/Freemake.A UserAgent >>> VirusTotal
• Found PUA.Optional.WinTonic UserAgent >>> VirusTotal
• Found PUA.Win32/GT32SupportGeeks.Q UserAgent >>> VirusTotal

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards
Umamaheshwari M

NanoCore.RAT.Agent.Downloader

Undetected for a long time!

Some suspicious/malicious Indicators : Compiler: Microsoft visual C# v7.0 / Basic .NET, File has multiple binary anomalies (Checksum mismatches the PE header value, PE file has unusual entropy sections (.text with unusual entropies 7.57139459433), File ignores Code Integrity, Debug timestamp (1970/01/01 01:00:00) mismatches compiler timestamp (2062/12/24 19:47:21), The number of directories is suspicious “15”), Contains ability to query CPU information, Tries to sleep for a long time, Creates guarded memory sections, Reads data out of its own binary image, Reads the active computer name, Reads the cryptographic machine GUID, Reads configuration files, Reads the registry for installed applications , Queries kernel debugger information, Queries process information, Spawns new processes that are not known child processes (“explorer.exe”), Writes data to another process (“explorer.exe”), Opens the service control manager, Modifies proxy settings, Queries sensitive IE security settings, Opens the Kernel Security Device Driver, HTTP traffic contains a GET request with no user-agent header, HTTP connection was made to an IP address rather than domain name, Creates windows services ((Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Contacts an IP classified as malicious >>> “137.74.44.216” > VirusTotal, Downloads and executes a file who is known as malicious (NanoCore Family) >>> VirusTotal

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards
Saravanapathi V

Variant.Trojan.Agent.Downloader.Chindo

The file has a valid certificate, but Valkyrie could not recognize it!

Some suspicious/malicious Indicators: Compiler/Packer signature (Inno Setup Module [SFX] - ver. (5.6.2) Borland Delphi), File has multiple binary anomalies (File ignores Code Integrity, Contains zero-size sections, CRC value set in PE header does not match actual value, PE file has unusual entropy sections, Contains another file (type: InnoSetup, location: overlay, offset: “0x00016800”), Has a PE timestamp using the buggy magic timestamp “0x2A425E19”), The file-ratio of the overlay is suspicious (ratio: 94.67%), Contains resource in a language tagged as suspicious (Chinese), Contains shared sections, Contains a virtualized section), Contains ability to query CPU information, Contains ability to enumerate processes/modules/threads, Contains ability to open the clipboard, Contains ability to elevate privileges (admin), Reads data out of its own binary image, Creates guardes memory sections, Reads the active computer name, Queries volume information of an entire harddrive, Reads the registry for installed applications, Reads configuration files, Scanning for window names, Checks adapter addresses, Sets a registry key to a long series of bytes (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache), Writes data to a remote process (C:\Windows\System32\taskkill.exe" & “C:\Windows\System32\regsvr32.exe”), Modifies auto-execute functionality, Modifies the open verb of a shell class, Opens the Kernel Security Device Driver, Creates windows services (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Modifies proxy settings, Queries the internet cache settings, Attempts to modify browser security settings, Network activity contains more than one unique useragent (Mozilla/5.0), HTTP request contains Base64 encoded artifacts, HTTP traffic contains multiple GET requests with no user-agent header to one or more malicious IPs/URLs (TCP traffic to “121.40.77.138” - “st.qswzayy.com” > VirusTotal, “211.159.191.18” - “pv.sohu.com” > VirusTotal, “59.111.181.52” - “ip.ws.126.net” > VirusTotal, “27.22.54.146” - “cfg.qswzayy.com” > VirusTotal,

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards
Saravanapathi V

Variant.Trojan.Spyware.AgentTesla

Some suspicious/malicious Indicators: Compiler: Microsoft Visual C# v7.0 / Basic .NET, File has multiple binary anomalies (File ignores Code Integrity, Checksum mismatches the PE header value, PE File has unusual entropy sections, References a string with a suspicious size,size: “2394” bytes), Reads Windows Product ID, Reads Environment values, Reads data out of its own binary image, Reading critical registry keys, Creates a copy of itself, Checks for external IP, Changes the autorun value in the registry, Creates RWX memory, Creates guarded memory sections, Creates files in the user directory, Attempts to remove evidence of file being downloaded from the Internet, Sniffs keystrokes, Stores a script command in the registry, Harvests credentials from various local FTP client softwares, Harvests information related to installed mail clients, Connects to SMTP port (“198.54.116.63” > mail.jiratane.com > VirusTotal

MITRE ATT&CK™ Techniques: T1106, T1060, T1081, T1012, T1082, T1071, T1045 >>> (Matrix - Enterprise - Windows | MITRE ATT&CK®)

Hi pio,

Thank you for reporting.
We’ll check it.

Regards,
Kowsalya R