Report Undetected Malware for Valkyrie Service Here - 2022

Because of hardware issues, I’m currently running very limited analytics, as I’m currently unable to create a secure analytics environment. Therefore, this time I can only offer incomplete information regarding the following file. The file implements various Anti-VM techniques and succeeds very well with that. :-La

The file is not recognized by VT for several days! But despite my limited analysis capabilities, I’m pretty sure the file must be considered as malicious.


Advanced File Analysis System | Valkyrie


Matched Yara Rules: crime_win_gamarue_andromeda_common_strings

Some suspicious/malicious Indicators:Compiler: Visual C/C++(19.00.24210), Packer: Overlay > zlib, File has multiple binary anomalies (The file doesn’t register any VersionInfo, File ignores Code Integrity, The file checksum is invalid > checksum: “0x00000000”, ImageBase is suspicious > Value in File > “5368709120”, Imports sensitive Libraries > “Windows Socket 2.0 32-Bit DLL”, Contains another files > type: Flash, location: overlay, offset: “0x00275E6F”, type: Flash, location: overlay, offset: “0x004BA03B”, type: Flash, location: overlay, offset: “0x005EA293”, The file-ratio of the overlay is suspicious > ratio: “95.98%”), The file may be hiding some of its imports (GetProcAddress, LoadLibraryExW, LoadLibraryA), Reads data out of its own binary image, Checks if being debugged, Calls the “sleep-function” many times, Uses low level APIs, Enumerates local disk drives, Leverages the raw socket API to access the Internet, File was downloaded from an IP/domain known to propagate malicious content > hxxp://■■■.exe > VirusTotal

I am very curious about the classification by a Comodo expert and in a few days my entire hardware should be ready for use again. :slight_smile:

Hi pio,

Detection will be added soon.


Hi Ionel,

I can already confirm the signature detection for CAV & Valkyrie and the detection on Virus Total will certainly follow soon!!?

For me this is the first malicious file that has absolutely NO detection on VT even after a few days and in which the additional analysis performed with AnyRun, CAPE, VxStream Sandbox and Tencent Habo was not feasible because it was not even started or then failed. Unfortunately, Cuckoo and Valkyrie were unable to provide any further meaningful indicators.


Thanks and Regards!

The file still has a very low detection rate on VT after almost 20 days.



Found Mitre Tactics: Defense Evasion, Discovery, Persistence, Execution

Found Mitre Techniques: Hooking, Execution through API, Query Registry, System Information Discovery, System Time Discovery, Access Token Manipulation, Modify Registry, Virtualization/Sandbox Evasion

Some suspicious/malicious Indicators:Compiler: Visual C/C++ 6.0, Crypter/Protector: Armadillo 1.71, File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, Contains zero size sections, The compiler time stamp is outside of the Certificate time stamp, References debug symbols, Contains various unknown resources), Found multiple Anti-VM/Evasion Strings ( Calls the “SleepEx” function, Querries the Disk Size, Checks adapter addresses, Checks amount of memory, Performs access token manipulation), Found more than one unique User-Agent (Mozilla/5.0), Contains ability to open/control a service (OpenServiceA[at]ADVAPI32.dll), Contains indicators of bot communication commands (useManualLogin = (Indicator: “login=”), Creates guarded memory sections, Installs itself for autorun at Windows startup, Contains ability to lookup the windows account name, Queries kernel debugger information, Queries process information, Queries sensitive IE security settings, Scanning for window names, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Logs keyboard strokes, Hooks windows functions, Opens the MountPointManager, Opens the Kernel Security Device Driver, Tries to hide a procedure lookup using single characters, Tries to steal FTP credentials, Steals private information from local Internet browsers, Installs a Browser Helper Object, Disables proxy, Outgoing Basic Auth Base64 HTTP Password detected (unencrypted), Sends traffic on typical HTTP outbound port, but without HTTP header > TCP traffic to “” on port 80 & TCP traffic to “” on port 443

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards

I would like to give some more information regarding this file.

Simple skills of checking file reputation. Only for those who have time for such things. 8) :wink:

The file pretends to be the “Internet Download Manager” from the company “Tonec, Inc”. >>>

Based on the information published on the developer’s homepage, the specific version reported by the file was released on “20.11.19”. The compiler and debugger-stamp refer to the “22.11.19”. ??? Including a possible time shift, this only leaves the conclusion that this can not be a legitimate version. I also looked at 5 different versions (older and newer ones like the file in question) for their size and the smallest version has 7.4 MB, the latest version 8.1 MB. The file I rated as harmful is almost half the size of all official installers of the Internet Download Manager. In addition, all 5 installers I reviewed have a valid certificate, but the suspect file does not.

There is also more up-to-date malware that tries to use exactly the same facade for its own purposes. “Execution Parents” from the last official “Internet Download Manager” installer and with very high detection rate on VT. >>> VirusTotal (NOT detected from CAV)

Still for comparison, 2 screenshots of the initial analysis from the malicious file and the latest official installer version, carried out with “pestudio”.
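The header checks described in the post above (compile timestamp versus the vendor's release date) and two of the binary anomalies Valkyrie reported in the first post (a checksum of 0x00000000 and a suspiciously large overlay) can be reproduced with nothing but the Python standard library. The script below is an added illustration, not code from Valkyrie or any poster; the PE32 image it builds is constructed test data, and the 50% overlay threshold is an assumed triage cut-off.

```python
import struct
import datetime as dt
def pe_header_facts(data: bytes) -> dict:
    """Pull the fields the indicators above refer to out of a PE image:
    COFF compile timestamp, stored CheckSum and the overlay ratio."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    checksum = struct.unpack_from("<I", data, opt + 64)[0]  # same offset in PE32 and PE32+
    end = 0
    for i in range(nsect):                                  # 40-byte section headers
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = max(0, len(data) - end)                       # bytes after the last section
    return {"timestamp": dt.datetime.fromtimestamp(stamp, dt.timezone.utc),
            "checksum": checksum, "overlay_ratio": overlay / len(data)}

def triage(data: bytes, vendor_release: dt.date) -> list:
    f = pe_header_facts(data)
    findings = []
    if f["checksum"] == 0:
        findings.append("checksum is 0x00000000 (linker never set it)")
    if f["overlay_ratio"] > 0.5:                            # assumed cut-off for 'suspicious'
        findings.append(f"overlay is {f['overlay_ratio']:.1%} of the file")
    if f["timestamp"].date() > vendor_release:
        findings.append("compile timestamp is after the vendor's release date")
    return findings

def build_sample(stamp: int, checksum: int, code_size: int, overlay_size: int) -> bytes:
    """Constructed minimal PE32 image with one section (test data, not a real binary)."""
    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew -> right after DOS header
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, len(opt), 0x102)
    hdr_len = 64 + 4 + 20 + len(opt) + 40
    sect = bytearray(40); sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, code_size, 0x1000, code_size, hdr_len)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)
            + b"\x90" * code_size + b"\x00" * overlay_size)

if __name__ == "__main__":
    built = int(dt.datetime(2019, 11, 22, tzinfo=dt.timezone.utc).timestamp())
    print(triage(build_sample(built, 0, 1000, 20000), dt.date(2019, 11, 20)))
```

Run on a real file, replace `build_sample(...)` with `open(path, "rb").read()` and the release date from the vendor's changelog; all three findings fire for the constructed sample, none for a clean one.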


Some suspicious/malicious Indicators: Found more than one unique User-Agent (Microsoft BITS/7.5, Mozilla/5.0, AppleWebKit/537.36, Chrome/ Safari/537.36), Contains embedded VBA macros with keywords that indicate auto-execute behavior, Contains deobfuscation code, Checks for a “ADS” file, Creates guarded memory sections, Writes data to another processes (“C:\Windows\System32\certutil.exe”, “C:\Windows\System32\PING.EXE”), Creates OLE objects, Checks network status using ping, Uses “C:\Windows\System32\certutil.exe” to decode a file (with commandline “-decode sfera redol”), Modifies proxy settings, Raised Suricata alerts (PE EXE or DLL Windows file download HTTP, Certificate with Unknown Content, Found “Win32/Predator The Thief” Initial CnC Checkin Request, Found MALWARE “MSIL/Predator The Thief” CnC Checkin), POSTs files to a malicious webserver > Host: “” > VirusTotal

A short description of “Predator The Thief” malware: “Predator” is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes: Payload builder and Command and Control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web-camera. It is developed by using a modular approach so that criminals may add more sophisticated tools on top of it.

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards


Some suspicious/malicious Indicators: Compile/Crypter signature: Compiler: Microsoft Visual C/C++(2013)[DLL32], Crypter: XOR - 0x20, Xord Javascript, File has multiple binary anomalies (File ignores Code Integrity, The file contains another file (type: executable, location: .data, offset: “0x000DA710” & type: executable, location: .data, offset: “0x000DCB10”), Imports sensitive libraries (Windows Socket 2.0 32-Bit DLL), Checksum mismatches the PE header value, Cryptographic algorithms detected in the binary > Uses constants related to SHA1, SHA256, SHA512 ,AES, CRC32, MD5), Contains a known anti-VM trick (Found VM detection artifact “CPUID trick” in Offset: “898347”), Contains references to system tools (“rundll32.exe”), Contains ability to open the clipboard, Tries to detect the presence of a debugger, Enumerates local disk drives (“GetLogicalDriveStringsW”, “GetVolumeInformationW”, “GetDriveTypeW”), Launches other programs (“CreateProcessW”, “ShellExecuteW”), Allocates read-write-execute memory, Creates guarded memory sections, Makes a code branch decision directly after an API that is environment aware (Found API call GetTimeZoneInformation[at]KERNEL32.dll, Found API call GetVersion[at]KERNEL32.dll, Found API call GetVersionExW[at]KERNEL32.dll), Listen for incoming communication, Leverages the raw socket API to access the Internet, Uses communication over “SMTP”, Contains domain names (,,, hxxp://, hxxp://,,

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards,
Kowsalya R


Hello yigido,

The files are already under process, there’s no need to double post.

Best regards,

Hi FlorinG,

These files are also undetected by Valkyrie, this is why I post it here as well.


Signature database detects the file on VirusTotal.

But the file is undetected on Valkyrie and Human Expert marked the file as safe. Please check.

Hello there
Our website has been classified as a Phishing website by your database.

Can you delete or change the categorization?