Report Undetected Malware for Valkyrie Service Here - 2022

Because of hardware issues I'm currently running very limited analytics, as I'm unable to create a secure analysis environment at the moment. Therefore, this time I can only offer incomplete information regarding the following file. The file implements various anti-VM techniques and succeeds very well at that.

The file has not been recognized by VT for several days! But despite my limited analysis capabilities, I'm pretty sure the file must be considered malicious.

Trojan…Generic

Advanced File Analysis System | Valkyrie

VirusTotal

Matched Yara Rules: crime_win_gamarue_andromeda_common_strings

Some suspicious/malicious indicators:
- Compiler: Visual C/C++ (19.00.24210); Packer: Overlay > zlib
- File has multiple binary anomalies: the file doesn't register any VersionInfo; file ignores Code Integrity; the file checksum is invalid (checksum: "0x00000000"); ImageBase is suspicious (value in file: "5368709120"); imports sensitive libraries ("Windows Socket 2.0 32-Bit DLL"); contains other files (type: Flash, location: overlay, offsets "0x00275E6F", "0x004BA03B" and "0x005EA293"); the file ratio of the overlay is suspicious (ratio: "95.98%")
- The file may be hiding some of its imports (GetProcAddress, LoadLibraryExW, LoadLibraryA)
- Reads data out of its own binary image
- Checks if being debugged
- Calls the "sleep" function many times
- Uses low-level APIs
- Enumerates local disk drives
- Leverages the raw socket API to access the Internet
- File was downloaded from an IP/domain known to propagate malicious content > hxxp://92.63.192.128/attach/get/■■■.exe > VirusTotal

I am very curious about the classification by a Comodo expert, and in a few days my entire hardware should be ready for use again. :slight_smile:

Hi pio,

Detection will be added soon.

Regards,
Ionel

Hi Ionel,

I can already confirm the signature detection for CAV & Valkyrie, and the detection on VirusTotal will certainly follow soon!?

For me this is the first malicious file that has absolutely NO detection on VT even after a few days, and for which the additional analysis with AnyRun, CAPE, VxStream Sandbox and Tencent Habo was not feasible, because it either did not start at all or failed afterwards. Unfortunately, Cuckoo and Valkyrie were unable to provide any further meaningful indicators.

:P0l

Thanks and Regards!
Pio

The file still has a very low detection rate on VT after almost 20 days.

Trojan…RAT.Remcos

Advanced File Analysis System | Valkyrie

VirusTotal

Found Mitre Tactics: Defense Evasion, Discovery, Persistence, Execution

Found Mitre Techniques: Hooking, Execution through API, Query Registry, System Information Discovery, System Time Discovery, Access Token Manipulation, Modify Registry, Virtualization/Sandbox Evasion

Some suspicious/malicious indicators:
- Compiler: Visual C/C++ 6.0; Crypter/Protector: Armadillo 1.71
- File has multiple binary anomalies: file ignores DEP; file ignores Code Integrity; checksum mismatches the PE header value; contains zero-size sections; the compiler time stamp is outside of the certificate time stamp; references debug symbols; contains various unknown resources
- Found multiple anti-VM/evasion strings: calls the "SleepEx" function; queries the disk size; checks adapter addresses; checks amount of memory; performs access token manipulation
- Found more than one unique User-Agent (Mozilla/5.0)
- Contains ability to open/control a service (OpenServiceA[at]ADVAPI32.dll)
- Contains indicators of bot communication commands (useManualLogin; indicator: "login=")
- Creates guarded memory sections
- Installs itself for autorun at Windows startup
- Contains ability to look up the Windows account name
- Queries kernel debugger information
- Queries process information
- Queries sensitive IE security settings
- Scans for window names
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the registry for installed applications
- Logs keyboard strokes
- Hooks Windows functions
- Opens the MountPointManager
- Opens the Kernel Security Device Driver
- Tries to hide a procedure lookup using single characters
- Tries to steal FTP credentials
- Steals private information from local Internet browsers
- Installs a Browser Helper Object
- Disables proxy
- Outgoing Basic Auth Base64 HTTP password detected (unencrypted)
- Sends traffic on a typical HTTP outbound port, but without HTTP header > TCP traffic to "169.55.0.224" on port 80 & TCP traffic to "23.63.209.10" on port 443

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards
Qiuhui.■■■■

I would like to give some more information regarding this file.

Simple skills of checking file reputation. Only for those who have time for such things. 8) :wink:

The file pretends to be the “Internet Download Manager” from the company “Tonec, Inc”. >>> https://www.internetdownloadmanager.com/

Based on the information published on the developer's homepage, the specific version reported by the file was released on 20.11.19. The compiler and debugger stamps refer to 22.11.19. ??? Even allowing for a possible time shift, this only leaves the conclusion that this cannot be a legitimate version. I also looked at 5 different versions (older and newer than the file in question) for their size: the smallest version has 7.4 MB, the latest version 8.1 MB. The file I rated as harmful is almost half the size of all official installers of the Internet Download Manager. In addition, all 5 installers I reviewed have a valid certificate, but the suspect file does not.

There is also more up-to-date malware that tries to use exactly the same facade for its own purposes: "Execution Parents" of the last official "Internet Download Manager" installer, with a very high detection rate on VT. >>> VirusTotal (NOT detected by CAV)

Still for comparison, 2 screenshots of the initial analysis of the malicious file and of the latest official installer version, carried out with "pestudio".

:P0l
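The static checks behind the indicators quoted in this thread (zero or mismatched PE checksum, overlay ratio, ImageBase, DEP flag, missing Authenticode signature, and the compile-timestamp-versus-release-date comparison from the post above) can be reproduced with a few header reads. The following is an added example, not code from pio, Valkyrie or Comodo; it uses only the Python standard library. The PE image produced by `build_sample()` is a constructed fixture with the thread's two dates (release 20.11.19, stamp 22.11.19) and a ~95% overlay, not any file from the reports. Assumptions: "signed" means only that the security directory is non-empty (no signature validation is done), and the "common" ImageBase set holds the usual 32-bit and 64-bit linker defaults (5368709120 from the first report is 0x140000000, the 64-bit default).

```python
"""Static PE triage: timestamp vs. vendor release date, header checksum, DEP
(NX_COMPAT), Authenticode presence, overlay ratio and ImageBase.
Standard library only; build_sample() is a constructed test fixture."""
import datetime as dt
import struct

NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT; absent -> "file ignores DEP"
DIR_SECURITY = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY; non-empty -> Authenticode blob present
COMMON_IMAGE_BASES = {0x00400000, 0x10000000, 0x140000000, 0x180000000}  # assumption: linker defaults


def pe_checksum(data, checksum_off):
    """Checksum as imagehlp computes it: folded 32-bit sum of every dword except
    the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_pe(data):
    """Read the header fields the triage needs; handles PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                            # PE32
        image_base, dirs = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    elif magic == 0x20B:                                          # PE32+
        image_base, dirs = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    size_of_headers, stored_checksum = struct.unpack_from("<II", data, opt + 60)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sig_size = struct.unpack_from("<II", data, dirs + 8 * DIR_SECURITY)[1] if ndirs > DIR_SECURITY else 0
    end_of_image, sections = size_of_headers, []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
        end_of_image = max(end_of_image, raw_ptr + raw_size)      # overlay = bytes past the last section
    return {
        "timestamp": dt.datetime.fromtimestamp(stamp, dt.timezone.utc),
        "image_base": image_base,
        "stored_checksum": stored_checksum,
        "computed_checksum": pe_checksum(data, opt + 64),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "signed": sig_size > 0,                                   # presence only, not validation
        "sections": sections,
        "overlay_ratio": max(0, len(data) - end_of_image) / len(data),
    }


def assess(info, release_date, overlay_limit=0.5):
    """Turn parsed fields into findings; release_date is an ISO date string."""
    released = dt.date.fromisoformat(release_date)
    findings = []
    if info["timestamp"].date() > released:
        findings.append("compile timestamp %s is after the vendor release date %s"
                        % (info["timestamp"].date(), released))
    if info["stored_checksum"] == 0:
        findings.append("header checksum is 0x00000000")
    elif info["stored_checksum"] != info["computed_checksum"]:
        findings.append("header checksum 0x%08X != computed 0x%08X"
                        % (info["stored_checksum"], info["computed_checksum"]))
    if not info["nx_compat"]:
        findings.append("NX_COMPAT not set (file ignores DEP)")
    if not info["signed"]:
        findings.append("no Authenticode signature (security directory empty)")
    if info["overlay_ratio"] > overlay_limit:
        findings.append("overlay is %.1f%% of the file" % (100 * info["overlay_ratio"]))
    if info["image_base"] not in COMMON_IMAGE_BASES:
        findings.append("unusual ImageBase 0x%X" % info["image_base"])
    return findings


def triage(data, release_date):
    return assess(parse_pe(data), release_date)


def fix_checksum(data):
    """Store the correct checksum, as a linker does for release builds."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 4 + 20 + 64
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_sample(compiled_on, checksum=0, nx=False, signed=False, overlay=b""):
    """Constructed PE32 fixture: 512-byte headers, .text/.data of 512 bytes each,
    optional overlay. Header layout only; it is not a loadable program."""
    stamp = int(dt.datetime.fromisoformat(compiled_on).replace(tzinfo=dt.timezone.utc).timestamp())
    hdr = bytearray(512)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, stamp, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<HBB", hdr, opt, 0x10B, 14, 0)                  # PE32 magic, linker 14.0
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<III", hdr, opt + 56, 0x3000, 512, checksum)    # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8040 | (NX_COMPAT if nx else 0))  # Subsystem, DllChars
    struct.pack_into("<I", hdr, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<8sIIII", hdr, opt + 224, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, opt + 264, b".data", 0x200, 0x2000, 0x200, 0x400)
    if signed:  # security directory = file offset and size of the (fake) signature blob in the overlay
        struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_SECURITY, 0x600, len(overlay))
    return bytes(hdr) + b"\xC3" * 0x200 + b"\0" * 0x200 + overlay


if __name__ == "__main__":
    # Constructed "fake installer" (stamp two days after release, zero checksum,
    # no DEP, unsigned, ~95% overlay) next to a clean build.
    fake = build_sample("2019-11-22", overlay=b"\x78\x9c" + bytes(range(256)) * 120)
    clean = fix_checksum(build_sample("2019-11-20", nx=True, signed=True, overlay=b"\x30\x82" + b"\0" * 254))
    for label, image in (("fake", fake), ("clean", clean)):
        print(label, triage(image, "2019-11-20") or ["no findings"])
```

On a real sample, replace the fixture with `open(path, "rb").read()` and the ISO date with the vendor's published release date; a stamp later than the release date, a zeroed checksum and a large overlay without a security directory are exactly the combination the post calls out, whereas a large overlay alone can also just be an installer payload or the Authenticode blob itself.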

APT.Document.VBA.Downloader.Agent.PredatorTheThief

VirusTotal

Advanced File Analysis System | Valkyrie

Some suspicious/malicious indicators:
- Found more than one unique User-Agent (Microsoft BITS/7.5, Mozilla/5.0, AppleWebKit/537.36, Chrome/72.0.281.121 Safari/537.36)
- Contains embedded VBA macros with keywords that indicate auto-execute behavior
- Contains deobfuscation code
- Checks for an "ADS" file
- Creates guarded memory sections
- Writes data to other processes ("C:\Windows\System32\certutil.exe", "C:\Windows\System32\PING.EXE")
- Creates OLE objects
- Checks network status using ping
- Uses "C:\Windows\System32\certutil.exe" to decode a file (with command line "-decode sfera redol")
- Modifies proxy settings
- Raised Suricata alerts: PE EXE or DLL Windows file download HTTP; Certificate with Unknown Content; Found "Win32/Predator The Thief" Initial CnC Checkin Request; Found MALWARE "MSIL/Predator The Thief" CnC Checkin
- POSTs files to a malicious webserver > Host: "coinbase-promo.info" > VirusTotal

A short description of the "Predator The Thief" malware: "Predator" is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes a payload builder and a command-and-control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos with the web camera. It is developed using a modular approach, so that criminals may add more sophisticated tools on top of it.
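The process behaviour in that report (a macro document handing a payload to `certutil.exe -decode` and probing the network with `PING.EXE`) is easy to catch from process-creation telemetry. Below is an added detection example written for this thread, not code from pio, Valkyrie or any vendor. It runs over constructed Sysmon-style events (parent image, image, command line); the only detail taken from the report is the `-decode sfera redol` command line, while the Office parent process, the ping arguments and the benign events are assumptions for illustration.

```python
"""Two process-creation rules for the certutil/ping behaviour from the report:
certutil invoked with a decode/download verb, and an Office application
spawning a living-off-the-land binary. Events below are constructed samples."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"certutil.exe", "ping.exe", "cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# certutil verbs routinely abused to decode or fetch payloads (case-insensitive)
CERTUTIL_ABUSE = re.compile(r"(?i)(?:^|\s)-(decode|decodehex|urlcache|verifyctl|encode)\b")


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    parent, image, cmdline = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if image == "certutil.exe" and CERTUTIL_ABUSE.search(cmdline):
        hits.append("certutil_decode_or_download")
    if parent in OFFICE_PARENTS and image in LOLBIN_CHILDREN:
        hits.append("office_spawns_lolbin")
    return hits


def scan(events):
    """Map event index -> rule hits, keeping only events that fired."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


# Constructed events: 0 and 1 mirror the sandbox report (Office parent assumed),
# 2 is a legitimate certutil use, 3 is unrelated noise.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -decode sfera redol"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 127.0.0.1 -n 5"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -verify corp-ca.cer"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["image"]), hits)
```

The certutil rule is deliberately independent of the parent, because the same `-decode` drop is also seen from script hosts and scheduled tasks; the Office-parent rule is the noisier of the two and is the one that needs allow-listing for environments with macro-driven line-of-business tooling.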

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards
Mageshwaran.B

APT19.Backdoor.UAC.Exploit.CodosoGh0st

VirusTotal

Advanced File Analysis System | Valkyrie

Some suspicious/malicious indicators:
- Compile/crypter signature: Compiler: Microsoft Visual C/C++ (2013) [DLL32]; Crypter: XOR - 0x20, Xord Javascript
- File has multiple binary anomalies: file ignores Code Integrity; the file contains other files (type: executable, location: .data, offsets "0x000DA710" and "0x000DCB10"); imports sensitive libraries (Windows Socket 2.0 32-Bit DLL); checksum mismatches the PE header value; cryptographic algorithms detected in the binary (uses constants related to SHA1, SHA256, SHA512, AES, CRC32, MD5)
- Contains a known anti-VM trick (found VM detection artifact "CPUID trick" at offset "898347")
- Contains references to system tools ("rundll32.exe")
- Contains ability to open the clipboard
- Tries to detect the presence of a debugger
- Enumerates local disk drives ("GetLogicalDriveStringsW", "GetVolumeInformationW", "GetDriveTypeW")
- Launches other programs ("CreateProcessW", "ShellExecuteW")
- Allocates read-write-execute memory
- Creates guarded memory sections
- Makes a code branch decision directly after an API that is environment aware (found API calls GetTimeZoneInformation[at]KERNEL32.dll, GetVersion[at]KERNEL32.dll, GetVersionExW[at]KERNEL32.dll)
- Listens for incoming communication
- Leverages the raw socket API to access the Internet
- Uses communication over "SMTP"
- Contains domain names (267-esmtp.gmail.com, esmtp.gmail.com, gmail.com, hxxp://www.openssl.org, hxxp://www.openssl.org/support/faq.html, openssl.org, smtp.gmail.com)

Hi pio,

Thank you for reporting this.
We’ll check it.

Best regards,
Kowsalya R

579f2fcbc9fc6201502c335b9d98a61e9bb671b0
e702e043702ffbabc9157776acc6d324c5809b9b
008021281b2f8130c6c2fc288b263671428a58dd
f912f5dd802bca78dc9dcfb6b44aeca0151ef57f
46f16026eeb1b4751acff7a7dec30e1ed0e2e48e
5a1a4802f886130a87369ac5d5bfbd6766e14ad7
ccf64721bd9691e0a27cbb0d258b6bc14f8fa32c
04e1cbe7f51a9f1944b4ce3b3c5d90b453ed8746
9513401c3d18037f8fd6612c4bff17088f674bf6
f934d5b4f465c3e4590d1b6f874c2a971eafaf77
a99a1a28a0fa27ccfd2edfcb1422891bdd25834e

Hello yigido,

The files are already under process, there’s no need to double post.

Best regards,
FlorinG

Hi FlorinG,

These files are also undetected by Valkyrie; this is why I posted them here as well.

Sorry,
yigido

The signature database detects the file on VirusTotal.

But the file is undetected on Valkyrie, and Human Expert marked the file as safe. Please check.

Hello there
Our website baitsalam.com has been classified as a Phishing website by your database.

Can you delete or change the categorization?

Removed.