Why "Normal"?

He says it is normal.

It is 100% Malware.
Antivir, Ahnlab … analysts say to me “It is malware”.
But only the Comodo analyst says “Normal”.
It is not safe. Something is wrong…

Hi hcracker,

Thanks for reporting. We’ll check this.


From Avira.

Dear Sir or Madam,

Thank you for your email to Avira’s virus lab.
Tracking number: INC01177345.

We received the following archive files:
File ID | Filename | Size (Byte) | Result
26938211 | 조이파일gondad.zip | 114.14 KB | OK
A listing of files contained inside archives alongside their results can be found below:
File ID | Filename | Size (Byte) | Result
26937804 | gondad.exe | 121 KB | MALWARE

Please find a detailed report concerning each individual sample below:
Filename | Result
gondad.exe | MALWARE

The file ‘gondad.exe’ has been determined to be ‘MALWARE’. Our analysts named the threat TR/Crypt.ZPACK.Gen. The term “TR/” denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. This file is detected by a special detection routine from the engine module.

Please note: If you have specific questions please address them to support@avira.com
Kind regards
Avira Virus Lab

Avira Operations GmbH & Co. KG
Kaplaneiweg 1, 88069 Tettnang, Germany
Phone: +49 (0) 7542-500 0
Fax: +49 (0) 7542-500 3000
Internet: http://www.avira.com

CEO: Tjark Auerbach
Headquarter: Tettnang
Commercial register: AG Ulm HRB 630992

hcracker sent the sample to me via PM.

Here are the:
Comodo Valkyrie Results
Comodo Instant Malware Analysis Results
Virustotal Results
Anubis Results

Based on the Anubis report, this thing has a high enough score to be malware.
It spawns a cmd.exe to remove itself; the exe doesn’t exit normally but crashes in the end, likely deliberately, to confuse auto analysis.