0xDEADBEEF

Everything posted by 0xDEADBEEF

  1. SHA256: a06af1ebeff4795126cbe2765954bbe177b7a34ba11e84631b347e79ef23f6f0
  2. SHA256: 67589ebe860dee5fcd8927d62c7085a23ddaca517657e6bc9e76225df2097544
     SHA256: ef9d512a9fb0c93bfda9d6427690c0880f500968798411f85b825c085df1de3b
     It is detected as potentially unwanted on VT. However, it seems the Chinese version of ESET doesn't flag the FlyStudio Packed detection even with PUA on. Since FlyStudio Packed-type malware is very popular in China, this is considered a miss. I've seen a lot of Chinese-born FlyStudio malware. I am not sure if ESET will add a secondary detection on that malware even with this PUA detection. If ESET doesn't, then the Chinese version of ESET might miss many samples.
  3. Yep, continuing to improve my auto-exec and submission system while tightening the control. I also added some YARA rules to scan the samples as a reference. Recently I haven't found any missed samples. Good job ESET.
  4. We tried again but it still doesn't help. I've sent you the download link of the dump through private message.
  5. The result from SE Lab is a bit counter-intuitive. E.g. Norton generally generates many FPs in real-life use (not only for me, but also according to the feedback of many other people). This makes me wonder what their sampling method and sample size are. This also reminds me of AVC's malware protection test. Their test shows that ESET's score is identical before/after execution (so no dynamic detection, unless they also count AMS as "scan"). This strongly implies that their testing samples are too old to reflect the real-world situation.
  6. I've been offline for a while to debug that sample in my testing env, because my Cuckoo failed to capture its behaviors. Later I realized it crashes most of the processes (including Cuckoo's agent) when doing a manual check; indeed an interesting one. Looking forward to seeing Cuckoo gradually move from R3 hooks to more reliable ones.
  7. The test machine for that screenshot is a bit special (UAC disabled and admin granted, similar to a typical Cuckoo machine setup). Will check on another machine. Usually when I see ESET popping up tens of messages, I know it failed to stop a ransomware (those messages are usually for some ransom notes). This one is, however, a bit more interesting. But I haven't had time to do any behavioral analysis on it yet.
  8. Interesting. I will let the sample run for a longer time in the virtual env and see if I can observe that.
  9. Trying my best to build an isolated environment, including my physical testbed.
  10. SHA256: 8b16103d8019fae324e7f6f9409a612b0b24a90177e413fe3d4101fbabe61b47
      Filecoder; my test machine is encrypted with the latest ESET (15975). (It is detecting Filecoder.NMK, but files are encrypted anyway.) And it bypassed my non-physical testing machine AND other vendors:
  11. SHA256: 1c7245076c34455fb532e5cb5fef71df7b083ba44cb89f37f31b054f4446ce81 (PuTTY connecting to some host)
      SHA256: 222cfaa71487f5b0b9f5fbaaf710482f99647f90eb68c4814a6f1f18e8f14f2f (delays the execution for some minutes; the downloaded filecoder is detected)
  12. The person who originally reported this issue provided the dump: https://1drv.ms/u/s!AkO8JVZQ3apzg1lBNYrnDzsah7PI Hopefully ESET can fix this issue soon. Please let me know if more info is needed.
  13. Cool! I observed the same situation in the first run. Perhaps on the second reboot, ESET received 15954 and directly detected the exe itself.
  14. SHA256: 9c96696aef7f0baeecd8e52d7075928e886bd2ff2f90d7bd2d928245637f55c9
      ESET blocks some threats, but the original executable remains persistent on the machine and therefore in memory.
      EDIT: Hmm, interesting. After I reverted the snapshot and tested again, ESET detects it. Alright, this doesn't count.
  15. That's indeed strange. I tested the sample 1 hour ago with the latest ESET and LiveGrid enabled, but I didn't get any warnings from ESET, even after the execution (should I expect to see ESET reporting "Suspicious Object" if it is detected by LiveGrid?).
  16. Nope. ESET is silent. I used a cloaked VM anyway.
  17. Isn't relying on adblock for safety similar to relying on some AVs which are purely based on hash/fuzzy-hash blacklisting? Besides, simple anti-adblock tricks and some social engineering can easily bypass this, if the user is not "cautious enough".
  18. SHA256: 3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02 Some sort of injector?
  19. I usually submit via the right-click menu. I post here because I never get a response from ESET and sometimes I am curious whether the sample is worth detecting.
  20. No, an early first-seen date doesn't necessarily mean it is benign. The sample I provided was very likely malicious before it expired (share advertisement). In case you are interested in this family, here is a translated version: https://translate.google.com/translate?hl=en&sl=zh-CN&u=hxxp://www.freebuf.com/articles/system/144525.html&prev=search
  21. Thanks for the reply. It should be an expired one (connecting to a dead host). But since ESET didn't detect it, I chose to put it here (another one from the same source (type) is detected as Generic.IXMGFLM; maybe it is currently not categorized into a family?).
  22. SHA256: cf9a800c3b009abed68a684aaf2f8cad7793b930fc323a2a2231edd5e8c3747b
  23. Yes, I had my own Cuckoo run this sample and was not sure about this particular one after looking at the report. I tend to feel that it is an FP.
  24. SHA256: 8de12700ad1cb6b9573bd0bf4cfa8d17c6370bec30576262ced4dd3916f4c9ab Is this malicious?