Posts posted by kamiran.asia

  1. 6 minutes ago, itman said:

    I have my doubts KVRT.exe "cleaned" anything other than removing and quarantining C:\Windows\System32\Ms32A1591EApp.dll.

    I suspect how it detected the .dll is that, upon seeing its encrypted status, it ran it in its sandbox, the same way VT did. Once decrypted, it detected it via signature.

    As you can see, the KVRT detection was UDS:Trojan.Win32.Agentb.a

    UDS: Urgent Detection System, which uses KSN (not a signature detection)

    1.png

  2. 5 hours ago, itman said:

    If MS5AC23CA6APP.DLL is allowed to run, the following will occur.

    The sample submitted to VT shows the malware was executed via:

    • %windir%\System32\svchost.exe -k WerSvcGroup
    • %windir%\system32\WerFault.exe -u -p 2592 -s 124

    -u stands for user mode, -p is the process id, and -s means it was executed via SilentProcessExit API mode.

    Other analysis of this malware I reviewed notes a malicious .dll is first registered. Then the legit service registry key corresponding to the svchost.exe -k WerSvcGroup .dll reference is modified to point to the malicious .dll.

    eset-wersvc.png

    The real mystery is why Eset didn't detect MS5AC23CA6APP.DLL upon download. My best guess is it's packed, encrypted, etc. code.

    Thanks, dear @itman and @safety.

    As we know, at the time of infection no AV was installed. So the DLL and the mentioned services were installed in the past.

    When ESET Endpoint Security was installed, we saw the detection alerts from svchost (Win32/TrojanDownloader.Delf.BTT), and because Ms32A1591EApp.dll cannot be accessed by Explorer or the ESET kernel, the infection persisted. If ESET could scan that DLL, it would be detected as a variant of Win32/Packed.VMProtect.ABO.

    Our customer used KVRT.exe and cleaned the infected DLL.

    We know that these threats use special techniques so that AVs do not scan them in normal Windows mode (only programs such as Gmer and KVRT, or a live OS, can see them), and ESET only blocks them when they inject into svchost or download other Trojans.

    As @Marcos said, we need a memory dump to analyze further, so we are looking for another infected system in that network.
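The two observations above (a legitimate svchost service group being re-pointed at a malicious ServiceDll, and a DLL that the registry still references but that Explorer and the AV engine cannot open) can be checked for from the registry side. The PowerShell below is an added example written for this thread, not an ESET or Kaspersky tool and not code posted by anyone in the thread. It assumes an elevated session on the host under examination and that legitimate svchost-hosted ServiceDll values live under System32 (anything else is reported for review, not declared malicious).

```powershell
# Added example, not code from the thread. Read-only audit of svchost-hosted
# services: for every service whose ImagePath is "svchost.exe -k <group>",
# read Parameters\ServiceDll and flag it when it points outside System32,
# when the registry references a file the file system does not show (a DLL
# hidden by a rootkit but still wired into a service group), when the file
# cannot be opened, or when its Authenticode/catalog signature is not valid.
# Run from an elevated PowerShell on the host being examined.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = Join-Path $env:SystemRoot 'System32'
$findings    = @()

foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }

    # Only svchost-hosted services carry "-k <group>" and a ServiceDll.
    if ($props.ImagePath -match 'svchost\.exe.*-k\s+(\S+)') { $group = $Matches[1] } else { continue }

    $paramsKey = Join-Path $servicesKey "$($svc.PSChildName)\Parameters"
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # ServiceDll is usually REG_EXPAND_SZ with %SystemRoot%; expand before comparing.
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()

    if (-not $dllPath.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'ServiceDll outside System32 (review)'
    }

    if (-not (Test-Path -LiteralPath $dllPath)) {
        # The registry says the service loads this file, but the file system
        # does not show it: exactly the mismatch a hidden DLL produces.
        $reasons += 'registry references a DLL the file system does not show'
    } else {
        try {
            $fs = [System.IO.File]::OpenRead($dllPath); $fs.Dispose()
            # System DLLs are catalog-signed; Get-AuthenticodeSignature resolves
            # catalog signatures on supported Windows versions.
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        } catch {
            $reasons += "DLL present but cannot be opened: $($_.Exception.Message)"
        }
    }

    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Service    = $svc.PSChildName
            Group      = $group
            ServiceDll = $dllPath
            Reasons    = ($reasons -join '; ')
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No suspicious ServiceDll entries found.' }
else { $findings | Sort-Object Group, Service | Format-Table -AutoSize -Wrap }
```

The useful signal is the second check: a service group such as WerSvcGroup whose ServiceDll resolves to a path that Test-Path and File.OpenRead cannot see from a normal session, while the registry still loads it at boot. Compare the output with the same script run from a live OS (where the file should become visible) to confirm a hiding mechanism rather than a stale registry entry.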

  3. On 6/15/2021 at 2:27 PM, Marcos said:

    The sample is already detected:

    Win32/TrojanDownloader.Delf.DFG

    Unfortunately without a complete memory dump we can't improve protection against this rootkit.

    Unfortunately, as I said, we don't have any infected system right now to analyze further (memory dump, etc.).

    Quote

    The sample is already detected:

    Win32/TrojanDownloader.Delf.DFG

    Yes, the source of infection is detected by ESET; maybe no AV was installed when the PCs were infected.

    As you know, the main problem is that the rootkit DLL hides itself from Windows and the ESET kernel, so only Gmer or a live OS can see it.

    We will update this topic if we find another infected system.

  4. 4 hours ago, Marcos said:

    That's why we've asked you for a complete memory dump from the infected machine which is necessary for further investigation of the malware.

    Regarding ESET SysRescue, I didn't have any problems with update as long as the computer was connected to the Internet:

    image.png

    Dear @Marcos

    We tested again; the .nup file is downloaded but the VSD version does not update beyond 22313.

    Latest update: 22313 - 2020-11-13, and it cannot be updated any more.

    It seems that there is a problem with the Linux update files for SysRescue.

  5. 10 hours ago, itman said:

    Per the VT link you posted, Eset's detection of the .dll you found is "A variant of Win32/Packed.VMProtect.ABO."

    Are your clients using cracked software?

    No. We think that this DLL file is encrypted by VMProtect, so ESET detects it as Win32/Packed.VMProtect.ABO.

  6. @Marcos Unfortunately all infected systems are cleaned right now by KVRT.exe 😔

    We are working on this threat; we found an exe file that may be the source of infection. But when we run it in our test lab nothing happens, it just downloads a cert from

    Maybe it detects the virtual environment and decides not to run.

    The file is attached. Password: infected

    RFQ.zip

  7. 2 hours ago, Marcos said:

    Please start off by running a disk scan with ESET SysRescue.

    While we were testing SysRescue in this case, we found that it cannot be updated to the latest signatures.

    Even with user/pass, and even from other ESET update servers.

    Latest update is 22313 - 2020-11-13, and it cannot be updated any more.

    SysRescue.jpg

  8. 2 minutes ago, Marcos said:

    Please start off by running a disk scan with ESET SysRescue.

    Hi dear @Marcos, and thank you for the quick reply as usual.

    We think that ESET SysRescue will detect this file because it will clean it from a live OS. The problem is why Kaspersky Virus Removal Tool can scan this file in normal mode but ESET cannot see it!

    It is very hard to clean such infections with SysRescue in an enterprise network!

  9. Hi Dear ESET Admins.

    We found over 10 systems in a network that were infected with a DLL that works like a rootkit. It uses svchost.exe and dllhost.exe to download other Trojans and coin-miners.

    The main DLL threat is: c:\windows\system32\Ms32A1591EApp.dll

    https://www.virustotal.com/gui/file/7893c5e68ff78d76c0b4b8ba5ae2367fa9c285efe520de44ff12498ba90df5b0/detection

    It's registered as a hidden service that only Gmer.exe can show in system32 (hidden). ESET detects this DLL as a variant of Win32/Packed.VMProtect.ABO, but on an infected system ESET Endpoint Security cannot see that DLL and cannot even scan it. ESET just blocks the injected svchost.exe many times (as you can see in the pictures). A restart message appears, but after the restart and a deep scan the infection still exists.

    We used Kaspersky Virus Removal Tool and it can scan and detect Ms32A1591EApp.dll and clean the infection in the normal environment (not Safe Mode or a rescue disk).

    ESET Log Collector log of the infected system: https://we.tl/t-Ga6SeZWiTp

    Maybe ESET SysRescue will clean this infection from a live OS, but the question is:

    Why can ESET Endpoint Security v8.0 not scan that DLL on the infected system, while Kaspersky Virus Removal Tool (portable) can scan that file in the normal environment (not Safe Mode or a rescue disk) on the infected system?

    Password of zip file: infected

    2.png

    3.png

    1.png

    Ms32A1591EApp_Password_infected.zip

  10. 5 hours ago, itman said:

    What about sqlbase.exe since this is the malicious parent process? Does that show in SysInspector?

    BTW - I believe a malicious sqlbase engine was installed.

    Also it appears you found the malicious versions of sqlbase.exe and sqlconn.exe since they are sitting on your desktop. Is the issue that these keep reappearing on the infected devices?

    Also submit sqlservr.exe on one of these devices with issues to VirusTotal for a scan.

    The screenshot is from our test system.

    On the SQL Server we just see that ESET blocks hxxp://dl.love-network.cc/SqlBase.exe

    It means that C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe is downloading hxxp://dl.love-network.cc/SqlBase.exe and ESET blocks it.

    We are searching for the source of these commands.

  11. Hi dears.

    We have a problem with HIPS registry rules for services:

    We created a HIPS block rule to prevent modification of:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start

    But it seems that ESET cannot apply HIPS registry rules to this address.

    It seems that any rule applied to HKEY_LOCAL_MACHINE\SYSTEM\ will not work.

    ESET version: Endpoint Security 8.0.2028.0 - Windows 10
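While the HIPS rule on USBSTOR\Start is being investigated, the value can still be watched with Windows' own object-access auditing, which is independent of the AV product. The PowerShell below is an added example written for this thread, not an ESET feature and not code posted by anyone in the thread. It assumes an elevated session, an English Windows installation (the audit subcategory is addressed by its English name), and that 4 (Disabled) is the Start value you want to protect; change $expectedStart if you use 3 (Manual).

```powershell
# Added example, not code from the thread. Independent of the HIPS rule:
# 1) report the current USBSTOR Start value, 2) turn on the Registry audit
# subcategory, 3) put an audit SACL on the USBSTOR key so that any value
# write, deletion or permission change on it is recorded in the Security
# log as event 4657 (registry value modified), 4) query those events.
# Run from an elevated PowerShell.

$key           = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$expectedStart = 4   # ASSUMPTION: 4 = Disabled is the value being protected (3 = Manual)

# 1. Current value, so drift from the intended setting is visible.
$start = (Get-ItemProperty -Path $key -Name Start).Start
if ($start -ne $expectedStart) {
    Write-Warning "USBSTOR\Start is $start, expected $expectedStart"
} else {
    Write-Output "USBSTOR\Start = $start (as expected)"
}

# 2. Event 4657 is only logged when the "Registry" object-access subcategory is enabled.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 3. Audit rule: record success and failure of value writes, deletions and
#    permission changes on this key by any principal. -Audit is required so
#    that Get-Acl returns (and Set-Acl writes) the SACL, not just the DACL.
$acl  = Get-Acl -Path $key -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# 4. Pull recent modification events that mention the key.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'USBSTOR' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Auditing does not block the change the way a HIPS rule would, but the 4657 event names the process and account that wrote the value, which is what you need to find the source of an unwanted modification. Forward the Security log to your SIEM if the endpoints are not inspected locally.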

  12. Hi Dears.

    In these two weeks our support team found some SQL Servers infected with this problem:

    Many ESET FS event log entries show that sqlservr.exe wants to download hxxp://dl.love-network.cc/SqlBase.exe

    So ESET blocks it with Web Access Protection.

    Info: port 1433 was open to the internet. (We force the customer to secure this port with a VPN or similar.)

    How can we find where these commands are run from, to clean it manually?

    This is the ESET Log Collector log: https://we.tl/t-OeSUn9AXTc

    Parjin.jpg
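The two SQL Server posts in this list (the one above and the earlier sqlbase.exe post) describe the same pair of conditions: TCP 1433 exposed to the internet, and sqlservr.exe itself initiating downloads. The PowerShell below is an added triage script for that situation, not an ESET tool and not code posted by anyone in the thread. It assumes an elevated session on the SQL Server host, a default 1433 listener, and a placeholder internal range in $allowedFrom that you must replace; the firewall change at the end only runs when $applyFix is set to $true.

```powershell
# Added example, not code from the thread. Triage for the two conditions in
# the SQL Server posts: TCP 1433 reachable from the outside, and sqlservr.exe
# holding outbound connections to addresses outside the private ranges.
# Steps 1-3 are read-only; step 4 changes firewall rules only when $applyFix
# is set to $true. Run from an elevated PowerShell on the SQL Server host.

$applyFix    = $false
$allowedFrom = '10.0.0.0/8'   # ASSUMPTION: placeholder for the internal range that may reach 1433

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918 IPv4, loopback, and IPv6 loopback/link-local/ULA count as internal.
    return ($Address -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' -or
            $Address -match '^(::1$|fe80:|f[cd])')
}

# 1. Listeners on 1433. LocalAddress 0.0.0.0 or :: means every interface.
Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ('1433 listener: {0} (PID {1}) bound to {2}' -f $proc.ProcessName, $_.OwningProcess, $_.LocalAddress)
}

# 2. Enabled inbound allow rules for TCP 1433 whose remote scope is "Any".
$openRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '1433' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
foreach ($r in $openRules) { Write-Warning "Inbound rule '$($r.DisplayName)' allows TCP 1433 from Any" }

# 3. Established connections owned by sqlservr.exe to non-private addresses.
$sqlPids = @(Get-Process -Name sqlservr -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $sqlPids -contains $_.OwningProcess -and -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object { Write-Warning ('sqlservr.exe PID {0} -> {1}:{2}' -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort) }

# 4. Mitigation: add a rule scoped to the internal range, then disable the
#    wide-open ones found in step 2.
if ($applyFix -and $openRules) {
    New-NetFirewallRule -DisplayName 'SQL Server TCP 1433 - internal only' -Direction Inbound `
        -Protocol TCP -LocalPort 1433 -RemoteAddress $allowedFrom -Action Allow -Profile Any | Out-Null
    $openRules | Disable-NetFirewallRule
    Write-Output "Scoped 1433 to $allowedFrom and disabled $(@($openRules).Count) open rule(s)."
}
```

Step 3 is the part that answers "where are these commands run from": a database engine process with an established connection to an external address, at the same time the web-protection log shows it fetching an executable, points at the SQL Server itself being driven over the exposed port rather than at a separate dropper. Run it while the ESET block events are being generated so the connection is still in the table.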
