0xDEADBEEF 43 Posted August 19, 2017
SHA256: cf9a800c3b009abed68a684aaf2f8cad7793b930fc323a2a2231edd5e8c3747b

Administrators Marcos 5,286 Posted August 19, 2017
43 minutes ago, 0xDEADBEEF said:
SHA256: cf9a800c3b009abed68a684aaf2f8cad7793b930fc323a2a2231edd5e8c3747b
It's a one-month-old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.

0xDEADBEEF 43 Posted August 19, 2017 (edited)
6 minutes ago, Marcos said:
It's a one-month-old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.
Thanks for the reply. It should be an expired one (connecting to a dead host). But since ESET didn't detect it, I chose to put it here (another one from the same source (type) is detected as Generic.IXMGFLM; maybe currently it is not categorized into some family?)
Edited August 19, 2017 by 0xDEADBEEF

TomFace 539 Posted August 19, 2017 (edited)
1 hour ago, 0xDEADBEEF said:
SHA256: cf9a800c3b009abed68a684aaf2f8cad7793b930fc323a2a2231edd5e8c3747b
Shouldn't this be submitted to samples@eset .com? There is an established procedure in place: http://support.eset.com/kb141/
Edited August 19, 2017 by TomFace

itman 1,754 Posted August 19, 2017 (edited)
Been in the wild for close to 7 years, with a creation date of 1992 per VT, but security solutions just started detecting it in June 2017? And all the AI/Next Gen solutions are doing so. Again, CrowdStrike gives it 80% confidence. I say it's an FP.
Quote:
History
Creation Time: 1992-06-19 22:22:17
First Seen In The Wild: 2010-11-20 23:29:33
First Submission: 2017-06-14 18:05:17
Last Submission: 2017-08-19 04:18:18
Last Analysis: 2017-08-19 04:18:18
Edited August 19, 2017 by itman

itman 1,754 Posted August 19, 2017
I do see a pattern forming, though. I suspect a lot of these AI/Next Gen solutions, along with Avast-AVG and a few others, are perhaps "plugged in" to Microsoft's Azure AI servers. So when it detects, they all post a positive hit.

0xDEADBEEF 43 Posted August 19, 2017
1 hour ago, itman said:
I do see a pattern forming, though. I suspect a lot of these AI/Next Gen solutions, along with Avast-AVG and a few others, are perhaps "plugged in" to Microsoft's Azure AI servers. So when it detects, they all post a positive hit.
No, an early first-seen date doesn't necessarily mean it is benign. The sample I provided is very likely to have been malicious before it expired (share advertisement). In case you are interested in this family, here is a translated version: https://translate.google.com/translate?hl=en&sl=zh-CN&u=hxxp://www.freebuf.com/articles/system/144525.html&prev=search

0xDEADBEEF 43 Posted August 19, 2017
11 hours ago, TomFace said:
Shouldn't this be submitted to samples@eset .com? There is an established procedure in place: hxxp://support.eset.com/kb141/
I usually submit via the right-click menu. I post here because I never get a response from ESET, and sometimes I am curious whether the sample is worth detecting.

0xDEADBEEF 43 Posted August 19, 2017 (edited)
SHA256: 3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02
Some sort of injector?
Edited August 19, 2017 by 0xDEADBEEF

itman 1,754 Posted August 19, 2017
1 hour ago, 0xDEADBEEF said:
In case you are interested in this family, here is a translated version: https://translate.google.com/translate?hl=en&sl=zh-CN&u=hxxp://www.freebuf.com/articles/system/144525.html&prev=search
The translation is pretty bad. What I could glean was that it spread through Internet cafes in China? As such, it could actually be state-created malware.

TomFace 539 Posted August 19, 2017 (edited)
1 hour ago, 0xDEADBEEF said:
I usually submit via the right-click menu. I post here because I never get a response from ESET, and sometimes I am curious whether the sample is worth detecting.
The process exists for a reason. Your personal requests are denying other posters the help they need from the Moderators.
Edited August 19, 2017 by TomFace

itman 1,754 Posted August 19, 2017 (edited)
1 hour ago, 0xDEADBEEF said:
SHA256: 3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02
Some sort of injector?
This appears to be ransomware just discovered this morning. It appears to be delivered via a zip file, most likely an e-mail attachment. Also, ESET might already be blocking this by blacklist. The only way to know for sure is to run the sample with ESET installed in a VM. This also might not work, since much ransomware now employs VM and sandbox detection methods and refuses to run.
Edited August 19, 2017 by itman

0xDEADBEEF 43 Posted August 19, 2017
14 minutes ago, itman said:
This appears to be ransomware just discovered this morning. It appears to be delivered via a zip file, most likely an e-mail attachment. Also, ESET might already be blocking this by blacklist. The only way to know for sure is to run the sample with ESET installed in a VM. This also might not work, since much ransomware now employs VM and sandbox detection methods and refuses to run.
Nope. ESET is silent. I used a cloaked VM anyway.

Administrators Marcos 5,286 Posted August 19, 2017
Detected and blocked by LiveGrid. It's Filecoder.Locky. We'll need to investigate what happened during replication, as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.

0xDEADBEEF 43 Posted August 19, 2017
10 minutes ago, Marcos said:
Detected and blocked by LiveGrid. It's Filecoder.Locky. We'll need to investigate what happened during replication, as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.
That's indeed strange. I tested the sample 1 hour ago with the latest ESET and LiveGrid enabled, but I didn't get any warnings from ESET, even after the execution (should I expect to see ESET reporting "Suspicious Object" if it is detected by LiveGrid?)

novice 20 Posted August 19, 2017
16 hours ago, Marcos said:
It's a one-month-old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.
On VT this file is being detected by 22 engines; sure enough, ESET is NOT one of them.

Guest Posted August 19, 2017
Latest detection: https://www.virustotal.com/#/file/cf9a800c3b009abed68a684aaf2f8cad7793b930fc323a2a2231edd5e8c3747b/detection

novice 20 Posted August 19, 2017 (edited)
4 hours ago, TomFace said:
The process exists for a reason.
Personally, I like to see such postings, which make people aware. The "process" is a hidden one, which can induce a false feeling of security. 0xDEADBEEF, keep up the good work.
Edited August 19, 2017 by MSE

itman 1,754 Posted August 19, 2017
5 hours ago, Marcos said:
Detected and blocked by LiveGrid. It's Filecoder.Locky. We'll need to investigate what happened during replication, as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.
Couldn't think of a better example of why LiveGrid should be alerting on unknown process detection, but I won't get into that discussion again.

0xDEADBEEF 43 Posted August 22, 2017 (edited)
SHA256: 9c96696aef7f0baeecd8e52d7075928e886bd2ff2f90d7bd2d928245637f55c9
ESET blocks some threats, but the original executable remains persistent on the machine and therefore in memory.
EDIT: Hmm, interesting. After I reverted the snapshot and tested again, ESET detects it. Alright, this doesn't count.
Edited August 22, 2017 by 0xDEADBEEF

Administrators Marcos 5,286 Posted August 22, 2017
2 hours ago, 0xDEADBEEF said:
SHA256: 9c96696aef7f0baeecd8e52d7075928e886bd2ff2f90d7bd2d928245637f55c9
ESET blocks some threats, but the original executable remains persistent on the machine and therefore in memory.
EDIT: Hmm, interesting. After I reverted the snapshot and tested again, ESET detects it. Alright, this doesn't count.
It seems to be a new TrickBot, blocked in LiveGrid about 9 hours ago, with the detection added in update 15954 released about 3 hours ago. If malware is already running in memory and we detect it, the process is either terminated or suspended. That said, even if you see a malicious process among running processes, it may be in a suspended state and doing nothing. The computer should be restarted to finish cleaning.

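One way a responder can check the point Marcos makes above (a detected process may still appear in the process list but be suspended and doing nothing) is to enumerate processes whose every thread is parked in the Suspended wait state. This is an added example, not ESET's code; it relies on the documented Win32_Thread CIM class (ThreadState 5 = Waiting, ThreadWaitReason 5 = Suspended) and assumes a PowerShell 3.0 or later session with rights to query other processes' threads.

```powershell
# Added example (not ESET's code): list processes whose threads are all
# Waiting with wait reason Suspended, i.e. present in the process list but
# unable to execute until resumed. Values come from the Win32_Thread class:
#   ThreadState 5 = Waiting, ThreadWaitReason 5 = Suspended
function Get-SuspendedProcess {
    [CmdletBinding()]
    param()

    # Win32_Thread.ProcessHandle holds the owning process ID as a string,
    # so grouping on it gives one group of threads per process.
    $groups = Get-CimInstance -ClassName Win32_Thread |
        Group-Object -Property ProcessHandle

    foreach ($group in $groups) {
        $all = @($group.Group)
        $suspended = @($all | Where-Object {
            $_.ThreadState -eq 5 -and $_.ThreadWaitReason -eq 5
        })

        # Only report when every thread of the process is suspended; a process
        # with one suspended worker thread is normal and not interesting here.
        if ($all.Count -gt 0 -and $suspended.Count -eq $all.Count) {
            $procId = [int]$group.Name
            # Process may have exited between the two queries; tolerate that.
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                PID         = $procId
                Name        = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path        = if ($proc) { $proc.Path } else { $null }
                ThreadCount = $all.Count
            }
        }
    }
}

# Example run: show fully suspended processes with their image paths, which
# is where to look before rebooting to complete the cleanup.
Get-SuspendedProcess | Format-Table -AutoSize
```

Run from an elevated prompt so that threads of processes owned by other users (including SYSTEM) are visible; otherwise those processes are simply absent from the output rather than reported.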
0xDEADBEEF 43 Posted August 22, 2017
8 hours ago, Marcos said:
It seems to be a new TrickBot, blocked in LiveGrid about 9 hours ago, with the detection added in update 15954 released about 3 hours ago. If malware is already running in memory and we detect it, the process is either terminated or suspended. That said, even if you see a malicious process among running processes, it may be in a suspended state and doing nothing. The computer should be restarted to finish cleaning.
Cool! I observed the same situation in the first run. Perhaps on the second reboot ESET received 15954 and directly detected the exe itself.

0xDEADBEEF 43 Posted August 24, 2017 (edited)
SHA256: 1c7245076c34455fb532e5cb5fef71df7b083ba44cb89f37f31b054f4446ce81 (putty connecting to some host)
SHA256: 222cfaa71487f5b0b9f5fbaaf710482f99647f90eb68c4814a6f1f18e8f14f2f (delays execution for some minutes; the downloaded filecoder is detected)
Edited August 24, 2017 by 0xDEADBEEF

0xDEADBEEF 43 Posted August 25, 2017 (edited)
SHA256: 8b16103d8019fae324e7f6f9409a612b0b24a90177e413fe3d4101fbabe61b47
Filecoder; my test machine is encrypted with the latest ESET (15975). (It is detecting Filecoder.NMK, but files are encrypted anyway.) And it bypassed my non-physical testing machine AND other vendors:
Edited August 25, 2017 by 0xDEADBEEF

itman 1,754 Posted August 25, 2017
This one appears to be hijacking a valid 32-bit .dll, cl3d32.dll, which is located in the SysWOW64 directory. The ransomware .exe appears to be 32-bit.