0xDEADBEEF

Interesting Samples


43 minutes ago, 0xDEADBEEF said:

SHA256: cf9a800c3b009abed68a684aaf2f8cad7793b930fc323a2a2231edd5e8c3747b

It's a one-month-old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.

6 minutes ago, Marcos said:

It's a one-month-old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.

Thanks for the reply. It should be an expired one (connecting to a dead host). But since ESET didn't detect it, I chose to put it here (another one from the same source (type) is detected as Generic.IXMGFLM; maybe it is currently not categorized into any family?)

Edited by 0xDEADBEEF


1 hour ago, 0xDEADBEEF said:

SHA256: cf9a800c3b009abed68a684aaf2f8cad7793b930fc323a2a2231edd5e8c3747b

Shouldn't this be submitted to samples@eset.com? There is an established procedure in place.

http://support.eset.com/kb141/

Edited by TomFace


Been in the wild for close to 7 years with a creation date of 1992 per VT, but security solutions just started detecting it in June 2017? And all the AI/Next-Gen solutions are doing so. Again, CrowdStrike gives it 80% confidence. I say it's an FP.

History

Creation Time: 1992-06-19 22:22:17
First Seen In The Wild: 2010-11-20 23:29:33
First Submission: 2017-06-14 18:05:17
Last Submission: 2017-08-19 04:18:18
Last Analysis: 2017-08-19 04:18:18

Edited by itman


I do see a pattern forming, though. I suspect a lot of these AI/Next-Gen solutions, along with Avast-AVG and a few others, are perhaps "plugged in" to Microsoft's Azure AI servers. So when it detects, they all post a positive hit.

1 hour ago, itman said:

I do see a pattern forming, though. I suspect a lot of these AI/Next-Gen solutions, along with Avast-AVG and a few others, are perhaps "plugged in" to Microsoft's Azure AI servers. So when it detects, they all post a positive hit.

No, an early first-seen date doesn't necessarily mean it is benign. The sample I provided was very likely malicious before it expired (advertisement sharing).

In case you are interested in this family, here is a translated version: https://translate.google.com/translate?hl=en&sl=zh-CN&u=hxxp://www.freebuf.com/articles/system/144525.html&prev=search

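The two posts above disagree over what the VT "History" block proves: itman reads the 1992 creation time as evidence of a false positive, 0xDEADBEEF replies that an early first-seen date says nothing about benignity. The script below is an added example (not from the thread, ESET or VirusTotal) of how a triage analyst can check the compile timestamp rather than trust it: it reads the COFF TimeDateStamp (the field VT reports as "Creation Time") straight from the PE header and compares it with the sighting and submission dates. The history text is a constructed copy of the block quoted above, the PE bytes are a constructed header-only stub, and the thresholds (10 years, 1 year) are assumptions, not rules from the thread.

```python
import struct
from datetime import datetime, timezone

# Constructed copy of the VirusTotal "History" block quoted in the thread
HISTORY_TEXT = """\
Creation Time: 1992-06-19 22:22:17
First Seen In The Wild: 2010-11-20 23:29:33
First Submission: 2017-06-14 18:05:17
Last Submission: 2017-08-19 04:18:18
Last Analysis: 2017-08-19 04:18:18
"""


def parse_history(text):
    """Parse 'Label: YYYY-MM-DD HH:MM:SS' lines into a dict of UTC datetimes."""
    history = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        history[label.strip()] = datetime.strptime(
            value.strip(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return history


def pe_timestamp(data):
    """Read the COFF TimeDateStamp (what VT shows as 'Creation Time') from a PE image.

    Layout: DOS header -> e_lfanew at 0x3C -> 'PE' + two NUL bytes -> COFF header,
    whose TimeDateStamp is the DWORD after Machine (2 bytes) and NumberOfSections (2 bytes).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (raw,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(raw, tz=timezone.utc)


def build_fake_pe(timestamp):
    """Constructed header-only PE (not a real program) carrying a chosen TimeDateStamp."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, timestamp, no symbol table, no optional header, no flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, int(timestamp), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def assess(compile_time, history, max_gap_years=10):
    """Return triage findings on how far the compile timestamp can be trusted (assumed thresholds)."""
    first_seen = history["First Seen In The Wild"]
    first_submission = history["First Submission"]
    findings = []
    if compile_time > first_seen:
        findings.append("compile time is later than the first sighting: "
                        "the timestamp is forged or the build clock was wrong")
    elif (first_seen - compile_time).days > max_gap_years * 365:
        findings.append(f"compile time predates the first sighting by more than "
                        f"{max_gap_years} years: treat the timestamp as unreliable, "
                        "not as evidence that the file is old and benign")
    if (first_submission - first_seen).days > 365:
        findings.append("first submitted for scanning more than a year after the first "
                        "sighting: low prevalence, so a late detection is not a contradiction")
    return findings


if __name__ == "__main__":
    history = parse_history(HISTORY_TEXT)
    sample = build_fake_pe(history["Creation Time"].timestamp())
    for finding in assess(pe_timestamp(sample), history):
        print("-", finding)
```

Run against the quoted history, the sample gets two findings: the 1992 stamp sits 18 years before the first sighting, so it is a value the compiler or a packer wrote and not proof of age, and the six-year gap before first submission explains why engines had nothing to detect until then. A stamp later than the first sighting would be flagged the other way. Either result is a reason to look at behaviour (the batch file, the dead host) rather than at the date.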
11 hours ago, TomFace said:

Shouldn't this be submitted to samples@eset.com? There is an established procedure in place.

hxxp://support.eset.com/kb141/

I usually submit via the right-click menu. I post here because I never get a response from ESET, and sometimes I am curious whether the sample is worth detecting.


SHA256: 3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02 

Some sort of injector?

Edited by 0xDEADBEEF

1 hour ago, 0xDEADBEEF said:

The translation is pretty bad. What I could glean was that it spread through Internet cafes in China? As such, it could actually be state-created malware.

1 hour ago, 0xDEADBEEF said:

I usually submit via the right-click menu. I post here because I never get a response from ESET, and sometimes I am curious whether the sample is worth detecting.

The process exists for a reason. Your personal requests are denying other posters the help they need from the Moderators.

Edited by TomFace

1 hour ago, 0xDEADBEEF said:

SHA256: 3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02 

Some sort of injector?

This appears to be ransomware just discovered this morning. It appears to be delivered via a zip file, most likely an e-mail attachment.

Also, ESET might already be blocking this by blacklist. The only way to know for sure is to run the sample with ESET installed in a VM. This also might not work, since many ransomware samples now employ VM and sandbox detection methods and refuse to run.

Edited by itman

14 minutes ago, itman said:

This appears to be ransomware just discovered this morning. It appears to be delivered via a zip file, most likely an e-mail attachment.

Also, ESET might already be blocking this by blacklist. The only way to know for sure is to run the sample with ESET installed in a VM. This also might not work, since many ransomware samples now employ VM and sandbox detection methods and refuse to run.

Nope. ESET is silent :) I used a cloaked VM anyway.


Detected and blocked by LiveGrid :) It's Filecoder.Locky. We'll need to investigate what happened during replication as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.

10 minutes ago, Marcos said:

Detected and blocked by LiveGrid :) It's Filecoder.Locky. We'll need to investigate what happened during replication as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.

That's indeed strange. I tested the sample an hour ago with the latest ESET and LiveGrid enabled, but I didn't get any warnings from ESET, even after execution (should I expect to see ESET reporting "Suspicious Object" if it is detected by LiveGrid?)

16 hours ago, Marcos said:

It's a one-month-old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.

On VT this file is being detected by 22 engines; sure enough ESET is NOT one of them.

4 hours ago, TomFace said:

The process exists for a reason.

Personally, I like to see such postings, which make people aware.

The "process" is a hidden one, which can induce a false feeling of security.

0xDEADBEEF, keep up the good work.

Edited by MSE

5 hours ago, Marcos said:

Detected and blocked by LiveGrid :) It's Filecoder.Locky. We'll need to investigate what happened during replication as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.

Couldn't think of a better example of why LiveGrid should be alerting on unknown process detection, but I won't get into that discussion again.


SHA256: 9c96696aef7f0baeecd8e52d7075928e886bd2ff2f90d7bd2d928245637f55c9  

ESET blocks some threats, but the original executable remains persistent on the machine :( and therefore in memory.

EDIT: Hmm, interesting. After I reverted the snapshot and tested again, ESET detects it. Alright, this doesn't count.

Edited by 0xDEADBEEF

2 hours ago, 0xDEADBEEF said:

SHA256: 9c96696aef7f0baeecd8e52d7075928e886bd2ff2f90d7bd2d928245637f55c9  

ESET blocks some threats, but the original executable remains persistent on the machine :( and therefore in memory.

EDIT: Hmm, interesting. After I reverted the snapshot and tested again, ESET detects it. Alright, this doesn't count.

It seems to be a new TrickBot blocked in LiveGrid about 9 hours ago and the detection added in update 15954 released about 3 hours ago. If malware is already running in memory and we detect it, the process is either terminated or suspended. That said, even if you see a malicious process among running processes, it may be in suspended state and do nothing. The computer should be restarted to finish cleaning.

8 hours ago, Marcos said:

It seems to be a new TrickBot blocked in LiveGrid about 9 hours ago and the detection added in update 15954 released about 3 hours ago. If malware is already running in memory and we detect it, the process is either terminated or suspended. That said, even if you see a malicious process among running processes, it may be in suspended state and do nothing. The computer should be restarted to finish cleaning.

Cool! I observed the same situation in the first run. Perhaps on the second reboot ESET received 15954 and directly detected the exe itself.


SHA256: 1c7245076c34455fb532e5cb5fef71df7b083ba44cb89f37f31b054f4446ce81 (PuTTY connecting to some host :) )

SHA256: 222cfaa71487f5b0b9f5fbaaf710482f99647f90eb68c4814a6f1f18e8f14f2f (delays execution for some minutes; the downloaded filecoder is detected)

Edited by 0xDEADBEEF


SHA256: 8b16103d8019fae324e7f6f9409a612b0b24a90177e413fe3d4101fbabe61b47

Filecoder; my test machine was encrypted with the latest ESET (15975). (It is detecting Filecoder.NMK, but files are encrypted anyway.)

And it bypassed my non-physical testing machine :(

[screenshot: filecoder]

AND other vendors:

[screenshot: vt]

Edited by 0xDEADBEEF


This one appears to be hijacking a valid 32-bit .dll, cl3d32.dll, which is located in the SysWOW64 directory. The ransomware .exe appears to be 32-bit.

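The post above describes a sample that hijacks a legitimate DLL in SysWOW64, the kind of change an AV engine may miss once the file looks like the original. One defender-side check that does not depend on any vendor's signatures is a hash baseline of the protected directory, re-compared after a suspected incident. The script below is an added example, not code from the thread or from ESET; it stages the scenario in a temporary directory with constructed stand-in files (the name cl3d32.dll is the one the post mentions, the bytes are made up) and reports replaced, new and missing DLLs against a saved baseline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large libraries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory, pattern="*.dll"):
    """Map each DLL file name under `directory` to its hash: the trusted snapshot."""
    directory = Path(directory)
    return {p.name: sha256_file(p) for p in sorted(directory.glob(pattern)) if p.is_file()}


def compare(baseline, directory, pattern="*.dll"):
    """Report DLLs whose hash changed, that are new, or that vanished since the baseline."""
    current = build_baseline(directory, pattern)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def save_baseline(baseline, path):
    """Persist the snapshot; in real use keep this copy off the monitored host."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario in a temp dir: snapshot, then replace one DLL, add one, remove one."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "cl3d32.dll").write_bytes(b"MZ" + b"\x00" * 64)   # stand-in for the legitimate library
        (d / "other.dll").write_bytes(b"MZ" + b"\x01" * 64)
        baseline_file = d / "baseline.json"                    # excluded by the *.dll pattern
        save_baseline(build_baseline(d), baseline_file)

        (d / "cl3d32.dll").write_bytes(b"MZ" + b"\x90" * 64)   # replaced: what a hijack looks like
        (d / "dropped.dll").write_bytes(b"MZ" + b"\xcc" * 64)  # newly appeared file
        (d / "other.dll").unlink()                            # missing file
        return compare(load_baseline(baseline_file), d)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real Windows host the baseline would be taken from C:\Windows\SysWOW64 on a known-clean image and stored elsewhere, then compared after a scare like the one above; a replaced cl3d32.dll shows up under "modified" regardless of whether any engine names it. Hash comparison only tells you that a file changed, so a finding still needs an Authenticode signature check and a look at the replacement itself, neither of which this snippet does.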
