0xDEADBEEF, posted January 26, 2018:
SHA256: 295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2
The file is too large to be submitted through email.
Peter Randziak (ESET Moderator), posted January 26, 2018:
Hello @0xDEADBEEF, you can send me a private message with a link to download it, or you can upload it to ftp://ftp.nod.sk/samples/ with a unique name (you can use the file hash). Let me know once the upload is complete and we will check it.
Thank you, P.R.
0xDEADBEEF (author), posted January 26, 2018, quoting Peter Randziak (7 hours earlier):
    "Hello @0xDEADBEEF you can send me a private message with a link to download or you can upload it to ftp://ftp.nod.sk/samples/ with a unique name, you can use the file hash and let me know once the upload is complete, we will check it. Thank you, P.R."
I have uploaded the sample (the filename is the SHA256 hash); let me know if you need more info.
In addition, I have uploaded another sample with SHA256 hash: 0b22c637cdd4da733aa159a0e4d754c35d94b01ec98d37e6c04324eb5f545de0
Thanks
itman, posted January 26, 2018, quoting 0xDEADBEEF (10 hours earlier):
    "SHA256: 295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2 the file is too large to be submitted through email"
More Chinese malware. Looks like the few that are detecting it are doing so strictly on behavior. Would love to know if this is a Spectre/Meltdown one that can be added to the 123 detected so far by AV-Test: https://twitter.com/avtestorg/status/955823351141949440
Marcos (ESET Administrator), posted January 26, 2018, quoting itman (14 minutes earlier):
    "More Chinese malware. Looks like few that are detecting it are doing so strictly on behavior. Would love to know if this is a Spectre/Meldown one that can be added to the 123 detected so far by AV-Test: https://twitter.com/avtestorg/status/955823351141949440"
As far as I know, those samples from AV-Test are just innocuous POCs and we were not going to detect them.
Regarding the sample above, the verdict is: it is already detected as a variant of Win32/Packed.VMProtect.M suspicious application. After the next update it will be detected as Win32/RiskWare.GameHack.CB application.
0xDEADBEEF (author), posted January 26, 2018, quoting Marcos (12 minutes earlier):
    "It is already detected as a variant of Win32/Packed.VMProtect.M suspicious application. After the next update it will be detected as Win32/RiskWare.GameHack.CB application."
Are you referring to the sample 295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2? At least at the time I posted this thread, it was not detected as any threat upon scanning (I've turned on PUA and suspicious detection). The observation is that running it will have AMS detect one dropped DLL in memory as SMSBomber.L, but there are still some side effects remaining.
Marcos (ESET Administrator), posted January 26, 2018, quoting 0xDEADBEEF (2 minutes earlier):
    "Are you referring to the sample: 295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2 ?"
Correct. I've scanned it with my Endpoint 6.6 and it's detected:
Log:
E:\test\a9e11807f3cccd52f5476956f96d853e794ced2d - a variant of Win32/Packed.VMProtect.M suspicious application
As for the SMSBomber.L, it will be reclassified later. It's not malware.
0xDEADBEEF (author), posted January 26, 2018, quoting Marcos (3 minutes earlier):
    "Correct. I've scanned it with my Endpoint 6.6 and it's detected: Log E:\test\a9e11807f3cccd52f5476956f96d853e794ced2d - a variant of Win32/Packed.VMProtect.M suspicious application. As for the SMSBomber.L, it will be reclassified later. It's not malware."
Interesting... this makes me wonder why my updated ESET at the time didn't give the Packed.VMProtect.M verdict (it's not on VirusTotal either).
BTW, does RiskWare.GameHack.CB mean it is not doing actual damage to the system like typical malware (i.e. it is categorized as PUA)?
itman, posted January 26, 2018, quoting Marcos (4 hours earlier):
    "As far as I know, those samples from AV-Test are just innocuous POCs and we were not going to detect them."
Actually, Eset does detect them; at least this one (detected threats log record):
Time: 1/24/2018 10:12:08 AM
Scanner: HTTP filter
Object type: file
Object: https://raw.githubusercontent.com/gentilkiwi/spectre_meltdown/master/ErikAugust_724d4a969fb2c6ae1bbd7b2a9e3d4bb6/spectre.exe
Threat: a variant of Generik.GQSYVD trojan
Action: connection terminated
User: xxx-xxx\xxxxxxx
Information: Threat was detected upon access to web by the application: C:\Program Files\internet explorer\iexplore.exe (ED7203B276B50126A56892D3C80CC498F54D9384).
Hash: E9DF231CC81DBB76EE0C44B67F9A45BBD7C8DF2B
First seen here: 1/24/2018 10:12:08 AM
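An added example, not part of the thread and not ESET's own tooling: a small Python parser for the semicolon-delimited "Detected threats" export that itman pasted above. It splits the verdict string into the detection name and its trailing class ("trojan" versus "suspicious application" / "application", the non-malware classes Marcos's verdicts use), guesses the digest algorithm from the length of the Hash column (the record above carries a 40-hex SHA-1, so a SHA-256 submitted to the vendor as in the first post cannot be compared to it directly), and checks a local file's bytes against the record with the matching algorithm. The log rows are constructed for this example (the first reproduces the record above; the second reuses the path from Marcos's scan with a made-up action and a hash computed from the bytes b"abc"), and treating the "Generik." prefix as the marker for the automated detections Marcos describes is an assumption.

```python
import csv
import hashlib
import io
import re
from dataclasses import dataclass

# Constructed input: header row plus two records in the export format shown in
# the thread. Row 1 is the record quoted above; row 2 is made up for this
# example (path from Marcos's scan, action "retained" and the digest are
# placeholders; the digest is SHA-1 of the constructed bytes b"abc").
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
1/24/2018 10:12:08 AM;HTTP filter;file;https://raw.githubusercontent.com/gentilkiwi/spectre_meltdown/master/ErikAugust_724d4a969fb2c6ae1bbd7b2a9e3d4bb6/spectre.exe;a variant of Generik.GQSYVD trojan;connection terminated;xxx-xxx\xxxxxxx;Threat was detected upon access to web by the application: C:\Program Files\internet explorer\iexplore.exe (ED7203B276B50126A56892D3C80CC498F54D9384).;E9DF231CC81DBB76EE0C44B67F9A45BBD7C8DF2B;1/24/2018 10:12:08 AM
1/26/2018 10:00:00 AM;On-demand scanner;file;E:\test\a9e11807f3cccd52f5476956f96d853e794ced2d;a variant of Win32/Packed.VMProtect.M suspicious application;retained;xxx-xxx\xxxxxxx;Constructed record for this example.;A9993E364706816ABA3E25717850C26C9CD0D89D;1/26/2018 10:00:00 AM
"""

# Verdict strings look like "[a variant of ]<Name> <class words>", e.g.
# "a variant of Generik.GQSYVD trojan" or "Win32/RiskWare.GameHack.CB application".
THREAT_RE = re.compile(r"^(?:a variant of )?(?P<name>\S+)\s+(?P<category>.+?)\s*$")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Non-malware classes seen in the thread (plus ESET's PUA wording).
NON_MALWARE_CLASSES = {"application", "suspicious application", "potentially unwanted application"}


@dataclass
class Detection:
    time: str
    scanner: str
    obj: str
    name: str       # e.g. "Generik.GQSYVD"
    category: str   # e.g. "trojan", "suspicious application", "application"
    action: str
    digest: str     # lower-case hex as exported
    algo: str       # "md5" / "sha1" / "sha256" guessed from digest length, else "unknown"


def guess_algo(digest: str) -> str:
    """Guess the hash algorithm from the hex length of the exported digest."""
    if not HEX_RE.fullmatch(digest):
        return "unknown"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")


def parse_eset_log(text: str) -> list[Detection]:
    """Parse the semicolon-delimited export into Detection records."""
    out = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        m = THREAT_RE.match(row["Threat"])
        name, category = (m["name"], m["category"]) if m else (row["Threat"], "")
        digest = row["Hash"].strip().lower()
        out.append(Detection(row["Time"], row["Scanner"], row["Object"], name,
                             category, row["Action"], digest, guess_algo(digest)))
    return out


def is_automated_detection(d: Detection) -> bool:
    # Assumption for this example: Marcos calls the "Generik.GQSYVD" verdict an
    # automated detection, so the "Generik." prefix is used as the marker here.
    return d.name.startswith("Generik.")


def is_malware_category(d: Detection) -> bool:
    # "trojan" is malware; "suspicious application" / "application" are not.
    return d.category not in NON_MALWARE_CLASSES


def file_digests(data: bytes) -> dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def submission_name(data: bytes) -> str:
    # Peter's upload convention above: name the uploaded file by its hash (SHA-256).
    return file_digests(data)["sha256"]


def log_record_matches(d: Detection, data: bytes) -> bool:
    """Compare the file bytes against the record using the algorithm the log used."""
    if d.algo == "unknown":
        return False
    return file_digests(data)[d.algo] == d.digest


if __name__ == "__main__":
    for d in parse_eset_log(SAMPLE_LOG):
        kind = "automated" if is_automated_detection(d) else "engine/analyst"
        print(f"{d.time}  {d.name:<28} {d.category:<22} {d.algo}:{d.digest}  [{kind}]")
```

The main caveat the parser makes visible is the algorithm mismatch: the export's Hash column is SHA-1, while the samples in this thread were submitted by SHA-256, so to tie a log line to a submitted file you recompute the digest over the file rather than comparing strings from two different sources.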
Marcos (ESET Administrator), posted January 27, 2018, quoting itman (2 hours earlier):
    "Actually, Eset does detect them; at least this one:"
Yes, but this is an automated detection, not one created intentionally by a malware analyst. Since it's not triggered on a file that somebody would complain about if detected, we usually don't remove such detections.