
Sample



  • ESET Moderators

Hello @0xDEADBEEF

You can send me a private message with a link to download it, or you can upload it to ftp://ftp.nod.sk/samples/ with a unique name (you can use the file hash). Let me know once the upload is complete and we will check it.

Thank you, P.R.


7 hours ago, Peter Randziak said:

Hello @0xDEADBEEF

You can send me a private message with a link to download it, or you can upload it to ftp://ftp.nod.sk/samples/ with a unique name (you can use the file hash). Let me know once the upload is complete and we will check it.

Thank you, P.R.

 

I have uploaded the sample (the filename is the SHA256 hash); let me know if you need more info.

In addition, I have uploaded another sample with SHA256 hash: 0b22c637cdd4da733aa159a0e4d754c35d94b01ec98d37e6c04324eb5f545de0

Thanks


10 hours ago, 0xDEADBEEF said:

SHA256: 295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2

The file is too large to be submitted through email.

More Chinese malware. Looks like the few that are detecting it are doing so strictly on behavior. Would love to know if this is a Spectre/Meltdown one that can be added to the 123 detected so far by AV-Test: https://twitter.com/avtestorg/status/955823351141949440


  • Administrators
14 minutes ago, itman said:

More Chinese malware. Looks like the few that are detecting it are doing so strictly on behavior. Would love to know if this is a Spectre/Meltdown one that can be added to the 123 detected so far by AV-Test: https://twitter.com/avtestorg/status/955823351141949440

As far as I know, those samples from AV-Test are just innocuous POCs and we were not going to detect them.

Regarding the sample above, the verdict is:

It is already detected as a variant of Win32/Packed.VMProtect.M suspicious application. After the next update it will be detected as Win32/RiskWare.GameHack.CB application.


12 minutes ago, Marcos said:

It is already detected as a variant of Win32/Packed.VMProtect.M suspicious application. After the next update it will be detected as Win32/RiskWare.GameHack.CB application.

Are you referring to the sample: 295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2 ?

At least at the time I posted this thread, it was not detected as any threat upon scanning (I've turned on PUA and suspicious detection). The observation is that running it will have AMS detect one dropped DLL in memory as SMSBomber.L, but there are still some side effects remaining.


  • Administrators
2 minutes ago, 0xDEADBEEF said:

Are you referring to the sample: 295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2 ?

Correct. I've scanned it with my Endpoint 6.6 and it's detected:

Log
E:\test\a9e11807f3cccd52f5476956f96d853e794ced2d - a variant of Win32/Packed.VMProtect.M suspicious application

As for the SMSBomber.L, it will be reclassified later. It's not malware.


3 minutes ago, Marcos said:

Correct. I've scanned it with my Endpoint 6.6 and it's detected:

Log
E:\test\a9e11807f3cccd52f5476956f96d853e794ced2d - a variant of Win32/Packed.VMProtect.M suspicious application

As for the SMSBomber.L, it will be reclassified later. It's not malware.

Interesting... this makes me wonder why my updated ESET at the time didn't give the Packed.VMProtect.M verdict (it's not on VirusTotal either).

BTW, does RiskWare.GameHack.CB mean it is not doing actual damage to the system like typical malware (i.e. it is categorized as a PUA)?


4 hours ago, Marcos said:

As far as I know, those samples from AV-Test are just innocuous POCs and we were not going to detect them.

Actually, Eset does detect them; at least this one:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
1/24/2018 10:12:08 AM;HTTP filter;file;https://raw.githubusercontent.com/gentilkiwi/spectre_meltdown/master/ErikAugust_724d4a969fb2c6ae1bbd7b2a9e3d4bb6/spectre.exe;a variant of Generik.GQSYVD trojan;connection terminated;xxx-xxx\xxxxxxx;Threat was detected upon access to web by the application: C:\Program Files\internet explorer\iexplore.exe (ED7203B276B50126A56892D3C80CC498F54D9384).;E9DF231CC81DBB76EE0C44B67F9A45BBD7C8DF2B;1/24/2018 10:12:08 AM
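The detection line itman pasted is a row from ESET's semicolon-delimited "Detected threats" log export (header row followed by one record per detection). When triaging a batch of such rows it helps to parse them into fields, pull the detecting application and its SHA-1 out of the free-text Information column, and split the threat string into family and classification (the "suspicious application" / "application" suffixes this thread discusses). The parser below is an added example, not ESET's code: it assumes the column layout shown in the post above; the first record is copied from that post and the second record (and the hashes in it) is constructed for illustration.

```python
"""Parse an ESET 'Detected threats' log export (semicolon-delimited, header row)."""
import csv
import io
import re
from dataclasses import dataclass

# Header and first record copied from the forum post above; the second record is
# constructed for illustration (all-zero / all-one hashes are placeholders).
SAMPLE_EXPORT = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
1/24/2018 10:12:08 AM;HTTP filter;file;https://raw.githubusercontent.com/gentilkiwi/spectre_meltdown/master/ErikAugust_724d4a969fb2c6ae1bbd7b2a9e3d4bb6/spectre.exe;a variant of Generik.GQSYVD trojan;connection terminated;xxx-xxx\xxxxxxx;Threat was detected upon access to web by the application: C:\Program Files\internet explorer\iexplore.exe (ED7203B276B50126A56892D3C80CC498F54D9384).;E9DF231CC81DBB76EE0C44B67F9A45BBD7C8DF2B;1/24/2018 10:12:08 AM
1/25/2018 09:01:30 AM;Real-time file system protection;file;E:\test\295c16a5179255058c98d35b6915bf963e47f0c76406bf3ffb96288381fb4bf2;a variant of Win32/Packed.VMProtect.M suspicious application;retained;xxx-xxx\xxxxxxx;Event occurred on a file modified by the application: C:\Windows\explorer.exe (0000000000000000000000000000000000000000).;1111111111111111111111111111111111111111;1/25/2018 09:01:30 AM
"""

EXPECTED_COLUMNS = 10

# "...by the application: <path> (<40-hex SHA-1>)." as written in the Information column.
_APP_RE = re.compile(r"application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")

# "[a variant of ]<family> <classification>", e.g.
# "a variant of Win32/Packed.VMProtect.M suspicious application".
_THREAT_RE = re.compile(r"^(?P<variant>a variant of )?(?P<family>\S+)\s+(?P<kind>.+)$")

# Actions that mean the object was stopped. Assumed set; adapt to your export's wording.
BLOCKING_ACTIONS = {"connection terminated", "cleaned by deleting", "deleted", "quarantined", "blocked"}


@dataclass
class Detection:
    time: str
    scanner: str
    object_type: str
    obj: str
    threat: str
    action: str
    user: str
    information: str
    hash: str          # SHA-1 of the detected object, as exported by ESET
    first_seen: str

    def detecting_application(self):
        """Return (path, sha1) of the process named in Information, or None."""
        m = _APP_RE.search(self.information)
        return (m.group("path"), m.group("sha1").upper()) if m else None


def split_threat_name(threat: str):
    """Return (is_variant, family, classification) for an ESET threat string."""
    m = _THREAT_RE.match(threat.strip())
    if not m:
        raise ValueError(f"unrecognised threat string: {threat!r}")
    return (m.group("variant") is not None, m.group("family"), m.group("kind"))


def parse_export(text: str):
    """Parse the export into Detection records, validating the header and field count."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader)
    if len(header) != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    records = []
    for row in reader:
        if not row:            # trailing blank line
            continue
        if len(row) != EXPECTED_COLUMNS:
            raise ValueError(f"row has {len(row)} fields, expected {EXPECTED_COLUMNS}: {row}")
        records.append(Detection(*row))
    return records


def needs_attention(records):
    """Detections whose action did not stop the object (e.g. 'retained')."""
    return [d for d in records if d.action.lower() not in BLOCKING_ACTIONS]


if __name__ == "__main__":
    for d in parse_export(SAMPLE_EXPORT):
        variant, family, kind = split_threat_name(d.threat)
        print(f"{d.time} {d.scanner}: {family} [{kind}] action={d.action!r}")
        print(f"    object sha1={d.hash} via {d.detecting_application()}")
    print("unresolved:", [d.obj for d in needs_attention(parse_export(SAMPLE_EXPORT))])
```

The Information column is free text, so the application path and SHA-1 are recovered by pattern rather than by position; a row whose Information field does not name an application simply yields None, and a row with the wrong field count raises instead of silently shifting columns.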

  • Administrators
2 hours ago, itman said:

Actually, Eset does detect them; at least this one:

Yes but this is an automated detection, not one created intentionally by a malware analyst. Since it's not triggered on a file that somebody would complain about if detected, we usually don't remove such detections.
