khairulaizat92, posted November 2, 2018 (edited November 2, 2018 by khairulaizat92)

Dear All,

WARNING: LIVE SAMPLE. IF THE ADMINS FIND THAT THIS IS RISKY TO THE OTHER FORUMERS, FEEL FREE TO DELETE THIS AFTER READING AND COPYING IT, AND ADD THE DETECTION TO THE ESET SOLUTION.

The link below contains the trojan that dropped GandCrab 5.04, as per below:

Source Link: hxxp://europesebeweging.nl/crack-systools-pst-merge-3-3/
Trojan: hxxp://www.mediafire.com/file/tlss8cy1hd1r2mo/Sample-2-Nov.zip/file
Password: infected
Online Scanner: https://www.virustotal.com/#/file/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21/detection
Analysis: https://www.hybrid-analysis.com/sample/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21
stackz (ESET Insiders), posted November 2, 2018

It's already detected as Win32/GenKryptik.CPVT. In future, submit samples via email to samples@eset.com.
khairulaizat92 (author), posted November 2, 2018

Quoting stackz (14 minutes ago): It's already detected as Win32/GenKryptik.CPVT. In future, submit samples via email to samples@eset.com.

Thanks for the verification.
Marcos (Administrators), posted November 2, 2018

It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.
khairulaizat92 (author), posted November 2, 2018

Quoting Marcos (5 hours ago): It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.

I see, thanks for the verification. The malware started infecting customers of Bitdefender products 1 day earlier, but the sample arrived at our Cegah Ransomware Malaysia FB group around the time I uploaded it to VT. Anyway, does the website's behaviour seem suspicious to you? Before I submitted the sample and the forum post to the available vendors, it was displayed as per below. But around 15-30 minutes after its discovery, it changed, as in the 2nd screenshot.

After Change: It removed the link, as if it was detecting the site. I still possess the original download link, however. It's from a .org domain name.
Marcos (Administrators), posted November 3, 2018

Quoting khairulaizat92 (10 hours ago): I see, thanks for the verification. The malware started infecting customers of Bitdefender products 1 day earlier, but the sample arrived at our Cegah Ransomware Malaysia FB group around the time I uploaded it to VT.

ESET has blocked the URL with the malicious payload for 3 months already, so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the URL being on the blacklist. Therefore it surprises me that another AV could not protect the user from it.
khairulaizat92 (author), posted November 3, 2018

Quoting Marcos (1 hour ago): ESET has blocked the URL with the malicious payload for 3 months already, so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the URL being on the blacklist. Therefore it surprises me that another AV could not protect the user from it.

Well, maybe ESET researchers are just that good?
itman, posted November 3, 2018

Quoting Marcos (4 hours ago): Therefore it surprises me that another AV could not protect the user from it.

I'm not surprised. For example, browser-based SmartScreen doesn't block the website connection.

@khairulaizat92 - BTW, the site is now again showing the malicious download page. It appears the hacker can modify the web site at will.
Marcos (Administrators), posted November 3, 2018

Quoting itman (7 minutes ago): @khairulaizat92 - BTW, the site is now again showing the malicious download page. It appears the hacker can modify the web site at will.

Hm, I don't see any download link there. The URL that the malware was previously downloaded from seems to have been dead since Oct 19.
itman, posted November 3, 2018

Quoting Marcos (19 minutes ago): Hm, I don't see any download link there.

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screenshot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.
khairulaizat92 (author), posted November 4, 2018

Quoting Marcos (12 hours ago): Hm, I don't see any download link there. The URL that the malware was previously downloaded from seems to have been dead since Oct 19.

Quoting itman (12 hours ago): When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screenshot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download. Note: I did override Eset's PUA alert to get to the web site.

Well, an update for both of you: the link is indeed alive, and shockingly, the link automatically updates with a new variant or type of trojan for GandCrab 5.0.4 every day. I have been collecting a sample every day, putting it to the test and submitting it to the vendors that missed it. As of the latest, 4 Nov 2018 GMT+8, there's a new update that ESET missed; I have already submitted it to samples@eset.com though. And yeah, I'm crazy enough to click it every day, hahah. Well, obviously in a safe environment, on an unused PC with a VPN enabled.
itman, posted November 4, 2018

I have seen enough that Eset needs to outright block the web site URL as malicious and not treat it as a PUA.
Marcos (Administrators), posted November 4, 2018

I'm unable to download any fresh malware from there with web protection enabled. Even after disabling web protection, new variants are detected as Suspicious object.
itman, posted November 4, 2018 (edited November 4, 2018 by itman)

Quoting Marcos (1 hour ago): Even after disabling web protection, new variants are detected as Suspicious object.

Well, now I am confused. Isn't this how, and now thankfully, Eset would detect new malware for which there isn't an existing code signature? I assume a behavior signature was triggered by the process's activity. Granted, Eset's DNA signatures are pretty good against variants, but the code could have been altered. Then the malware perpetrator tested against major AV detection.