khairulaizat92, posted November 2, 2018 (edited):

Dear All,

WARNING: LIVE SAMPLE. IF THE ADMIN FINDS THAT THIS IS A RISK TO THE OTHER FORUMERS, FEEL FREE TO DELETE THIS AFTER READING AND COPYING IT, AND ADD THE DETECTION TO THE ESET SOLUTION.

The link below contains the trojan that dropped GandCrab 5.04, as per below:

Source Link: hxxp://europesebeweging.nl/crack-systools-pst-merge-3-3/
Trojan: hxxp://www.mediafire.com/file/tlss8cy1hd1r2mo/Sample-2-Nov.zip/file
Password: infected
Online Scanner: https://www.virustotal.com/#/file/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21/detection
Analysis: https://www.hybrid-analysis.com/sample/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21

Edited November 2, 2018 by khairulaizat92
stackz (ESET Insider), posted November 2, 2018:

It's already detected as Win32/GenKryptik.CPVT. In future, submit samples via email to [email protected].
khairulaizat92 (author), posted November 2, 2018:

14 minutes ago, stackz said:
    It's already detected as Win32/GenKryptik.CPVT. In future, submit samples via email to [email protected].

Thanks for the verification.
Marcos (Administrator), posted November 2, 2018:

It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.
khairulaizat92 (author), posted November 2, 2018:

5 hours ago, Marcos said:
    It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.

I see, thanks for the verification. The malware started infecting customers of Bitdefender products 1 day earlier, but the sample arrived at our Cegah Ransomware Malaysia FB group around the time I uploaded it to VT.

Anyway, does the website behaviour seem suspicious to you? Before I submitted the sample and forum post to the available vendors, it displayed as per the first screenshot below. But around 15-30 minutes after its discovery, it changed, as in the 2nd screenshot.

After change: it removed the link, as if it was detecting the site. I still possess the original download link, however. It's from a .org domain name.
Marcos (Administrator), posted November 3, 2018:

10 hours ago, khairulaizat92 said:
    I see, thanks for the verification. The malware started infecting customers of Bitdefender products 1 day earlier, but the sample arrived at our Cegah Ransomware Malaysia FB group around the time I uploaded it to VT.

ESET has blocked the URL with the malicious payload for 3 months already, so even if it hadn't been blocked by LiveGrid, it would have been blocked because the URL is on the blacklist. Therefore it surprises me that another AV could not protect the user from it.
khairulaizat92 (author), posted November 3, 2018:

1 hour ago, Marcos said:
    ESET has blocked the URL with the malicious payload for 3 months already, so even if it hadn't been blocked by LiveGrid, it would have been blocked because the URL is on the blacklist. Therefore it surprises me that another AV could not protect the user from it.

Well, maybe ESET researchers are just that good?
itman, posted November 3, 2018:

4 hours ago, Marcos said:
    Therefore it surprises me that another AV could not protect the user from it.

I'm not surprised. For example, browser-based SmartScreen doesn't block the website connection.

@khairulaizat92 - BTW, the site is now again showing the malicious download page. It appears the hacker can modify the web site at will.
Marcos (Administrator), posted November 3, 2018:

7 minutes ago, itman said:
    @khairulaizat92 - BTW, the site is now again showing the malicious download page. It appears the hacker can modify the web site at will.

Hm, I don't see any download link there. The URL that the malware was previously downloaded from seems to have been dead since Oct 19.
itman, posted November 3, 2018:

19 minutes ago, Marcos said:
    Hm, I don't see any download link there.

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screenshot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.
khairulaizat92 (author), posted November 4, 2018:

12 hours ago, Marcos said:
    Hm, I don't see any download link there. The URL that the malware was previously downloaded from seems to have been dead since Oct 19.

12 hours ago, itman said:
    When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screenshot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download. Note: I did override Eset's PUA alert to get to the web site.

Well, an update for both of you: the link is indeed alive, and shockingly, the link automatically serves a new variant or type of trojan for GandCrab 5.0.4 every day. I have been collecting a sample every day, putting it to the test and submitting it to the vendors that missed it. And for the latest one, 4 Nov 2018 GMT+8, there's a new update that ESET missed; I have already submitted it to [email protected] though. And yeah, I'm crazy enough to click it every day, hahah. Well, obviously in a safe environment, on an unused PC with a VPN enabled.
itman, posted November 4, 2018:

I have seen enough that Eset needs to outright block the web site URL as malicious and not treat it as a PUA.
Marcos (Administrator), posted November 4, 2018:

I'm unable to download any fresh malware from there with web protection enabled. Even after disabling web protection, new variants are detected as Suspicious object.
itman, posted November 4, 2018 (edited):

1 hour ago, Marcos said:
    Even after disabling web protection, new variants are detected as Suspicious object.

Well, now I am confused. Isn't this how, and now thankfully, Eset would detect new malware for which there isn't an existing code signature? I assume a behavior signature was triggered by the process's activity. Granted, Eset's DNA signatures are pretty good against variants, but the code could have been altered. Then the malware perpetrator tested against major AV detection.

Edited November 4, 2018 by itman