Grancrab 5.04

[khairulaizat92 9]

Dear All,

WARNING LIVE SAMPLE. IF ADMIN FIND THAT THIS IS RISKING TO THE OTHER FORUMERS, FEEL FREE TO DELETE THIS AFTER READING AND COPYING AND ADD THE DETECTION TO ESET SOLUTION.

The below link contain the trojan that dropped Grancrab 5.04 as per below;

Source Link: hxxp://europesebeweging.nl/crack-systools-pst-merge-3-3/

Trojan:  hxxp://www.mediafire.com/file/tlss8cy1hd1r2mo/Sample-2-Nov.zip/file

Password: infected

Online Scanner: https://www.virustotal.com/#/file/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21/detection

Analysis: https://www.hybrid-analysis.com/sample/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21

Edited November 2, 2018 by khairulaizat92

[stackz 83]

It's already detected as Win32/GenKryptik.CPVT.

In future, submit samples via email to samples@eset.com

[khairulaizat92 9]

14 minutes ago, stackz said:

It's already detected as Win32/GenKryptik.CPVT.

In future, submit samples via email to samples@eset.com

Thanks for the verification

[Marcos 4,361]

It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.

[khairulaizat92 9]

5 hours ago, Marcos said:

It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.

I see thanks for the verification. The malware start to be infecting customer from bitdefender producst 1 day earlier, but the sample arrive at our cegah ransomware malaysia fb group around the time i uploaded it to VT.

Anyway is the website behavior seems suspicious to you? as before i submitted the sample and forum post to available vendors, it seems to display as per below. But after around 15-30 minutes after its discovery, it change as 2nd screenshot

 

After Change:

It remove the link like it was detecting the site.

Though i still posses the original download link however. Its from .org domain name

[Marcos 4,361]

10 hours ago, khairulaizat92 said:

I see thanks for the verification. The malware start to be infecting customer from bitdefender producst 1 day earlier, but the sample arrive at our cegah ransomware malaysia fb group around the time i uploaded it to VT.

ESET has blocked the url with the malicious payload for 3 months already so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the url being on blacklist.
Therefore it surprises me that another AV could not protect the user from it.

[khairulaizat92 9]

1 hour ago, Marcos said:

ESET has blocked the url with the malicious payload for 3 months already so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the url being on blacklist.
Therefore it surprises me that another AV could not protect the user from it.

Well maybe ESET researcher just that good ?

[itman 1,436]

4 hours ago, Marcos said:

Therefore it surprises me that another AV could not protect the user from it.

I'm not surprised. For example, browser based SmartScreen doesn't block the website connection.

@khairulaizat92 - BTW the site is now again showing the malicious download page. Appears the hacker can modify the web site at will.

[Marcos 4,361]

7 minutes ago, itman said:

@khairulaizat92 - BTW the site is now again showing the malicious download page. Appears the hacker can modify the web site at will.

Hm, I don't see any download link there. The url that the malware was previously downloaded from seems to have been dead since Oct 19.

[itman 1,436]

19 minutes ago, Marcos said:

Hm, I don't see any download link there.

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screen shot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.

[khairulaizat92 9]

12 hours ago, Marcos said:

Hm, I don't see any download link there. The url that the malware was previously downloaded from seems to have been dead since Oct 19.

 

12 hours ago, itman said:

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screen shot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.

Well update for both of you, the link indeed alive, and shockingly, the link automatically update new variant or type of trojan for grancrab 5.0.4 everyday. And i have been collecting sample everyday put it to the test and submit to the vendor that missed it. And the latest 4 Nov 2018 GMT+8 theres new update that eset missed, already submitted it though to samples@eset.com 

and yeah, im crazy enough to click it everyday, hahah. well obviously in safe environment, on unused pc with vpn enable.

[itman 1,436]

I have seen enough that Eset needs to outright block the web site URL as malicious and not treat it as a PUA.

[Marcos 4,361]

I'm unable to download any fresh malware from there with web protection enabled. Even after disabling web protection new variants are detected as Suspicious object.

[itman 1,436]

1 hour ago, Marcos said:

Even after disabling web protection new variants are detected as Suspicious object

Well, now I am confused, Isn't this how, and now thankfully, Eset would detect new malware for which there isn't an existing code signature for? I assume a behavior signature was triggered by the process's activity. Granted Eset's DNA signatures are pretty good against variants but the code could have been altered. Then the malware perpetrator tested against major AV detection.

Edited November 4, 2018 by itman