Jump to content

Grancrab 5.04


Recommended Posts

Dear All,

WARNING LIVE SAMPLE. IF ADMIN FIND THAT THIS IS RISKING TO THE OTHER FORUMERS, FEEL FREE TO DELETE THIS AFTER READING AND COPYING AND ADD THE DETECTION TO ESET SOLUTION.


The below link contain the trojan that dropped Grancrab 5.04 as per below;

Source Link: hxxp://europesebeweging.nl/crack-systools-pst-merge-3-3/

Trojan:  hxxp://www.mediafire.com/file/tlss8cy1hd1r2mo/Sample-2-Nov.zip/file

Password: infected

Online Scanner: https://www.virustotal.com/#/file/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21/detection

Analysis: https://www.hybrid-analysis.com/sample/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21

Edited by khairulaizat92
Link to comment
Share on other sites

5 hours ago, Marcos said:

It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.

I see thanks for the verification. The malware start to be infecting customer from bitdefender producst 1 day earlier, but the sample arrive at our cegah ransomware malaysia fb group around the time i uploaded it to VT.

Anyway is the website behavior seems suspicious to you? as before i submitted the sample and forum post to available vendors, it seems to display as per below. But after around 15-30 minutes after its discovery, it change as 2nd screenshot


Grancrab.jpg.ffaf165480e7821c441bd04cffc65175.jpg

 

After Change:

Grancrab-2.thumb.png.b114ccadec2ce0c6ed688fe0dcf51fb0.png

It remove the link like it was detecting the site.

Though i still posses the original download link however. Its from .org domain name

Link to comment
Share on other sites

  • Administrators
10 hours ago, khairulaizat92 said:

I see thanks for the verification. The malware start to be infecting customer from bitdefender producst 1 day earlier, but the sample arrive at our cegah ransomware malaysia fb group around the time i uploaded it to VT.

ESET has blocked the url with the malicious payload for 3 months already so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the url being on blacklist.
Therefore it surprises me that another AV could not protect the user from it.

Link to comment
Share on other sites

1 hour ago, Marcos said:

ESET has blocked the url with the malicious payload for 3 months already so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the url being on blacklist.
Therefore it surprises me that another AV could not protect the user from it.

Well maybe ESET researcher just that good ?

Link to comment
Share on other sites

4 hours ago, Marcos said:

Therefore it surprises me that another AV could not protect the user from it.

I'm not surprised. For example, browser based SmartScreen doesn't block the website connection.

@khairulaizat92 - BTW the site is now again showing the malicious download page. Appears the hacker can modify the web site at will.

Link to comment
Share on other sites

  • Administrators
7 minutes ago, itman said:

@khairulaizat92 - BTW the site is now again showing the malicious download page. Appears the hacker can modify the web site at will.

Hm, I don't see any download link there. The url that the malware was previously downloaded from seems to have been dead since Oct 19.

Link to comment
Share on other sites

19 minutes ago, Marcos said:

Hm, I don't see any download link there.

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screen shot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.

Link to comment
Share on other sites

12 hours ago, Marcos said:

Hm, I don't see any download link there. The url that the malware was previously downloaded from seems to have been dead since Oct 19.

 

12 hours ago, itman said:

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screen shot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.

Well update for both of you, the link indeed alive, and shockingly, the link automatically update new variant or type of trojan for grancrab 5.0.4 everyday. And i have been collecting sample everyday put it to the test and submit to the vendor that missed it. And the latest 4 Nov 2018 GMT+8 theres new update that eset missed, already submitted it though to samples@eset.com 

and yeah, im crazy enough to click it everyday, hahah. well obviously in safe environment, on unused pc with vpn enable.

Link to comment
Share on other sites

  • Administrators

I'm unable to download any fresh malware from there with web protection enabled. Even after disabling web protection new variants are detected as Suspicious object.

Link to comment
Share on other sites

1 hour ago, Marcos said:

Even after disabling web protection new variants are detected as Suspicious object

Well, now I am confused, Isn't this how, and now thankfully, Eset would detect new malware for which there isn't an existing code signature for? I assume a behavior signature was triggered by the process's activity. Granted Eset's DNA signatures are pretty good against variants but the code could have been altered. Then the malware perpetrator tested against major AV detection.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...