khairulaizat92

GandCrab 5.04


Dear All,

WARNING: LIVE SAMPLE. IF ADMINS FIND THAT THIS IS RISKY TO THE OTHER FORUMERS, FEEL FREE TO DELETE THIS AFTER READING AND COPYING, AND ADD THE DETECTION TO THE ESET SOLUTION.


The link below contains the trojan that dropped GandCrab 5.04, as per below:

Source Link: hxxp://europesebeweging.nl/crack-systools-pst-merge-3-3/

Trojan:  hxxp://www.mediafire.com/file/tlss8cy1hd1r2mo/Sample-2-Nov.zip/file

Password: infected

Online Scanner: https://www.virustotal.com/#/file/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21/detection

Analysis: https://www.hybrid-analysis.com/sample/d4f770cd8d86972948709b43ef4a56f3d7ddf5ddaf15c6133b0c42ec5f3c3d21


It's already detected as Win32/GenKryptik.CPVT.

In future, submit samples via email to samples@eset.com

14 minutes ago, stackz said:

It's already detected as Win32/GenKryptik.CPVT.

In future, submit samples via email to samples@eset.com

Thanks for the verification


It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.

5 hours ago, Marcos said:

It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.

I see, thanks for the verification. The malware started infecting customers of Bitdefender products 1 day earlier, but the sample arrived at our Cegah Ransomware Malaysia FB group around the time I uploaded it to VT.

Anyway, does the website behavior seem suspicious to you? Before I submitted the sample and forum post to the available vendors, it displayed as per below. But around 15-30 minutes after its discovery, it changed as in the 2nd screenshot.


[Screenshot: Grancrab.jpg]

After Change:

[Screenshot: Grancrab-2.png]

It removed the link, as if it was detecting the site.

Though I still possess the original download link. It's from a .org domain name.

10 hours ago, khairulaizat92 said:

I see, thanks for the verification. The malware started infecting customers of Bitdefender products 1 day earlier, but the sample arrived at our Cegah Ransomware Malaysia FB group around the time I uploaded it to VT.

ESET has blocked the URL with the malicious payload for 3 months already, so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the URL being on the blacklist.
Therefore it surprises me that another AV could not protect the user from it.

1 hour ago, Marcos said:

ESET has blocked the URL with the malicious payload for 3 months already, so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the URL being on the blacklist.
Therefore it surprises me that another AV could not protect the user from it.

Well, maybe ESET researchers are just that good?

4 hours ago, Marcos said:

Therefore it surprises me that another AV could not protect the user from it.

I'm not surprised. For example, browser based SmartScreen doesn't block the website connection.

@khairulaizat92 - BTW, the site is now again showing the malicious download page. It appears the hacker can modify the web site at will.

7 minutes ago, itman said:

@khairulaizat92 - BTW, the site is now again showing the malicious download page. It appears the hacker can modify the web site at will.

Hm, I don't see any download link there. The URL that the malware was previously downloaded from seems to have been dead since Oct 19.

19 minutes ago, Marcos said:

Hm, I don't see any download link there.

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screenshot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.

12 hours ago, Marcos said:

Hm, I don't see any download link there. The URL that the malware was previously downloaded from seems to have been dead since Oct 19.

12 hours ago, itman said:

When I went to the web site using this link: http: //europesebeweging.nl/crack-systools-pst-merge-3-3/ , the web page displayed was identical to the first screenshot @khairulaizat92 posted above. That web page does contain the download link. Obviously I didn't click on the link to check if it would start the download.

Note: I did override Eset's PUA alert to get to the web site.

Well, an update for both of you: the link is indeed alive, and shockingly, the link automatically updates to a new variant or type of trojan for GandCrab 5.0.4 every day. And I have been collecting samples every day, putting them to the test and submitting them to the vendors that missed them. And as of the latest, 4 Nov 2018 GMT+8, there's a new update that ESET missed; I have already submitted it to samples@eset.com though.

And yeah, I'm crazy enough to click it every day, hahah. Well, obviously in a safe environment, on an unused PC with a VPN enabled.


I have seen enough that Eset needs to outright block the web site URL as malicious and not treat it as a PUA.


I'm unable to download any fresh malware from there with web protection enabled. Even after disabling web protection new variants are detected as Suspicious object.

1 hour ago, Marcos said:

Even after disabling web protection new variants are detected as Suspicious object

Well, now I am confused. Isn't this how, and now thankfully, Eset would detect new malware for which there isn't an existing code signature? I assume a behavior signature was triggered by the process's activity. Granted, Eset's DNA signatures are pretty good against variants, but the code could have been altered. Then the malware perpetrator tested against major AV detection.
