Jump to content

PowerShell/TrojanDownloader.Agent.ETC on virustotal link


Recommended Posts

Hi

when I visit this link https://www.virustotal.com/gui/file/4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb/detection/f-4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb-1688041704

it’s infected with PowerShell/TrojanDownloader I’m not sure if its real or false but in my settings, I choose for every automatic action to ask the end user (real time, web access, manual scan, etc.…) for web access scan usually there two option to disconnect or ignore and this should happen in this case because its downloading malware.

But what really happened is that the malware downloaded and real time protection catches this malware and ask to clean or ignore and it pass the web protection.

I tested this link in edge, chrome, firefox.

In edge and chrome the same issue, but in firefox the malware downloaded with no alert at all but when you scan firefox cash folder you can find it there.

Why the web access it's not strict in this case and pass the malware?

 

Thanks

Link to comment
Share on other sites

I get no detection alert from Eset when accessing the posted VT link. Also no download activity that I can detect. It would be highly unlikely that VT would be infected with something.

Post the Eset Detection log entry for this download you describe.

At this point, it appears you are being redirected to some other web site that is downloading the malware.

Also one comment on the VT web page notes;

Quote

Joe Sandbox Analysis:

Verdict: MAL
Score: 100/100
Threat Name: Njrat, PasteDownloader
Malware Config: see the report for the full malware config

Domains: pasteio.com bogota2023.duckdns.org cdn.discordapp.com wtools.io pastebin.com
Hosts: 188.114.97.7 188.114.96.7 104.20.68.143 104.21.6.247 46.246.6.11 104.20.67.143 162.159.135.233

HTML Report: https://www.joesandbox.com/analysis/896277/0/html
PDF Report: https://www.joesandbox.com/analysis/896277/0/pdf
Executive Report: https://www.joesandbox.com/analysis/896277/0/executive
Incident Report: https://www.joesandbox.com/analysis/896277/0/irxml
IOCs: https://www.joesandbox.com/analysis/896277?idtype=analysisid

 

Edited by itman
Link to comment
Share on other sites

I record a video for that 

If you use firefox there is no alert for me either but when you scan firefox cache folder, you will find it there.

Link to comment
Share on other sites

45 minutes ago, User13 said:

If you use firefox there is no alert for me either but when you scan firefox cache folder, you will find it there.

I did. Nothing detected.

As far as your video goes, its hard to figure out what you are doing there. What is see is;

1. You're uploading something to VT.

2. Then I see Kaspersky's online web site scanner running.

3. Finally, Eset detection alert for the VT web page running on Chrome.

Make a video where you directly access https://www.virustotal.com/gui/file/4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb/detection/f-4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb-1688041704  from the browser.

Edited by itman
Link to comment
Share on other sites

  • ESET Insiders

I can reproduce this. When you go to the VT page you are actually landing on the behavior page and ESET is picking up on some of the displayed Powershell script parts. See example pics below. So essentially there's no live malware to get infected from.

At VT:

2023-07-01_084537.thumb.png.4433ef3d76e4cc10c91324b1a4277e4d.png

 

In cache:

cache.thumb.png.eb2c521c87a918576d1e76d35fdeede9.png

Edited by stackz
Link to comment
Share on other sites

4 minutes ago, stackz said:

I can reproduce this. When you go to the VT page you are actually landing on the behavior page

Good find! I thought the same initially but when I went to the behavior section from the posted VT link, I couldn't get anything there to trigger a detection. I must not have fully accessed the PowerShell code references.

I've had the same Eset behavior on malware analysis web sites where the malware code is shown in clear text.

Link to comment
Share on other sites

  • Most Valued Members

I can confirm that it happened to me before when I reported about a zero-day here , I used to access the VT link without uploading something and eset would flag something that isn't happy about , from Linux Endpoint

Thanks @stackz for explanation

Link to comment
Share on other sites

Yeah, I have seen this happening with other products that have HTTPS scanning. Usually, products that make use of yara rules are triggered by the yara rules on VT. Saw this the most with Avast, a couple of times Kaspersky and ESET but never with Bitdefender maybe because they don't use yara.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...