Does Eset detect BatCloak engine based malware?


Does Eset detect malware based on the BatCloak engine? Trend Micro did research and found out that most AVs are still unable to detect this malware. I have a link to a Trend Micro page which contains indicators of compromise, which are basically the SHA256 of the file. Upon checking it on VirusTotal, it is not showing that Eset is detecting it. But I know VirusTotal analysis is not the exact way of telling whether an AV is detecting a malware sample or not. Can anyone confirm whether ESET is aware of this particular threat or not? If not, then please try to add it to the Eset virus database.


First, note the following:

Quote

The Evolving Nature of the BatCloak Engine

The actor behind Jlaive contributed to numerous iterations and adaptations of the BatCloak engine and has also contributed FUD capabilities to other projects, such as the following: CryBat, Exe2Bat, ScrubCrypt, and SeroXen.

In this section, we delve into the most recent version of the BatCloak engine, ScrubCrypt.

ScrubCrypt

ScrubCrypt is the most recent version of the BatCloak engine and represents a noteworthy development in the evolution of this batch obfuscation modification technique. The decision to transition from an open-source framework to a closed-source model, taken by the developer of ScrubCrypt, can be attributed to the achievements of prior projects such as Jlaive, as well as the desire to monetize the project and safeguard it against unauthorized replication.

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak/tb-the-dark-evolution-advanced-malicious-actors-unveil-malware-modification-progression.pdf

I just downloaded a .ps1 ScrubCrypt malware sample. The result was:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/2/2023 12:43:53 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\779475904292505f5062d51635f1bf3bf674ede9ac27fff303c2d371930c70f9.ps1;PowerShell/Kryptik.H trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;CD2BEEA6BF84BF5A7BA9983FAC7B136A6BA9E1EF;7/2/2023 12:43:41 PM

Edited by itman

I also downloaded a .bat ScrubCrypt malware sample that VT currently shows no Eset detection for.

Upon attempted file creation, Eset detected it:

Quote

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/2/2023 2:40:00 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\79f4a39ad1111931963b1d7f7398ece7c6f971b855e3845f3b5029fc35da216b.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;7/2/2023 2:39:48 PM

Again, another example that you can't rely on VT results as to whether Eset will detect the malware.

Edited by itman

2 hours ago, itman said:

I also downloaded a .bat ScrubCrypt malware sample that VT currently shows no Eset detection for.

I checked VT for the detection you mentioned in your post (77E5E64742EF85E2DD5F05C7571A98D0C6583346)

I got this:

Detected by ESET more than 1 month ago.


7 minutes ago, rotaru said:

Detected by ESET more than 1 month ago.

Here's the VT link for my second posting detection: https://www.virustotal.com/gui/file/79f4a39ad1111931963b1d7f7398ece7c6f971b855e3845f3b5029fc35da216b

As for the first posting's detection, Eset did have a previous detection at VT.

Nice try though in using the wrong hash value.


1 hour ago, itman said:

Nice try though in using the wrong hash value.

It was the only available MD5 I could extract from your post.

Surprisingly enough though, Microsoft Defender (free) detects it!

Re 77E5E64742EF85E2DD5F05C7571A98D0C6583346:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/07/2023 9:58:53 AM;Real-time file system protection;file;D:\Downloads\77E5E64742EF85E2DD5F05C7571A98D0C6583346.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zFM.exe (6F47DBFD6FF36DF7BA581A4CEF024DA527DC3046).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;3/07/2023 9:58:45 AM

Edited by stackz
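As an added example (not code from any poster in this thread or from ESET), a small parser for the semicolon-delimited "Detected threats" export quoted above. It pulls out the detection name, the Hash column (a 40-hex SHA-1 in these logs) and, where the file was saved under its VirusTotal name, the SHA-256 embedded in the file name, so a reference hash can be matched against the right digest instead of the wrong one. The sample record is constructed from the values in this thread; the `Detection` dataclass and `matches_reference` helper are assumptions of this example.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the ESET "Detected threats" export format quoted in this
# thread: header row, then one semicolon-delimited record (values from the thread).
SAMPLE_LOG = """Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/2/2023 2:40:00 PM;Real-time file system protection;file;C:\\Users\\xxxxxx\\Downloads\\79f4a39ad1111931963b1d7f7398ece7c6f971b855e3845f3b5029fc35da216b.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\\Program Files\\7-Zip\\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;7/2/2023 2:39:48 PM
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def hash_kind(value: str) -> str:
    """Name the digest by length (MD5/SHA-1/SHA-256); anything else is 'unknown'."""
    if not HEX_RE.match(value):
        return "unknown"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value), "unknown")

@dataclass
class Detection:  # hypothetical record type for this example
    time: str
    path: str
    detection: str            # e.g. "PowerShell/Kryptik.FU trojan"
    action: str
    log_hash: str             # Hash column of the export (SHA-1 in these logs)
    log_hash_kind: str
    name_hash: Optional[str]  # digest embedded in the file name, VT-style, if any
    name_hash_kind: Optional[str]

def parse_eset_log(text: str) -> List[Detection]:
    """Parse the semicolon-delimited export; the format uses no quoting."""
    out: List[Detection] = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        path = row["Object"]
        stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
        name_hash = stem.lower() if hash_kind(stem) != "unknown" else None
        out.append(Detection(
            time=row["Time"], path=path, detection=row["Detection"],
            action=row["Action"], log_hash=row["Hash"].lower(),
            log_hash_kind=hash_kind(row["Hash"]), name_hash=name_hash,
            name_hash_kind=hash_kind(name_hash) if name_hash else None,
        ))
    return out

def matches_reference(d: Detection, ref_hash: str) -> bool:
    """True if ref_hash identifies this sample via either digest the record carries."""
    return ref_hash.strip().lower() in {d.log_hash, d.name_hash}
```

Comparing the SHA-1 from the Hash column against a SHA-256 taken from a VT URL will never match; `hash_kind` makes that mismatch visible before any lookup is attempted.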