The_Eagle_007, posted July 2:

Does ESET detect malware based on the BatCloak engine? Trend Micro did research and found out that most AVs are still unable to detect this malware. I have a link to a Trend Micro page which contains indicators of compromise, which are basically SHA256 hashes of the files. Upon checking them on VirusTotal, it is not showing that ESET is detecting it. But I know VirusTotal analysis is not the exact way of telling whether an AV is detecting a malware sample or not. Can anyone confirm whether ESET is aware of this particular threat or not? If not, then please try to add it to the ESET virus database.
itman, posted July 2 (edited):

First, note the following:

Quote (Trend Micro):
"The Evolving Nature of the BatCloak Engine. The actor behind Jlaive contributed to numerous iterations and adaptations of the BatCloak engine and has also contributed FUD capabilities to other projects, such as the following: CryBat, Exe2Bat, ScrubCrypt, and SeroXen. In this section, we delve into the most recent version of the BatCloak engine, ScrubCrypt.

ScrubCrypt. ScrubCrypt is the most recent version of the BatCloak engine and represents a noteworthy development in the evolution of this batch obfuscation modification technique. The decision to transition from an open-source framework to a closed-source model, taken by the developer of ScrubCrypt, can be attributed to the achievements of prior projects such as Jlaive, as well as the desire to monetize the project and safeguard it against unauthorized replication."
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak/tb-the-dark-evolution-advanced-malicious-actors-unveil-malware-modification-progression.pdf

I just downloaded a .ps1 ScrubCrypt malware sample. The result was:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/2/2023 12:43:53 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\779475904292505f5062d51635f1bf3bf674ede9ac27fff303c2d371930c70f9.ps1;PowerShell/Kryptik.H trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;CD2BEEA6BF84BF5A7BA9983FAC7B136A6BA9E1EF;7/2/2023 12:43:41 PM
itman, posted July 2 (edited):

I also downloaded a .bat ScrubCrypt malware sample that VT currently shows no ESET detection for. Upon attempted file creation, ESET detected it:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/2/2023 2:40:00 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\79f4a39ad1111931963b1d7f7398ece7c6f971b855e3845f3b5029fc35da216b.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;7/2/2023 2:39:48 PM

Again, another example that you can't rely on VT results as to whether ESET will detect the malware.
rotaru, posted July 2:

2 hours ago, itman said:
"I also downloaded a .bat ScrubCrypt malware sample that VT currently shows no ESET detection for."

I checked VT for the detection you mentioned in your post (77E5E64742EF85E2DD5F05C7571A98D0C6583346) and I got this: "Detected by ESET more than 1 month ago."
itman, posted July 2:

7 minutes ago, rotaru said:
"Detected by ESET more than 1 month ago."

Here's the VT link for my second posting's detection: https://www.virustotal.com/gui/file/79f4a39ad1111931963b1d7f7398ece7c6f971b855e3845f3b5029fc35da216b . As for the first posting's detection, ESET did have a previous detection at VT. Nice try, though, in using the wrong hash value.
rotaru, posted July 2:

1 hour ago, itman said:
"Nice try, though, in using the wrong hash value."

It was the only available MD5 I could extract from your post. Surprisingly enough, though, Microsoft Defender (free) detects it!
stackz (ESET Insiders), posted July 3 (edited):

Re 77E5E64742EF85E2DD5F05C7571A98D0C6583346:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/07/2023 9:58:53 AM;Real-time file system protection;file;D:\Downloads\77E5E64742EF85E2DD5F05C7571A98D0C6583346.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zFM.exe (6F47DBFD6FF36DF7BA581A4CEF024DA527DC3046).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;3/07/2023 9:58:45 AM
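The hash mix-up in this thread (a 40-hex SHA-1 from the log's Hash column looked up as if it were the SHA-256 from the VT link, then called an MD5) is easy to avoid if you let the digest length tell you the algorithm and keep the creating-process hash in the Information column apart from the sample's own hash. The following Python is an added example, not code from ESET, Trend Micro or any poster here. It parses the semicolon-separated ESET log rows quoted above (copied as posted, user names already masked), names each digest by length (32 hex = MD5, 40 = SHA-1, 64 = SHA-256; an assumption that holds for these three but is not a proof of algorithm), recovers the SHA-256 from the file name where the file was saved under its hash, and builds the VirusTotal file URL, which accepts any of the three digests. SAMPLE_BAT is a constructed harmless placeholder, not a malware sample.

```python
"""Work out which hash is which in ESET detection-log rows and build the
VirusTotal lookup URL for each.

Added example; not code from ESET, Trend Micro or any poster in this thread.
The three log rows are copied from the posts above (user names were already
masked there); SAMPLE_BAT is a constructed placeholder, not a malware sample.
"""
import csv
import hashlib
import re
from typing import Dict, List, Optional

# Header exactly as it appears in the exported ESET detections log quoted above.
ESET_LOG_HEADER = ("Time;Scanner;Object type;Object;Detection;Action;User;"
                   "Information;Hash;First seen here")

# Rows copied from itman's and stackz's posts. Raw string: the Windows paths
# contain backslashes that must survive untouched.
ESET_LOG_ROWS = r"""7/2/2023 12:43:53 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\779475904292505f5062d51635f1bf3bf674ede9ac27fff303c2d371930c70f9.ps1;PowerShell/Kryptik.H trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;CD2BEEA6BF84BF5A7BA9983FAC7B136A6BA9E1EF;7/2/2023 12:43:41 PM
7/2/2023 2:40:00 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\79f4a39ad1111931963b1d7f7398ece7c6f971b855e3845f3b5029fc35da216b.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;7/2/2023 2:39:48 PM
3/07/2023 9:58:53 AM;Real-time file system protection;file;D:\Downloads\77E5E64742EF85E2DD5F05C7571A98D0C6583346.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zFM.exe (6F47DBFD6FF36DF7BA581A4CEF024DA527DC3046).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;3/07/2023 9:58:45 AM"""

# Constructed, harmless stand-in for "a file you have on disk".
SAMPLE_BAT = b"@echo off\r\nrem constructed placeholder, not malware\r\necho hello\r\n"

# Hex digest length -> algorithm (assumption: MD5 128 bits, SHA-1 160, SHA-256 256).
HASH_LEN_TO_ALGO = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def hash_algorithm(digest: str) -> Optional[str]:
    """Name the algorithm a hex digest comes from, judged by its length only."""
    if not HEX_RE.match(digest):
        return None
    return HASH_LEN_TO_ALGO.get(len(digest))


def parse_eset_log(rows: str) -> List[Dict[str, str]]:
    """Parse semicolon-separated ESET log rows into dicts keyed by the header."""
    lines = [ESET_LOG_HEADER] + rows.splitlines()
    return list(csv.DictReader(lines, delimiter=";"))


def hashes_for_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Collect every digest of the detected file that a log row exposes.

    The 'Hash' column is the detected file's digest (SHA-1 in the rows above).
    The file name may itself be a digest (64 hex chars = SHA-256 here). The
    digest inside 'Information' belongs to the creating process (7-Zip), not
    to the sample, so it is deliberately ignored.
    """
    found: Dict[str, str] = {}
    algo = hash_algorithm(rec["Hash"])
    if algo:
        found[algo] = rec["Hash"].lower()
    stem = re.split(r"[\\/]", rec["Object"])[-1].rsplit(".", 1)[0]
    algo = hash_algorithm(stem)
    if algo and algo not in found:
        found[algo] = stem.lower()
    return found


def vt_lookup_url(digest: str) -> str:
    """VirusTotal file page; the GUI accepts MD5, SHA-1 or SHA-256 here."""
    return f"https://www.virustotal.com/gui/file/{digest.lower()}"


def digests(data: bytes) -> Dict[str, str]:
    """All three digests of a file's bytes, so any of them can be matched."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA-1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    for rec in parse_eset_log(ESET_LOG_ROWS):
        print(rec["Detection"], "->", rec["Object"])
        for algo, value in hashes_for_record(rec).items():
            print(f"  {algo}: {value}\n    {vt_lookup_url(value)}")
    print("constructed sample:", digests(SAMPLE_BAT))
```

Run against the three rows, the first two yield both a SHA-1 (Hash column) and a SHA-256 (file name), while stackz's row yields only the SHA-1 because the file was saved under that value; for a file you hold locally, digests() gives all three so the VT page can be opened under whichever one the log or report quotes.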