Submission of Malware Samples for Analysis

[Hardq 0]

Hello, 

I hope this message finds you well. I wanted to inform you that I submitted a malware sample to samples@eset.com, and the submission has been assigned the ID [TRACK#657769690055]. I reached out to technical support regarding the matter, but unfortunately, I received a denial stating that the file is too large for customer support assistance. 

I appreciate your attention to this issue and would like guidance on how to proceed.

Best regards,
[Steven]

License ID: 3A9-BC8-BGH

[Nightowl 205]

If the file is too big to be uploaded through ESET Gui or through Email , you can archieve it and protect it with password "infected" and then you can send the link to ESET(Upload it through Google Drive , Microsoft OneDrive etc....)

But is your infected file over 50MB/100MB ?

Edited December 27, 2023 by Nightowl

[Marcos 5,085]

I've been trying to download the file but the download failed after an about an hour. The archive was too big, probably several GB in size. What makes you think it was malware?

[Hardq 0]

Additionally, I've identified some suspicious IP addresses associated with the file. They appear to be linked to recent security concerns and unusual system activities. Please consider these details in the analysis. Thank you

[Hardq 0]

The file size is approximately 22.9 GB. I attempted to download it using Internet Download Manager on the Windows operating system without success. He has recommended using the tool from this link: [Internet Download Manager](https://www.internetdownloadmanager.com/download.html). The suspicious nature of this large file raises concerns, and I believe it is crucial to investigate further. Your help is greatly appreciated.

 

"Right-click on the download link, copy the link address, and then paste it into IDM using the 'Add' button."

Edited December 27, 2023 by Hardq

[itman 1,665]

Quote

The file size is approximately 22.9 GB.

The file containing the malware could be a .iso file: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ .

Edited December 27, 2023 by itman

[Hardq 0]

Thank you for the link, itman. If I'm not mistaken, it would be helpful to have a member of the Eset staff from the Malware Research Team try to download the file and take a look at it for verification.

Let's hope that a Malware Researcher from Eset can assist with this situation, as Marcos failed in attempting to download the file, which was too large.

[Hardq 0]

13 hours ago, itman said:

The file containing the malware could be a .iso file: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ .

In addition, this malware sample was sent to the Eset laboratory. On another note, it appears to be a rootkit. Since my knowledge is basic, I forwarded it to Eset for their examination and manual analysis.

[Marcos 5,085]

There are 775 files in total in the iso image. All of them seem legitimate, there are 2 dlls in a "crack" folder but no AV detects them. Which one do you suspect to be malicious? And what makes you think it's a rootkit?

[Hardq 0]

As you said, it seems legitimate now. However, on virustotal.com, several suspicious IPs were found, and the rootkit is designed to hide in the operating system. 

On the other hand, this malware sample needs to be analyzed by a malware researcher, so I posted a message on this forum hoping to get assistance from a malware researcher.

[Hardq 0]

Furthermore, this requires analysis in a virtual machine, both static and dynamic analysis, and deobfuscation of the code. Otherwise, how are they going to identify the threat, given that several days have already passed and it seems that the sample sent to your email was not processed. 

[Veremo 6]

5 hours ago, Hardq said:

Furthermore, this requires analysis in a virtual machine, both static and dynamic analysis, and deobfuscation of the code. Otherwise, how are they going to identify the threat, given that several days have already passed and it seems that the sample sent to your email was not processed. 

Wow, and how much are you going to pay for such service ?

[Hardq 0]

Ah, my apologies for any confusion. I was referring to the internal processes of antivirus companies. They typically have dedicated teams, like Malware Researchers, who handle sample analysis and database updates.

This isn't something you pay for directly as a user; it's part of the antivirus service they provide. If you have specific samples you'd like them to analyze, you can reach out to ESET's laboratory at samples@eset.com.

Edited December 30, 2023 by Hardq

[Hardq 0]

Dear Administrator Marcos, I have not heard from you.

Can you send this file to one of the malware researchers at the Eset lab? I would also like to receive a response from you, please, we appreciate it.

[Marcos 5,085]

Please submit just one or few suspicious files from the image as an email attachment to samples[at]eset.com. I assume the big image must have thousands of files inside, we need just the suspicious ones which should be also substantially smaller in size. Also provide valid reasons why you find them suspicious; if the files are detected by other AVs, if you ran them and they did something malicious on your machine, etc.

[Hardq 0]

Hi Marcos

Thanks for the reply. I uploaded the file to samples@eset.sk on January 23rd. On the other hand, in the email message I warned them that they should use a tool to improve the stability of the download

[Hardq 0]

Hi Marcos

The sample has been sent to eset samples@eset.sk on January 23, on the other hand, it is being explained there, answering your question.

[Marcos 5,085]

You have received a reply on January 10:

This file will be detected as potentially unsafe application Win32/HackTool.Crack.OH.

 

Since there's nothing else to add, we'll draw this topic to a close.