itman (posted Saturday at 11:16 PM):

Sample is here: https://bazaar.abuse.ch/sample/9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be/. VT detection rate is 61/74: https://www.virustotal.com/gui/file/9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be

Upon sample archive extraction, the file was sent to LiveGuard with no file locking at all occurring.
SeriousHoax (posted Sunday at 08:29 AM, edited Sunday at 08:30 AM):

It is from 2020, yet not detected by ESET? Very strange, unless the sample is broken somehow, which is unlikely based on its behavior on VT.
Marcos, ESET Administrator (posted Sunday at 11:58 AM):

The archive contains NSSM, a potentially unsafe application, which is detected. Besides that, there is also an old file svchost.exe from 2018 which is detected by a few AVs but is probably not malicious per se; it loads a batch script from the SQLite database OnTimer.db. The script downloads a payload from a dead URL which used to serve the Win64/CoinMiner.OF potentially unwanted application in the past (detected since 2019). I've sent svchost.exe to the virus lab to find out whether it's subject to detection or not.
itman, author (posted Sunday at 01:46 PM, edited Sunday at 04:19 PM):

4 hours ago, Marcos said:
    The archive contains NSSM potentially unsafe application which is detected.

Is this only upon execution of the sample .exe? It was not detected upon file creation; ditto for LiveGuard analysis. Does LiveGuard ignore Eset PUA detections?

    Time;Hash;File;Size;Category;Reason;Sent to;User
    6/29/2024 5:24:06 PM;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;C:\Users\18436\Downloads\9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be.exe;1070725;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxx

-EDIT- I downloaded the sample again. Now Eset detects upon archive extraction:

    Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
    6/30/2024 12:13:36 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be.exe;multiple detections;deleted;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;
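The two log excerpts above are ESET's semicolon-delimited "Submitted files" and "Detections" exports. As an added example (not part of any post in this thread), the script below joins the two exports on the SHA-1 hash to answer the question itman raises: did a file that was sent to LiveGuard later trigger a real-time detection, and how long after submission? The records are constructed to match the quoted lines, with the user names replaced by placeholders.

```python
import csv
import io
from datetime import datetime

# Constructed records in the layout of the two ESET log exports quoted above;
# user names are placeholders, the SHA-1 is the one shown in the thread.
SUBMITTED_FILES_LOG = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
6/29/2024 5:24:06 PM;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;C:\Users\user\Downloads\sample.exe;1070725;Executable;Automatic;ESET LiveGuard;user
6/29/2024 5:30:00 PM;0000000000000000000000000000000000000000;C:\Users\user\Downloads\other.exe;4096;Executable;Automatic;ESET LiveGuard;user
"""

DETECTIONS_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/30/2024 12:13:36 PM;Real-time file system protection;file;C:\Users\user\Downloads\sample.exe;multiple detections;deleted;user;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;
"""


def parse_eset_log(text):
    """Parse a semicolon-delimited ESET log export into dicts keyed by its header row."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def parse_time(value):
    """ESET exports timestamps like '6/29/2024 5:24:06 PM' (US locale, 12-hour clock)."""
    return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")


def submissions_later_detected(submitted_text, detections_text):
    """Map SHA-1 -> details for every LiveGuard submission that a later detection matched.

    A file that was submitted for analysis but never detected afterwards is left out,
    so the result shows exactly which submissions were caught only after the fact.
    """
    submitted = [r for r in parse_eset_log(submitted_text) if r["Sent to"] == "ESET LiveGuard"]
    detections_by_hash = {}
    for d in parse_eset_log(detections_text):
        detections_by_hash.setdefault(d["Hash"].upper(), []).append(d)

    result = {}
    for s in submitted:
        sha1 = s["Hash"].upper()
        submitted_at = parse_time(s["Time"])
        for d in detections_by_hash.get(sha1, []):
            detected_at = parse_time(d["Time"])
            if detected_at >= submitted_at:  # only detections that came after submission
                result[sha1] = {
                    "file": s["File"],
                    "detection": d["Detection"],
                    "action": d["Action"],
                    "gap_hours": (detected_at - submitted_at).total_seconds() / 3600,
                }
    return result
```

Run against real exports by reading the two files into the two strings; any hash that appears in the result was submitted to LiveGuard before the local scanner flagged it.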