itman, posted June 29:
Sample is here: https://bazaar.abuse.ch/sample/9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be/. VT detection rate is 61/74: https://www.virustotal.com/gui/file/9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be
Upon sample archive extraction, the file was sent to LiveGuard with no file locking at all occurring.
SeriousHoax, posted June 30 (edited):
It is from 2020 yet not detected by ESET? Very strange if the sample is not broken somehow, which is unlikely based on the behavior on VT.
Marcos (Administrator), posted June 30:
The archive contains NSSM, a potentially unsafe application, which is detected. Besides that there is also an old file svchost.exe from 2018 which is detected by a few AVs but is probably not malicious per se; it loads a batch script from the SQLite database OnTimer.db. The script downloads a payload from a dead URL which used to serve the Win64/CoinMiner.OF potentially unwanted application in the past (detected since 2019). I've sent svchost.exe to the viruslab to find out if it's subject to detection or not.
itman (author), posted June 30 (edited):
4 hours ago, Marcos said: "The archive contains NSSM, a potentially unsafe application, which is detected."
Is this only upon execution of the sample .exe? It was not detected upon file creation; ditto for LiveGuard analysis. Does LiveGuard ignore Eset PUA detections?
Quote:
Time;Hash;File;Size;Category;Reason;Sent to;User
6/29/2024 5:24:06 PM;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;C:\Users\18436\Downloads\9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be.exe;1070725;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxx
-EDIT- I downloaded the sample again. Now Eset detects upon archive extraction:
Quote:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/30/2024 12:13:36 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be.exe;multiple detections;deleted;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;
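Added example, not code from the thread or from ESET: a small Python script that parses the two semicolon-separated ESET log exports of the kind quoted above (the "Sent files" LiveGuard view and the "Detections" view) and joins them on SHA-1, so a defender can see which files submitted to LiveGuard were later caught on-access and how long afterwards. The log lines below are constructed to match the quoted layout; file names, user names and the second hash are placeholders.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports mirroring the layout of the ESET log views quoted
# in the thread. The first SHA-1 is the one from the thread; the second is a
# placeholder for a submission that never produced a detection.
LIVEGUARD_LOG = """Time;Hash;File;Size;Category;Reason;Sent to;User
6/29/2024 5:24:06 PM;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;C:\\Users\\user\\Downloads\\sample.exe;1070725;Executable;Automatic;ESET LiveGuard;user
6/29/2024 5:30:00 PM;0000000000000000000000000000000000000000;C:\\Users\\user\\Downloads\\other.exe;4096;Executable;Automatic;ESET LiveGuard;user
"""
DETECTION_LOG = """Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/30/2024 12:13:36 PM;Real-time file system protection;file;C:\\Users\\user\\Downloads\\sample.exe;multiple detections;deleted;user;Event occurred on a new file created by the application: C:\\Program Files\\7-Zip\\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;
"""

# Timestamp format used in the exports: month/day/year, 12-hour clock, AM/PM.
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_eset_log(text):
    """Parse a semicolon-delimited ESET log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def correlate(liveguard_text, detection_text):
    """Join LiveGuard submissions to detections by SHA-1.

    Returns one record per submission: whether any detection exists for the
    same hash, the detection names, and the delay in seconds between the
    submission and the earliest detection (None if never detected).
    """
    by_hash = {}
    for row in parse_eset_log(detection_text):
        by_hash.setdefault(row["Hash"].upper(), []).append(row)

    results = []
    for sub in parse_eset_log(liveguard_text):
        h = sub["Hash"].upper()
        sent_at = datetime.strptime(sub["Time"], TIME_FMT)
        hits = by_hash.get(h, [])
        lag = None
        if hits:
            first = min(datetime.strptime(r["Time"], TIME_FMT) for r in hits)
            lag = (first - sent_at).total_seconds()
        results.append({
            "hash": h,
            "file": sub["File"],
            "detected": bool(hits),
            "detections": [r["Detection"] for r in hits],
            "lag_seconds": lag,
        })
    return results
```

Submissions that stay undetected for a long time after being sent are the ones worth a manual look, since they are exactly the gap between cloud sandboxing and on-access detection that the thread is about.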