QuickSilverST250 0 Posted September 3 Share Posted September 3 I have the same issue. I test with thousands of samples monthly. We manually submit the 10 samples via GUI (painful process as this is the limit everytime). I have reported to support that LiveGuard does not auto submit all the samples and requires manually action many times. Then LiveGuard rates alot of the files as safe, yet it's being detected but 40+ other vendors. When rated safe this causes alot of the infection to take place in our lab testing as it's false negative. Many times, we have ransomware infections as not detected, and you see sample reputation is green. You then send a mail to threat labs, zip the files every time and also limited due to mail size limits. Then as everyone here states, you might be lucky to get a reply. Also, only a fraction of samples send via LiveGuard/Mail gets flagged. Many of them still stay undetected, or maybe some gets detected days later. For example, this hash e22731d9c3a47edcc4e6d1e31d1eba588d8778f05dce1ba16e8a0d189eacfb01 / b0e1e030ad98fe4164d26e7f6a0e6e9a4ecb229b504f816ca7772b119996ad3e and many other like it eset does not detect or stop. Been submitting them many times. I have also noticed, you will submit samples to LiveGuard, non gets detected for example, but you submit those same samples over and over again then they will get detected hours/days later via LiveGuard not signatures. It's like the samples don't stay on the eset servers, as they don't get automatically removed later on. You need to keep submitting them. The policy stated to never delete samples. Link to comment Share on other sites More sharing options...
IvanL_5306 1 Posted September 4 Share Posted September 4 (edited) 12 hours ago, hellosky11 said: I don't want to say this, but on my other PC, I have Bitdefender installed. When an undetected sample comes in and I don't have the sample itself, I simply send the malware research team the hashes, or sometimes the sample if I have it. The best thing about Bitdefender's malware researchers is that they reply to every single email you send them with samples or hashes. They clearly state whether the file/website is malicious, potentially unwanted (PUP), or neither. The key point here is that they respond to everything, and you don't even need to send them a follow-up email. This is something ESET has been lacking from the start. @Marcos, would you like to add something here? If you want to speak in favor of ESET's malware researchers, kindly consider the positive aspects I’ve mentioned about Bitdefender’s malware researchers. If your argument is that they receive thousands of samples every day and can’t respond to every single one, well, they are not the only ones. Bitdefender, Kaspersky, and Malwarebytes also receive thousands of samples, yet they manage to reply to every single email. Please consider this statement before providing your feedback. Also, the follow-up email suggestion in the ESET article I shared above doesn’t make sense and should be removed. I am not against ESET, but how can ESET's malware researchers compete with the positive feedback provided by other companies who inform users about the status of the samples/hashes they send? I just wondering if there is currently a shortage of malware analysts at ESET HQ... Edited September 4 by IvanL_5306 Link to comment Share on other sites More sharing options...
Administrators Marcos 5,257 Posted September 4 Administrators Share Posted September 4 13 hours ago, QuickSilverST250 said: e22731d9c3a47edcc4e6d1e31d1eba588d8778f05dce1ba16e8a0d189eacfb01 / b0e1e030ad98fe4164d26e7f6a0e6e9a4ecb229b504f816ca7772b119996ad3e The first one is clean, the Autoit script checks for the default browser and opens a MS website in it. The AVs that detect it have FP on the file. The second one has been detected as Suspicious object, a detection was created although it's not clear what it sends to Discord. Link to comment Share on other sites More sharing options...
QuickSilverST250 0 Posted September 4 Share Posted September 4 (edited) 2 hours ago, Marcos said: The first one is clean, the Autoit script checks for the default browser and opens a MS website in it. The AVs that detect it have FP on the file. The second one has been detected as Suspicious object, a detection was created although it's not clear what it sends to Discord. Thnx Marcos Edited September 4 by QuickSilverST250 Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 4 Share Posted September 4 (edited) 17 hours ago, QuickSilverST250 said: For example, this hash e22731d9c3a47edcc4e6d1e31d1eba588d8778f05dce1ba16e8a0d189eacfb01 Let's get things in proper perspective here. Yesterday evening, 9/3/2024, I downloaded this sample from Malware Bazaar. Of note is the sample was posted on Malware Bazaar on 9/3/2024 and appears subsequently uploaded to VirusTotal that same day. Upon download, the sample was submitted to LiveGuard which didn't detect anything. As @Marcos posted above, the sample doesn't contain any malware and existing VirusTotal detection's of it are false positives. Edited September 4 by itman Link to comment Share on other sites More sharing options...
AnthonyQ 51 Posted September 4 Share Posted September 4 Seems that all the samples I’ve posted here have been properly detected, which leads me to question whether submitting samples via email is the best approach, or if I should share file hashes on this forum instead. Anyway, I will also share three additional backdoor trojans that have been submitted but not detected yet: https://www.virustotal.com/gui/file/63285afce5ca55fba6111ef18317fd6dbe3444bf348ee383b9889de117233f72 https://www.virustotal.com/gui/file/581df120220b4da0cbe55c272e770411356277f8ea536755f0a653709983876e https://www.virustotal.com/gui/file/141e91c7ba01314e754d06b2cecd7bfebca3271852b3df18fd8eb985748a67a9 Link to comment Share on other sites More sharing options...
IvanL_5306 1 Posted September 4 Share Posted September 4 https://www.virustotal.com/gui/file/0c2d0f0b85a76ac05844d0936b045e36a2b2edf2af1da8b5c811c40bd735336a https://www.virustotal.com/gui/file/214163efc2c80d0ba248e0f7686f5aad2c038f1d6a1c1aa332ffbf31f87687d3 https://www.virustotal.com/gui/file/05db795353977fa9918cfddb3f9df6a863038565e3a0fde0b60f7dc7a5d62226 https://www.virustotal.com/gui/file/959459860e93f4d4bce14434e77cbbae702cf972e7846ae5d06289a1829c2380 https://www.virustotal.com/gui/file/c1a86d176c920b7d65b54f02df0a8e5f92518a12aae5f0bcde5e8e25d281f091 https://www.virustotal.com/gui/file/bae4011581698e98ef16018861be6aa6052477f4f435f0e01aa2b859e2f402bd https://www.virustotal.com/gui/file/7075394a4ec7f872483914bb6581035944f420eff07ec476e9baac310c00c664 https://www.virustotal.com/gui/file/d77b0d31ec04ce01fdfd4f7564dc39fcae1e68d7afc3cbaa6a52ed5898975624 https://www.virustotal.com/gui/file/64a9f54ae38732bf5083501a894b8d4795791718dd55655b2392519c6dd6dcd3 https://www.virustotal.com/gui/file/171d37105e828ee641b0e6a386dd3fb131857ac9b3ba0246566bc4b0f78d7752 Undetected malicious DLLs used for side-loading. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 5 Author Share Posted September 5 On 8/30/2024 at 11:30 PM, hellosky11 said: 8c1de5e2f95d1b23f0a4b1445b572d3c2c2bb1b715265b1fd145ba19b2830209 264281a0866d0b1d8636de9e3643c1d7117028055dc5c7f2d20ce7ba7e6ec6c1 b5f05f4fbb39ee3d29708161d0f1c98012e066817a6bcb3e6444cd3ff7c43bac now only these 3 are left for other also one by one detection is created, @Marcos can you get above 3 hashes shared these re yet to be answered a sit was sent way to ago, the file hashes before these were sent by marcos and they were detected but i guess marcos forgot to send these ones. @Marcosplease if you can get these checked. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 5 Author Share Posted September 5 also, more python ransomware 4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da 9f5a4f509412cf1408a33f2586c244cb8be13726eb07491ee633e154a9dade42 18e2795030fff749990c8264aab46a0f026074e46cf9de02467da1a090149986 8a2f2dcdf0a2f4b3bf2c7ac94205e769dfcdb7c161df5a8d9df52935dbaeb936 7c0091c346271f9ab0e66e1ea79f8a1bdab786a84a4c3dd0240002e3a76156cc Link to comment Share on other sites More sharing options...
sesk 23 Posted September 5 Share Posted September 5 this can go on forever. it is not the dude job to go through your hashes. he has got better to do. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 5 Author Share Posted September 5 (edited) 18 minutes ago, sesk said: this can go on forever. it is not the dude job to go through your hashes. he has got better to do. Well, in that case, @sesk you can also get in touch with the malware researchers. If you are a staff member of ESET (which I don't think you are), you will be able to contribute to this post. Otherwise, you can just leave this chat and let the ESET management staff handle these matters. To ESET employees, will these malware hashes remain unchecked in the wild, while users like us think, 'Oh yes, ESET is protecting us, so cool,' and then, by mistake, click on a ransomware file, resulting in our PCs getting encrypted even though we had already sent the hashes to samples@eset.com? Will ESET cover the loss? And as previously mentioned, I am already following the steps outlined in the ESET article to send a follow-up email to malware researchers, but I am still not getting any results. Edited September 5 by hellosky11 IvanL_5306 1 Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 5 Share Posted September 5 (edited) 5 hours ago, hellosky11 said: 4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da Let's review what VT has to say about this sample; Quote Code insights The code begins by importing necessary libraries and modules. It then attempts to run a script named "Runner.sh" using the bash command, potentially indicating an attempt to execute additional malicious actions on the network. Next, it generates a unique encryption key using the Fernet library and establishes a connection to a MySQL database, where it stores the key and the hostname of the infected machine. The code proceeds to gather a list of file extensions to target for encryption. It then scans the entire C drive, searching for files with the specified extensions. For each eligible file, it encrypts the file's contents and renames the file with an encrypted filename. A warning message is displayed to the user, demanding a ransom payment in bitcoins within a specified time frame. Failure to comply threatens the sale of sensitive data and passwords. Finally, the code creates a text file on the user's desktop, providing instructions for decrypting the files and reiterating the ransom demand. Bottom line here - it's Linux based ransomware. Edited September 5 by itman Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 5 Author Share Posted September 5 And it clearly shows, detection is not available! Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 5 Author Share Posted September 5 @Marcoscan you enlighten here? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,257 Posted September 5 Administrators Share Posted September 5 3 hours ago, itman said: Let's review what VT has to say about this sample; Bottom line here - it's Linux based ransomware. It doesn't run: Traceback (most recent call last): File "C:\test\test.py", line 1, in <module> import mysql.connector ModuleNotFoundError: No module named 'mysql' Plus this can't work as is: conn = mysql.connector.connect( host = "*****", user = "*****", password = "*****", database = "*****", ) Did somebody install MySQL and made the script work to see if it's detected upon execution and encryption? Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 5 Author Share Posted September 5 i will give it a try and get back in some time till that time as i had provided at the starting of the post, below hashes were still not sent to malware labs 9f5a4f509412cf1408a33f2586c244cb8be13726eb07491ee633e154a9dade42 18e2795030fff749990c8264aab46a0f026074e46cf9de02467da1a090149986 8a2f2dcdf0a2f4b3bf2c7ac94205e769dfcdb7c161df5a8d9df52935dbaeb936 7c0091c346271f9ab0e66e1ea79f8a1bdab786a84a4c3dd0240002e3a76156cc 8c1de5e2f95d1b23f0a4b1445b572d3c2c2bb1b715265b1fd145ba19b2830209 264281a0866d0b1d8636de9e3643c1d7117028055dc5c7f2d20ce7ba7e6ec6c1 b5f05f4fbb39ee3d29708161d0f1c98012e066817a6bcb3e6444cd3ff7c43bac Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 5 Share Posted September 5 49 minutes ago, Marcos said: Did somebody install MySQL and made the script work to see if it's detected upon execution and encryption? This is the key point with these constant malware submissions here. Unless the sample is actually run, you have no way to verify if Eset would detect it or not. Or, if the sample would actually run at all on your device. Also, malware sample testing needs to be performed on a stand alone test device disconnected from the local network. Running the sample in a VM or sandbox won't work anymore since most malware these days perform anti-evasion tactics to detect both and terminate execution. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,257 Posted September 5 Administrators Share Posted September 5 1 minute ago, itman said: This is the key point with these constant malware submissions here. Unless the sample is actually run, you have no way to verify if Eset would detect it or not. Or, if the sample would actually run at all on your device. Also, malware sample testing needs to be performed on a stand alone test device disconnected from the local network. Running the sample in a VM or sandbox won't work anymore since most malware these days perform anti-evasion tactics to detect both and terminate execution. Well said Perhaps all of these Python scripts require additional modules to be installed to run. For instance, in order to run 4EBAE6440E83B617ABF9A0CD63692796211C9227, you first need to install Python and then also 4 additional module. If you finally run it, it doesn't encrypt files automatically but you are presented with a menu like this: That said, if somebody runs this on one's machine, he or he would already have a much bigger problem than detection of the file since the AV would be likely already killed by the attacker with an admin remote access to the machine. Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 5 Share Posted September 5 (edited) 8 minutes ago, Marcos said: Perhaps all of these Python scripts require additional modules to be installed to run. I for one have blocked execution of all Windows native Python .exe's resulting in them being inadvertently installed. On the other most games require Python use. But gamers basically already have a "big red bullseye" on their device saying attack me. Edited September 5 by itman Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 5 Share Posted September 5 (edited) 2 hours ago, Marcos said: If you finally run it, it doesn't encrypt files automatically but you are presented with a menu like this: It's one of those damn test ransomware's at Github: https://github.com/0xbitx/DEDSEC_RANSOMWARE . Quote DedSec Ransomware automatically sends the victim's unique decryption key, along with Unique ID, IP address, and username to a designated Discord server. This feature ensures that you have quick access to their information and decryption key. If you've been affected by this ransomware, reach out to me on discord to obtain your decryption key without making any payment. Edited September 5 by itman Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 6 Author Share Posted September 6 Well, the hashes were also sent to VirusTotal. How did vendors like Kaspersky, Bitdefender, Avast, etc., detect it? You cannot say that it is a false positive for all of them; that cannot happen at all. It could be that one, but not the majority of them, especially the well-known vendors. @Marcosthere is no hard and fast rule in this, you just have to share the hashes internally, that is not at all difficult, its just matter of 2-3 clicks for you. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 6 Author Share Posted September 6 like the one is this You told the user the false positive has been fixed. How much time did it take for you to get this checked (if so)? Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 6 Share Posted September 6 On 9/5/2024 at 5:49 AM, hellosky11 said: also, more python ransomware 4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da 9f5a4f509412cf1408a33f2586c244cb8be13726eb07491ee633e154a9dade42 18e2795030fff749990c8264aab46a0f026074e46cf9de02467da1a090149986 8a2f2dcdf0a2f4b3bf2c7ac94205e769dfcdb7c161df5a8d9df52935dbaeb936 7c0091c346271f9ab0e66e1ea79f8a1bdab786a84a4c3dd0240002e3a76156cc Eset now detects these at VirusTotal. They are all DedSec test/demo ransomware or variants of it. 3 hours ago, hellosky11 said: Well, the hashes were also sent to VirusTotal. How did vendors like Kaspersky, Bitdefender, Avast, etc., detect it? Assume they are detecting by behavior; e.g. file encryption activities, and that feature has been included in their version's used at Virustotal. Whether Eset's ransomware shield protection would have done the same can only be verified by actually running these samples on your test device since the feature is not deployed on VirusTotal version. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 6 Author Share Posted September 6 4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da This is yet to be detected; the latest test results show that Kaspersky has also started detecting the hash as ransomware Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 6 Share Posted September 6 (edited) 1 hour ago, hellosky11 said: 4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da This is yet to be detected; the latest test results show that Kaspersky has also started detecting the hash as ransomware Strange. It was detected by Eset earlier this morning at VT when I checked. Now it is not. Eset now blocks the source domain, https://github.com/0xbitx/DEDSEC_RANSOMWARE . Appears they feel that is sufficient. Edited September 6 by itman Link to comment Share on other sites More sharing options...
Recommended Posts