
malware hashes




I have the same issue. I test with thousands of samples monthly. We manually submit the 10 samples via GUI (a painful process, as this is the limit every time). I have reported to support that LiveGuard does not auto-submit all the samples and requires manual action many times. Then LiveGuard rates a lot of the files as safe, yet they are being detected by 40+ other vendors. When rated safe, this causes a lot of the infections to take place in our lab testing, as it's a false negative. Many times we have ransomware infections not detected, and you see the sample reputation is green.

You then send a mail to threat labs, zip the files every time, and are also limited by mail size limits. Then, as everyone here states, you might be lucky to get a reply. Also, only a fraction of the samples sent via LiveGuard/mail get flagged. Many of them still stay undetected, or maybe some get detected days later. For example, this hash e22731d9c3a47edcc4e6d1e31d1eba588d8778f05dce1ba16e8a0d189eacfb01 / b0e1e030ad98fe4164d26e7f6a0e6e9a4ecb229b504f816ca7772b119996ad3e and many others like it ESET does not detect or stop. I've been submitting them many times.

I have also noticed that you will submit samples to LiveGuard and none get detected, for example, but if you submit those same samples over and over again, they will get detected hours/days later via LiveGuard, not signatures. It's like the samples don't stay on the ESET servers, as they don't get automatically removed later on. You need to keep submitting them. The policy stated to never delete samples.


12 hours ago, hellosky11 said:

I don't want to say this, but on my other PC, I have Bitdefender installed. When an undetected sample comes in and I don't have the sample itself, I simply send the malware research team the hashes, or sometimes the sample if I have it. The best thing about Bitdefender's malware researchers is that they reply to every single email you send them with samples or hashes. They clearly state whether the file/website is malicious, potentially unwanted (PUP), or neither. The key point here is that they respond to everything, and you don't even need to send them a follow-up email. This is something ESET has been lacking from the start.

@Marcos, would you like to add something here? If you want to speak in favor of ESET's malware researchers, kindly consider the positive aspects I’ve mentioned about Bitdefender’s malware researchers. If your argument is that they receive thousands of samples every day and can’t respond to every single one, well, they are not the only ones. Bitdefender, Kaspersky, and Malwarebytes also receive thousands of samples, yet they manage to reply to every single email. Please consider this statement before providing your feedback.

Also, the follow-up email suggestion in the ESET article I shared above doesn’t make sense and should be removed.

I am not against ESET, but how can ESET's malware researchers compete with the positive feedback provided by other companies who inform users about the status of the samples/hashes they send?

I am just wondering if there is currently a shortage of malware analysts at ESET HQ...

Edited by IvanL_5306

  • Administrators
13 hours ago, QuickSilverST250 said:

e22731d9c3a47edcc4e6d1e31d1eba588d8778f05dce1ba16e8a0d189eacfb01 / b0e1e030ad98fe4164d26e7f6a0e6e9a4ecb229b504f816ca7772b119996ad3e

The first one is clean; the AutoIt script checks for the default browser and opens an MS website in it. The AVs that detect it have an FP on the file.

The second one has been detected as a Suspicious object; a detection was created although it's not clear what it sends to Discord.


2 hours ago, Marcos said:

The first one is clean; the AutoIt script checks for the default browser and opens an MS website in it. The AVs that detect it have an FP on the file.

The second one has been detected as a Suspicious object; a detection was created although it's not clear what it sends to Discord.

Thnx Marcos

Edited by QuickSilverST250

17 hours ago, QuickSilverST250 said:

For example, this hash e22731d9c3a47edcc4e6d1e31d1eba588d8778f05dce1ba16e8a0d189eacfb01

Let's get things in proper perspective here. Yesterday evening, 9/3/2024, I downloaded this sample from Malware Bazaar.

Of note, the sample was posted on Malware Bazaar on 9/3/2024 and appears to have been subsequently uploaded to VirusTotal that same day.

Upon download, the sample was submitted to LiveGuard, which didn't detect anything. As @Marcos posted above, the sample doesn't contain any malware and the existing VirusTotal detections of it are false positives.

Edited by itman

It seems that all the samples I've posted here have been properly detected, which leads me to question whether submitting samples via email is the best approach, or if I should share file hashes on this forum instead.

Anyway, I will also share three additional backdoor trojans that have been submitted but not detected yet:

https://www.virustotal.com/gui/file/63285afce5ca55fba6111ef18317fd6dbe3444bf348ee383b9889de117233f72

https://www.virustotal.com/gui/file/581df120220b4da0cbe55c272e770411356277f8ea536755f0a653709983876e

https://www.virustotal.com/gui/file/141e91c7ba01314e754d06b2cecd7bfebca3271852b3df18fd8eb985748a67a9


On 8/30/2024 at 11:30 PM, hellosky11 said:

8c1de5e2f95d1b23f0a4b1445b572d3c2c2bb1b715265b1fd145ba19b2830209

264281a0866d0b1d8636de9e3643c1d7117028055dc5c7f2d20ce7ba7e6ec6c1

b5f05f4fbb39ee3d29708161d0f1c98012e066817a6bcb3e6444cd3ff7c43bac


Now only these 3 are left; for the others, a detection is also being created one by one. @Marcos, can you get the above 3 hashes shared?

These are yet to be answered, as they were sent way too long ago; the file hashes before these were sent by Marcos and they were detected, but I guess Marcos forgot to send these ones.

@Marcos please, if you can get these checked.


Also, more Python ransomware:

4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da

9f5a4f509412cf1408a33f2586c244cb8be13726eb07491ee633e154a9dade42

18e2795030fff749990c8264aab46a0f026074e46cf9de02467da1a090149986

8a2f2dcdf0a2f4b3bf2c7ac94205e769dfcdb7c161df5a8d9df52935dbaeb936

7c0091c346271f9ab0e66e1ea79f8a1bdab786a84a4c3dd0240002e3a76156cc


This can go on forever. It is not the dude's job to go through your hashes. He has got better things to do.


18 minutes ago, sesk said:

This can go on forever. It is not the dude's job to go through your hashes. He has got better things to do.

Well, in that case, @sesk you can also get in touch with the malware researchers. If you are a staff member of ESET (which I don't think you are), you will be able to contribute to this post. Otherwise, you can just leave this chat and let the ESET management staff handle these matters.

To ESET employees, will these malware hashes remain unchecked in the wild, while users like us think, 'Oh yes, ESET is protecting us, so cool,' and then, by mistake, click on a ransomware file, resulting in our PCs getting encrypted even though we had already sent the hashes to samples@eset.com? Will ESET cover the loss?

And as previously mentioned, I am already following the steps outlined in the ESET article to send a follow-up email to malware researchers, but I am still not getting any results.

Edited by hellosky11

5 hours ago, hellosky11 said:

4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da

Let's review what VT has to say about this sample:

Quote

Code insights

The code begins by importing necessary libraries and modules. It then attempts to run a script named "Runner.sh" using the bash command, potentially indicating an attempt to execute additional malicious actions on the network.

Next, it generates a unique encryption key using the Fernet library and establishes a connection to a MySQL database, where it stores the key and the hostname of the infected machine.

The code proceeds to gather a list of file extensions to target for encryption. It then scans the entire C drive, searching for files with the specified extensions. For each eligible file, it encrypts the file's contents and renames the file with an encrypted filename.

A warning message is displayed to the user, demanding a ransom payment in bitcoins within a specified time frame. Failure to comply threatens the sale of sensitive data and passwords.

Finally, the code creates a text file on the user's desktop, providing instructions for decrypting the files and reiterating the ransom demand.

Bottom line here: it's Linux-based ransomware.
Edited by itman

  • Administrators
3 hours ago, itman said:

Let's review what VT has to say about this sample:

Bottom line here: it's Linux-based ransomware.

It doesn't run:

Traceback (most recent call last):
  File "C:\test\test.py", line 1, in <module>
    import mysql.connector
ModuleNotFoundError: No module named 'mysql'

Plus this can't work as is:

conn = mysql.connector.connect(
    host = "*****",
    user = "*****",
    password = "*****",
    database = "*****",
)

Did somebody install MySQL and make the script work to see if it's detected upon execution and encryption?

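A static way to answer the "does it even run" question raised in the post above, as an added example that is not part of the thread and not code from ESET or from the submitted sample: the script below lists a Python file's top-level imports with the ast module and reports which ones the current interpreter cannot resolve, without executing the file. The embedded source is a constructed stand-in that only mimics the import shape seen in the traceback (mysql.connector, cryptography.fernet); it is not the sample itself and does nothing when run.

```python
import ast
import importlib.util
import sys

# Constructed stand-in: only the import lines matter for this triage step.
# This is NOT the submitted sample; it performs no action when executed.
SAMPLE_SOURCE = '''
import os
import socket
import mysql.connector
from cryptography.fernet import Fernet
'''


def extract_imports(source: str) -> list[str]:
    """Return the sorted top-level module names imported by `source`.

    The source is parsed with ast, so nothing in it is executed."""
    tree = ast.parse(source)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            # level > 0 is a relative import inside a package; skip those
            if node.module and node.level == 0:
                names.add(node.module.split(".")[0])
    return sorted(names)


def is_stdlib(name: str) -> bool:
    """True if `name` ships with CPython (3.10+ exposes the list directly)."""
    stdlib = getattr(sys, "stdlib_module_names", frozenset())
    return name in stdlib or name in sys.builtin_module_names


def missing_modules(source: str) -> list[str]:
    """Top-level imports the running interpreter cannot resolve.

    find_spec on a top-level name returns None rather than raising, which is
    why only the first dotted component is checked: the traceback in the
    thread fails on the parent package 'mysql', not on 'mysql.connector'."""
    return [n for n in extract_imports(source)
            if importlib.util.find_spec(n) is None]


def triage(source: str) -> dict[str, list[str]]:
    """Group a script's imports into stdlib, third-party and missing."""
    imports = extract_imports(source)
    return {
        "stdlib": [n for n in imports if is_stdlib(n)],
        "third_party": [n for n in imports if not is_stdlib(n)],
        "missing": missing_modules(source),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SOURCE).items():
        print(f"{key}: {', '.join(value) or '-'}")
```

The "third_party" list is the set of packages a tester would have to install before the script could get past its first line, which is the point Marcos makes below about needing extra modules; the "missing" list is specific to the interpreter the check is run on.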

I will give it a try and get back in some time.

Till that time, as I had provided at the start of the post, the hashes below were still not sent to the malware labs:

9f5a4f509412cf1408a33f2586c244cb8be13726eb07491ee633e154a9dade42

18e2795030fff749990c8264aab46a0f026074e46cf9de02467da1a090149986

8a2f2dcdf0a2f4b3bf2c7ac94205e769dfcdb7c161df5a8d9df52935dbaeb936

7c0091c346271f9ab0e66e1ea79f8a1bdab786a84a4c3dd0240002e3a76156cc

8c1de5e2f95d1b23f0a4b1445b572d3c2c2bb1b715265b1fd145ba19b2830209

264281a0866d0b1d8636de9e3643c1d7117028055dc5c7f2d20ce7ba7e6ec6c1

b5f05f4fbb39ee3d29708161d0f1c98012e066817a6bcb3e6444cd3ff7c43bac


49 minutes ago, Marcos said:

Did somebody install MySQL and make the script work to see if it's detected upon execution and encryption?

This is the key point with these constant malware submissions here. Unless the sample is actually run, you have no way to verify if Eset would detect it or not. Or, if the sample would actually run at all on your device.

Also, malware sample testing needs to be performed on a stand-alone test device disconnected from the local network. Running the sample in a VM or sandbox won't work anymore, since most malware these days performs anti-evasion tactics to detect both and terminate execution.


  • Administrators
1 minute ago, itman said:

This is the key point with these constant malware submissions here. Unless the sample is actually run, you have no way to verify if Eset would detect it or not. Or, if the sample would actually run at all on your device.

Also, malware sample testing needs to be performed on a stand-alone test device disconnected from the local network. Running the sample in a VM or sandbox won't work anymore, since most malware these days performs anti-evasion tactics to detect both and terminate execution.

Well said :) Perhaps all of these Python scripts require additional modules to be installed to run.

For instance, in order to run 4EBAE6440E83B617ABF9A0CD63692796211C9227, you first need to install Python and then also 4 additional modules. If you finally run it, it doesn't encrypt files automatically, but you are presented with a menu like this:

[image: menu screenshot]

That said, if somebody runs this on their machine, he or she would already have a much bigger problem than detection of the file, since the AV would likely already have been killed by the attacker with admin remote access to the machine.


8 minutes ago, Marcos said:

Perhaps all of these Python scripts require additional modules to be installed to run.

I for one have blocked execution of all Windows native Python .exe's resulting in them being inadvertently installed.

On the other hand, most games require Python use. But gamers basically already have a "big red bullseye" on their device saying attack me.

Edited by itman

2 hours ago, Marcos said:

If you finally run it, it doesn't encrypt files automatically but you are presented with a menu like this:

It's one of those damn test ransomware projects on GitHub: https://github.com/0xbitx/DEDSEC_RANSOMWARE

Quote

DedSec Ransomware automatically sends the victim's unique decryption key, along with Unique ID, IP address, and username to a designated Discord server. This feature ensures that you have quick access to their information and decryption key.

If you've been affected by this ransomware, reach out to me on discord to obtain your decryption key without making any payment.


Edited by itman

Well, the hashes were also sent to VirusTotal. How did vendors like Kaspersky, Bitdefender, Avast, etc., detect it? You cannot say that it is a false positive for all of them; that cannot happen at all. It could be that one, but not the majority of them, especially the well-known vendors.


@Marcos there is no hard and fast rule in this; you just have to share the hashes internally. That is not at all difficult; it's just a matter of 2-3 clicks for you.


Like the one in this:

You told the user the false positive has been fixed. How much time did it take for you to get this checked (if so)?


On 9/5/2024 at 5:49 AM, hellosky11 said:

Also, more Python ransomware:

4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da

9f5a4f509412cf1408a33f2586c244cb8be13726eb07491ee633e154a9dade42

18e2795030fff749990c8264aab46a0f026074e46cf9de02467da1a090149986

8a2f2dcdf0a2f4b3bf2c7ac94205e769dfcdb7c161df5a8d9df52935dbaeb936

7c0091c346271f9ab0e66e1ea79f8a1bdab786a84a4c3dd0240002e3a76156cc

Eset now detects these at VirusTotal. They are all DedSec test/demo ransomware or variants of it.

3 hours ago, hellosky11 said:

Well, the hashes were also sent to VirusTotal. How did vendors like Kaspersky, Bitdefender, Avast, etc., detect it?

Assume they are detecting by behavior, e.g. file encryption activities, and that feature has been included in the versions they use at VirusTotal. Whether Eset's ransomware shield protection would have done the same can only be verified by actually running these samples on your test device, since the feature is not deployed in the VirusTotal version.


4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da

This is yet to be detected; the latest test results show that Kaspersky has also started detecting the hash as ransomware.


1 hour ago, hellosky11 said:

4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da

This is yet to be detected; the latest test results show that Kaspersky has also started detecting the hash as ransomware.

Strange. It was detected by Eset earlier this morning at VT when I checked. Now it is not.

Eset now blocks the source domain, https://github.com/0xbitx/DEDSEC_RANSOMWARE . It appears they feel that is sufficient.

Edited by itman