Administrators Marcos 5,257 Posted September 6 Administrators Share Posted September 6 1 hour ago, hellosky11 said: 4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da This is yet to be detected; the latest test results show that Kaspersky has also started detecting the hash as ransomware We'll add a detection as it's a kind of POC but not actual ransomware that poses a threat to users. Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 6 Share Posted September 6 (edited) 1 hour ago, Marcos said: We'll add a detection as it's a kind of POC but not actual ransomware that poses a threat to users. There is a Windows version of this bugger; why am I not surprised, that is malicious. It also uses PyInstaller to run Python. Hopefully, the script detection's created by Eset will cover this variant. However since the Windows version is written in Python, this might not be the case; Quote Twitter/X user @siri_urz first unveiled DEDSEC. However, it appears that this ransomware was created by GitHub user 0xbitx - who claims to reside in the Sichuan province of China - at least a month before its discovery. It also appears that the version here is a bit different than the version posted on the user's GitHub repository, but the only difference seems to be subtle nuances in the ransom note and the operating system they target. This one targets Windows, while the version posted on GitHub targets Linux. Nevertheless, this ransomware is considered crypto-ransomware and FOSS because it encrypts files and is readily available on GitHub, respectively. The Windows version is written in Python and bundled with PyInstaller. We were able to partially reverse the sample and determine it uses symmetric cryptography, believed to be AES. However, we couldn't determine the bit size of the algorithm. https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dedsec -EDIT- I just checked VT and Eset does not have a sig. for it: https://www.virustotal.com/gui/file/a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f?nocache=1 Edited September 6 by itman Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 6 Author Share Posted September 6 2 hours ago, itman said: Strange. It was detected by Eset earlier this morning at VT when I checked. Now it is not. Eset now blocks the source domain, https://github.com/0xbitx/DEDSEC_RANSOMWARE . Appears they feel that is sufficient. maybe @Marcoscan get it checked for us. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 7 Author Share Posted September 7 20 hours ago, itman said: There is a Windows version of this bugger; why am I not surprised, that is malicious. It also uses PyInstaller to run Python. Hopefully, the script detection's created by Eset will cover this variant. However since the Windows version is written in Python, this might not be the case; https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dedsec -EDIT- I just checked VT and Eset does not have a sig. for it: https://www.virustotal.com/gui/file/a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f?nocache=1 Hi, did you send it to malware researchers? Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 7 Share Posted September 7 2 hours ago, hellosky11 said: Hi, did you send it to malware researchers? Here's the story on this Windows version of DEDSEC ransomware that VT shows as not detected by Eset. I found the sample on a malware share and downloaded it. Upon file creation, Eset detected and deleted it; Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here 9/7/2024 2:59:14 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM A great example of why you can't trust what is shown at VT as to if Eset detects the malware. I am a bit disappointed however since I wanted to use this to test Eset's ransomware shield protection. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 7 Author Share Posted September 7 26 minutes ago, itman said: Here's the story on this Windows version of DEDSEC ransomware that VT shows as not detected by Eset. I found the sample on a malware share and downloaded it. Upon file creation, Eset detected and deleted it; Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here 9/7/2024 2:59:14 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM A great example of why you can't trust what is shown at VT as to if Eset detects the malware. I am a bit disappointed however since I wanted to use this to test Eset's ransomware shield protection. as checked, eset detects it on virustotal too Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 7 Author Share Posted September 7 its been 2 days sending phihing link to eset, but guess what no detection https://ik.imagekit.io/b4qwhuqle/FortniteVbucks.html?updatedAt=1716315459700 i fear if eset malware research team are even recieving my email ?? Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 7 Author Share Posted September 7 trust me, if ever eset would have replied back, but no, despite sending follow up also, nooooooooooo, that is why i said marcos to remove the follow up section part from the link Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 9 Author Share Posted September 9 anyone to answer the reason behind this, @Marcoswhat do you have to say about this Link to comment Share on other sites More sharing options...
IvanL_5306 1 Posted September 9 Share Posted September 9 https://www.virustotal.com/gui/file/c795b9d60652428e17659c318a77f7cd571071ac6b2104896683351a6e57b014 https://www.virustotal.com/gui/file/3a042c0f373e48523760be41a0eebe51410a598641777c7ae4295b4f2e0cc185 https://www.virustotal.com/gui/file/1bd590fadc42d055443cd3b7e81bdd0cdb1baf7625c3835526b92791bb3c31f8 https://www.virustotal.com/gui/file/171d37105e828ee641b0e6a386dd3fb131857ac9b3ba0246566bc4b0f78d7752 https://www.virustotal.com/gui/file/bf8988e79276f5f1d472d3554dcd48d87c24180be6b4b117a0c56146698b9f64 New variants of malicious DLLs used for side-loading. How to reproduce its malicious behavior can be obtained from [TRACK#66DC71A302C6]. Link to comment Share on other sites More sharing options...
IvanL_5306 1 Posted September 9 Share Posted September 9 3 hours ago, hellosky11 said: anyone to answer the reason behind this, @Marcoswhat do you have to say about this Just keep posting at the forum. They will do the rest. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 9 Author Share Posted September 9 "It's not like this, mate. It's forcefully creating a fight. This has to be a normal conversation; a normal conversation is better than a forced one. I know Marcos will look into this and take the necessary steps. Well, let's keep the original way. Instead of sending samples to the malware research team, if you need a reply, you can simply send the same thing to support and share it with them. Ultimately, the support staff will have to get back to you with an answer because they cannot close your ticket without it. I know sometimes the support staff also waits for a reply from the malware research team, but in this case, you are sure that the support staff cannot close your ticket until your query is resolved. That being said, since we know Marcos is checking on this and even if the malware research team does not respond back despite the ESET article stating to drop a follow-up email, if the malware research team does not respond... Now, in the support section, you can easily see that there is a section related to malware. You can create unlimited tickets there, but they cannot close your ticket until you are satisfied with a reply. So, if no one is helping, you will have to approach support and potentially increase their workload." Link to comment Share on other sites More sharing options...
sesk 23 Posted September 9 Share Posted September 9 somebody does not get the love he deserves. Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 9 Author Share Posted September 9 10 minutes ago, sesk said: somebody does not get the love he deserves. should i laugh at your replies! Link to comment Share on other sites More sharing options...
hellosky11 1 Posted September 9 Author Share Posted September 9 (edited) @Marcoskindly close this post, as don't want other people to reply to this post again! Edited September 9 by hellosky11 Link to comment Share on other sites More sharing options...
Administrators Marcos 5,257 Posted September 9 Administrators Share Posted September 9 Since the discussion has gone astray, we'll draw it to a close. Also a post above claims that we treat test results of AV-Comparatives and AV-Test fake which is absolutely not true and the results are respected as long as tests adhere to the standards of AV testing created by AMTSO. I kindly remind you how samples are supposed to be submitted: How to submit Suspicious file to ESET Research Lab via program GUI. Also it is up to the detection engineers to decide what is subject to detection and what is clean or grey and what samples have higher priorities than others or vice-versa. You assure you that it is our priority to protect our users from actual threats but detection of PoCs or programs that do not pose actual risk to users can be treated with lower priority than actual threats. Link to comment Share on other sites More sharing options...
Recommended Posts