Marcos (Administrators), posted September 6, 2024
1 hour ago, hellosky11 said:
4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da This is yet to be detected; the latest test results show that Kaspersky has also started detecting the hash as ransomware.
We'll add a detection as it's a kind of POC but not actual ransomware that poses a threat to users.
itman, posted September 6, 2024 (edited)
1 hour ago, Marcos said:
We'll add a detection as it's a kind of POC but not actual ransomware that poses a threat to users.
There is a Windows version of this bugger; why am I not surprised, that is malicious. It also uses PyInstaller to run Python. Hopefully, the script detections created by Eset will cover this variant. However, since the Windows version is written in Python, this might not be the case:
Quote:
Twitter/X user @siri_urz first unveiled DEDSEC. However, it appears that this ransomware was created by GitHub user 0xbitx - who claims to reside in the Sichuan province of China - at least a month before its discovery. It also appears that the version here is a bit different than the version posted on the user's GitHub repository, but the only difference seems to be subtle nuances in the ransom note and the operating system they target. This one targets Windows, while the version posted on GitHub targets Linux. Nevertheless, this ransomware is considered crypto-ransomware and FOSS because it encrypts files and is readily available on GitHub, respectively. The Windows version is written in Python and bundled with PyInstaller. We were able to partially reverse the sample and determine it uses symmetric cryptography, believed to be AES. However, we couldn't determine the bit size of the algorithm.
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dedsec
-EDIT- I just checked VT and Eset does not have a sig. for it: https://www.virustotal.com/gui/file/a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f?nocache=1
Edited September 6, 2024 by itman
Guest, posted September 6, 2024
2 hours ago, itman said:
Strange. It was detected by Eset earlier this morning at VT when I checked. Now it is not. Eset now blocks the source domain, https://github.com/0xbitx/DEDSEC_RANSOMWARE . Appears they feel that is sufficient.
Maybe @Marcos can get it checked for us.
Guest, posted September 7, 2024
20 hours ago, itman said:
There is a Windows version of this bugger; why am I not surprised, that is malicious. It also uses PyInstaller to run Python. Hopefully, the script detections created by Eset will cover this variant. However, since the Windows version is written in Python, this might not be the case: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dedsec -EDIT- I just checked VT and Eset does not have a sig. for it: https://www.virustotal.com/gui/file/a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f?nocache=1
Hi, did you send it to malware researchers?
itman, posted September 7, 2024
2 hours ago, hellosky11 said:
Hi, did you send it to malware researchers?
Here's the story on this Windows version of DEDSEC ransomware that VT shows as not detected by Eset. I found the sample on a malware share and downloaded it. Upon file creation, Eset detected and deleted it:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/7/2024 2:59:14 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM
A great example of why you can't trust what is shown at VT as to whether Eset detects the malware. I am a bit disappointed, however, since I wanted to use this to test Eset's ransomware shield protection.
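The detection export quoted in the post above is a semicolon-separated table with a header row, and its Information field carries the process that wrote the file together with that process's SHA-1. As an added example (not code from the thread or from ESET), here is a small Python parser for that layout that pulls out the parent process and looks a sample up by the SHA-256 in its file name, which is the local check that settles a "VT says undetected" question; the field names are those of the quoted export, the record is the one from the post, and the unknown-hash lookup is a constructed case.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample export in the semicolon-separated layout quoted in the thread
# (header row first). The single record is the one itman posted.
SAMPLE_LOG = "\n".join([
    "Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here",
    "9/7/2024 2:59:14 PM;Real-time file system protection;file;"
    "C:\\Users\\xxxxxx\\Downloads\\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;"
    "Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;"
    "Event occurred on a new file created by the application: "
    "C:\\Program Files\\7-Zip\\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;"
    "02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM",
])

# The Information field names the creating process and its SHA-1 in parentheses.
PARENT_RE = re.compile(r"created by the application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

@dataclass
class Detection:
    time: str
    scanner: str
    object_path: str
    detection: str
    action: str
    sha1: str                      # SHA-1 of the detected object, as exported
    parent_path: Optional[str]     # process that wrote the file, if recorded
    parent_sha1: Optional[str]

    @property
    def object_sha256(self) -> Optional[str]:
        """SHA-256 when the file name is a bare hash, as with samples pulled from a share."""
        name = self.object_path.replace("\\", "/").rsplit("/", 1)[-1]
        return name.lower() if SHA256_RE.fullmatch(name) else None

def parse_eset_detections(text: str) -> List[Detection]:
    """Parse the semicolon-delimited export; the header row supplies the column names."""
    rows = csv.DictReader(io.StringIO(text), delimiter=";")
    out = []
    for row in rows:
        m = PARENT_RE.search(row["Information"])
        out.append(Detection(
            time=row["Time"], scanner=row["Scanner"], object_path=row["Object"],
            detection=row["Detection"], action=row["Action"], sha1=row["Hash"].upper(),
            parent_path=m["path"] if m else None,
            parent_sha1=m["sha1"].upper() if m else None))
    return out

def find_by_sha256(dets: List[Detection], sha256: str) -> Optional[Detection]:
    """Local answer to 'does ESET detect this hash?': the log entry for that sample, or None."""
    return next((d for d in dets if d.object_sha256 == sha256.lower()), None)
```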
Guest, posted September 7, 2024
26 minutes ago, itman said:
Here's the story on this Windows version of DEDSEC ransomware that VT shows as not detected by Eset. I found the sample on a malware share and downloaded it. Upon file creation, Eset detected and deleted it:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/7/2024 2:59:14 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM
A great example of why you can't trust what is shown at VT as to whether Eset detects the malware. I am a bit disappointed, however, since I wanted to use this to test Eset's ransomware shield protection.
As checked, Eset detects it on VirusTotal too.
Guest, posted September 7, 2024
It's been 2 days since sending a phishing link to Eset, but guess what, no detection: https://ik.imagekit.io/b4qwhuqle/FortniteVbucks.html?updatedAt=1716315459700 I fear the Eset malware research team are not even receiving my email??
Guest, posted September 7, 2024
Trust me, if ever Eset would have replied back, but no, despite sending a follow-up also, nooooooooooo, that is why I asked Marcos to remove the follow-up section part from the link.
Guest, posted September 9, 2024
Anyone to answer the reason behind this? @Marcos, what do you have to say about this?
IvanL_5306, posted September 9, 2024
https://www.virustotal.com/gui/file/c795b9d60652428e17659c318a77f7cd571071ac6b2104896683351a6e57b014
https://www.virustotal.com/gui/file/3a042c0f373e48523760be41a0eebe51410a598641777c7ae4295b4f2e0cc185
https://www.virustotal.com/gui/file/1bd590fadc42d055443cd3b7e81bdd0cdb1baf7625c3835526b92791bb3c31f8
https://www.virustotal.com/gui/file/171d37105e828ee641b0e6a386dd3fb131857ac9b3ba0246566bc4b0f78d7752
https://www.virustotal.com/gui/file/bf8988e79276f5f1d472d3554dcd48d87c24180be6b4b117a0c56146698b9f64
New variants of malicious DLLs used for side-loading. How to reproduce their malicious behavior can be obtained from [TRACK#66DC71A302C6].
IvanL_5306, posted September 9, 2024
3 hours ago, hellosky11 said:
Anyone to answer the reason behind this? @Marcos, what do you have to say about this?
Just keep posting at the forum. They will do the rest.
Guest, posted September 9, 2024
"It's not like this, mate. It's forcefully creating a fight. This has to be a normal conversation; a normal conversation is better than a forced one. I know Marcos will look into this and take the necessary steps. Well, let's keep the original way. Instead of sending samples to the malware research team, if you need a reply, you can simply send the same thing to support and share it with them. Ultimately, the support staff will have to get back to you with an answer because they cannot close your ticket without it. I know sometimes the support staff also waits for a reply from the malware research team, but in this case, you are sure that the support staff cannot close your ticket until your query is resolved. That being said, since we know Marcos is checking on this and even if the malware research team does not respond back despite the ESET article stating to drop a follow-up email, if the malware research team does not respond... Now, in the support section, you can easily see that there is a section related to malware. You can create unlimited tickets there, but they cannot close your ticket until you are satisfied with a reply. So, if no one is helping, you will have to approach support and potentially increase their workload."
sesk, posted September 9, 2024
Somebody does not get the love he deserves.
Guest, posted September 9, 2024
10 minutes ago, sesk said:
Somebody does not get the love he deserves.
Should I laugh at your replies!
Guest, posted September 9, 2024 (edited)
@Marcos, kindly close this post, as I don't want other people to reply to this post again!
Edited September 9, 2024 by hellosky11
Marcos (Administrators), posted September 9, 2024
Since the discussion has gone astray, we'll draw it to a close. Also, a post above claims that we treat the test results of AV-Comparatives and AV-Test as fake, which is absolutely not true; the results are respected as long as the tests adhere to the standards of AV testing created by AMTSO. I kindly remind you how samples are supposed to be submitted: How to submit a suspicious file to ESET Research Lab via the program GUI. Also, it is up to the detection engineers to decide what is subject to detection and what is clean or grey, and which samples have higher priority than others or vice versa. I assure you that it is our priority to protect our users from actual threats, but detection of PoCs or programs that do not pose an actual risk to users can be treated with lower priority than actual threats.