
malware hashes


Solved by Marcos

  • Administrators
1 hour ago, hellosky11 said:

4b5ee9f735a16ba089175f1e98dbb0916ccc74af40b92ba16b8485d77c5096da

This is yet to be detected; the latest test results show that Kaspersky has also started detecting the hash as ransomware.

We'll add a detection as it's a kind of POC but not actual ransomware that poses a threat to users.

 


1 hour ago, Marcos said:

We'll add a detection as it's a kind of POC but not actual ransomware that poses a threat to users.

There is a Windows version of this bugger; why am I not surprised? That one is malicious. It also uses PyInstaller to run Python. Hopefully, the script detections created by Eset will cover this variant. However, since the Windows version is written in Python, this might not be the case:

Quote

Twitter/X user @siri_urz first unveiled DEDSEC. However, it appears that this ransomware was created by GitHub user 0xbitx - who claims to reside in the Sichuan province of China - at least a month before its discovery. It also appears that the version here is a bit different than the version posted on the user's GitHub repository, but the only difference seems to be subtle nuances in the ransom note and the operating system they target. This one targets Windows, while the version posted on GitHub targets Linux. Nevertheless, this ransomware is considered crypto-ransomware and FOSS because it encrypts files and is readily available on GitHub, respectively. The Windows version is written in Python and bundled with PyInstaller. We were able to partially reverse the sample and determine it uses symmetric cryptography, believed to be AES. However, we couldn't determine the bit size of the algorithm.

https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dedsec

-EDIT- I just checked VT and Eset does not have a sig. for it: https://www.virustotal.com/gui/file/a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f?nocache=1

Edited by itman

20 hours ago, itman said:

There is a Windows version of this bugger; why am I not surprised? That one is malicious. It also uses PyInstaller to run Python. Hopefully, the script detections created by Eset will cover this variant. However, since the Windows version is written in Python, this might not be the case:

https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dedsec

-EDIT- I just checked VT and Eset does not have a sig. for it: https://www.virustotal.com/gui/file/a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f?nocache=1

Hi, did you send it to malware researchers?


2 hours ago, hellosky11 said:

Hi, did you send it to malware researchers?

Here's the story on this Windows version of DEDSEC ransomware that VT shows as not detected by Eset.

I found the sample on a malware share and downloaded it. Upon file creation, Eset detected and deleted it:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/7/2024 2:59:14 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM

A great example of why you can't trust what is shown at VT as to whether Eset detects the malware.

I am a bit disappointed, however, since I wanted to use this to test Eset's ransomware shield protection.

 

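The log pasted in the post above is ESET's semicolon-separated Detections export. When a detection like this lands, a responder usually wants the same handful of things out of it: the detection name and action, the file hash (a SHA-1 in the Hash column), the process that wrote the file and its hash, and how long the file existed before the real-time scanner removed it. The Python below is an added example for this thread, not ESET's code and not posted by anyone here; it assumes only the column layout shown in that export and US-locale timestamps, and it embeds the pasted row as constructed sample input.

```python
"""Parse an ESET 'Detections' log export (semicolon-separated, header row first)
and derive the fields a responder wants. Added example; assumes the column layout
pasted in the thread above and US-locale timestamps ("9/7/2024 2:59:14 PM")."""
import csv
import io
import re
from datetime import datetime

# Constructed sample input: the header and the single row pasted in the thread
# (user name and path already redacted by the poster).
SAMPLE_LOG = (
    "Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here\n"
    "9/7/2024 2:59:14 PM;Real-time file system protection;file;"
    "C:\\Users\\xxxxxx\\Downloads\\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;"
    "Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;"
    "Event occurred on a new file created by the application: "
    "C:\\Program Files\\7-Zip\\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;"
    "02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM\n"
)

ESET_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"
# The Information column names the creating process with its SHA-1 in parentheses.
PARENT_RE = re.compile(r"application:\s*(?P<path>.+?)\s*\((?P<sha1>[0-9A-Fa-f]{40})\)")
# Any bare md5/sha1/sha256-length hex token, longest alternative first.
ANY_HASH_RE = re.compile(r"\b(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})\b")


def hash_kind(value):
    """Classify a hex digest by its length; None if it is not a bare md5/sha1/sha256."""
    value = value.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))


def parse_eset_detections(text):
    """Return one dict per row: the raw columns plus derived, normalised fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        detected_at = datetime.strptime(row["Time"], ESET_TIME_FORMAT)
        first_seen = datetime.strptime(row["First seen here"], ESET_TIME_FORMAT)
        # Object is a Windows path; the last component is the file name.
        object_name = row["Object"].rsplit("\\", 1)[-1]
        parent = PARENT_RE.search(row["Information"])
        rows.append({
            **row,
            "detected_at": detected_at,
            # How long the file sat on disk before the real-time scanner acted.
            "seconds_to_detection": (detected_at - first_seen).total_seconds(),
            "object_name": object_name,
            # Samples from sharing sites are usually named by SHA-256; record when that holds.
            "object_name_hash_kind": hash_kind(object_name),
            "file_hash": row["Hash"].lower(),
            "file_hash_kind": hash_kind(row["Hash"]),
            "parent_process": parent.group("path") if parent else None,
            "parent_hash": parent.group("sha1").lower() if parent else None,
        })
    return rows


def collect_hashes(rows):
    """Every hash-looking token in every column, lower-cased, ready for a blocklist or lookup."""
    found = set()
    for row in rows:
        for value in row.values():
            if isinstance(value, str):
                found.update(h.lower() for h in ANY_HASH_RE.findall(value))
    return found


if __name__ == "__main__":
    parsed = parse_eset_detections(SAMPLE_LOG)
    for r in parsed:
        print(f"{r['Detection']}: {r['Action']} after {r['seconds_to_detection']:.0f}s; "
              f"file {r['file_hash_kind']}={r['file_hash']}; "
              f"written by {r['parent_process']} ({r['parent_hash']})")
    print(sorted(collect_hashes(parsed)))
```

Run against the pasted row, it reports the 17-second gap between first-seen and detection, that the file name is a SHA-256 while the Hash column is a SHA-1 (so the two cannot be compared directly, which matters when reconciling against a VirusTotal page keyed by SHA-256), and that the writer was 7-Zip, i.e. the archive extraction itself triggered the real-time scan.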

26 minutes ago, itman said:

Here's the story on this Windows version of DEDSEC ransomware that VT shows as not detected by Eset.

I found the sample on a malware share and downloaded it. Upon file creation, Eset detected and deleted it:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/7/2024 2:59:14 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\a19656adec64b83834cb95a9007cf102bc7cce24d513e9d5b8b1ac4dd7aa926f;Python/Filecoder.AJG trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;02B9AB6F81EB119209D5D1AA4B5DA49921D68FD9;9/7/2024 2:58:57 PM

A great example of why you can't trust what is shown at VT as to whether Eset detects the malware.

I am a bit disappointed, however, since I wanted to use this to test Eset's ransomware shield protection.

 

As checked, Eset detects it on VirusTotal too.

[attached screenshot]


It's been 2 days since sending the phishing link to Eset, but guess what, no detection.

https://ik.imagekit.io/b4qwhuqle/FortniteVbucks.html?updatedAt=1716315459700

I fear that the Eset malware research team is not even receiving my email??

 


Trust me, if only Eset would have replied back, but no, despite sending a follow-up also, nooooooooooo. That is why I told Marcos to remove the follow-up section part from the link.

[attached screenshot]


3 hours ago, hellosky11 said:

Anyone to answer the reason behind this? @Marcos, what do you have to say about this?

Just keep posting at the forum. They will do the rest.


"It's not like this, mate. It's forcefully creating a fight. This has to be a normal conversation; a normal conversation is better than a forced one. I know Marcos will look into this and take the necessary steps. Well, let's keep the original way. Instead of sending samples to the malware research team, if you need a reply, you can simply send the same thing to support and share it with them. Ultimately, the support staff will have to get back to you with an answer because they cannot close your ticket without it. I know sometimes the support staff also waits for a reply from the malware research team, but in this case, you are sure that the support staff cannot close your ticket until your query is resolved.

That being said, since we know Marcos is checking on this and even if the malware research team does not respond back despite the ESET article stating to drop a follow-up email, if the malware research team does not respond...

Now, in the support section, you can easily see that there is a section related to malware. You can create unlimited tickets there, but they cannot close your ticket until you are satisfied with a reply. So, if no one is helping, you will have to approach support and potentially increase their workload."


  • Administrators

Since the discussion has gone astray, we'll draw it to a close. Also, a post above claims that we treat the test results of AV-Comparatives and AV-Test as fake, which is absolutely not true; the results are respected as long as the tests adhere to the standards of AV testing created by AMTSO.

I kindly remind you how samples are supposed to be submitted: How to submit Suspicious file to ESET Research Lab via program GUI.

Also, it is up to the detection engineers to decide what is subject to detection and what is clean or grey, and which samples have higher priority than others or vice versa. I assure you that it is our priority to protect our users from actual threats, but detection of PoCs or programs that do not pose an actual risk to users can be treated with lower priority than actual threats.


Marcos locked this topic.
This topic is now closed to further replies.