koza4ok, posted October 10 (edited):
After the first run, it is placed in autostart; when the system reboots, it opens a QEMU window with the title “deSecurity_test”. This virus can get onto the computer without user involvement; presumably it is a vulnerability that has full access to Windows.
Attachment: UNREGONIZED_VIRUS.zip
Marcos (Administrator), posted October 10:
Please provide logs collected with ESET Log Collector.
koza4ok (author), posted October 10:
15 minutes ago, Marcos said: “Please provide logs collected with ESET Log Collector.”
I would like to add a note: I tested this virus on an Oracle VM VirtualBox virtual machine for security purposes. This virus will create a second explorer.exe file, located in c:\windows\syswow64, where it cannot be in a default system. I will block its network access through Windows Firewall. And, presumably, this virus creates a second, fake cmd and powershell file, and these files will be located in the syswow64 folder too.
Attachment: ELC_logs.zip
Marcos (Administrator), posted October 10:
ESET is not installed on the machine. For an unknown reason the installer was unable to connect to the download server: Failed to connect to server. Error: 0x8007043C
You might need to boot from a 100% clean drive and then run a full disk scan.
koza4ok (author), posted October 10:
I understand, but I would like you to analyze this virus if possible. Especially, if you upload these files to VirusTotal, they are not detected by any antivirus.
Marcos (Administrator), posted October 10:
5 minutes ago, koza4ok said: “especially if you upload these files to virustotal, they are not detected by any antivirus.”
What files are you referring to? Please provide a link to VT results. The files in your initial post are clean. There are 2 obfuscated data files which look like a part of a NSIS Injector but they alone do not pose any risk.
koza4ok (author), posted October 10:
https://www.virustotal.com/gui/file/0f4f0b0fe0f664e38df5d92d323d39cd75645d5003b4f90b62576d0e7fee4395?nocache=1
In this test I analyzed the zip archive in which the virus itself is located; I can analyze all the files individually if necessary.
Attachment: UNREGONIZED_VIRUS.zip
koza4ok (author), posted October 10:
So that you understand me exactly: try to run this file and see what happens to the system, looking for example through the program System Informer; and when you delete the two obfuscated files, the virus does not work correctly.
itman, posted October 10 (edited):
1 hour ago, koza4ok said: “https://www.virustotal.com/gui/file/0f4f0b0fe0f664e38df5d92d323d39cd75645d5003b4f90b62576d0e7fee4395?nocache=1”
Refer to VT Behavior Analysis. The sandbox detects it as malicious, i.e. YARA rule detection for RemcosRAT:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Remcos 3.x/4.x TLS Connection"; flow:established,to_server; ja3.hash; content:"a85be79f7b569f1df5e6087b69deb493"; classtype:command-and-control; sid:2036594; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, malware_family Remcos, confidence High, signature_severity Major, updated_at 2023_10_19;)
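The rule itman quotes matches on the client's JA3 TLS fingerprint. To show what that detection actually does, here is an added example (my code, not itman's or ESET's) that pulls the sid, message and hash out of the rule text and runs the same comparison over a few constructed Suricata EVE-style TLS records. The log lines, IP addresses and SNI names are invented for the demo; only the rule text comes from the thread.

```python
import json
import re

# The Emerging Threats rule quoted in the post above, copied from the page
# (metadata keyword trimmed; it does not affect matching).
ET_RULE = (
    'alert tls $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET JA3 Hash - Remcos 3.x/4.x TLS Connection"; '
    'flow:established,to_server; ja3.hash; '
    'content:"a85be79f7b569f1df5e6087b69deb493"; '
    'classtype:command-and-control; sid:2036594; rev:1;)'
)


def parse_ja3_rule(rule):
    """Extract (sid, msg, ja3_hash) from a rule built on the ja3.hash sticky buffer.

    The content keyword that directly follows 'ja3.hash;' is the fingerprint the
    rule compares against the client's JA3 hash.
    """
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    sid = int(re.search(r'\bsid:(\d+);', rule).group(1))
    match = re.search(r'ja3\.hash;\s*content:"([0-9a-fA-F]{32})"', rule)
    if match is None:
        raise ValueError("rule does not match on ja3.hash")
    return sid, msg, match.group(1).lower()


# Constructed Suricata EVE-style TLS records for the demo; not real traffic.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10",
                "dest_port": 443, "tls": {"sni": "update.example",
                "ja3": {"hash": "A85BE79F7B569F1DF5E6087B69DEB493"}}}),
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.6", "dest_ip": "198.51.100.7",
                "dest_port": 443, "tls": {"sni": "www.example.org",
                "ja3": {"hash": "0000000000000000000000000000dead"}}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10"}),
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.7", "dest_ip": "192.0.2.9",
                "tls": {"sni": "no-ja3.example"}}),  # older sensor, no JA3 field
    "this line is not JSON",
]


def match_ja3(lines, rule):
    """Return one hit per TLS record whose client JA3 hash equals the rule's hash."""
    sid, msg, wanted = parse_ja3_rule(rule)
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip corrupt / non-JSON lines
        if rec.get("event_type") != "tls":
            continue
        tls = rec.get("tls", {})
        ja3 = tls.get("ja3", {}).get("hash", "")
        if ja3.lower() == wanted:         # JA3 hashes are hex; compare case-insensitively
            hits.append({"sid": sid, "msg": msg, "src_ip": rec.get("src_ip"),
                         "dest_ip": rec.get("dest_ip"), "sni": tls.get("sni")})
    return hits


if __name__ == "__main__":
    for hit in match_ja3(SAMPLE_EVE_LINES, ET_RULE):
        print(hit)
```

A JA3 hash identifies the TLS client stack, not the binary, so a hit is a strong lead for triage rather than proof on its own; the source host in the hit is where to pull the process and persistence evidence from.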
itman, posted October 10:
Also of note is that many AVs won't detect anything in this archive until its contents have been extracted. You need to extract its file contents and see if whatever AV you have installed detects any malware within the archive contents.
koza4ok (author), posted October 10:
The problem is that this virus got onto the computer by itself; secondly, I checked the files separately, not in the archive, and they were still not detected.
Marcos (Administrator), posted October 10:
There's a patched dll that exploits dll side-loading. It will be detected as Win64/Agent.ERF trojan.
itman, posted October 10 (edited):
4 hours ago, koza4ok said: “The problem is that this virus got on the computer by itself, secondly I checked the files and not in the archive separately, still was not detected.”
My guess is this app installer dialed out to the attacker's C&C server, downloaded the malicious .dll and dropped it in the directory where the app is installed. Windows, via its since-day-one vulnerable .dll side-loading feature, will search the directory where the app is installed first with regard to .dll loading.
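Marcos and itman describe the mechanism: a DLL placed in the application's own directory is found before the system copy, so a "patched" DLL with a well-known name gets loaded by a legitimate program. The following is an added example (my code, not ESET's or anyone's in the thread) of the check a responder would run over an install directory: list every DLL there whose name also exists in a system directory, and record whether its bytes differ from the system copy. The demo builds a constructed temp-directory layout with hypothetical file names so it runs anywhere; on a real Windows host you would point it at the program's folder and at System32/SysWOW64.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(app_dir, system_dirs):
    """Flag DLLs in app_dir that share a file name with a DLL in a system directory.

    The loader searches the application's own directory before the system
    directories, so a same-named DLL placed there wins. Each finding records
    whether the bytes match the system copy; a mismatch is what a "patched"
    DLL dropped next to the application looks like.
    """
    findings = []
    for entry in sorted(os.listdir(app_dir)):
        if not entry.lower().endswith(".dll"):
            continue
        app_dll = Path(app_dir) / entry
        for sysdir in system_dirs:
            # Constructed demo uses lowercase names; NTFS lookups are case-insensitive anyway.
            sys_dll = Path(sysdir) / entry.lower()
            if sys_dll.is_file():
                findings.append({
                    "dll": str(app_dll),
                    "shadows": str(sys_dll),
                    "same_bytes": sha256_of(app_dll) == sha256_of(sys_dll),
                })
                break
    return findings


def demo():
    """Constructed layout in a temp dir: a fake system directory with two DLLs,
    and an application directory that ships a modified copy of one of them plus
    a DLL of its own. Hypothetical names; nothing here is from the thread."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    sysdir, appdir = root / "system32", root / "app"
    sysdir.mkdir()
    appdir.mkdir()
    (sysdir / "shared_sys.dll").write_bytes(b"MZ-genuine-system-library")
    (sysdir / "other_sys.dll").write_bytes(b"MZ-another-system-library")
    (appdir / "shared_sys.dll").write_bytes(b"MZ-patched-copy-with-extra-code")
    (appdir / "app_private.dll").write_bytes(b"MZ-the-apps-own-library")
    (appdir / "readme.txt").write_bytes(b"not a dll")
    return find_sideload_candidates(appdir, [sysdir])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A same-bytes finding is usually just a redistributed runtime and is low priority; a differing copy deserves an Authenticode signature check and a hash lookup before anything else, since that is the shape of the side-loaded DLL Marcos identified. The scan reports candidates, not verdicts.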