Aura

Aura Malware Submissions

638 posts in this topic

Hi everyone :)

I guess that this will be my submissions thread. Starting off with some samples I recovered from an infected laptop at work today. There are 5 files that aren't detected by Emsisoft. Here are their VirusTotal reports:


https://www.virustotal.com/fr/file/aa2a2e64956841e7e57e01294dd0a99c55ac69f9e818e724da1f10cf6ed0d6b1/analysis/1429736773/

https://www.virustotal.com/fr/file/0f1719023f7abfc875901c0f9aaed836a70dcca8f0d216793f1b3893e53ba8f5/analysis/1429736791/

https://www.virustotal.com/fr/file/3a37b9f112a3724af96e25b0cc0a0a19d70dedf7436ed73d9e25aa541fe22f10/analysis/1429736806/

https://www.virustotal.com/fr/file/e39fe46bd0881ae4e42ebde06a2623ffbe6d24d7a581efaab55dabeaa0a54e15/analysis/1429736842/

https://www.virustotal.com/fr/file/a8cd2b8386813077549e98d54440961fdea2eda40a4a31ed36751d9f5d28f45f/analysis/1429736862/


I also submit samples to Malwarebytes, so now I'll start comparing all the samples I get against both Emsisoft and Malwarebytes and submit undetected samples to both companies. 


Have fun! :)


Additional sample from the same laptop as yesterday where I got the 5 samples above. Comes from C:\Program Files (x86)\Windows Audio\R1. The Netclean.exe executable file is flagged by Emsisoft, but not the AudioSrv.exe one. I include them both in case you need the detected one for comparison purposes.

AudioSrv.exe: https://www.virustotal.com/fr/file/c509e9c9dd004b936c289607da1add8c2efce767f92667758cf5c312e7ee6083/analysis/1429817314/ - Not detected

Netclean.exe: https://www.virustotal.com/fr/file/489985dd0f562d527a86cbac4f086fe17900f35e98a7645348c8cb05d85f50cd/analysis/1429817321/ - Detected


Thank you for your submission. I will look into it as soon as possible.


As a follow-up, netclean.exe was a false-positive detection. Bitdefender just confirmed it has been fixed; neither file is malicious.


Thank you for your submission. I will look into it as soon as possible.


File was found in:

C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}

CLSID matches the one in this article:

http://research.zscaler.com/2015/01/malvertising-leading-to-flash-zero-day.html

Sample was uploaded for the first time to VirusTotal by me.

https://www.virustotal.com/fr/file/8e96368f7cc33620f70563e6f943cef77589004eb8383a36b90e3468b4c2f8ec/analysis/1431013397/


Thank you for your submission. I will look into it as soon as possible.


Thank you for your submission. I will look into it as soon as possible.


This isn't an upload, but I thought you guys would be interested in it since you follow Cryptoware activity a lot.

This thread got posted on Malwarebytes Forums around an hour ago.

https://forums.malwarebytes.org/index.php?/topic/168251-malwarebytes-beats-hitmanpro-alert-on-its-own-game/

I asked him to upload the sample and PM it to me; instead, he found the upload on malwr.com, which allows you to download the sample.

https://malwr.com/analysis/ZDE4NWQ5ZDA3NzZhNDI0Y2JiZmFmMWFhYTZkMGEyMGI/

Looks like TeslaCrypt or Alpha Crypt.

Edit: I forgot to add, he posted a VirusTotal link of the sample in the OP, and Emsisoft doesn't detect it, which is why I'm reporting it here.


Thank you for your submission. I will look into it as soon as possible.


One sample. Found in C:\Users\$USERNAME\AppData\Roaming\plesome. Contains two files, enat.dll and oftuget.dll. Only the second one is detected by Emsisoft, not the first one.

enat.dll: https://www.virustotal.com/sv/file/aae5c81c88fe771e94dd131c03889d83abf1d03a6c75efcf68505ae5c3094f57/analysis/1431358400/ - Not detected

oftuget.dll: https://www.virustotal.com/sv/file/be521712708e258efd3ceaa068202e2eee312f25e9262ea906f4e4a73b7946d9/analysis/1431358414/ - Detected


Thank you for your submission. I will look into it as soon as possible.


3 samples.

C:\Windows\SysWOW64\jmdp\stij.exe: https://www.virustotal.com/sv/file/c6941d004f5dc9fda383bac7d475a8033317461bba73dcc73327376e17b91e80/analysis/1431527060/

C:\Windows\System32\ljkb\stij.exe: https://www.virustotal.com/sv/file/04c91a19254c45a61cf1d6b8ad2ef970316df25da3c40a874ebc42f4c4f56fd6/analysis/1431527149/

C:\Windows\SysWOW64\dmwu.exe: https://www.virustotal.com/sv/file/0aa6d3c6db7ad4f8a867a9454535308564fa916250ef21467bf75df495f05444/analysis/1431527163/

They all belong to the same infection; IB Updater Service by Perion Network Ltd. was installed on the system. I left both stij.exe files in their respective folders inside the archive so you guys can see the difference.

Edit: I just scanned the folders with Malwarebytes and two of the .dll files inside were also picked up by it. So it might be a good idea to scan the .dll files as well. It was lmrn.dll, one in each folder.


Thank you for your submission. I will look into it as soon as possible.


Thank you for your submission. I will look into it as soon as possible.


Thank you for your submission. I will look into it as soon as possible.


So I'm currently doing a "sweep" of all our computers/laptops on the domain to find malicious programs and gather samples. Right now I'm at 77; none of them are detected by Emsisoft, and all of them are detected by Malwarebytes. Do I have to manually provide a link to the 77 VirusTotal results (I will have to upload them one by one), or can I just pack all the .exe, .dll, .jar, etc. in one archive and post it here?


Feel free to zip them all up in one archive and attach them to your post. No need to do it separately.


Well, there you go, 162 samples! However, due to the location where I found them, I'm pretty sure most of them are variants of the same malware family. Since I won't provide 162 VirusTotal links for that pack, I'll at least provide an MBAM log for comparison.

Edit: Apparently, 20MB is too big to upload at once here. Any alternatives? Or should I make smaller packs?


No need to provide the VT links. What max. size does the forum uploader say the file has to be?


According to the forum, it's 100MB per single upload. Can I try uploading a .rar archive instead (since I had the same issue yesterday on Malwarebytes, and converting it to .rar worked), or do you guys take .zip only?


A .rar worked fine :) Size went down to 17MB compared to .zip (20MB). Removed a legitimate .dll file from the pack too (a Lua .dll). Next sweep should be either later today or next week.


Thank you for your submission. I will look into it as soon as possible.


Thank you for your submission. I will look into it as soon as possible.


1 sample. It comes from a system that showed up in the firewall with the detection "MAGNITUDE Exploit Kit Detection". The archive name is the name of the folder where it was found in ProgramData.

Edit: Found another computer infected with that same infection, but the .dll is named differently. I'll attach it too.


Thank you for your submission. I will look into it as soon as possible.


Another computer infected with MAGNITUDE Exploit Kit. Same path, same folder location, yet a differently named .dll. This time I'll give the VirusTotal report (forgot with the two others). Also, an infection on another computer: bin.exe found in the Roaming folder of the user.

msvcirt.dll: https://www.virustotal.com/sv/file/ab262a96a8ddb411b56f896953ab0d3c36941899068953948e87364061a46cc4/analysis/1432562030/

bin.exe: https://www.virustotal.com/sv/file/d272cf1853db2b474391638c2a5b2245451bfe29acd10784799cefa51b84817b/analysis/1432562024/


Thank you for your submission. I will look into it as soon as possible.


15 samples, from the WiseConvert_B2 toolbar. I attached the Malwarebytes log. I also included the uninstall.exe, even though it wasn't detected by Malwarebytes.

Edit: Might have found a variant of WiseConvert on another computer, called WiseConvert_2.1. The folder layout with the files is the same, except the .exe files are named differently. Do you want these samples as well, or should I wait until you scan the ones I submitted and a database update is out, and then scan that folder with EAM to see if they are detected?


Thank you for your submission. I will look into it as soon as possible.


Hi,

1 sample belonging to Bedep. Found on a computer that showed up in our firewall logs for an Angler EK detection. The archive name is the name of the folder where it was, in ProgramData.

VirusTotal: https://www.virustotal.com/sv/file/13bb95805ba330251c30c86211512e3be3562b1b141c7185ce1130499f94a28e/analysis/1433248103/


Thank you for your submission. I will look into it as soon as possible.


Taken from a computer that came up with a MAGNITUDE Exploit Kit detection (it's Bedep) in our firewall. Archive name is the name of the folder where it was found, in ProgramData.

recovery.dll: https://www.virustotal.com/sv/file/e3ba26f387a4330bdeff6a7c275cd2d7696ba0b151384f4b64f590f202ff6279/analysis/1433334436/


Thank you for your submission. I will look into it as soon as possible.


Another sample, same thing, different computer, not detected by EAM.

apds.dll: https://www.virustotal.com/sv/file/0aca9bdf45bd631a6ceaf56b3954afa8c812bc9cccc5aabee5a69f767ca5c599/analysis/1433346147/

With my submissions, Emsisoft will eventually detect every Bedep sample ever :P


Thank you for your submission. I will look into it as soon as possible.


Thank you for your submission. I will look into it as soon as possible.


Thank you for your submission. I will look into it as soon as possible.


Found an old PUP on a computer: SiteRanker. Looks like no one ever really paid attention to it, so I'm submitting two samples just in case.

SiteRankTray.exe: https://www.virustotal.com/sv/file/4794f246c28f1766f489aa1375cc04c3ab8c6e25e639d5b672f3e39ea350089d/analysis/1433443359/

SiteRank.dll: https://www.virustotal.com/sv/file/245f907f4ab7d98b5ab1fd17ba7783bf8972fb671e0e2f8ca86bdf38bdeedddb/analysis/1433443499/


Thank you for your submission. I will look into it as soon as possible.
