- Mar 10, 2015
Recently I found that hybrid-analysis results are required (although you can just leave a "-" in the blank) while uploading malware samples to this forum. It's a pretty good web-based free analysis service with detailed reports at first glance.
But after uploading an installer to this site, I'm now doubting whether the rating system used by this service is as accurate as we think.
The file I uploaded is called "junior-icon-editor.exe", which is a free Windows icon editor by Sibcode and can be easily found on Google.
hxxp://www.sibcode.com/junior-icon-editor/
And here's its VT analysis report:
https://www.virustotal.com/en/file/...87aa2d62eca22ab61ef504fec9860918613/analysis/
As you can see, VirusTotal suggested that this file is likely to be harmless. (I've tried it with Sandboxie and Wireshark and found nothing suspicious about it.)
But the hybrid-analysis report gives a totally opposite result. This file is rated "malicious" based on their analysis engine, and "Sample was identified as malicious by at least one Antivirus engine."
https://www.hybrid-analysis.com/sam...62eca22ab61ef504fec9860918613?environmentId=2
After seeing the result, I decided to do an experiment with a self-extracting zip file that drops a dummy .exe file (coded by myself using Dev-Cpp 4.9.9.2; all it does is ask you to enter some integers on the console screen) and then executes the dropped file.
Here's the virustotal report of the zip file:
https://www.virustotal.com/en/file/...270648b01f55bf41a140dba9/analysis/1429368721/
And here's the hybrid-analysis report:
https://www.hybrid-analysis.com/sam...9c08a270648b01f55bf41a140dba9?environmentId=2
Thus, I don't think hybrid-analysis is a well-developed service, and it's maybe not a good idea to keep the report as "required", since it may cause false positives on our forum.
Tell me your thoughts below! Any feedback is welcome! :>