Number of samples: 13
Verified malware samples: Yes, this only contains malware
Threat analysis reports:
https://www.hybrid-analysis.com/sample/ed7722f33d316f500ae679f53323dd60d1190fb4df680c30ef95ef7b535b2bbd?environmentId=100
https://www.hybrid-analysis.com/sample/9a403a32df4e8ec349ec050303bd4df12f1e074cd8b38a723f69bd904aaa7665?environmentId=120
https://www.hybrid-analysis.com/sample/bf6b75ffe11878fcd4700eed13a428ea3a62e71818889f35ca1e47692ddfe36b?environmentId=100
https://www.hybrid-analysis.com/sample/78957e1db02f0dc8ef58c4170e62753425552a684ae5eefec41d0c60cae8a1a8?environmentId=120
https://www.hybrid-analysis.com/sample/c6941b5ca9ce97632aa25322d6ab98a96368bcb1744470d10d319976cf3d0ad4?environmentId=100
https://www.hybrid-analysis.com/sample/335b6cc1fa44027daa102c6a43e8fc2ea74b02c6788bf07b59b1d0f003c22f00?environmentId=100
https://www.hybrid-analysis.com/sample/9b407ae39622e5fb6b414cccb359d8407c2e860d19d6284d4a8ff4ffd1580211?environmentId=120
https://www.hybrid-analysis.com/sample/d992c8f2e5994b959125c4a7598f463e54fa9e26cf4c797dbe3cbc7ac997f878?environmentId=100
https://www.hybrid-analysis.com/sample/267a7b2fa24467c54d8feae00c4d8c3fd5ad2e90905a6a509b0ca71b74519f86?environmentId=100
https://www.hybrid-analysis.com/sample/66a3617e6028a4db7c72bcdb869f0aa87b9feff1b30cfb0de5c45953a9677a4b?environmentId=120
https://www.hybrid-analysis.com/sample/3d506422d027f3c8f77582a00d193ab373bc886cf1a3d650b238fb868ddb4f1b?environmentId=100
https://www.hybrid-analysis.com/sample/46a8f47f6de5d94c02465b6e74f9d74a590947ec3b47eb3260cb04cb46aa74f3?environmentId=100
https://www.hybrid-analysis.com/sample/ab826ff0726a309a9f6fda4a08138caf26e692f58c7162d1e1277a6cf43a7416?environmentId=100
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.
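Before running anything from a pack like this, it is worth confirming that the files received are the ones the report links above describe. The script below is an added example, not code from this thread or from Hybrid Analysis: it takes the 13 report links from the first post, pulls the SHA-256 out of each link's path, hashes the files in a local folder and reports which report hashes are present, which are missing and which files no report covers. The hash in the link is that of the file as submitted, so hash the extracted samples, not the archive; renaming does not affect the match. SAMPLE_DIGESTS is a constructed stand-in for the output of hash_directory() so the demo runs offline; the file names in it are invented and imply no mapping between the thread's sample names and the report hashes.

```python
"""Reconcile a sample pack against Hybrid Analysis report links (added example)."""
import hashlib
import os
import re

# The 13 report links from the first post of the thread.
REPORT_URLS = [
    "https://www.hybrid-analysis.com/sample/ed7722f33d316f500ae679f53323dd60d1190fb4df680c30ef95ef7b535b2bbd?environmentId=100",
    "https://www.hybrid-analysis.com/sample/9a403a32df4e8ec349ec050303bd4df12f1e074cd8b38a723f69bd904aaa7665?environmentId=120",
    "https://www.hybrid-analysis.com/sample/bf6b75ffe11878fcd4700eed13a428ea3a62e71818889f35ca1e47692ddfe36b?environmentId=100",
    "https://www.hybrid-analysis.com/sample/78957e1db02f0dc8ef58c4170e62753425552a684ae5eefec41d0c60cae8a1a8?environmentId=120",
    "https://www.hybrid-analysis.com/sample/c6941b5ca9ce97632aa25322d6ab98a96368bcb1744470d10d319976cf3d0ad4?environmentId=100",
    "https://www.hybrid-analysis.com/sample/335b6cc1fa44027daa102c6a43e8fc2ea74b02c6788bf07b59b1d0f003c22f00?environmentId=100",
    "https://www.hybrid-analysis.com/sample/9b407ae39622e5fb6b414cccb359d8407c2e860d19d6284d4a8ff4ffd1580211?environmentId=120",
    "https://www.hybrid-analysis.com/sample/d992c8f2e5994b959125c4a7598f463e54fa9e26cf4c797dbe3cbc7ac997f878?environmentId=100",
    "https://www.hybrid-analysis.com/sample/267a7b2fa24467c54d8feae00c4d8c3fd5ad2e90905a6a509b0ca71b74519f86?environmentId=100",
    "https://www.hybrid-analysis.com/sample/66a3617e6028a4db7c72bcdb869f0aa87b9feff1b30cfb0de5c45953a9677a4b?environmentId=120",
    "https://www.hybrid-analysis.com/sample/3d506422d027f3c8f77582a00d193ab373bc886cf1a3d650b238fb868ddb4f1b?environmentId=100",
    "https://www.hybrid-analysis.com/sample/46a8f47f6de5d94c02465b6e74f9d74a590947ec3b47eb3260cb04cb46aa74f3?environmentId=100",
    "https://www.hybrid-analysis.com/sample/ab826ff0726a309a9f6fda4a08138caf26e692f58c7162d1e1277a6cf43a7416?environmentId=100",
]

# A sample link carries the SHA-256 in the path and the sandbox environment
# as a query parameter; anything else is rejected rather than guessed at.
_LINK_RE = re.compile(
    r"^https://www\.hybrid-analysis\.com/sample/([0-9a-f]{64})\?environmentId=(\d+)$"
)


def parse_report_url(url):
    """Return (sha256, environment_id) for one report link."""
    match = _LINK_RE.match(url.strip())
    if not match:
        raise ValueError(f"not a Hybrid Analysis sample link: {url!r}")
    return match.group(1), int(match.group(2))


def report_hashes(urls):
    """Map SHA-256 -> environmentId for every link; duplicates are an error."""
    out = {}
    for url in urls:
        sha, env = parse_report_url(url)
        if sha in out:
            raise ValueError(f"duplicate report for {sha}")
        out[sha] = env
    return out


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def hash_directory(path):
    """SHA-256 every regular file directly inside `path` (no recursion, no symlinks)."""
    digests = {}
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                with open(entry.path, "rb") as fh:
                    digests[entry.name] = sha256_bytes(fh.read())
    return digests


def reconcile(expected, digests):
    """Compare report hashes (sha -> env) with local digests (filename -> sha)."""
    found, unexpected = {}, []
    for name, sha in digests.items():
        if sha in expected:
            found[sha] = name
        else:
            unexpected.append(name)
    missing = sorted(set(expected) - set(found))
    return {"found": found, "missing": missing, "unexpected": sorted(unexpected)}


# Constructed stand-in for hash_directory("samples"): one entry pretends to
# match the first report hash, one is a stray text file. Nothing real was hashed.
SAMPLE_DIGESTS = {
    "unknown_1.bin": "ed7722f33d316f500ae679f53323dd60d1190fb4df680c30ef95ef7b535b2bbd",
    "readme.txt": sha256_bytes(b"constructed placeholder, not a sample"),
}

if __name__ == "__main__":
    result = reconcile(report_hashes(REPORT_URLS), SAMPLE_DIGESTS)
    for sha, name in result["found"].items():
        print(f"present    {name}  {sha}")
    for sha in result["missing"]:
        print(f"missing    {sha}")
    for name in result["unexpected"]:
        print(f"no report  {name}")
```

On a real pack, replace SAMPLE_DIGESTS with hash_directory("path/to/extracted/samples"). A file in the "unexpected" list either was not submitted to Hybrid Analysis or was modified after submission; either way its report link tells you nothing about it.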

Post #2 by Lord Ami (MWT-Tester)
Containment: VMware® Workstation Pro 15.0.2 build-10952284
Guest/OS: W10 X64 1809
Product: AVG Internet Security 19.1.3075
Static (On-demand scan): 8/13
Dynamic (On execution): 2/5
Total: 10/13
SUD: 5
VPN: Windscribe Pro
System Status: Infected
Files encrypted: No
__faktura_5333 is removed by IDP.
Pax_5451_10_01_2019p. runs, nothing from AVG.
sample_190110 is instantly removed.
TBPB_1_P202473713 runs, nothing from AVG.
wobler runs, gets DeepScreened and is allowed to run. Runs for about a minute and then terminates itself
I restarted the VM as the file is executed upon restart. The file runs and terminates around a minute later.
Manual execution: (screenshot)
VirusTotal

Post #3 by Lord Ami (MWT-Tester)
Containment: VMware® Workstation Pro 15.0.2 build-10952284
Guest/OS: W10 X64 1809
Product: fs protection 17.6 beta 1
Static (On-demand scan): 9/13
Dynamic (On execution): 2/4
Total: 11/13
SUD: 4
VPN: Windscribe Pro
System Status: Protected
Files encrypted: No
__faktura_5333 runs, nothing from FS.
6383926382756786 runs, nothing from FS.
Pax_5451_10_01_2019p. runs and is blocked by DeepGuard.
TBPB_1_P202473713 runs, executes CMD which gets blocked.
* Autoruns entries are safe. Same goes for NPE. I've modified some Windows settings to lower telemetry.

Post #4 by Der.Reisende (Content Creator, MWT-Tester)
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.253)
Product: Tencent PC Manager v12.3.26596.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine)
Static (On-demand scan): 3/13
Dynamic (On execution): 5/10
Total: 8/13
SUD: Everything not detected by TCPM cloud or BB
VPN: Windscribe v1.83 b18
System Status: infected (before AutoRun: hollowed svchost.exe in memory calling out, wscript.exe calling out, liter.exe + sample_190110.exe and conhost.exe in memory, performing no malicious actions) / after reboot: not clean
Files encrypted: no
(screenshots: update, static scan, SUD)
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
Anilinfarven.exe triggers mshta.exe, drops and runs SHIDE.exe. Both source file and dropped file get autoquarantined, all named processes get intercepted by TCPM BB. HIT.
DEPARTING2.exe drops and runs xsqadegvf.exe. Triggers wscript.exe, getting intercepted instantly by TCPM BB. The two .exe get intercepted and autoquarantined by TCPM BB after some time. 3B0DDB.exe got intercepted and autoquarantined silently. No further malicious traces, no AutoRuns. HIT.
helaarsbeboelserstritlivsen.exe drops and runs imgburn.exe. TCPM BB instantly intercepts and autoquarantines both files (dropped file silently). No further malicious traces, no AutoRuns. HIT.
liter.exe runs in memory. Does neither call out nor does set an AutoRun. MISS.
MIL031088410.exe gets intercepted and autoquarantined by TCPM BB. No further malicious traces, no AutoRuns. HIT.
sample_190110.exe triggers conhost.exe. Instantly, a Windows Firewall pops up (alert confirmed). No further malicious traces, no AutoRuns. MISS.
wobler.exe tries hollowing svchost.exe (indicated in red in System Explorer). TCPM BB instantly intercepts and autoquarantines the malware. After a long time, multiple subprocesses of svchost.exe get triggered, they call out for seconds. TCPM BB instantly intercepts wobler.exe again. Because of the active infection, MISS.
Pax_5451_10_01_2019p..js triggers wscript.exe, cmd.exe, conhost.exe, powershell.exe. All named processes get instantly intercepted and autoquarantined by TCPM BB. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. HIT.
__faktura_5333.vbs triggers wscript.exe, which shows a fake error message, then calls out. Does not set an AutoRun. Untouched source file deleted before firing off 2nd_opinion scans. MISS.
TBPB_1_P202473713.vbs triggers wscript.exe, cmd.exe, bitsadmin.exe and conhost.exe. All services autoterminate instantly. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. MISS.
(screenshots: runs 1 to 10; Process Explorer, TCPM, Autoruns, files, second opinion, NPE detail)
Thank you @silversurfer for the pack!
Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TCPM installation. The registry hijack for "openas\command" appears once an initial installation of TCPM has been in-app upgraded. It's safe.

Post #5 by askalan (MWT-Tester)
Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)

Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.

Code:
1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Office: LibreOffice (standard settings)

Samples that have harmed the system/changed system configuration: 0/13

The presented system configuration has successfully blocked all malware. No files were encrypted.
Before the second opinion scan the samples were deleted.



Thanks for the samples!
@Andy Ful

Hard_Configurator

Post #6 by Daniel Hidalgo (MWT-Tester)
Containment: VMware® Workstation Pro 15.0.2 build-10952284 & Shadow Defender 1.4.0.672
Guest/OS: Windows 10 PRO RS5 build 1811 x64 bits
Product: McAfee Internet Security 2019 V. 16.0 (Default Settings)
Static (On-demand scan): 7/13
Dynamic (On execution): 1/6
Total: 8/13
SUD: YES
VPN: Avira Phatom VPN v. 2.18.1.30309
System Status: INFECTED
Files encrypted: NONE
(screenshots: firewall settings, scan results)
Sample __faktura_5333.vbs: MISS
Process: wscript.exe
Connections: yes
It remains active without the intervention of McAfee.

Sample 6383926382756786.js: MISS
Process: wscript.exe, javaw.exe, java.exe
Connections: yes
The javaw.exe process remains active without the intervention of McAfee.

Sample MIL031088410.exe: MISS
Process: MIL031088410.exe
Connections: yes
The MIL031088410.exe process remains active without the intervention of McAfee.

Sample Pax_5451_10_01_2019p..js: HIT
Process: wscript.exe, cmd.exe, conhost.exe, powershell.exe
Connections: yes
It was blocked and the execution of the payload was removed, avoiding the infection.

Sample TBPB_1_P202473713.vbs: MISS
Process: wscript.exe, cmd.exe, conhost.exe, taskkill.exe
Connections: no connections used
Finished minutes later.

Sample wobler.exe: MISS
Process: wobler.exe
Connections: no connections used
Finished minutes later.

Removed samples folder
Ran CCleaner
Process Explorer: INFECTED (multiple processes are active)
Autoruns: INFECTED (2 malicious entries were created)
INFECTED
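Several of the reports above (post #4 and post #6 in particular) describe the same shape of activity: a Windows script host started from a .js or .vbs sample, which then spawns cmd.exe, powershell.exe or bitsadmin.exe, or mshta.exe launching a dropped executable from a temp folder. The code below is an added example, not code from the thread or from any product tested here: it walks a set of process-creation events and reports every process that has a script host above it and is itself a command interpreter, a download-and-execute LOLBin, or an image in a user-writable directory. EVENTS is constructed to resemble the chains reported (pids are arbitrary, the benign branches are invented) and carries only the three fields a Sysmon Event ID 1 record minimally gives you: pid, parent pid and image path.

```python
"""Detect script-host -> LOLBin / dropped-executable chains (added example)."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Children a script host has no business launching on a workstation.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "bitsadmin.exe", "certutil.exe",
    "regsvr32.exe", "rundll32.exe",
}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.I)

# Constructed events: (pid, ppid, image). Not real telemetry.
EVENTS = [
    (4000, 1000, r"C:\Windows\explorer.exe"),
    (4100, 4000, r"C:\Windows\System32\wscript.exe"),          # Pax_*.js style chain
    (4110, 4100, r"C:\Windows\System32\cmd.exe"),
    (4111, 4110, r"C:\Windows\System32\conhost.exe"),
    (4120, 4110, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (4200, 4000, r"C:\Windows\System32\wscript.exe"),          # TBPB_*.vbs style chain
    (4210, 4200, r"C:\Windows\System32\cmd.exe"),
    (4220, 4210, r"C:\Windows\System32\bitsadmin.exe"),
    (4300, 4000, r"C:\Users\test\Desktop\Anilinfarven.exe"),   # dropper -> mshta -> payload
    (4310, 4300, r"C:\Windows\System32\mshta.exe"),
    (4320, 4310, r"C:\Users\test\AppData\Local\Temp\SHIDE.exe"),
    (4400, 4000, r"C:\Windows\System32\wscript.exe"),          # benign logon script (invented)
    (4410, 4400, r"C:\Windows\System32\conhost.exe"),
    (4500, 4000, r"C:\Windows\System32\cmd.exe"),              # user-opened shell, no script host
    (4510, 4500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]


def image_name(path):
    return ntpath.basename(path).lower()


def build_tree(events):
    """pid -> (ppid, image). If a pid is reused, the later event wins."""
    return {pid: (ppid, image) for pid, ppid, image in events}


def chain_from_script_host(procs, pid):
    """Walk up from pid to the nearest script-host ancestor.

    Returns the pid list from that ancestor down to pid, or None when no
    script host sits above it. The visited set guards against ppid loops
    that pid reuse can produce in real logs.
    """
    chain, seen, cur = [], set(), pid
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        if cur != pid and image_name(procs[cur][1]) in SCRIPT_HOSTS:
            return list(reversed(chain))
        cur = procs[cur][0]
    return None


def is_suspicious(image):
    return image_name(image) in SUSPICIOUS_CHILDREN or USER_WRITABLE.search(image) is not None


def find_script_host_chains(events):
    """One chain (list of image names) per suspicious descendant of a script host."""
    procs = build_tree(events)
    findings = []
    for pid, (_, image) in procs.items():
        if not is_suspicious(image):
            continue
        chain = chain_from_script_host(procs, pid)
        if chain:
            findings.append([image_name(procs[p][1]) for p in chain])
    return findings


if __name__ == "__main__":
    for chain in find_script_host_chains(EVENTS):
        print(" -> ".join(chain))
```

conhost.exe is deliberately not in the suspicious set: every console process gets one, which is why the wscript.exe -> conhost.exe branch is not reported while wscript.exe -> cmd.exe -> powershell.exe is. The explorer.exe -> cmd.exe -> powershell.exe branch is also silent because no script host sits above it. Where script hosts can simply be blocked, as in the SRP-based setup in post #5, this whole class disappears; the detection is for environments that have to keep wscript.exe and mshta.exe available.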

Post #7 by Daniel Hidalgo (MWT-Tester)
Containment: VMware® Workstation Pro 15.0.2 build-10952284 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64 bits
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 13/13
Dynamic (On execution): N/A
Total: 13/13
SUD: NO
VPN: Avira Phatom VPN v. 2.18.1.30309
System Status: CLEAN
Files encrypted: NONE
(screenshots: configuration 1 to 9; scan results)
Removed samples folder
Ran CCleaner
Process Explorer: SAFE
Autoruns: SAFE

Post #8 by harlan4096 (Moderator, MalwareTips Team, MWT-Tester)
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 (tweaked settings)
VPN: Kaspersky Secure Connection
Static (Contextual scan): 10/13 (2 by UDS (Urgent Detection System), 4 by Heur (Trojan/Backdoor), 4 by signatures)
Dynamic (On execution): 2/3 (2 by Dangerous Application Behaviour (PDM:Trojan))
Total: 12/13
SUD: 1
Before system reboot: Files encrypted: No; Second opinion scanners: N/A; System final status: Infected
After system reboot: Files encrypted: No; Second opinion scanners: All clean; System final status: Protected


Location: Almería (Spain) CET
Samples Pack Posted: 10/01/2019 03:40pm
Static Test Started: 10/01/2019 07:04pm
Dynamic Test Started: 10/01/2019 07:13pm
SUD: 10/01/2019 08:03pm

(screenshots: update and SUD; static scan results)

* (Hit) Pax_5451_10_01_2019p..js, chrome.exe: these 2 samples were detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).

* (Miss) sample_190110.exe: ran and triggered the WD firewall (allowed) + conhost.exe; it remained listening and apparently no other suspicious activity was detected. No entries in Windows AutoRun sections nor dropped/spawned files; after 15 minutes I rebooted the system and it didn't run any more.

_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns (screenshot: Autoruns before system reboot).

After system reboot (screenshot: Autoruns after system reboot):

Warning: all original samples from the extracted folder were deleted manually before running second opinion scanners, except those that are still actively running on the system and/or are referred to in a registry key in the Windows AutoRuns sections.

After System Reboot:
ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\),
WiseVector
(C:\ProgramData + C:\...\<user account>\),
HMP (Default Scan: Recommended) -> All clean, system protected.

Thanks to @silversurfer !

Kaspersky VirusDesk Final Verdict:
Hello, New malicious software was found in the attached file. Its detection will be included in the next update.

chrome.exe - Trojan.Win32.Crypt.agex
sample_190110.exe - Backdoor.Win32.Agent.mytnnk


Thank you for your help.
Best regards

Post #9 by Solarquest (Moderator, MalwareTips Team, MWT-Tester)
Containment: VirtualBox-6.0.0.127566
Host Windows 10 pro 64 bit v1809
Guest/OS: Windows 10, Home v1809 + Java
VPN: Windscribe 1.83
Product: Emsisoft 12 AM 2018.12.1.9144, default settings + Emsisoft Browser security
Static (On-demand scan): 8 /13
Dynamic (On execution): 4/5
Total: 12/13
SUD: all samples missed on static
2nd opinion detection of new files or in memory: Zemana: 0 HMP:0 autoruns:0 PE: 0 NPE:0
Files encrypted: no
Final status: System protected

Additional notes:Thank you @silversurfer for the samples!
(I decided to keep the missed/not deleted samples in the malware folder to see if 2nd opinion scanners detect them.)

(screenshots: SUD and updated signatures)

(screenshot: static scan)

haalars....exe - quarantined.

MIL0310....exe - Emsi BB alerts when it starts a subprocess. Reboot needed to delete it.

PAX...js - wscript -> conhost -> cmd -> powershell -> error message.

sample_190110.exe - starts -> conhost -> quarantined.

TBPB...vbs - wscript -> quarantined.

Files in MW folder after reboot: 1 (PAx...js)

2nd opinion scanners:
before reboot (screenshots: Process Explorer, Autoruns compare)
then reboot
after reboot (screenshots: HMP, NPE, Process Explorer, Zemana appdata)
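Posts #8 and #9 both end with an Autoruns comparison before and after reboot, and post #6 reports "2 malicious entries were created"; the comparison is usually done by eye on two screenshots. The script below is an added example, not code from the thread or from Sysinternals: it diffs two Autoruns CSV exports, keys entries on location plus name plus image path, reports what was added, removed or changed, and flags additions whose signer is not "(Verified)" or whose image lives in a user-writable directory. BEFORE and AFTER are constructed snapshots using a subset of the columns that autorunsc.exe -c writes (an assumption; check the header line of your own export and adjust KEY_COLUMNS/WATCH_COLUMNS if it differs). The entry names, paths, signer strings and hash values are invented.

```python
"""Diff two Autoruns CSV snapshots and triage the additions (added example)."""
import csv
import io
import re

KEY_COLUMNS = ("Entry Location", "Entry", "Image Path")
WATCH_COLUMNS = ("Enabled", "Signer", "Launch String", "SHA-256")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\programdata\\|\\temp\\", re.I)

# Constructed snapshot "before reboot": column subset assumed from autorunsc -c.
BEFORE = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,hash-a
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,(Verified) Microsoft Corporation,c:\users\test\appdata\local\microsoft\onedrive\onedrive.exe,c:\users\test\appdata\local\microsoft\onedrive\onedrive.exe /background,hash-b
"""

# Constructed snapshot "after reboot": OneDrive's binary changed (a legitimate
# update would look like this), an unsigned entry appeared in AppData, and a
# signed vendor task appeared under Program Files.
AFTER = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,hash-a
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,(Verified) Microsoft Corporation,c:\users\test\appdata\local\microsoft\onedrive\onedrive.exe,c:\users\test\appdata\local\microsoft\onedrive\onedrive.exe /background,hash-c
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,updater,enabled,(Not verified),c:\users\test\appdata\roaming\updater\updater.exe,c:\users\test\appdata\roaming\updater\updater.exe -s,hash-d
Task Scheduler,ContosoUpdate,enabled,(Verified) Contoso Ltd,c:\program files\contoso\update.exe,c:\program files\contoso\update.exe /check,hash-e
"""


def parse_snapshot(text):
    """Parse an Autoruns CSV export into {key tuple: row dict}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = tuple((row.get(c) or "").strip().lower() for c in KEY_COLUMNS)
        rows[key] = row
    return rows


def diff_snapshots(before_text, after_text):
    """Return added/removed rows and (row, {column: (old, new)}) for changed rows."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    added = [after[k] for k in after if k not in before]
    removed = [before[k] for k in before if k not in after]
    changed = []
    for k in after:
        if k not in before:
            continue
        diffs = {
            c: (before[k].get(c), after[k].get(c))
            for c in WATCH_COLUMNS
            if before[k].get(c) != after[k].get(c)
        }
        if diffs:
            changed.append((after[k], diffs))
    return {"added": added, "removed": removed, "changed": changed}


def triage(entries):
    """Flag entries that are unsigned/unverifiable or launch from a user-writable path."""
    flagged = []
    for row in entries:
        reasons = []
        if not (row.get("Signer") or "").startswith("(Verified)"):
            reasons.append("signer not verified")
        if USER_WRITABLE.search(row.get("Image Path") or ""):
            reasons.append("image in user-writable path")
        if reasons:
            flagged.append((row["Entry"], row["Image Path"], reasons))
    return flagged


if __name__ == "__main__":
    result = diff_snapshots(BEFORE, AFTER)
    for row in result["added"]:
        print("added  ", row["Entry Location"], row["Entry"], row["Image Path"])
    for row in result["removed"]:
        print("removed", row["Entry Location"], row["Entry"])
    for row, diffs in result["changed"]:
        print("changed", row["Entry"], diffs)
    for entry, image, reasons in triage(result["added"]):
        print("FLAG   ", entry, image, "; ".join(reasons))
```

The path criterion is a prompt to look, not a verdict: plenty of signed software lives in AppData (the constructed OneDrive row is the usual example), which is why it is applied only to additions and paired with the signer check. Changed rows deserve a second look too; a new SHA-256 behind an unchanged launch string is either an update or a replaced binary, and only the signer column and the hash on a reputation service tell you which.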