Number of samples: 15
Verified malware samples: Yes, this only contains malware
Threat analysis reports:
https://www.hybrid-analysis.com/sample/da969ab09db793f54e36a36d82a1a24d14ac71abdeb011f0b5caca11e901a280?environmentId=100
https://www.hybrid-analysis.com/sample/ea30492f29da6ea83bcf9ca3e4fee0eac51705b4eb40d62334c53441b537091c?environmentId=100
https://www.hybrid-analysis.com/sample/0754dfeba09ef3e30d46d85d83559b14fbd4b8e4b019a9f1f62ca129cde53864?environmentId=100
https://www.hybrid-analysis.com/sample/7af729e359966cbc3b3e33e6cbda8952472af4f54c74f417d633293f00564fdd?environmentId=100
https://www.hybrid-analysis.com/sample/f7795e593986b7153da567e3386dfadfa1f581eab6084eeb01fe4e8713a73c21?environmentId=100
https://www.hybrid-analysis.com/sample/67155d21a74caa0d99ef154c8e3e4640e75a1c7e1f3a70224618ea98491a5c6a?environmentId=100
https://www.hybrid-analysis.com/sample/9b1325507e18ac3910bf6dd9e420e6d8c308d9aa69c0718bb35a509620b7007c?environmentId=100
https://www.hybrid-analysis.com/sample/c3f8edb12fc0a1f99f0d1e5ffa945a9c1b99ff2cba7580e0fe2e0d00523a8aa6?environmentId=100
https://www.hybrid-analysis.com/sample/2ff58edf203dd8eaaa95fd47887d2cbab800623a53a6db5b7909e48a1663e833?environmentId=100
https://www.hybrid-analysis.com/sample/8da33fdf98427fee19b209f24c3e1c1245369b94e59a877dac54b4420e412acf?environmentId=100
https://www.hybrid-analysis.com/sample/5cc4238d0f768df51b4b05d9dce6cbc0fa2ca3b01a8ef24bcee8d6c629177263?environmentId=120
https://www.hybrid-analysis.com/sample/7bc3755cf5ba608aa124eacfc3e4d02d9470a817fc295e9c1f3110d310def109?environmentId=100
https://www.hybrid-analysis.com/sample/fa9cd210e17b82b443c2f23c6b4bb2884c28049e27ec0eb94ace8984f0eca0da?environmentId=100
https://www.hybrid-analysis.com/sample/bae8ba38e521cc1d4177b0583a470fa3dd338e069f0f826d97e7a38228cd7ee8?environmentId=100
https://www.hybrid-analysis.com/sample/e032a06a791dcf2971cbed8ce4f8c7d8ce1e844f0468343ed6b503de4438ee5c?environmentId=100
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and make informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Der.Reisende (Level 37, Content Creator, MWT-Tester, Verified; joined Dec 27, 2014; 2,665 messages; OS: Windows 10; AV: Tencent), post #3
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.195)
Product: Tencent PC Manager v12.3.26596.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine)
Static (On-demand scan): 8/15
Dynamic (On execution): 5/7
Total: 13/15
SUD: Everything missed by TCPM BB or cloud
VPN: Windscribe v1.83 b18
System Status: before reboot: infected (triggered but not showing malicious behavior: regasm.exe in memory, wscript.exe calling out) / after reboot: protected
Files encrypted: no
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
doc.exe runs in memory for about a minute or two before it triggers TCPM BB (8 times), intercepting and autoquarantining the malware. TCPM BB silently autoquarantines the dropped browser.exe. No further malicious traces, no AutoRuns. HIT.
palaeobiologic.exe creates a subprocess of its own. Calls out, TCPM HIPS monitors. A minute later, TCPM BB (3 alerts) intercepts and autoquarantines the malware as well as related files (silently). No further malicious traces, no AutoRuns. HIT.
vbc.exe tries hollowing regasm.exe, TCPM BB instantly intercepts and autoquarantines the source malware. regasm.exe remains running without showing malicious behavior (like outbounds). Does not appear in AutoRuns. Therefore, I still call this a HIT.
video.exe drops and runs audiodef.exe. TCPM BB intercepts and autoquarantines the source malware; its dropped content and some related files are autoquarantined silently. No further malicious traces, no AutoRuns. HIT.
eFax_scanned_41119293.doc opens a Word file. The contained exploit does not work with SoftMaker Office Professional 2018. Untouched source file deleted before firing off 2nd_opinion scans. MISS.
Document_20182412a.vbs triggers wscript.exe, bitsadmin.exe and conhost.exe. svchost.exe appears in TCPView, transferring data. After completion, wscript.exe, bitsadmin.exe, conhost.exe and schtasks.exe are triggered, autoterminating within seconds. TCPM Realtime Protection autoquarantines the dropped malware and removes the scheduled task. No further malicious traces, no AutoRuns. HIT.
__faktura_6636.vbs triggers wscript.exe and shows two messages; the second one keeps getting spammed over and over. wscript.exe calls out. Does not set an AutoRun. Untouched source file deleted before firing off 2nd_opinion scans. Because it remains untouched in memory until reboot, MISS.
Thank you @silversurfer for the pack!
Norton Power Eraser (NPE) entries: the Baidu registry entries belong to the TCPM installation. The registry hijack for "openas\command" appears once an initial installation of TCPM has been in-app upgraded. It's safe.
 
Last edited:

Daniel Hidalgo (Level 33, MWT-Tester, Verified; joined Mar 17, 2015; 2,262 messages; OS: Windows 10; AV: Kaspersky), post #4
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 13/15
Dynamic (On execution): 0/2
Total: 13/15
SUD: YES
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: INFECTED
Files encrypted: YES
Sample eFax_scanned_41119293.doc: MISS
Processes: WINWORD.EXE, cmd.exe, conhost.exe, cmstp.exe, regsvr32.exe
Connections: YES
Creates 2 remote connections (they were intercepted by the ESET firewall, but they are allowed).
The macro creates an .ocx file inside the Roaming folder. The regsvr32.exe processes remain active even
Sample SEO.exe: MISS
Processes: SEO.exe, cmd.exe, conhost.exe, powershell.exe, notepad.exe
Connections: YES
Minutes later it opens Notepad, and the files end up encrypted.


Remove Samples Folder
Run CCleaner
Process Explorer: INFECTED (the regsvr32.exe process remains active)
Autoruns: SAFE
NOT CLEAN
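The chains reported in posts #3 and #4 above (an Office document spawning cmd.exe, cmstp.exe and regsvr32.exe and registering an .ocx dropped in the Roaming folder; a .vbs driving wscript.exe into bitsadmin.exe and schtasks.exe; vbc.exe starting regasm.exe as a hollowing target) are parent/child relationships that process-creation telemetry exposes even when a file signature misses the sample. The following is an added example, not code from the thread or from any product tested here: a small Python rule set run over constructed process-creation events in an invented pipe-separated format. The PIDs, paths, the "lab" user name, the rule names and every PLACEHOLDER value are assumptions made up for the demonstration.

```python
"""Added example: behaviour rules over constructed process-creation telemetry.
Not code from the thread or from any product tested there."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the process that started
    parent_image: str   # full path of the parent process
    cmdline: str


# Constructed sample telemetry in an invented "pid|image|parent_image|cmdline"
# format. PIDs, the "lab" user and the PLACEHOLDER names are made up, but the
# parent/child pairs mirror what the testers above observed.
SAMPLE_LOG = r"""
4120|C:\Windows\System32\cmd.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmd.exe /c PLACEHOLDER.bat
4133|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\cmd.exe|regsvr32.exe /s "C:\Users\lab\AppData\Roaming\PLACEHOLDER.ocx"
5002|C:\Windows\System32\bitsadmin.exe|C:\Windows\System32\wscript.exe|bitsadmin.exe /transfer job /download URL_PLACEHOLDER C:\Users\lab\AppData\Local\Temp\PLACEHOLDER.exe
5010|C:\Windows\System32\schtasks.exe|C:\Windows\System32\wscript.exe|schtasks.exe /create /sc minute /mo 5 /tn PLACEHOLDER /tr C:\Users\lab\AppData\Local\Temp\PLACEHOLDER.exe
6100|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|C:\Users\lab\Desktop\vbc.exe|RegAsm.exe
7001|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe
7050|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe|RegAsm.exe MyLib.dll
"""

# Rule vocabulary (assumed lists, not exhaustive).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
OFFICE_CHILDREN = {"cmd.exe", "powershell.exe", "cmstp.exe", "regsvr32.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_HOST_CHILDREN = {"bitsadmin.exe", "schtasks.exe", "powershell.exe", "certutil.exe"}
DOTNET_REG_TOOLS = {"regasm.exe", "regsvcs.exe"}
# Parents living under these directories are treated as legitimate launchers
# of the .NET registration tools (e.g. a build or IDE process).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the constructed pipe-separated format into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        pid, image, parent, cmd = line.split("|", 3)
        events.append(ProcEvent(int(pid), image, parent, cmd))
    return events


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    img, parent, cmd = _name(ev.image), _name(ev.parent_image), ev.cmdline.lower()
    # Post #4: WINWORD.EXE -> cmd.exe / cmstp.exe / regsvr32.exe from a macro.
    if parent in OFFICE_APPS and img in OFFICE_CHILDREN:
        hits.append("office_spawns_lolbin")
    # Post #3: a .vbs under wscript.exe launching bitsadmin.exe and schtasks.exe.
    if parent in SCRIPT_HOSTS and img in SCRIPT_HOST_CHILDREN:
        hits.append("script_host_spawns_lolbin")
    # Post #4: regsvr32.exe registering an .ocx written to the Roaming folder.
    if img == "regsvr32.exe" and "\\appdata\\roaming\\" in cmd and ".ocx" in cmd:
        hits.append("regsvr32_roaming_ocx")
    # Post #3: regasm.exe started by a sample on the desktop (hollowing target).
    if img in DOTNET_REG_TOOLS and not ev.parent_image.lower().startswith(TRUSTED_DIRS):
        hits.append("dotnet_regtool_untrusted_parent")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each flagged PID to the rules it triggered; clean events are omitted."""
    flagged: Dict[int, List[str]] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            flagged[ev.pid] = hits
    return flagged


if __name__ == "__main__":
    for pid, rules in scan(parse_events(SAMPLE_LOG)).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

The two regasm.exe events show the point of the parent-path check: the same binary launched from a desktop sample is flagged, while the one launched by an IDE under Program Files is not. Feeding real Sysmon or EDR process-creation events into this only requires replacing `parse_events` with a reader for that source.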
 

Daniel Hidalgo (Level 33, MWT-Tester, Verified; joined Mar 17, 2015; 2,262 messages; OS: Windows 10; AV: Kaspersky), post #5
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 10 PRO x64 v1809
Product: McAfee Internet Security 2019 V.16.0 (Default Settings)
Static/Contextual Scan: 7/15
Total: 7/15
SUD: YES
Screenshots (not included): update, static scan, SUD.
 

harlan4096 (Moderator, MalwareTips Team, MWT-Tester, Verified; joined Apr 28, 2015; 4,232 messages; OS: Windows 10; AV: Kaspersky), post #6
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Static/Contextual Scan: 15/15 - Total: 15/15 - SUD: N/A
3 by UDS (Urgent Detection System) / 9 by Heur (Trojan / Backdoor) / 4 by Signatures

 

omidomi (Level 64, MWT-Tester, Verified; joined Apr 5, 2014; 5,381 messages; OS: Windows 8.1; AV: Kaspersky), post #7
Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: Webroot IS (9.0.24.37) - Default Settings
Static (On-demand scan): 2/15
SUD: 13
VPN: Security Kiss Tunnel 0.3.2

thanks for the pack
 

omidomi (Level 64, MWT-Tester, Verified; joined Apr 5, 2014; 5,381 messages; OS: Windows 8.1; AV: Kaspersky), post #8
Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: Webroot IS (9.0.24.37) - Default Settings
Static (On-demand scan): 2/15
Dynamic (On execution): 1/13
Total: 3/15
VPN: Security Kiss Tunnel 0.3.2
Files encrypted: YES
Second opinion scanners: Infected (HMP, Zemana)
System final status: Infected, live malware in memory!
__faktura_6636.vbs: let's run sample, crashed?

doc.exe: let's run sample, runs in memory.

Document_20182412a.vbs: let's run sample, tries to remote "...", no alert from Webroot.

eFax_scanned_41119293.doc: let's run sample & click on Enable Content, no alert from Webroot.

fx.js:

IMG036022904_2018-JPG.js: let's run sample, runs in memory.

INQUIRY DOC.exe: let's run sample, runs in memory.

Outbalanced.exe: let's run sample, runs in memory.

palaeobiologic.exe: let's run sample, runs in memory.

SEO.exe: let's run sample, runs in memory.

usps.jar: let's run sample, blocked by Webroot.

vbc.exe: let's run sample, runs in memory.

video.exe: let's run sample, runs in memory.
PE & Autorun reported infected:


Zemana (custom, full) & HMP & NPE reported infected:

NPE crashed... so the test with NPE was skipped:
thanks for the pack
 
