Number of samples: 14
Verified malware samples: Yes, this only contains malware
Threat analysis reports:
https://www.hybrid-analysis.com/sample/c1592f7d5b273fb5c652af0ddadec89558a911ba911aa2e7139d1b0c787b47e9?environmentId=100
https://www.hybrid-analysis.com/sample/4a17deef72e28ac9cb029511fd70dd8318db35faaae22e636ef4b82b97d17d13?environmentId=100
https://www.hybrid-analysis.com/sample/d1155791edace2a7da04a66df5db33c829eeea94ce662c3f5baf51607df59445?environmentId=100
https://www.hybrid-analysis.com/sample/8b43516b785bcb52a53355b2a8282179945b5d0c397f7123bf5ae2e276f3ab9a?environmentId=100
https://www.hybrid-analysis.com/sample/c179b9c2eb022c7f3d31e8ca86609551fa9fc6109bd10a9a4716aa7a8d307fff?environmentId=120
https://www.hybrid-analysis.com/sample/e308ca6ba8bba9d72339b8216451d2fc58d089cb288430cf20f20199d8d37274?environmentId=100
https://www.hybrid-analysis.com/sample/2ee094c9f9524a1a67c29cf541d8ee6c3df33bad7db66c43263b90804cae377c?environmentId=100
https://www.hybrid-analysis.com/sample/1f69feeb7a150f33261b4da5e1bb562193b1a30af21069f5c65b85e1fa1f3ef8?environmentId=100
https://www.hybrid-analysis.com/sample/226bd7f0ca4731ffde091810db06532880c6a25895ffe584f6317735f63de4aa?environmentId=100
https://www.hybrid-analysis.com/sample/2aed5a7841f2d9c82b7a48d1c594649607382ee9707c427da7f41727b3b342e4?environmentId=100
https://www.hybrid-analysis.com/sample/4bf0919f97a460f318a15df99259f1b4d0c199350010ffb9be095e4c56d9ce81?environmentId=100
https://www.hybrid-analysis.com/sample/37f31394df7cdd4d8bdd01ba3d7463de6dd167fed86d0f6654aa7a0280094ddf?environmentId=100
https://www.hybrid-analysis.com/sample/89b4fcdaf49da171b96f41d58a68cde1c1c88983181fcbf46e6ecf587385a23f?environmentId=100
https://www.hybrid-analysis.com/sample/6496a214a73bbe802685e592f9f33ead991d5b93273866329a152105b85e2d93?environmentId=100
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

askalan (#3)
Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.
Code:
1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice (standard settings)

Samples that have harmed the system/changed system configuration: 0/14

The presented system configuration has successfully blocked all malware. No files were encrypted.
Before the second opinion scan the samples were deleted.

Thanks for the samples @silversurfer
@Andy Ful

Hard_Configurator
 

Lord Ami (#4)
Containment: VMware® Workstation Pro 15.0.2 build-10952284
Guest/OS: W10 X64 1809
Product: AVG Internet Security 19.1.3075

Static (On-demand scan): 7/14
Dynamic (On execution): 7/7
Total: 14/14
SUD: 7
VPN: Windscribe Pro
System Status: Protected
Files encrypted: No
2019010181 runs, payload is removed.

Court Document opens, URL is blocked.

doc gets DeepScreened and put in quarantine.

IMG020787096_2018-JPG runs, URL is blocked.

Pago-swift1 has an Enable content button, nothing from AVG. Upon closing the file (at the end of the test) one URL gets blocked.

Payment Details is removed.

q.png is DeepScreened and allowed to run. Seconds later Behavior Shield removes it.

* Autoruns entries are safe. Same goes for NPE. I've modified some Windows settings to lower telemetry.
 

Lord Ami (#5)
Containment: VMware® Workstation Pro 15.0.0 build-10134415
Guest/OS: W10 X64 1809
Product: fs protection 17.5 beta 14
Static (On-demand scan): 7/14
Dynamic (On execution): 5/7
Total: 12/14
SUD: 7
VPN: Windscribe Pro
System Status: Protected
Files encrypted: No
2019010181 runs and is instantly closed/blocked.

cHxSfuNbDc runs and displays an error. Nothing from FS.

doc runs for a few seconds and gets blocked.

IMG020787096_2018-JPG is instantly blocked.

Invoices 464A62042150 - 25.485€ (installed Java, because it's a new system and I forgot :) ) runs, downloads are removed.

Pago-swift1 is removed upon execution.

Payment Details runs, nothing from FS.

* Autoruns entries are safe. Same goes for NPE. I've modified some Windows settings to lower telemetry.
 

Der.Reisende (#6)
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.195)
Product: Tencent PC Manager v12.3.26596.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine)
Static (On-demand scan): 7/14
Dynamic (On execution): 2/7
Total: 9/14
SUD: Everything not covered by TCPM BB or cloud
VPN: Windscribe v1.83 b18
System Status: infected (q.png.exe in memory; copy of it named WindowsUpdate.exe in AutoRuns, some #Adwind RAT triggered services left in memory before reboot, java.exe calling out to a dead server)
Files encrypted: no
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
1[1].exe gets instantly intercepted and autoquarantined by TCPM Realtime Protection (Tencent cloud). HIT.

2019010181.js triggers cmd.exe, conhost.exe and wscript.exe, trying to load B3g.vbs. Fails, crashes instantly. Services autoterminate. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. MISS.

Court Document.doc opens a Word document. The contained exploit does not work with SoftMaker Office Professional 2018. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. MISS.

doc.exe drops and runs fpl.exe, which triggers RegSvcs.exe. TCPM intercepts and autoquarantines the source file (3x alert), autoquarantines multiple related files. RegSvcs.exe crashes with error. Services autoterminate. No further malicious traces, no AutoRuns. HIT.

Pago-swift1.doc opens a Word document. The contained exploit does not work with SoftMaker Office Professional 2018. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. MISS.

q.png.exe creates a subprocess of its own, calls out twice, outbound ends after some time. Sets an AutoRun. MISS.

Invoices 464A62042150 - 25.485€.jar triggers icalcs.exe, conhost.exe and cmd.exe, all multiple times intercepted by TCPM BB. Multiple dropped files are removed by TCPM Realtime Protection (Bitdefender signatures). java.exe calls out to a dead server (Status SYN_SENT). javaw.exe, java.exe, xcopy.exe and conhost.exe remain in memory, without noticeable action (apart from the previously named outbound attempt). Does not set an AutoRun. Because the malware is still active before reboot and the .jar cannot be deleted because it is in use, MISS.

Thank you @silversurfer for the pack!

Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TCPM installation. The registry hijack for "openas\command" appears once an initial installation of TCPM has been in-app upgraded. It's safe.
 

Daniel Hidalgo (#7)
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 10 PRO 64Bits 1809 Build 17763.195
Product: McAfee Internet Security 2019 V. 16.0 (Custom Settings)
Static (On-demand scan): 5/14
Dynamic (On execution): 2/9
Total: 7/14
SUD: YES
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: INFECTED
Files encrypted: NONE
Firewall (screenshots)

Sample 0gr1fzmmhzu.exe: MISS
Process: 0gr1fzmmhzu.exe
Connections: YES
Ends minutes later without McAfee intervention.

Sample 2019-01-07_22-22-50.exe: MISS
Process: 2019-01-07_22-22-50.exe, cmd.exe, conhost.exe, timeout.exe
Connections: YES
Ends minutes later without McAfee intervention; the sample is automatically removed without McAfee.

Sample 2019010181.js: HIT
Process: wscript.exe, cmd.exe, conhost.exe, timeout.exe
Connections: YES
Was blocked, and the downloaded payload was removed, avoiding the infection.

Sample cHxSfuNbDc.vbs: MISS
Process: wscript.exe
Connections: YES
The process remains active without the intervention of McAfee.

Sample doc.exe: MISS
Process: doc.exe, fpl.exe, RegSvcs.exe
Connections: YES
Removes the sample effectively, but the RegSvcs.exe process remains active without the intervention of McAfee.

Sample IMG020787096_2018-JPG.js: MISS
Process: wscript.exe, cmd.exe, conhost.exe, powershell.exe
Connections: YES
It shows an error in the execution of the payload and ends.

Sample Invoices 464A62042150 - 25.485€.jar: MISS
Process: java.exe, javaw.exe, cmd.exe, conhost.exe
Connections: YES
Processes are kept active without the intervention of McAfee.

Sample Pago-swift1.doc: HIT
Process: WINWORD.EXE, VOIVHG.exe
Connections: YES
Was blocked, and the macro contained in the document was removed, avoiding the infection.

Sample Payment Details.vbs: MISS
Process: wscript.exe
Connections: YES
The process remains active without the intervention of McAfee.

Remove Samples
Run CCleaner
Process Explorer: INFECTED (multiple processes remain active (see image))
Autoruns: INFECTED (2 scripts created entries to be executed when Windows boots)
INFECTED
 

Daniel Hidalgo (#8)
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 13/14
Dynamic (On execution): 1/1
Total: 14/14
SUD: YES
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: CLEAN
Files encrypted: NONE
Settings (screenshots)

Sample 2019010181.js: HIT
Process: cmd.exe, wscript.exe
Connections: none
Was blocked, and the downloaded payload was removed, avoiding the infection.

Remove Samples Folder
Run CCleaner
Process Explorer: SAFE
Autoruns: SAFE
CLEAN
 

harlan4096 (#9)
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Static/Contextual Scan: 12 / 14 - Dynamic/On Execution Scan: 1 / 2 - Total: 13 / 14 - SUD: 2
3 by UDS (Urgent Detection System) / 9 by Heur (Trojan / Backdoor / Exploit) / 3 by Signatures
Before System Reboot -> Files Encrypted: No - System Final Status: Infected
After System Reboot -> Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Protected


Location: Almería (Spain) CET
Samples Pack Posted: 07/01/2019 05:00pm
Static Test Started: 07/01/2019 07:02pm
Dynamic Test Started: 07/01/2019 07:07pm
SUD: 07/01/2019 07:05pm


* (Hit) Payment Details.vbs: detected/deleted upon execution by Heur (Trojan.Script).



* (Miss) BR.exe: ran and after a while spawned a subprocess and auto-terminated it, no outbound connections, it remained running on the system and after some minutes I decided to reboot the system. An entry was set in the Windows AutoRuns sections pointing to an empty folder in \AppData\Local\Temp (see next Windows AutoRuns section). After system reboot it didn't run any more.


_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns (screenshot: AR - BEFORE SYSTEM REBOOT).

After system reboot (screenshot: AR - AFTER SYSTEM REBOOT).

Warning: All original samples from the extracted folder were deleted manually before running Second Opinion Scanners, except those which were still actively running on the system and/or are referred to in a registry key in the Windows AutoRuns sections.

After System Reboot -> ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\AppData\), HMP, WiseVector -> All Clean, System Protected (screenshot: SOS).

Thanks to @silversurfer !

Kaspersky VirusDesk Final Verdict:
Hello, New malicious software was found in the attached file. Its detection will be included in the next update.

Payment Details.vbs - Trojan.VBS.Agent.apd
BR.exe - Trojan.Win32.VB.dorr


Thank you for your help.
Best regards,
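Several posts in this thread judge persistence by what AutoRuns shows after the dynamic run: post #9 found an entry pointing to an empty folder under \AppData\Local\Temp, post #7 found scripts registered to run at boot, and post #6 found a copy of a sample named WindowsUpdate.exe in AutoRuns. The script below is an added PowerShell example written for this page; it is not code from the thread, from MalwareTips or from any product named here. It reads the standard Run/RunOnce registry keys (the paths are the real Windows autostart locations) and flags entries that match those three patterns. The Temp-folder pattern, the interpreter list and the output fields are illustrative assumptions, not a complete persistence audit, so every hit should be reviewed by hand rather than deleted automatically.

```powershell
# Added example (not from the thread): audit Run/RunOnce autostart entries for
# the signs the testers above looked for after executing samples. The registry
# paths are the standard Windows autostart keys; the heuristics are assumptions.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the program path from a command line, honouring a quoted first token,
# e.g. "C:\Users\x\AppData\Local\Temp\WindowsUpdate.exe" /silent -> the .exe path.
function Get-AutorunTarget {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

# Emit one object per entry that matches at least one heuristic.
function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PS* bookkeeping properties; skip those.
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' }
        foreach ($p in $props) {
            $cmdLine = [string]$p.Value
            $target  = [Environment]::ExpandEnvironmentVariables((Get-AutorunTarget $cmdLine))
            $reasons = @()
            # Post #9 / #6: entry launching something from the user's Temp folder
            if ($target -match '(?i)\\AppData\\Local\\Temp\\') { $reasons += 'runs from user Temp' }
            # Post #7: a script or script host registered to run at logon/boot
            if ($cmdLine -match '(?i)\b(wscript|cscript|mshta)\b|\.(vbs|js|jse|wsf)\b') { $reasons += 'script host autostart' }
            # Post #9: the target was already gone after reboot (dangling entry)
            if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target missing' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmdLine
                    Target  = $target
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = @(Get-SuspiciousAutoruns)
if ($findings.Count -eq 0) { 'No suspicious Run/RunOnce entries found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the guest after the dynamic test and again after the reboot, the same way the testers ran AutoRuns twice: an entry that appears in the first run and whose target is missing in the second is the "empty folder in Temp" case from post #9. The script only covers the Run/RunOnce keys, so scheduled tasks, services and startup-folder shortcuts, which AutoRuns also lists, still need a separate check.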
 

omidomi (#10)
Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: Webroot IS (9.0.24.37) - Default Setting
Static (On-demand scan): 6/14
Dynamic (On execution): 2/8
Total: 8/14
SUD: 8
VPN: Security Kiss Tunnel 0.3.2
Files encrypted: No
Second Opinion Scanners: Infected (HMP, NPE, Zemana)
System Final Status: Infected, live malware in memory!
2019010181.js: Let's run sample, try to remote "..." No alert from Webroot.

cHxSfuNbDc.vbs: Let's run sample, try to remote "..." Blocked by Webroot.

Court Document.doc: Let's run sample & click on "Enabled..." No alert from Webroot, 1.exe dropped in memory.

IMG020787096_2018-JPG.js: Let's run sample, crashed.

doc.exe: Let's run sample, a blank Word page opens, blocked by Webroot.

Invoices 464A62042150 - 25.485€.jar: Let's run sample, try to remote "..." No alert from Webroot.

Pago-swift1.doc: Let's run sample & click on "Enabled..." No alert from Webroot.

Payment Details.vbs: Let's run sample, try to remote "..." No alert from Webroot.

PE & Autoruns reported infected (screenshots).

Zemana (full, custom) & HMP & NPE reported safe (screenshots).

thanks for the pack