Number of samples: 1
Verified malware samples: Yes, this only contains malware
Threat analysis reports:
https://www.virustotal.com/en/file/f12c462906f27b54849c8282719269fcd2a5c0e5c1464b93f3189f4200a42be2/analysis/1546965909/
https://www.hybrid-analysis.com/sample/f12c462906f27b54849c8282719269fcd2a5c0e5c1464b93f3189f4200a42be2
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and make informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Lord Ami (#2)
Containment: VMware® Workstation Pro 15.0.2 build-10952284
Guest/OS: W10 X64 1809
Product: AVG Internet Security 19.1.3075
Static (On-demand scan): 0/1
Dynamic (On execution): 1/1
Total: 1/1
SUD: N/A (Automatically submitted)
VPN: Windscribe Pro
System Status: Protected
Files encrypted: No
alb runs, gets DeepScreened and after ~1 minute is blocked by Behavior Shield.
* Autoruns entries are safe. Same goes for NPE. I've modified some Windows settings to lower telemetry.
 

harlan4096 (#3)
Containment: VMware Workstation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Static/Contextual Scan: 1 / 1 - Dynamic/On Execution Scan: 1 / 1 - Total: 1 / 1 - SUD: N/A
1 by Heur (Backdoor)
1 by Dangerous Application Behaviour (PDM:Trojan)
Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Clean

Location: Almería (Spain) CET
Samples Pack Posted: 08/01/2019 05:51pm
Static Test Started: 08/01/2019 06:17pm
Dynamic Test Started: 08/01/2019 06:23pm

* (Hit) alb.exe: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).

_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns:

Warning: All original samples from the extracted folder were deleted manually before running the Second Opinion Scanners, except those that are still actively running on the system and/or are referenced in a registry key in the Windows AutoRuns sections.

ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\), WiseVector (C:\ProgramData + C:\...\<user account>\), HMP (Default Scan: Recommended) -> All Clean, System Clean.

Thanks to @erreale!

Solarquest (#4)
Containment: VirtualBox-6.0.0.127566
Host Windows 10 pro 64 bit v1809
Guest/OS: Windows 10, Home v1809 + Java
VPN: Windscribe 1.83
Product: Emsisoft 12 AM 2018.12.1.9144, default settings + Emsisoft Browser security
Static (On-demand scan): 1/1
BONUS Dynamic (On execution): 1/1
Total: 1/1
SUD: all samples missed on static
2nd opinion detection of new files or in memory: Zemana: 0 HMP:0 autoruns:0 PE: 0 NPE:0
File encrypted: no
Final status: System clean

Additional notes: Thank you @Erreale for the samples!
(I decided to keep the missed/not deleted samples in the malware folder to see if 2nd opinion scanners detect them.)

SUD+ update: updated signatures.

alb.exe starts; when it creates a sub-process Emsi blocks it, and after reboot it deletes it.

Files in MW folder: 0
 

askalan (#5)
Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)

Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.

1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Office: LibreOffice (standard settings)

Samples that have harmed the system/changed system configuration: 0/1

The presented system configuration has successfully blocked all malware. No files were encrypted.
Before the second opinion scan the samples were deleted.

Thanks for the samples @erreale
@Andy Ful


Faybert (#6)
Containment: Shadow Defender v1.4.0.680
Guest/OS: Windows 10 Pro x64 Build v1809 - build 17763.253
Product: G Data Internet Security - v25.5.1.21 (Default Settings)
VPN: F-Secure FREEDOME VPN - v2.23.5653.0
Static (On-demand scan): 1/1
Dynamic (On execution): 1/1 (bonus test - signatures disabled, only BB enabled.)
Total: 1/1
SUD: No
System Status: Clean
Files Encrypted: No
Second Opinion Scanners: Clean
Locked and moved to quarantine by BB.
Zemana (full scan in system and AppData folder), HitmanPro and NPE = Clean

Process Explorer clean and without keys created in Autoruns.

Thanks for the sample, @erreale (y)
 

omidomi (#7)
Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: Webroot IS (9.0.24.37) - Default Settings
Static (On-demand scan): 0/1
Dynamic (On execution): 0/1
Total: 0/1
SUD: 1
VPN: Security Kiss Tunnel 0.3.2
File encrypted: No
Second Opinion Scanners: Infected (HMP, Zemana)
System Final Status: Infected, live malware in memory!
Let's run the sample: it runs in memory.
PE & Autoruns reported infected.

Zemana (full, custom) & HMP reported infected.

NPE does not work, so the test with NPE was skipped.

Thanks for the sample.
 

Daniel Hidalgo (#8)
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64 bits
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 1/1
Dynamic (On execution) Bonus Test: 0/1
Total: 1/1
SUD: NO
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: CLEAN
Files encrypted: NONE
Bonus test
System Status: INFECTED
Files encrypted: NONE
Bonus Test
Disable Real Time Protection
Sample alb.exe: MISS
Process alb.exe
Connections: YES
It was intercepted by the ESET firewall, but remote connections were allowed and therefore it remains active.


Run CCleaner
Process Explorer: INFECTED (the alb.exe process remains active)
Autoruns: INFECTED (a malicious entry was created)
INFECTED