Serious Discussion False Positive by Kaspersky or Real Malware?

Khushal

Apr 4, 2024


Further discovery by me led to the following being the root cause of detection (or false detection):

What is your opinion?
Is Malware Identification by strings and mutexes always reliable?
 
Where to find the installer? Impossible unless to register in Palo Alto... now 5 detections at VT, but not from main avs except K...

No idea, but that is not the main point.
f979cca83cf316e30a73b478613ebc5578fa9b14b4b29d9f989fb0f7ca8a11bf has mimikatz strings according to VT and Thor.

False Positive, but not completely False Positive.

PaloAlto has been having this trouble with UaCredService for over 10 years because PaloAlto uses Mimikatz code within UaCredService. More specifically, UaCredService takes the domain user/password and checks it over the internet. UaCredService performs credential verification when the credential detection feature is enabled. When a corporate (usually a domain) user uses their credentials to access some resource, their credentials are sent to the UaCredService which, in turn, checks the user's credentials over a network with a connected Credential Verification or Authentication Service (not a PaloAlto product or service). This entire process mimics Mimikatz and UaCredService uses Mimikatz code.

Submit ticket to PaloAlto or search available PaloAlto support forums for confirmation of further details.
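As an added illustration of the point above (this is not code from the thread, from Palo Alto or from Kaspersky), the Python below shows why a string/mutex-only signature fires on a legitimate binary that embeds Mimikatz-derived code, and how a layered triage step (a hash allow-list plus requiring indicators to co-occur) separates that case from a sample that should be escalated. Every indicator string, sample byte blob and allow-list entry is a constructed placeholder, not a vendor's real rule or a real file.

```python
import hashlib

# Constructed indicator set standing in for a string/mutex signature of the
# kind the thread discusses; placeholders, not any vendor's actual rule.
STRING_INDICATORS = [b"mimikatz", b"CREDDUMP_STRING_PLACEHOLDER"]
MUTEX_INDICATORS = [b"Global\\CREDDUMP_MUTEX_PLACEHOLDER"]

# Constructed samples: a "legitimate" credential-check service that embeds
# Mimikatz-derived code (as the thread says UaCredService does), and a blob
# that carries the same strings plus the mutex. Both are fake bytes.
LEGIT_SERVICE = (b"UaCredService.exe\x00credential verification\x00"
                 b"mimikatz CREDDUMP_STRING_PLACEHOLDER")
OTHER_SAMPLE = (b"unknown.exe\x00mimikatz CREDDUMP_STRING_PLACEHOLDER "
                b"Global\\CREDDUMP_MUTEX_PLACEHOLDER")

# Assumed allow-list of SHA-256 hashes of known vendor builds. Constructed here
# by hashing the fake sample; in practice it comes from the vendor or VT.
KNOWN_GOOD_SHA256 = {hashlib.sha256(LEGIT_SERVICE).hexdigest()}


def string_matches(blob: bytes) -> dict:
    """Pure string/mutex matching: what a naive signature does and nothing more."""
    return {
        "strings": [s.decode() for s in STRING_INDICATORS if s in blob],
        "mutexes": [m.decode() for m in MUTEX_INDICATORS if m in blob],
    }


def triage(blob: bytes) -> str:
    """Layered verdict: string hits are a lead, not proof.

    Known-good hash explains the hits (embedded code, like UaCredService);
    strings and mutex together escalate; strings alone go to a human.
    """
    hits = string_matches(blob)
    if not hits["strings"] and not hits["mutexes"]:
        return "clean"
    if hashlib.sha256(blob).hexdigest() in KNOWN_GOOD_SHA256:
        return "known-good: string hits explained by embedded code"
    if hits["strings"] and hits["mutexes"]:
        return "suspicious: strings and mutex co-occur"
    return "needs-review: strings only"


if __name__ == "__main__":
    for name, blob in (("LEGIT_SERVICE", LEGIT_SERVICE), ("OTHER_SAMPLE", OTHER_SAMPLE)):
        print(name, string_matches(blob), "->", triage(blob))
```

Both constructed samples hit the same string indicators, so the string layer alone cannot tell them apart; only the allow-list and the co-occurrence rule do.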
Thank you. I'll request that you reply to MalwareHunterTeam on X so that there is more clarity.