Number of samples: 1
Verified malware samples: Yes, this only contains malware
Threat analysis report:
https://www.virustotal.com/#/file/c41174a8683089617e99695324703025140d0b705c4b345a24b0759b8971e187/detection
https://www.hybrid-analysis.com/sample/c41174a8683089617e99695324703025140d0b705c4b345a24b0759b8971e187?environmentId=100
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and make informed decisions on which security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Der.Reisende (Level 37, Content Creator, MWT-Tester, Verified; joined Dec 27, 2014; 2,665 messages; OS: Windows 10; antivirus: Tencent)
#2
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.253)
Product: Tencent PC Manager v12.3.26597.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine)
Static (On-demand scan): 1/1
Dynamic (On execution - Bonus test with Realtime Protection turned off): 0/1 (*)
Total: 1/1
SUD: N/A
VPN: Windscribe v1.83 b18
System Status: clean (signatures) / infected (bonus dynamic test)
Files encrypted: no (signatures) / (*) yes, some system files (bonus dynamic test)
update.png
static.png
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
GusCrypter.exe opens a command-line window. TCPM BB instantly intercepts and auto-quarantines the source malware. It also intercepts cmd.exe, reg.exe and conhost.exe (plenty of BB alerts). According to quarantine, a few system files got damaged. No personal files were harmed. Because of that, it is still a miss regardless of the very quick reaction by the BB. MISS.
[attachments: run1.png, run1_1.png, run1_2.png, run1_3.png]
[attachments: PE.png, TCP_PE.png, autorun.png, files.png, 2o.png]
Thank you @erreale for the file!
Norton Power Eraser (NPE) entries: the Baidu registry entries belong to the TCPM installation. The registry hijack for "openas\command" appears once an initial installation of TCPM has been in-app upgraded. It's safe.

askalan (Level 14, MWT-Tester, Verified; joined Jul 27, 2017; 669 messages; OS: Linux)
#3
Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)

Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.

Code:
1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Office: LibreOffice (standard settings)

Samples that have harmed the system/changed system configuration: 0/1

The presented system configuration has successfully blocked all malware. No files were encrypted.
Before the second opinion scan the samples were deleted.



Thanks for the samples!
@Andy Ful

Hard_Configurator

omidomi (Level 64, MWT-Tester, Verified; joined Apr 5, 2014; 5,380 messages; OS: Windows 8.1; antivirus: Kaspersky)
#4
Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: WebRoot IS (9.0.24.37) - Default Settings
Static (On-demand scan): 1/1
Dynamic (On execution): *0/1
Total: 1/1
SUD: No
VPN: Security Kiss Tunnel 0.3.2
File encrypted: *No
Second Opinion Scanners: *Infected (NPE)
System Final Status: *Infected
Let's run the sample: this window opens (closed manually), no alert from Webroot.
PE reported safe:

Autorun reported Infected:

Zemana(full,custom) & HMP reported safe:

NPE reported infected:
thanks for the sample

Solarquest (Moderator, MalwareTips Team, MWT-Tester, Verified; joined Jul 22, 2014; 2,074 messages)
#5
Containment: VirtualBox-6.0.0.127566
Host Windows 10 pro 64 bit v1809
Guest/OS: Windows 10, Home v1809 + Java
VPN: Windscribe 1.83
Product: Emsisoft 12 AM 2018.12.1.9144, default settings + Emsisoft Browser security
Static (On-demand scan): 1/1
BONUS Dynamic (On execution): 1/1
Total: 1/1
SUD: all samples missed on static
2nd opinion detection of new files or in memory: Zemana: 0 HMP:0 autoruns:0 PE: 0 NPE:0
File encrypted: no
Final status: System clean

Additional notes: Thank you @erreale for the samples!
(I decided to keep the missed/not deleted samples in the malware folder to see if 2nd opinion scanners detect them.)

Spoiler (SUD + update, updated signatures): [attachment: SUD+ update updated signatures.PNG]

Spoiler (Static): [attachment: Static.PNG]

Spoiler: GusCrypt- starts -> conhost -> Emsi BB alerts -> quarantined
[attachment: gus.PNG]

Spoiler:
Files in MW folder: 0

2nd opinion scanners:
[attachments: PE.PNG, Autoruns compare.PNG, Zemana appdata.PNG, NPE.PNG, HMP.PNG, zemana.PNG]

harlan4096 (Moderator, MalwareTips Team, MWT-Tester, Verified; joined Apr 28, 2015; 4,224 messages; OS: Windows 10; antivirus: Kaspersky)
#6
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Static/Contextual Scan: 1 / 1 - SUD: N/A
1 by Signatures
System Final Status: Clean

BB Dynamic Bonus Test/On Execution Scan (File AV + KSN disabled): 1 / 1
1 by Dangerous Application Behaviour (PDM:Trojan)
Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Clean

Location: Almería (Spain) CET
Samples Pack Posted: 12/01/2019 02:51pm
Static Test Started: 12/01/2019 05:26pm
Dynamic Test Started: 13/01/2019 09:06am

[attachments: U.png, ST.png]

* (Hit) GusCrypter.exe: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).

[attachment: 1.png]

_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns:

[attachment: AR.png]

Warning: All original samples from the extracted folder were deleted manually before running the Second Opinion Scanners, except those that are still running on the system and/or are referenced in a registry key in the Windows AutoRuns sections.

ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\),
WiseVector
(C:\ProgramData + C:\...\<user account>\),
HMP (Default Scan: Recommended) -> All Clean, System Clean:

[attachment: SOS.png]

Thanks to @erreale !
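Every report in this thread ends with the same two post-execution checks: did new autorun entries appear (the Autoruns runs and the "Autoruns compare" screenshot in posts #5 and #6), and were files in the user profile rewritten (the "Files encrypted" line in each result block). The PowerShell baseline/compare helper below is an added example for readers who want to script those checks; it is not code posted by any tester in this thread and is not part of any product mentioned. The registry keys, the watched folders and the baseline path are assumptions chosen for illustration, and the script is meant to run inside the throwaway guest VM, once before the sample is executed and once after the product's alerts have settled.

```powershell
# Added example, not from any post in this thread. Snapshot autorun registry
# values and SHA-256 hashes of user files, then diff two snapshots to answer
# "new autoruns?" and "files encrypted/replaced?" after running a sample.

# Assumption: the common Run/RunOnce keys plus BHOs; extend as needed.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Assumption: folders a crypter would target; Documents and Desktop here.
$WatchDirs = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")

function Get-Snapshot {
    # Autorun values keyed as "<key>!<valuename>" -> data string.
    $autoruns = @{}
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            $autoruns["$k!$($p.Name)"] = [string]$p.Value
        }
    }
    # File hashes keyed by full path; a rewritten (encrypted) file changes its hash.
    $files = @{}
    foreach ($d in $WatchDirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                $files[$_.FullName] = $h
            }
    }
    return @{ Autoruns = $autoruns; Files = $files }
}

function Compare-Snapshot($Before, $After) {
    # Report what appeared, changed or vanished between the two snapshots.
    $report = [ordered]@{
        NewAutoruns = @(); ChangedAutoruns = @()
        NewFiles = @(); ChangedFiles = @(); MissingFiles = @()
    }
    foreach ($key in $After.Autoruns.Keys) {
        if (-not $Before.Autoruns.ContainsKey($key)) {
            $report.NewAutoruns += "$key = $($After.Autoruns[$key])"
        } elseif ($Before.Autoruns[$key] -ne $After.Autoruns[$key]) {
            $report.ChangedAutoruns += "$key : $($Before.Autoruns[$key]) -> $($After.Autoruns[$key])"
        }
    }
    foreach ($path in $After.Files.Keys) {
        if (-not $Before.Files.ContainsKey($path)) { $report.NewFiles += $path }      # e.g. ransom notes, .locked copies
        elseif ($Before.Files[$path] -ne $After.Files[$path]) { $report.ChangedFiles += $path }  # rewritten in place
    }
    foreach ($path in $Before.Files.Keys) {
        if (-not $After.Files.ContainsKey($path)) { $report.MissingFiles += $path }  # deleted or renamed
    }
    return $report
}

# Usage in the guest (assumed baseline path). The baseline is written to disk
# because the sample may kill the PowerShell session that took it.
#   Before executing the sample:
#     Get-Snapshot | Export-Clixml C:\baseline.xml
#   After execution, once alerts have settled:
#     $before = Import-Clixml C:\baseline.xml
#     Compare-Snapshot -Before $before -After (Get-Snapshot) | Format-List
```

A non-empty ChangedFiles or NewFiles list is the scripted equivalent of the "Files encrypted: yes" verdict, and NewAutoruns corresponds to the Autoruns comparison; both should be read alongside the product's own quarantine log, since an autorun value that points at a file already quarantined (as in post #2) is a persistence attempt that did not survive. Under Shadow Defender or a VM snapshot the baseline file is discarded on reboot, which is fine because the comparison is done before reverting.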