That's one way attackers attempt to bypass security mechanisms by masquerading as a legitimate process, one that's often signed like software that performs a useful function on the system.
Harmony Endpoint by Check Point
- Thread starter Trident
- Start date
That's one way attackers attempt to bypass security mechanisms by masquerading as a legitimate process, one that's often signed like software that performs a useful function on the system.
piquiteco
Level 14
- Oct 16, 2022
- 626
But it was not contained by the CIS
It has a signature but it is invalid, so CIS should have contained it. However, the signature is Microsoft's, surely forged to remain undetectable by AVs, posing as signed by Microsoft, and the certificate expired on 05/11/2023
piquiteco
Level 14
- Oct 16, 2022
- 626
In ZoneAlarm Extreme Security NextGen there is no way to change the size?
- Feb 7, 2023
- 1,753
I don't think Comodo performs any validity checks (I may be wrong). Microsoft does not provide the necessary APIs to do it, you will have to rely on internal lists. Hence, it was not contained by Comodo under default setup.
No, there is no way to change the size limit in ZA and in many others.
piquiteco
Level 14
- Oct 16, 2022
- 626
Comodo was not in the default settings, it is in proactive configuration and all enabled, the CIS was only possible to block when it was with the hips enabled, when I disabled and ran the malware the CIS could not contain in the sandbox. PS: The CIS by default comes with the hips disabled.
Proactive configuration active, still couldn't block stealer malware.*/off topic
with Default Settings(expected I guess)
- Aug 19, 2019
- 1,027
Was "Do not virtualize the following..." selected? If the file was in the Download Folder it would be ignored initially unless that box is unchecked.
piquiteco
Level 14
- Oct 16, 2022
- 626
When I used comodo I never checked this box Do not virtualize the following, I always do it from the CF/CIS GUI and the same goes for a trusted file, never from the popup shown.
- Aug 19, 2019
- 1,027
It's ticked by default, just wanted to check whether that was unticked or not when you ran the malware.
- Jan 6, 2022
- 436
Was it signed by a reputable vendor?I didn't look at the sample.
piquiteco
Level 14
- Oct 16, 2022
- 626
It was not unchecked when I ran the malware. The Malware I ran from the Desktop. First I did a scan and found nothing, then I decided to run it but with Hips enabled and it showed a red popup that the file was unknown then I clicked finish and block. Then I ran with HIPS disabled trusting that CIS would play in containment and it didn't the malware did the party, but when trying to connect to C&C servers the connections were blocked, probably the data stolen but didn't leave the machine.
No, forged Microsoft signature to appear to be legitimate Windows process, but the certificate expired 11/05 and I have it here is still packaged .exe
piquiteco
Level 14
- Oct 16, 2022
- 626
Bitdefender doesn't detect it either, maybe only at runtime. I don't believe BD has cloud. MS-Defender, kaspersky, Webroot are the only ones I know of that have ☁ really.
- Feb 7, 2023
- 1,753
Majority of the content inside is just filler to increase the size and do it in a way that won’t raise suspicion by static analysis, which suggests that AVs like Norton, Defender or Kaspersky were the target for evasion. The Cursed.exe is the actual stealer, which is configured with a very high refresh rate (amateur attacker maybe) and has very high CPU usage. Upon execution, I noticed that high network activity occured which means it is not a stealer but a full-fledged RAT and the attackers were looking at my screen and browsing the folders. I would normally say hi in this case Notepad and most amateur attackers sometimes would even reply but I was lazy this time.
@piquiteco BD uses cloud and everyone else does as well. There is nobody not using it.
Last edited:
piquiteco
Level 14
- Oct 16, 2022
- 626
Now that he steals after all lol, passwords saved in the browser, empties cryptocurrency wallets? I am looking like an idiot, I get an atomic bomb, what is this button for? let me press it and see what happens, there goes me and my city and my country into space, kidding aside this business should never have created.
piquiteco
Level 14
- Oct 16, 2022
- 626
I don't think they all work the same as the cloud, Kaspersky for example when I used and disabled update for almost a month, even then it was able to detect and block through KSN I had never seen before that.
piquiteco
Level 14
- Oct 16, 2022
- 626
- Feb 7, 2023
- 1,753
I am not sure as I didn't analyse that deep, it wasn't a very interesting sample. But normally RAT builders include all necessary bypasses already, including UAC bypass. If you ask me, they just copied bunch of random files.
piquiteco
Level 14
- Oct 16, 2022
- 626
When scanning with Norton Power Eraser it detected as High risk, untrusted reputation see in the screenshots, so it is good to have a second opinion scanner. It's cloud yes, all AVs use cloud @Trident was correct in his statements, I was the one who didn't know how to express it.
I'm not pulling @Trident's leg but norton seems to be really good, so guys, leave the saved NPE in your arsenal that one day you might need it.
I'm not pulling @Trident's leg but norton seems to be really good, so guys, leave the saved NPE in your arsenal that one day you might need it.
piquiteco
Level 14
- Oct 16, 2022
- 626
Wow, my God I had not even read carefully what you posted is like VNC, TeamViewer, Windows RDP? If I had run on real machine without any scruples would they have controlle on my computer? Probably if it happened to me I would pull the network cable on the spot fly router and modem everywhere lol
Just a fun test, nothing serious. Installed a bunch of malware and then enabled Harmony to see its disinfection and detection capabilities.ntlhost.exe is still active, can't upload it to VT because of size (bloated intentionally). Installed Avast Free and the file was caught immediately.
Similar threads
