Number of samples: 6
Verified malware samples: Yes, this only contains malware
Threat analysis reports:
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and make informed decisions on which security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Lord Ami (#3)
Containment: VMware® Workstation Pro 15.0.0 build-10134415
Guest/OS: W8.1 X64
Product: fs protection 17.5 beta 14
Static (On-demand scan): 5/6
Dynamic (On execution): 1/1
Total: 6/6
SUD: 1
VPN: Windscribe Pro
System Status: Protected
Files encrypted: No
GandCrab Thoai Cai runs, Powershell gets blocked
 

askalan (#4)
Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.
Code:
1. Containment: VirtualBox 5.1.34
2. Windows: 10 Home
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice 6.0 (lowest Macro protection level)

Samples that have harmed the system/changed system configuration: 0/6

The presented system configuration has successfully blocked all malware. No files were encrypted.
Before the second opinion scan the samples were deleted.


Thanks for the samples @erreale
@Andy Ful

Hard_Configurator
 

harlan4096 (Moderator, MalwareTips Team) (#5)
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Static/Contextual Scan: 6 / 6 - Total: 6 / 6 - SUD: N/A
2 by UDS (Urgent Detection System) / 4 by Heur (Trojan)
System Final Status: Clean

Samples Pack Posted: 04/01/2019 01:42pm
Static Test Started: 04/01/2019 05:56pm


Thanks to @erreale !
__________

MWHub Monthly Statistics & Reports

harlan4096 (Moderator, MalwareTips Team) (#6)
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Dynamic BB Bonus Test: 5 / 6 (Disabled modules: File AV + KSN)
4 by Dangerous Application Behaviour (PDM:Trojan) / 1 by WebAV
Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Protected

Samples Pack Posted: 04/01/2019 01:42pm
Dynamic Test Started: 04/01/2019 06:12pm

* (Hit) GandCrab Thoai Cai.js: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan). KL Advanced Disinfection was started.



* (Hit) Ransom Crypren.exe: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan). KL Advanced Disinfection was started.



* (Miss) Ransom REntS.exe: ran for about 1 second and auto terminated; it generated a txt file warning the user that the system has been encrypted, but it is just a hoax.


* (Hit) Ransom Ryuk.exe: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).



* (Hit) Trojan Chapak.exe: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).



* (Hit) Trojan Locky.vbs: triggered wscript.exe and a dangerous URL was detected/blocked, and auto terminated.


_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns:


Warning: All original samples from the extracted folder were deleted manually before running the Second Opinion Scanners, except those that were still actively running on the system and/or are referred to in a registry key in the Windows AutoRuns sections.

ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\AppData\) HMP WiseVector -> All Clean, System Protected:


Thanks to @erreale !

Der.Reisende (Content Creator) (#7)
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.195)
Product: Tencent PC Manager v12.3.26596.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine)
Static (On-demand scan): 5/6
Dynamic (On execution - bonus test with Realtime Protection turned off): 4/6
Total: 5/6 (Bitdefender signatures) / 4/6 (TCPM BB only)
SUD: GandCrab Thoai Cai.js
VPN: Windscribe v1.83 b18
System Status: protected
Files encrypted: no
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
GandCrab Thoai Cai.js triggers wscript.exe, powershell.exe and conhost.exe. All end seconds after. No further malicious actions, no AutoRuns, no encrypted files. Malware folder and untouched source file deleted before firing off 2nd_opinion scans. MISS.
Ransom Crypren.exe gets instantly intercepted and autoquarantined by TCPM BB (2x alert). Apart from a dropped remnant, no further malicious actions, no AutoRuns, no encrypted files. Malware folder deleted before firing off 2nd_opinion scans. HIT.
Ransom REntS.exe drops a funny ransom note (see screenshot), then autoterminates. No further malicious actions, no AutoRuns, no encrypted files. Untouched source file and malware folder deleted before firing off 2nd_opinion scans. HIT.
Ransom Ryuk.exe drops and runs ebpxb.exe, TCPM BB instantly intercepts and autoquarantines both malwares. No further malicious actions, no AutoRuns, no encrypted files. Empty malware folder deleted before firing off 2nd_opinion scans. HIT.
Trojan Chapak.exe drops a copy of itself to AppData/Roaming. TCPM BB instantly intercepts and autoquarantines both malwares. No further malicious actions, no AutoRuns, no encrypted files. Empty malware folder deleted before firing off 2nd_opinion scans. HIT.
Trojan Locky.vbs triggers wscript.exe, which ends seconds after. No further malicious actions, no AutoRuns, no encrypted files. Malware folder and untouched source file deleted before firing off 2nd_opinion scans. MISS.
Thank you @erreale for the pack!
Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TCPM installation. The registry hijack for "openas\command" appears once an initial installation of TCPM has been in-app upgraded. It's safe.
 

omidomi (#8)
Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: WebRoot IS (9.0.24.37) - Default Settings
Static (On-demand scan): 4/6
SUD: 2
VPN: Security Kiss Tunnel 0.3.2

thanks for the pack
 

omidomi (#9)
Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: WebRoot IS (9.0.24.37) - Default Settings
Static (On-demand scan): 4/6
Dynamic (On execution): 0/2
Total: 4/6
SUD: 2
VPN: Security Kiss Tunnel 0.3.2
Files encrypted: Yes
Second Opinion Scanners: All Clean
System Final Status: Infected, files were encrypted!
GandCrab Thoai Cai.js: encrypted files + background changed!


Trojan Locky.vbs: the sample runs and tries to reach the remote "...", with no alert from Webroot.
PE & Autorun reported safe:

Zemana(full,custom) & HMP & NPE reported safe:

thanks for the pack