Malware Analysis Malware/PUA listed as clean (again)

Sandbox Breaker - DFIR

Sandbox Breaker - DFIR

Level 12
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
538
1,723
1,069
Inside a sandbox.
Found this at a customer. It was blocked but upon further inspection I saw that Xcitium marks the files as clean. Their human analyst also concluded its clean. ITS NOT.

verdict.xcitium.com

Xcitium Cloud Verdict

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
verdict.xcitium.com verdict.xcitium.com

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
 
  • Like
  • HaHa
Reactions: Zartarra, Nevi, simmerskool and 7 others
Sandbox Breaker said:
Found this at a customer. It was blocked but upon further inspection I saw that Xcitium marks the files as clean. Their human analyst also concluded its clean. ITS NOT.

verdict.xcitium.com

Xcitium Cloud Verdict

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
verdict.xcitium.com verdict.xcitium.com

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
Click to expand...
Could you share the sample please?
 
  • Like
Reactions: Nevi, roger_m, Dave Russo and 1 other person
Detected by CheckPoint Harmony ( Trojan.Win32.Agent.xataeo )

Capture d’écran 2023-06-28 180149.png

DeepInstinct too

image_2023-06-28_180327866.png
 
  • Like
  • Applause
Reactions: Nevi, roger_m, simmerskool and 3 others
Trident said:
There is no human analysis. This is a browser hijacker, there is no way a real human won’t see that. And it’s also an old one. The human analysis is just marketing.
Click to expand...
That's a disgrace.

Trident said:
There is no human analysis. This is a browser hijacker, there is no way a real human won’t see that. And it’s also an old one. The human analysis is just marketing.
Click to expand...
They are also still using the sample. Wierd how a two month old file is still being distributed.
 
  • Like
Reactions: roger_m, Trident and Kongo
HAs anyone tried to execute this on a virtual machine or a sandboxed state, with the AV disabled, just to check what it does?
 
  • Like
Reactions: Nevi and Kongo
partha_roy said:
HAs anyone tried to execute this on a virtual machine or a sandboxed state, with the AV disabled, just to check what it does?
Click to expand...

147e1b5a750fbfd8863449d523e3d6d110defceb74ad9cdb7c939ab75ffa2180 | Triage

Check this report malware sample 147e1b5a750fbfd8863449d523e3d6d110defceb74ad9cdb7c939ab75ffa2180, with a score of 8 out of 10.
tria.ge tria.ge
You can see the report here.

Trident said:
This one would be detected both with Kaspersky and Sophos engines.

@partha_roy it is a browser hijacker, it was mentioned above.
Click to expand...
The malware family is "Agent". Funny. Kaspersky sig
 
  • Like
Reactions: Trident and Kongo
You must log in or register to reply here.

You may also like...