Number of samples: 3
Verified malware samples: Yes, this only contains malware
Threat analysis reports:
https://www.hybrid-analysis.com/sample/38e8e97b87fae46c5615834adbb8bf8db3b407de8a0ac175f620214499457e02?environmentId=100
https://www.hybrid-analysis.com/sample/40831e46c181257ff4bc8618ec7720c18d44fa74b1b0173d93e1f5837956d807?environmentId=100
https://www.hybrid-analysis.com/sample/7b45c41a26cf7c88bc9b289d3a33deee0a30ffed0741f707d4dbd5c31353be72
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and make informed decisions about which security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Der.Reisende, post #3
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.194)
Product: Tencent PC Manager v12.3.26595.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine) + WiseVector v1.30
Static (On-demand scan): 1/3
Dynamic (On execution): see Dynamic Tab
Total: see Dynamic Tab
SUD: see Dynamic Tab
VPN: Windscribe v1.83 b18
System Status: see Dynamic Tab
Files encrypted: no
[attached screenshots: update.png, static.png, wise.png]
see Dynamic Tab
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
see Dynamic Tab
Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TPCM installation. The registry hijack for "openas\command" appears once an initial installation of TPCM has been upgraded in-app. It's safe.
 

Der.Reisende, post #4
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.194)
Product: Tencent PC Manager v12.3.26595.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine) + WiseVector v1.2.9.0
Static (On-demand scan): 1/3
Dynamic (On execution): 1/3 (the detection is for the dynamic test of haha.exe, which is already known to signatures)
Total: 1/3
SUD: Everything missed by TCPM BB or cloud
VPN: Windscribe v1.83 b18
System Status: infected (AutoRun for signed ac47dfc4.exe; vbc.exe and sysinfo.exe in memory, calling out; CPU at 100%)
Files encrypted: no
[attached screenshots: update.png, wise.png, static.png, SUD.png]
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
1.vbe triggers vbc.exe, drops and runs systeminfo.exe, which sets an AutoRun and calls out. To prevent damage to the computer, I manually terminated the malware shortly after. MISS.
1.vbs triggers vbc.exe, drops and runs systeminfo.exe, which sets an AutoRun and calls out. To prevent damage to the computer, I manually terminated the malware shortly after. MISS.
Bonus test for haha.exe (with Realtime Protection turned off):
haha.exe gets instantly intercepted and autoquarantined by TCPM BB. HIT.
[attached screenshots: run1.png, run2.png, run3.png, PE.png, TCP_PE.png, autorun.png, files.png, 2o.png, NPE_detail.png]
Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TPCM installation. The registry hijack for "openas\command" appears once an initial installation of TPCM has been upgraded in-app. It's safe.
 

Daniel Hidalgo, post #5
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 10 PRO RS5 build 1811 x64 bits
Product: McAfee Internet Security 2019 V. 16.0 (Default Settings)
Static (On-demand scan): 1/3
Dynamic (On execution): only the static scan with this product; the static and dynamic tests were done with ESET at the moment
Total: 1/3
SUD: YES
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: CLEAN
Files encrypted: NONE

[attached screenshots: 1546188703326.png, 1546188984444.png, 1546206443348.png]
Clean
[attached screenshot: 1546210506086.png]
 

Daniel Hidalgo, post #6
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64 bits
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 3/3
Dynamic (On execution) (Bonus Test): 0/3
Total: 3/3
SUD: No
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: CLEAN
Files encrypted: NONE
Second Opinion Scanners:
[attached screenshots: configuration captures 1 to 5, 1546220264273.png, 1546220386084.png]
Bonus Test (Real Time Protection disabled)
Sample 1.vbe: MISS. Processes: wscript.exe, vbc.exe. Connections: yes. Ends minutes later without the intervention of ESET.
[attached screenshot: 1546220644186.png]
Sample 1.vbs: MISS. Processes: wscript.exe, etpoavbort.exe. Connections: none used. Ends minutes later without the intervention of ESET.
[attached screenshot: 1546221032530.png]
Sample haha.exe: MISS. Process: haha.exe. Connections: none used. Ends minutes later without the intervention of ESET.
[attached screenshot: 1546221324690.png]
Remove samples folder; run CCleaner.
Process Explorer: SAFE
Autoruns: SAFE
[attached screenshot: 1546222010183.png]
CLEAN
[attached screenshot: 1546224805203.png]
 

Der.Reisende, post #8
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.195)
Product: Tencent PC Manager v12.3.26596.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine)
Static (On-demand scan): 1/3
Dynamic (On execution): 3/3 (*bonus test)
Total: 3/3
SUD: Everything not covered by TCPM BB or cloud
VPN: Windscribe v1.83 b18
System Status: clean (signatures) / infected (*Bonus test - b00m.exe payload in AutoRuns, intercepted before doing harm on manual execution)
Files encrypted: no
[attached screenshots: update.png, static.png, SUD.png]
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
1.exe gets instantly intercepted and autoquarantined on execution by TPCM Realtime Protection (Tencent cloud). No further malicious traces, no AutoRuns. HIT.
predator.exe calls out for a second before TPCM BB intercepts and autoquarantines it (2x alert). No further malicious traces, no AutoRuns. HIT.

Bonus Dynamic test (Realtime Protection turned off):
1.exe gets intercepted and autoquarantined by TPCM BB (3x alerts) within seconds of being run. Multiple ransom notes get autoquarantined silently. No files were harmed. No further malicious traces, no AutoRuns. HIT.
b00m.exe triggers UAC and does not appear in running processes, even on multiple tries. It does silently set an AutoRun! On manual execution it drops and runs tempsvchost.exe. Both pieces of malware get instantly intercepted and autoquarantined by TPCM BB (4x alerts). No files were harmed. The untouched source file (= dropper) was deleted before firing off second-opinion scans. HIT.

[attached screenshots: run1.png, run2.png, run1_bonus.png, run1_bonus_1.png, run2_bonus.png, run2_bonus1.png, run2_bonus2.png, run2_bonus3.png, PE.png, TCP_PE.png, autorun.png, autorun_after.png, files.png, 2o.png, NPE_detail.png]
Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TPCM installation. The registry hijack for "openas\command" appears once an initial installation of TPCM has been upgraded in-app. It's safe.
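Several posts above (#4, #6 and #8) report the same shape of behaviour: a script host runs the .vbe/.vbs sample, a .NET compiler (vbc.exe) gets spawned, a fresh executable is dropped and run, a Run-key AutoRun is set, and the payload calls out. The following is an added example, not code from any post or product in this thread, showing how that chain can be recognised in process, file, registry and network telemetry. The event records are constructed here in Sysmon's field naming (EventID 1, 3, 11, 13); the GUIDs, user paths, SID and IP address are made up, and no real log format is parsed.

```python
# Added example (not from the thread): score a script host's process subtree
# for the dropper chain the testers saw. Field names follow Sysmon; all records,
# GUIDs, paths, the SID and the IP below are constructed for this example.
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}   # .NET compilers abused to build payloads on the fly
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index EventID 1 records: ProcessGuid -> event, and parent -> [children]."""
    procs, children = {}, defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
            children[ev["ParentProcessGuid"]].append(ev["ProcessGuid"])
    return procs, children


def descendants(root, children):
    """Every ProcessGuid in the subtree rooted at root (root included)."""
    seen, stack = set(), [root]
    while stack:
        guid = stack.pop()
        if guid not in seen:
            seen.add(guid)
            stack.extend(children.get(guid, []))
    return seen


def find_script_roots(events):
    """Top-most script-host processes; a host spawned by a host folds into its parent."""
    procs, _ = build_tree(events)
    roots = []
    for guid, ev in procs.items():
        if basename(ev["Image"]) in SCRIPT_HOSTS:
            parent = procs.get(ev["ParentProcessGuid"])
            if parent is None or basename(parent["Image"]) not in SCRIPT_HOSTS:
                roots.append(guid)
    return roots


def analyse_chain(events, root_guid):
    """Walk the events of one script host's subtree and score the chain behaviours."""
    procs, children = build_tree(events)
    subtree = descendants(root_guid, children)
    finding = {"root": basename(procs[root_guid]["Image"]),
               "command_line": procs[root_guid].get("CommandLine", ""),
               "compiler_spawned": False, "dropped_and_executed": [],
               "run_key_persistence": [], "network": False}
    dropped = set()                       # .exe paths written by the subtree so far
    for ev in events:                     # events are assumed to be in time order
        if ev.get("ProcessGuid") not in subtree:
            continue
        eid = ev["EventID"]
        parent = procs.get(ev.get("ParentProcessGuid", ""))
        if eid == 1 and basename(ev["Image"]) in COMPILERS and parent is not None \
                and basename(parent["Image"]) in SCRIPT_HOSTS:
            finding["compiler_spawned"] = True
        elif eid == 11 and ev["TargetFilename"].lower().endswith(".exe"):
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 1 and ev["Image"].lower() in dropped:   # dropped file now running
            finding["dropped_and_executed"].append(ev["Image"])
        elif eid == 13 and any(k in ev["TargetObject"].lower() for k in RUN_KEYS):
            finding["run_key_persistence"].append((ev["TargetObject"], ev["Details"]))
        elif eid == 3:
            finding["network"] = True
    score = (2 * finding["compiler_spawned"] + 2 * bool(finding["dropped_and_executed"])
             + 3 * bool(finding["run_key_persistence"]) + 1 * finding["network"])
    finding["score"] = score
    finding["verdict"] = "dropper-chain" if score >= 5 else "suspicious" if score >= 2 else "benign"
    return finding


def detect(events):
    """One finding per top-level script host seen in the event stream."""
    return [analyse_chain(events, g) for g in find_script_roots(events)]


# Constructed stream modelling the 1.vbe chain reported above.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "P1", "ParentProcessGuid": "P0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\tester\Desktop\samples\1.vbe"'},
    {"EventID": 1, "ProcessGuid": "P2", "ParentProcessGuid": "P1",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r"vbc.exe /noconfig /out:C:\Users\tester\AppData\Roaming\systeminfo.exe"},
    {"EventID": 11, "ProcessGuid": "P2",
     "TargetFilename": r"C:\Users\tester\AppData\Roaming\systeminfo.exe"},
    {"EventID": 1, "ProcessGuid": "P3", "ParentProcessGuid": "P2",
     "Image": r"C:\Users\tester\AppData\Roaming\systeminfo.exe", "CommandLine": "systeminfo.exe"},
    {"EventID": 13, "ProcessGuid": "P3",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\systeminfo",
     "Details": r"C:\Users\tester\AppData\Roaming\systeminfo.exe"},
    {"EventID": 3, "ProcessGuid": "P3", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
]

# Constructed benign stream: a logon script that only writes a log file.
BENIGN_EVENTS = [
    {"EventID": 1, "ProcessGuid": "B1", "ParentProcessGuid": "B0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\logon.vbs"},
    {"EventID": 11, "ProcessGuid": "B1", "TargetFilename": r"C:\Users\tester\logon.log"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS) + detect(BENIGN_EVENTS):
        print(f["verdict"], f["score"], f["command_line"])
```

The weights are a design choice, not a standard: persistence is scored highest because the AutoRun is what turned post #4's system status to "infected", while a bare network connection from a script host is common enough in logon scripts that it only nudges the score. A dropped executable counts only once it is actually launched, which is why the detector keeps the set of written .exe paths and matches later EventID 1 records against it rather than alerting on the write alone.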
 

askalan, post #9
Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.
1. Containment: VirtualBox 5.1.38
2. Windows: 10 Home
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice 6.0 (lowest macro protection level)

Samples that have harmed the system/changed system configuration: 0/3

The presented system configuration has successfully blocked all malware. No files were encrypted.
Before the second opinion scan the samples were deleted.


Thanks for the samples @Der.Reisende
@Andy Ful


harlan4096, post #10
Containment: VMware Workstation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Dynamic BB Bonus Test: 3 / 3 (Disabled modules: File AV + KSN)
3 by Dangerous Application Behaviour (PDM:Trojan)
Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Clean

Samples Pack Posted: 05/01/2019 11:35am
Dynamic Test Started: 06/01/2019 09:58am

The 3 samples were detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).

[attached screenshots: 1.png, 2.png, 3.png]

_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns:

[attached screenshot: AR.png]

Warning: All original samples from the extracted folder were deleted manually before running the Second Opinion Scanners, except those that are still actively running on the system and/or are referenced in a registry key in the Windows AutoRuns sections.

ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\AppData\), HMP, WiseVector -> All Clean, System Clean:

[attached screenshot: SOS.png]

Thanks to @Der.Reisende !