Number of samples: 1
Verified malware samples: Yes, this only contains malware
Threat analysis reports:
https://app.any.run/tasks/00935e88-e56c-4a55-bd2d-8afaf3c466a8
https://www.hybrid-analysis.com/sample/c6575be738c2e53097ff78202066089f6a16cefa711bedbd6c1bdd7a0d5f7ae0?environmentId=100
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and make informed decisions on which security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Der.Reisende

#3
Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.195)
Product: Tencent PC Manager v12.3.26596.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine)
Static (On-demand scan): 1/1 (on execution by Tencent cloud)
Dynamic (On execution - Bonus test with Realtime Protection turned off): 1/1
Total: 1/1
SUD: N/A
VPN: Windscribe v1.83 b18
System Status: clean
Files encrypted: no
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
newtest.exe: With Realtime Protection on, the file gets instantly intercepted and autoquarantined by TCPM cloud. HIT.
Bonus Test with Realtime Protection turned off:
newtest.exe runs in memory for a few seconds. TCPM BB intercepts and autoquarantines the malware (3x alert). No further malicious traces, no AutoRuns. HIT.
Thank you @silversurfer for the file!
Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TCPM installation. The registry hijack for "openas\command" appears once an initial installation of TCPM has been in-app upgraded. It's safe.
 

Daniel Hidalgo

#4
Guest/OS: Windows 10 PRO 64 Bits
Product: McAfee Internet Security 2019 V.16.0
Result Static: 0/1
SUD: YES
At the moment I will only use this product to perform the static test.
Screenshots: Update, Static Scan, SUD
 

Daniel Hidalgo

#5
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64 bits
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 1/1
Dynamic (On execution)(BONUS TEST): 1/1
Total: 1/1
SUD: NO
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: CLEAN
Files encrypted: NONE
Second Opinion Scanners:
Bonus Test
Real-time protection disabled
Sample newtest.exe: HIT
Processes: newtest.exe, cmd.exe, conhost.exe, wstni.exe
Connections: YES
It creates a file in the ProgramData folder and makes a connection (intercepted by the ESET firewall, but in the end allowed), but it was immediately blocked and removed while active in memory, preventing infection and terminating the processes.


Remove Samples Folder
Run CCleaner
Process Explorer: SAFE
Autoruns: SAFE
 

harlan4096

#6
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Dynamic BB Bonus Test: 1 / 1 (Disabled modules: File AV + KSN)
1 by Dangerous Application Behaviour (PDM:Trojan)
Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Clean
Samples Pack Posted: 01/01/2019 01:34pm
Dynamic Test Started: 01/01/2019 07:33pm

* (Hit) newtest.exe: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).


_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns:


Warning: All original samples from the extracted folder were deleted manually before running the Second Opinion Scanners, except those that were still actively running on the system and/or are referenced in a registry key in the Windows AutoRuns sections.

ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\AppData\) HMP WiseVector -> All Clean, System Clean:


Thanks to @silversurfer !

harlan4096

#7
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088
Tweaked Settings

Static/Contextual Scan: 1 / 1 - Total: 1 / 1 - SUD: N/A
1 by UDS (Urgent Detection System)