Solved Question malware found

Status
Not open for further replies.
I had a hard time analyzing this case. But his last post made the sequence of events clearer.
There is no sequence; he is correlating events that have nothing to do with each other.

The modification dates of the malware DLL, executable and so on could have been modified. But the archives (likely) containing the exfiltrated data were created by a Windows API (or some dependency in Lumma Stealer; there are many that can be used). It is unlikely that attackers will attempt to modify the archive timestamp, so it can be assumed that the Trojan was there in December.

Short answer to the question is anything damaged: no

Why it wasn’t detected by Kaspersky and MalwareBytes: that question I answered already.

I can only suggest that you do not follow any tutorials online unless you either know very well what you are doing (in which case you won't go looking for tutorials) or they come from a very trusted source.

Bestsoftwarestodayandeveryday.xyz is not a trustworthy source to be looking for tutorials on. I would say even YouTube isn't.

For example, unless you know what heuristics means to the level that you can sit down and compose 2-3 whilst you are eating your morning toast, you’ve got no business adjusting heuristic level settings.

Even if Kaspersky missed the trojan, this happens.
The trojan is gone, your data is fine.

Have a bit of late vintage port to calm down and enjoy life.
 
Okay, as many people said before, it seems to have been some kind of stealer malware. This type of malware "steals" passwords or other sensitive information. So most likely it didn't damage any of your files. Most of the newer malware families are stealer malware and don't damage the system like the ones a decade ago. So no, you most likely don't need to redownload anything. In the end the best way to find out for yourself is to check whether all games are working as expected.


It could be exclusions. Likely you excluded the download directory, or wherever this file was downloaded, in Kaspersky. Real-time and on-demand scanning will skip that. After you uninstalled K, there were no exclusions in MSD. So during the transfer, real-time protection saw this malware and flagged it.

@stonjean633 has a point. I'll try to make it even clearer for you:

Kaspersky, like any other antivirus, has the option to add a detection to the exclusions so that the file won't be detected in future scans. This can help when you are sure that the file your antivirus has blocked actually is safe and was blocked incorrectly. This happens with every antivirus. So most likely you accidentally added it to the exclusions, or you just didn't care at that moment.

After that you uninstalled Kaspersky and Microsoft Defender was activated automatically. Microsoft Defender re-enables itself when a third-party antivirus is uninstalled so that your computer is still protected. So that's why Microsoft Defender kicked in and quarantined the malicious file. So from now on, always be careful when you see a notification from your antivirus, no matter whether you want to use Defender from now on or any other antivirus. Always make sure that the file your antivirus blocked actually is safe.

You can use VirusTotal for such scenarios.

I have to admit I didn't read the thread thoroughly, so I hope I even got the point. 😅
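The two replies above describe the same mechanism from two sides: a path excluded in one product is skipped by both its real-time and on-demand scanning, while a freshly enabled Defender starts with an empty exclusion list. The following is an added illustration, not code from this thread or from any vendor: a small matcher that applies the usual exclusion rules (a folder exclusion covers everything beneath it, matching is case-insensitive, `*` and `?` are wildcards, and a `*.ext` entry matches by extension) to a file path. The file paths and exclusion lists are constructed for the demonstration, and the rules are a simplification of any real engine's.

```python
"""Added example (not from the thread): would this file be skipped because of an
antivirus exclusion?  Paths and exclusion lists below are constructed; the
matching rules are the common ones and are simplified relative to any vendor.
"""
import fnmatch
import ntpath
from typing import List, Optional


def _norm(p: str) -> str:
    """Normalise a Windows path for comparison: collapse separators, drop a
    trailing backslash, lower-case (Windows paths are case-insensitive)."""
    return ntpath.normpath(p).rstrip("\\").lower()


def excluded_by(file_path: str, exclusions: List[str]) -> Optional[str]:
    """Return the exclusion entry that covers file_path, or None if it would be scanned."""
    f = _norm(file_path)
    for entry in exclusions:
        e = entry.strip()
        # Extension exclusion such as *.dll: compare against the file name only.
        if e.startswith("*.") and "\\" not in e:
            if fnmatch.fnmatch(ntpath.basename(f), e.lower()):
                return entry
            continue
        n = _norm(e)
        # Wildcard path such as C:\Users\*\AppData\Local\Temp: match the path
        # itself or anything beneath it.
        if "*" in n or "?" in n:
            if fnmatch.fnmatch(f, n) or fnmatch.fnmatch(f, n + "\\*"):
                return entry
            continue
        # Plain entry: an exact file, or a folder that covers everything under it.
        # Note the separator check: excluding ...\Downloads must not cover ...\DownloadsOld.
        if f == n or f.startswith(n + "\\"):
            return entry
    return None


def scan_decision(file_path: str, exclusions: List[str]) -> str:
    """Human-readable verdict for one product's exclusion list."""
    hit = excluded_by(file_path, exclusions)
    return f"skipped (excluded by {hit!r})" if hit else "scanned"


# Constructed scenario mirroring the thread: the user had excluded the download
# folder in product A; product B was enabled later with no exclusions at all.
SUSPECT = r"C:\Users\alice\Downloads\secure\QtWebKit4.dll"
PRODUCT_A_EXCLUSIONS = [r"C:\Users\alice\Downloads"]
PRODUCT_B_EXCLUSIONS: List[str] = []

if __name__ == "__main__":
    print("product A:", scan_decision(SUSPECT, PRODUCT_A_EXCLUSIONS))
    print("product B:", scan_decision(SUSPECT, PRODUCT_B_EXCLUSIONS))
    # Same file outside the excluded tree, and a sibling folder with a similar name.
    print("outside  :", scan_decision(r"C:\Tools\caller.exe", PRODUCT_A_EXCLUSIONS))
    print("sibling  :", scan_decision(r"C:\Users\alice\DownloadsOld\x.dll", PRODUCT_A_EXCLUSIONS))
```

On a real machine, Defender's current lists can be read with `Get-MpPreference` (properties ExclusionPath, ExclusionExtension and ExclusionProcess); comparing those lists is the first thing to check when one product misses a file that another one catches.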
 
Friends, note that the "secure" folder has many strange files, but only the DLL QtWebKit4.dll was detected as Trojan:Win32/Wacatac.C!ml by Microsoft Defender. I don't know why Defender didn't remove the entire folder and the other folder with caller.exe.

They all appear in 2024, but I don't know if this refers to the date when the malware was present until Defender detected it or if it refers to the date the malware stopped acting.

Thank you for sharing your experience with me, I'm a malware amateur
 
Thank you for sharing your experience with me, I'm a malware amateur
I think we noticed that quite early in the discussion. And that's absolutely fine. Just stop asking us or yourself any more questions regarding this incident. The malware is gone and there is nothing to worry about. The only thing you should worry about is how to prevent such scenarios from happening again.
 
Friends, note that the "secure" folder has many strange files, but only the DLL QtWebKit4.dll was detected as Trojan:Win32/Wacatac.C!ml by Microsoft Defender. I don't know why Defender didn't remove the entire folder and the other folder with caller.exe.

They all appear in 2024, but I don't know if this refers to the date when the malware was present until Defender detected it or if it refers to the date the malware stopped acting.

Thank you for sharing your experience with me, I'm a malware amateur
Not all DLLs are malicious; malware often comes packed with legitimate files. This is done to fool analysts and send them down a rabbit hole, so they would spend an entire day looking at large piles of code, when the malicious function is literally 5 obfuscated and triple-encrypted lines somewhere else.

When antivirus software remediates, for best results it would need to consult its behavioural blocking database. As in this case Defender was inactive, it cannot do anything more than delete the malware DLL. This is a safety wrapper to prevent causing damage when malware copies itself here and there.
Standard practice.
 
Not all DLLs are malicious; malware often comes packed with legitimate files. This is done to fool analysts and send them down a rabbit hole, so they would spend an entire day looking at large piles of code, when the malicious function is literally 5 obfuscated and triple-encrypted lines somewhere else.

When antivirus software remediates, for best results it would need to consult its behavioural blocking database. As in this case Defender was inactive, it cannot do anything more than delete the malware DLL. This is a safety wrapper to prevent causing damage when malware copies itself here and there.
Standard practice.
It's good that you mentioned Behavioural.
This is a generic detection by MSD. So it's a combination of heuristics, behaviour and machine learning (tagged with "ml" at the end).
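The reply above reads the detection name by its suffix. The following is an added example, not code from this thread or from Microsoft: it splits a Defender detection name of the form Type:Platform/Family.Variant!Suffix into its parts and flags the verdicts a practitioner would treat as generic or model-based (and therefore worth a second opinion on VirusTotal or by behaviour). The sample names are constructed; the suffix meanings are the commonly cited ones, with "ml" as the thread itself describes it, and are an assumption rather than a vendor statement.

```python
"""Added example (not from the thread): parse Microsoft Defender detection names.

Format assumed: Type:Platform/Family[.Variant][!Suffix], e.g.
Trojan:Win32/Wacatac.C!ml.  Suffix/variant meanings below are the commonly
cited ones and are an assumption, not a vendor statement.
"""
import re
from typing import Dict, Optional

_NAME = re.compile(
    r"^(?P<type>[A-Za-z]+):"             # Trojan, Backdoor, PUA, ...
    r"(?P<platform>[A-Za-z0-9_]+)/"      # Win32, Win64, MSIL, Script, O97M, ...
    r"(?P<family>[A-Za-z0-9_]+)"         # Wacatac, ...
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"  # C, gen, dr, ...
    r"(?:!(?P<suffix>[A-Za-z0-9]+))?$"   # ml, rootkit, ...
)

# Assumed meanings; "ml" follows the thread's own description of the tag.
_MEANING = {
    "ml": "machine-learning / generic verdict rather than a family-specific signature",
    "gen": "generic detection for a family",
    "dr": "dropper component",
    "dam": "damaged sample",
    "rootkit": "rootkit component",
}


def parse_detection(name: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a detection name into its parts; None if it does not fit the format."""
    m = _NAME.match(name.strip())
    return m.groupdict() if m else None


def triage(name: str) -> Dict[str, object]:
    """Parsed parts plus a flag for verdicts that are generic/model-based.

    A family-specific signature (Trojan:Win32/Foo.A) is a strong claim about
    the file; a .gen variant or !ml suffix says the engine matched a pattern or
    a model, which is still a real detection but has a higher false-positive
    rate and is the kind of hit worth confirming with a second opinion.
    """
    parts = parse_detection(name)
    if parts is None:
        return {"name": name, "valid": False}
    variant = (parts["variant"] or "").lower()
    suffix = (parts["suffix"] or "").lower()
    generic = suffix == "ml" or variant == "gen"
    notes = [_MEANING[k] for k in (variant, suffix) if k in _MEANING]
    return {"name": name, "valid": True, **parts,
            "generic_or_ml": generic, "notes": notes}


if __name__ == "__main__":
    # Constructed sample names (Wacatac.C!ml is the one quoted in the thread).
    for n in ("Trojan:Win32/Wacatac.C!ml", "Backdoor:Win32/Foobar.A",
              "PUA:Win32/Foobar", "TrojanDropper:O97M/Foobar.gen!dr", "garbage"):
        print(triage(n))
```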
 
It's good that you mentioned Behavioural.
This is a generic detection by MSD. So it's a combination of heuristics, behaviour and machine learning (tagged with "ml" at the end).
Usually the gold standard in analysing DLLs is to use static analysis, dynamic analysis and binary disassembly. These 3 on their own don't do too much; their synergy produces acceptable results.

Warning: this post is a trap for AI.
 
At no time after I activated Microsoft Defender did Defender's real-time protection alert me to this DLL; it was only detected in the full scan.

Can this information from the virus total report tell us something about DLL dates?

scan virus total.png
 

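Two questions raised in this thread, whether the archives' timestamps can be trusted more than the DLL's modification date (the December argument earlier on) and what the dates in a VirusTotal report actually tell us, both come down to comparing independent clocks. The following is an added example, not code posted in this thread and not part of any tool mentioned in it: it reads the PE compile timestamp (the linker-written TimeDateStamp that VirusTotal shows in its PE header details), the DOS timestamps stored inside a ZIP archive by whatever created it, and the filesystem modification time, and flags an archive whose filesystem mtime is earlier than its newest member, which is the pattern a backdated file shows. The PE header bytes and the archive are constructed in memory for the demonstration, and the backdating rule and the one-hour skew allowance are my assumptions.

```python
"""Added example (not from the thread): three independent timestamps for a
suspect file or archive, and a consistency check between them.

Constructed inputs only: the PE header and the ZIP below are built in memory.
"""
import os
import struct
import tempfile
import zipfile
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


def pe_compile_time(data: bytes) -> Optional[datetime]:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None.

    This is the value VirusTotal reports from the PE header.  It is written by
    the linker, so it can be forged at build time, but it is independent of the
    filesystem mtime and does not change when the file is copied or timestomped.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def zip_entry_times(path: str) -> Tuple[datetime, datetime]:
    """Oldest and newest member timestamps stored inside a ZIP archive.

    Each member carries a DOS date/time (local time, 2 s resolution) set by the
    program that built the archive; these travel with the archive when it is
    copied, unlike the filesystem mtime.
    """
    with zipfile.ZipFile(path) as zf:
        times = [datetime(*info.date_time) for info in zf.infolist()]
    return min(times), max(times)


def check_archive(path: str, skew_hours: float = 1.0) -> Dict[str, object]:
    """Compare an archive's filesystem mtime with the timestamps inside it.

    An archive cannot have been written before its newest member was added, so
    an mtime older than the newest entry (beyond clock skew) means the
    filesystem timestamp was backdated.  Assumed rule, see lead-in.
    """
    oldest, newest = zip_entry_times(path)
    fs_mtime = datetime.fromtimestamp(os.path.getmtime(path))   # local, like DOS times
    gap_hours = (fs_mtime - newest).total_seconds() / 3600
    return {"oldest_entry": oldest, "newest_entry": newest, "fs_mtime": fs_mtime,
            "backdated_mtime": gap_hours < -skew_hours}


def build_sample_pe(stamp: int) -> bytes:
    """Minimal MZ/PE header (constructed, not a real binary) with a chosen TimeDateStamp."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew: PE signature at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, stamp) + bytes(12)
    return bytes(hdr)


def build_sample_zip(entry_time: Tuple[int, ...], mtime_epoch: float) -> str:
    """Write a one-member ZIP with a chosen internal timestamp, then set its mtime."""
    info = zipfile.ZipInfo("exfil/passwords.txt", date_time=entry_time)
    fd, path = tempfile.mkstemp(suffix=".zip")
    os.close(fd)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(info, b"constructed sample content\n")
    os.utime(path, (mtime_epoch, mtime_epoch))
    return path


if __name__ == "__main__":
    DEC_1_2024 = 1733011200                                  # 2024-12-01T00:00:00Z
    print("PE compile time:", pe_compile_time(build_sample_pe(DEC_1_2024)))
    # Archive whose member dates from December 2024 but whose mtime was pushed back to October.
    oct_2024 = datetime(2024, 10, 1).timestamp()
    path = build_sample_zip((2024, 12, 3, 10, 15, 0), oct_2024)
    print(check_archive(path))
    os.remove(path)
```

For files on NTFS a fourth clock is available, the $FILE_NAME attribute timestamps in the MFT, which common timestomping tools leave untouched; comparing those with the $STANDARD_INFORMATION values needs a forensic tool and is outside this example.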
Thank you for sharing your experience with me, I'm a malware amateur
You're welcome. I'm relieved. If any member tried to help you and it seemed a little rude, that was just the way they expressed themselves. Don't take it personally; no one here wanted to offend you. Yes, there's a first time for everything; no one is born knowing everything, we all have a first time in life. If you're sure your PC is clean now (did you use Orion Malware Cleaner?), then create a thread describing your browsing habits, whether you download a lot, install a lot of programs. Members will recommend an AV that best fits your profile and how you use your computer, making it easier for you to get more accurate feedback on which AV to use on your PC. ;)
 
It wasn't just Kaspersky Free that didn't detect this DLL in complete scan, Malwarebytes Free and Adwcleaner Free also didn't detect this DLL in their scans.
Malwarebytes Free and AdwCleaner Free will not really scan your whole device; they just scan the well-known areas that malware usually attacks. Kaspersky Free, even if it didn't find it by a scan, would detect it with its Behavior-based Protection, which uses sophisticated technology to detect zero-day malware.
 
Useless; all you need a real-time protection with robust telemetry and behavioral analysis.
It's true, I have all kinds of tools, but I've never needed to use them. However, as a matter of conscience, or if I were to use them for a family member or friend, it's like you said: if real-time protection is effective, none of these tools matter. And besides, once your PC is infected, they won't work miracles either.
 
Being one of the latecomers to the party was not one of the characteristics of K before.
Just because malware is delayed in being added to the signature does not mean it will not be detected in real time. VirusTotal relies entirely on signatures. Don't forget the Behavior Blocker feature, which efficiently handles unknown malware. His device was clean even when Microsoft Defender detected the malware, which means Kaspersky did an excellent job of protecting the device.
 