Number of samples: 1
Verified malware samples: Yes, this only contains malware
Threat analysis report: https://www.hybrid-analysis.com/sample/7cd0b571f7bd17cda34227942f0b84e9de588be04c8c9a65ff9673280ab13336?environmentId=100
Online-scanners results: https://www.virustotal.com/#/file/7cd0b571f7bd17cda34227942f0b84e9de588be04c8c9a65ff9673280ab13336/detection
New malware samples (less than 10 days old): Yes

Post #2 by Der.Reisende (Content Creator, AV-Tester Advanced, Verified; joined Dec 27, 2014)

Containment: Shadow Defender v1.4.0.680
Guest/OS: Win10 Home v1809 (Build 17763.194)
Product: Tencent PC Manager v12.3.26595.901 (Tencent Cloud Protection engine + Bitdefender Local Antivirus Engine) + WiseVector v1.2.9.0
Static (On-demand scan): 0/1
Dynamic (On execution): 1/1
Total: 1/1
SUD: not needed, Auto-SUD by TCPM BB
VPN: Windscribe v1.83 b18
System Status: clean
Files encrypted: no
Tencent PC Manager Global:
Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only
Skype.exe drops and runs ajhnln.exe, which gets instantly intercepted and autoquarantined by TCPM BB. Triggered cmd.exe gets intercepted by TCPM BB as well. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. HIT.
Norton Power Eraser (NPE) entries: Baidu registry entries belong to the TCPM installation. The registry hijack for "openas\command" appears once an initial installation of TCPM has been in-app upgraded. It's safe.

Post #3 by Daniel Hidalgo (AV-Tester Advanced, Verified; joined Mar 17, 2015)

Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 1/1
Dynamic (On execution)(Bonus Test): 0/1
Total: 1/1
SUD: NO
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: CLEAN
Files encrypted: NONE
Bonus Test
System Status: INFECTED
Files encrypted: NONE
In the analysis, only some options for scanning were modified.
Bonus Test
Disable Real Time Protection
Sample: Skype.exe MISS
Processes: Skype.exe, ajhnln.exe, cmd.exe, conhost.exe
Connections: No connections used
The subprocess remains active without the intervention of ESET.
Remove Samples Folder
Run CCleaner
Process Explorer: INFECTED (the ajhnln.exe process remains active)
Autoruns: INFECTED (creates a malicious entry in the system)
Clean

Post #4 by omidomi (AV-Tester Advanced, Verified; joined Apr 5, 2014)

Containment: VirtualBox 5.2.22
Guest/OS: Windows 7 Ultimate x86
Product: WebRoot IS (9.0.24.37) - Default Settings
Static (On-demand scan): 0/1
Dynamic (On execution): 1/1
Total: 1/1
SUD: 1
VPN: Security Kiss Tunnel 0.3.2
Files encrypted: No
Second Opinion Scanners: Clean
System Final Status: Infected, live malware in memory!
Let's run the sample: Blocked.
PE reported Infected:

Autorun reported safe:

Zemana(full,custom) & HMP & NPE reported safe:

Thanks for the sample.

Post #5 by harlan4096 (Moderator, MalwareTips Team, AV-Tester Advanced, Verified; joined Apr 28, 2015)

Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KFA2019 19.0.0.1088d / VPN: Kaspersky Secure Connection
Default Settings + PUP/PUA/Adware -> Enabled + Scan (On Demand) -> High Level

Static/Contextual Scan: 1 / 1 - Total: 1 / 1 - SUD: N/A
1 by UDS (Urgent Detection System)
Files Encrypted: No - System Final Status: Clean

Dynamic BB Bonus Test: 1 / 1 (Disabled modules: File AV + KSN)
1 by Dangerous Application Behaviour (PDM:Trojan)
Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Clean

Location: Almería (Spain) CET
Samples Pack Posted: 25/12/2018 06:00pm
Static Test Started: 25/12/2018 06:08pm
Dynamic Test Started: 25/12/2018 06:19pm

* (Hit) Skype.exe: detected/deleted upon execution by Dangerous/Suspicious Application Behaviour (PDM:Trojan).

_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns:

Warning: All original samples from the extracted folder were deleted manually before running Second Opinion Scanners, except those that are still actively running on the system and/or are referred to in a registry key in the Windows AutoRuns sections.

ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\AppData\), HMP, MWB -> All Clean, System Clean:

Thanks to @Der.Reisende!