The peculiarity of EXE malware testing.
Quote from Andy Ful (post 1000627):

Today I analyzed the sample posted to me by @SeriousHoax.
The sample "220816-z6jahaebgl_pw_infected.zip" is a password-protected ZIP archive that contains the EXE payload.
It is an interesting example for this thread:

1. The ZIP sample is detected by Microsoft Defender via BAFS (when downloaded from the URL or OneDrive). The detection is: Script/Ulthar.A!ml
2. This ZIP sample is not detected by AVs on VirusTotal (including Microsoft Defender).
3. The EXE file embedded in the ZIP sample is not detected by Microsoft Defender (I could also execute it on the computer with Microsoft Defender).

[Attachment 268772: 1661639042811.png]

[Attachment 268773: 1661639861216.png]

This example shows that Microsoft Defender can sometimes block the attack in the wild when the initial malware is an archive from the Internet, and fail in the test with an EXE payload used in this attack. Such EXE files can increase an "EXE test error" for Microsoft Defender. We cannot expect in all cases that, when Defender can block the attack in the wild, it can also block all EXE payloads that are going to be used in this attack.

This example also shows that the Defender protection (default settings) is not comprehensive but rather very practical and focused on web threats. As we can see from VirusTotal, some popular AVs can detect the EXE payload that was missed by Defender, so they will not fail in the EXE test.
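An added illustration of the triage point behind items 1 and 2 above (this is example code, not part of Andy Ful's post): in a password-protected ZIP only the member metadata is visible without the password, so a static scan can report nothing about the payload while the archive is still judged when the EXE is extracted. The archive here is hand-built with the standard library so the ZIP "encrypted" flag can be set; the member name, the executable-suffix list and the PE header stub are constructed assumptions.

```python
import io, struct, zipfile, zlib
from pathlib import PurePosixPath

# Member suffixes treated as executable content (assumed list, not from the post).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".msi"}

def build_zip(entries):
    """Hand-build a minimal stored ZIP from (name, stored_bytes, encrypted) tuples;
    an encrypted member's stored data begins with the 12-byte ZipCrypto header."""
    local, central = bytearray(), bytearray()
    for name, stored, encrypted in entries:
        flags = 0x0001 if encrypted else 0          # general-purpose bit 0 = encrypted
        usize = len(stored) - 12 if encrypted else len(stored)
        crc, name_b, offset = zlib.crc32(stored), name.encode("ascii"), len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(stored), usize, len(name_b), 0) + name_b + stored
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                               crc, len(stored), usize, len(name_b), 0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)

def triage_archive(zip_bytes):
    """Per member: what a scanner can learn without the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x0001)
            findings.append({
                "name": info.filename,
                "encrypted": encrypted,
                "executable_name": PurePosixPath(info.filename).suffix.lower() in EXECUTABLE_SUFFIXES,
                # Content checks (here the PE 'MZ' magic) need a member stored in the clear.
                "pe_magic": None if encrypted else zf.read(info)[:2] == b"MZ",
            })
    return findings

def needs_runtime_or_password(findings):
    """Encrypted member with an executable name: static scanning sees only the file name,
    which is how an archive can be clean on VirusTotal while its EXE is judged only later."""
    return any(f["encrypted"] and f["executable_name"] for f in findings)

# Constructed samples (not the thread's file): a 64-byte PE header stub as the payload,
# stored once encrypted (flag set, opaque bytes) and once in the clear.
PE_STUB = b"MZ" + bytes(62)
OPAQUE = bytes(12) + b"\xaa" * len(PE_STUB)   # stand-in for ZipCrypto ciphertext
ENCRYPTED_ZIP = build_zip([("pw_infected/payload.exe", OPAQUE, True)])
PLAIN_ZIP = build_zip([("payload.exe", PE_STUB, False)])
```

Calling `triage_archive(ENCRYPTED_ZIP)` yields a member with `pe_magic` None and `needs_runtime_or_password` True, while the plaintext copy exposes the `MZ` header directly.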