Weird Results for this File

Sandbox Breaker

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
435

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
1691693869891.png

Not Signed


verdict.xcitium.com

Xcitium Cloud Verdict

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
verdict.xcitium.com verdict.xcitium.com
1691694045165.png

Signed and Trusted?

GPT Says its Emotet.
1691694105519.png


Just wanted to post this...

File can be downloaded on triage.
 
Last edited:
  • Like
  • +Reputation
Reactions: struppigel, [correlate], Nevi and 6 others
cruelsister

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,149
Just a thought- the dropboxupdate.exe connections out to their server (162.125.8.20 and 162.125.3.13) has been classed as suspicious by some for a couple of years, probably (but not certainly) due to Emotet at one time hijacking DropBox to spread.
 
  • Like
Reactions: piquiteco, vtqhtr413, [correlate] and 4 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Where exact does this specific file come from/found = source?
DropboxUpdateSetup.exe 1.3.761.1
Click to expand...

Some of the data is a bit weird. The certificate looks manipulated:

2023-08-12_10-49-56.png


but that does not automatic means, malicious. One have to compare it with a original " update " file from Dropbox main site. I was actually able to find the exact same version number that also have zero flags on VT, and where VT shows the signature correct/valid:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

2023-08-12_11-03-32.png


Same version number, but different Hash values. Even the compile date on these 2 files is exact the same, so that's weird. But the first submissions dates are different. Lets see what the original file from Dropbox url shows with the signature:

2023-08-12_11-13-45.png



2023-08-12_11-32-01.png


2023-08-12_11-32-25.png


PE Header and the Overlay Hash is different. Also got some " appended " data.
 
  • +Reputation
  • Like
  • Applause
Reactions: roger_m, simmerskool, brambedkar59 and 4 others
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
This is exactly the same issue as with the Glasswire download we also analysed. Dropbox is also one of those vendors who save data in the certificate, so that the certificate is not broken.

It is not VirusTotal that is weird but Microsoft Windows being weird in allowing manipulated certificates as valid unless you opt-out.

And the reason for allowing it is, well, companies like Dropbox abusing this vulnerability in legit installers. Why? Imagine you download something from a dropbox link but have no dropbox installed. How will it know what you wanted to download without putting this information into the installer somehow? That is why. They cannot sign the installer for each and every download and they do not want to use non-signed ones. So they inject the data into the certificate instead.

@upnorth was completely correct here in his assessment and despite the manipulation the file is clean. VT is also correct.
 
Last edited:
  • +Reputation
  • Like
  • Thanks
Reactions: roger_m, Kongo, simmerskool and 3 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
  • Like
Reactions: simmerskool and harlan4096

Similar threads

Sandbox Breaker
    • Like
    • HaHa
Malware Analysis Malware/PUA listed as clean (again)
Replies
39
Views
1,662
Malware Analysis Archive
partha_roy
partha_roy
Sandbox Breaker
    • Like
    • +Reputation
Signed Sample - Very Suspect
Replies
5
Views
783
Malware Analysis Archive
harlan4096
harlan4096
A
    • Like
    • Thanks
    • +Reputation
Advice Request Glasswire's SHA-256 hash doesn't match the one listed on their website
Replies
28
Views
2,192
Malware Analysis
Trident
Trident

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top