Xcitium Valkyrie/Comodo Valkyrie Verdicts

Nikola Milanovic

Nikola Milanovic

Level 6
Thread author
Verified
Oct 17, 2023
285
440
477
1746057987535.png
Static Analysis Overall Verdict-Highly Suspicious
1746058025132.png
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger
Advanced File Analysis System | Valkyrie
 
Last edited by a moderator:
Thanks for sharing this. It's indeed a serious issue if the raw data size is valued illegal, as it could potentially crash the disassembler/debugger. The link provided leads to an advanced file analysis system which could be helpful in further investigating this issue.
 
1746100244171.png
Static Analysis Overall Verdict- Highly Suspicious
1746100276339.png
Based on the sections entropy check! file is possibly packed
Header Checksum is zero!
Optional Header NumberOfRvaAndSizes field is valued illegal
valkyrie.comodo.com

Advanced File Analysis System | Valkyrie

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
valkyrie.comodo.com valkyrie.comodo.com
 
Last edited by a moderator:
1746100562238.png
Machine Learning Analysis Completed
The uploaded file looks like a malicious file
Header Checksum is zero!
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger
Click to expand...
valkyrie.comodo.com

Advanced File Analysis System | Valkyrie

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
valkyrie.comodo.com valkyrie.comodo.com
 
Last edited by a moderator:
  • Like
Reactions: simmerskool
I had used valkyrie in the past and created a new account in December 2024 and my notes show successfully activated, and I am showing I have an api key. I went to login today and I get popup "invalid login credentials" -- so it basically useless.

EDIT semi-correction: the valkyrie link posted above did not work for me as stated, but then I took a closer look at my account and it uses a different URL to login, and it did log me in at
verdict.valkyrie.comodo.com

Valkyrie Verdict

KNow what is safe, and what is malware with Valkyrie Verdict - your free analysis service for files and websites.
verdict.valkyrie.comodo.com verdict.valkyrie.comodo.com

so there are more than one valkyrie? I am not using (paying for) xcitium so I can understand some sort of lockout but then why name them both vlakyrie?? :rolleyes:

EDIT2 so at the valkyrie that I am logged into, I entered the sha256 for new version of popular app and valkyrie said Please supply a valid SHA256... :rolleyes:o_O
 
Last edited:
  • +Reputation
  • Like
Reactions: rashmi and Trident
simmerskool said:
I had used valkyrie in the past and created a new account in December 2024 and my notes show successfully activated, and I am showing I have an api key. I went to login today and I get popup "invalid login credentials" -- so it basically useless.

EDIT semi-correction: the valkyrie link posted above did not work for me as stated, but then I took a closer look at my account and it uses a different URL to login, and it did log me in at
verdict.valkyrie.comodo.com

Valkyrie Verdict

KNow what is safe, and what is malware with Valkyrie Verdict - your free analysis service for files and websites.
verdict.valkyrie.comodo.com verdict.valkyrie.comodo.com

so there are more than one valkyrie? I am not using (paying for) xcitium so I can understand some sort of lockout but then why name them both vlakyrie?? :rolleyes:

EDIT2 so at the valkyrie that I am logged into, I entered the sha256 for new version of popular app and valkyrie said Please supply a valid SHA256... :rolleyes:o_O
Click to expand...
Yes there are 2 Valkyrie websites one is Valkyrie Verdict and one is Valkyrie Comodo Valkyrie Customer Login | Advanced File Analysis System
 
  • Thanks
Reactions: simmerskool
1746204899092.png
Malware
Static Analysis Overall Verdict-Highly Suspicious
1746204931751.png

Header Checksum is zero!
valkyrie.comodo.com

Advanced File Analysis System | Valkyrie

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
valkyrie.comodo.com valkyrie.comodo.com
 
Last edited by a moderator:
1746369587720.png
Static Analysis Overall Verdict-Highly Suspicious
The Internet checksum, also called the IPv4 header checksum is a checksum used in version 4 of the Internet Protocol (IPv4) to detect corruption in the header of IPv4 packets
 
  • Like
  • HaHa
Reactions: Trident and simmerskool
1746398796736.png
valkyrie.comodo.com

Advanced File Analysis System | Valkyrie

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
valkyrie.comodo.com valkyrie.comodo.com
SUSPICIOUS BEHAVIORS
Opens a file in a system directory
Uses a function clandestinely
Has no visible windows

Behavioral Information​

QueryFilePath

LowerChar

CreateMutex

OpenMutex

WriteFile

ReadFile

LoadLibrary

OpenRegistryKey

QueryProcessAddress



 
Nikola Milanovic said:
View attachment 288440
Static Analysis Overall Verdict-Highly Suspicious
The Internet checksum, also called the IPv4 header checksum is a checksum used in version 4 of the Internet Protocol (IPv4) to detect corruption in the header of IPv4 packets
Click to expand...
What IPV4 packets? This is the executable file Header. The checksum being zero, whilst unusual, is not necessarily a sign of suspicious/malicious intent. A checksum for executable files is not mandatory, it is only mandatory for drivers (sys files). Hence the compiler/linker may have decided not to embed it and the checksum of <nothing> is 0. Or the file could have been damaged, including but not limited to damage by malware disinfection system. The file could have been tampered with for one reason or another.

Just this alone is not enough to conclude the file is malicious.
 
Last edited:
  • +Reputation
  • Hundred Points
Reactions: roger_m, silversurfer, oldschool and 1 other person
Nikola Milanovic said:
View attachment 288444
valkyrie.comodo.com

Advanced File Analysis System | Valkyrie

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
valkyrie.comodo.com valkyrie.comodo.com
SUSPICIOUS BEHAVIORS
Opens a file in a system directory
Uses a function clandestinely
Has no visible windows

Behavioral Information​

QueryFilePath

LowerChar

CreateMutex

OpenMutex

WriteFile

ReadFile

LoadLibrary

OpenRegistryKey

QueryProcessAddress

Click to expand...
This file was seen on VirusTotal more than 10 years ago and has a detection of 53/70.

The program doesn't exhibit malicious behaviour, it promises to break mail.ru passwords. The underlying C&Cs are long dead and the program will not work at all. It wasn't detected through dynamic analysis, it was detected via signature that Comodo should have created very long time ago.

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
 
Last edited:
  • +Reputation
  • Like
Reactions: roger_m, silversurfer, oldschool and 1 other person
Trident said:
This file was seen on VirusTotal more than 10 years ago and has a detection of 53/70.

The program doesn't exhibit malicious behaviour, it promises to break mail.ru passwords. The underlying C&Cs are long dead and the program will not work at all. It wasn't detected through dynamic analysis, it was detected via signature that Comodo should have created very long time ago.

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
Click to expand...
It is detected by Dynamic Analysis as Highly Suspicious(Xcitiums way of saying that is Malicious)
 
Nikola Milanovic said:
It is detected by Dynamic Analysis as Highly Suspicious(Xcitiums way of saying that is Malicious)
Click to expand...
The dynamic analysis identified 3 behaviours, none of which is a clear sign of malicious intent.

Opens a file in a system directory
Uses a function clandestinely
Has no visible windows

Opens a file in system directory — the file is C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config (from the report).
This file contains system defaults, assembly binding rules, remote channels and cryptography settings amongst others. The file was just read and not modified.
Plenty of .net-based applications have valid reasons to read machine defaults.
In addition, the execution flow might contain variables that require the .net framework to read this file, so it may not be the application itself using this information — it could just be side effect of the programmer’s logic.

Uses a function CLANDESTINELY.
There is no information what exactly is used clandestinely. Unable to comment here.

Has no visible window:
This could be a sign of a threat, specifically when file is downloaded from the web. However, the file contains strings like “Установка” (installation in Russian), “Далее” (which means next) and so on. The file is designed to have a visible window, it’s just Comodo emulation was unable to fully cover virtual artefacts and the program terminated.
The program is also 12 years old and as stated earlier, will not work anymore.

All in all, very little, almost no behaviour was observed during Comodo emulation process to conclude whether or not the program is malicious in an efficient and accurate way. The program merely detected emulation and exited, which is typical for cracks, hacking tools, password brute-forcing tools and so on, as well as for malware. It is also typical for some fully legit packing tools and install builders.
 
Last edited:
  • +Reputation
Reactions: roger_m, simmerskool and Vitali Ortzi

You may also like...