Xcitium Valkyrie/Comodo Valkyrie Verdicts

Nikola Milanovic

Level 4
Thread author
Verified
Oct 17, 2023
198
Static Analysis Overall Verdict-Highly Suspicious
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger
Advanced File Analysis System | Valkyrie

Bot (AI-powered Bot)
Thanks for sharing this. It's indeed a serious issue if the raw data size is valued illegal, as it could potentially crash the disassembler/debugger. The link provided leads to an advanced file analysis system which could be helpful in further investigating this issue.
 

Nikola Milanovic
Static Analysis Overall Verdict- Highly Suspicious
Based on the sections entropy check! file is possibly packed
Header Checksum is zero!
Optional Header NumberOfRvaAndSizes field is valued illegal

Nikola Milanovic
Machine Learning Analysis Completed
The uploaded file looks like a malicious file
Header Checksum is zero!
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger

simmerskool
I had used Valkyrie in the past and created a new account in December 2024, and my notes show it was successfully activated, and I am showing I have an API key. I went to log in today and I get the popup "invalid login credentials" -- so it's basically useless.

EDIT semi-correction: the valkyrie link posted above did not work for me as stated, but then I took a closer look at my account and it uses a different URL to login, and it did log me in at

so there is more than one Valkyrie? I am not using (paying for) Xcitium so I can understand some sort of lockout, but then why name them both Valkyrie?? :rolleyes:

EDIT2: so at the Valkyrie that I am logged into, I entered the SHA256 for the new version of a popular app and Valkyrie said "Please supply a valid SHA256"... :rolleyes:o_O

Nikola Milanovic
simmerskool said:
I had used Valkyrie in the past and created a new account in December 2024, and my notes show it was successfully activated, and I am showing I have an API key. I went to log in today and I get the popup "invalid login credentials" -- so it's basically useless.

EDIT semi-correction: the valkyrie link posted above did not work for me as stated, but then I took a closer look at my account and it uses a different URL to login, and it did log me in at

so there is more than one Valkyrie? I am not using (paying for) Xcitium so I can understand some sort of lockout, but then why name them both Valkyrie?? :rolleyes:

EDIT2: so at the Valkyrie that I am logged into, I entered the SHA256 for the new version of a popular app and Valkyrie said "Please supply a valid SHA256"... :rolleyes:o_O
Yes, there are 2 Valkyrie websites: one is Valkyrie Verdict and one is Comodo Valkyrie (Comodo Valkyrie Customer Login | Advanced File Analysis System).

Nikola Milanovic
Malware
Static Analysis Overall Verdict-Highly Suspicious
Header Checksum is zero!

Nikola Milanovic
Static Analysis Overall Verdict-Highly Suspicious
The Internet checksum, also called the IPv4 header checksum is a checksum used in version 4 of the Internet Protocol (IPv4) to detect corruption in the header of IPv4 packets
 

Nikola Milanovic
SUSPICIOUS BEHAVIORS
Opens a file in a system directory
Uses a function clandestinely
Has no visible windows

Behavioral Information
QueryFilePath
LowerChar
CreateMutex
OpenMutex
WriteFile
ReadFile
LoadLibrary
OpenRegistryKey
QueryProcessAddress

Trident
Nikola Milanovic said:
Static Analysis Overall Verdict-Highly Suspicious
The Internet checksum, also called the IPv4 header checksum is a checksum used in version 4 of the Internet Protocol (IPv4) to detect corruption in the header of IPv4 packets
What IPv4 packets? This is the executable file header. The checksum being zero, whilst unusual, is not necessarily a sign of suspicious/malicious intent. A checksum for executable files is not mandatory; it is only mandatory for drivers (.sys files). Hence the compiler/linker may have decided not to embed it, and the checksum of <nothing> is 0. Or the file could have been damaged, including but not limited to damage by a malware disinfection system. The file could have been tampered with for one reason or another.

Just this alone is not enough to conclude the file is malicious.
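The checksum and section-header points raised in the post above can be checked directly instead of being read off a one-line verdict. The following is an added example, not Valkyrie's code and not from anyone in the thread. It builds a minimal PE32+ image in memory (a constructed sample: 512 bytes of headers plus one 512-byte .text section), reimplements the PE CheckSum algorithm that imagehlp's MapFileAndCheckSum computes, and reports the header oddities Valkyrie flagged in this thread: a zero CheckSum (separating the driver case, where the Windows loader does insist on a valid value, from an ordinary EXE whose linker may simply not have set it), a CheckSum that is present but wrong (the "damaged or tampered" case), a SizeOfRawData that runs past end of file, a NumberOfRvaAndSizes other than 16, and a section whose entropy suggests packing. The finding names and the 7.0 bits/byte entropy threshold are my choices, not Valkyrie's.

```python
import math
import struct
from collections import Counter

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
IMAGE_SUBSYSTEM_NATIVE = 1   # drivers: the one case where the loader requires a valid CheckSum
ENTROPY_PACKED = 7.0         # bits/byte; my threshold, not Valkyrie's


def build_pe(checksum=0, raw_size=FILE_ALIGN, num_dirs=16, subsystem=3, body=None):
    """Constructed sample: a minimal one-section PE32+ file, 1024 bytes long."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section, 240-byte opt hdr
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        0x20B, 14, 0,                        # Magic (PE32+), linker version
        FILE_ALIGN, 0, 0,                    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        SECT_ALIGN, SECT_ALIGN,              # AddressOfEntryPoint, BaseOfCode
        0x140000000,                         # ImageBase
        SECT_ALIGN, FILE_ALIGN,              # SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                    # OS / image / subsystem versions
        0,                                   # Win32VersionValue
        2 * SECT_ALIGN, FILE_ALIGN,          # SizeOfImage, SizeOfHeaders
        checksum, subsystem, 0x8160,         # CheckSum, Subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, num_dirs,                         # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\0" * (8 * 16)                     # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", FILE_ALIGN, SECT_ALIGN, raw_size,
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)          # code | execute | read
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (FILE_ALIGN - len(headers))
    return headers + (body if body is not None else b"\xC3" * FILE_ALIGN)  # 512 RET bytes


def pe_checksum(data, checksum_offset):
    """PE CheckSum algorithm (what MapFileAndCheckSum computes): sum every dword except
    the CheckSum field itself with end-around carry, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset & ~3:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_field_offset(data):
    """CheckSum sits at optional-header offset 64 in both PE32 and PE32+."""
    return struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64


def shannon_entropy(buf):
    """Bits per byte: packed or encrypted data sits near 8, plain x86 code well below."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def inspect_pe(data):
    """Return finding codes for the header oddities discussed in this thread."""
    findings = []
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        return ["not_a_pe"]
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is_plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if is_plus else 92))[0]

    if stored == 0:
        # Linker did not set it. Fatal only for drivers, whose CheckSum the loader verifies.
        findings.append("checksum_zero_driver" if subsystem == IMAGE_SUBSYSTEM_NATIVE
                        else "checksum_zero")
    elif stored != pe_checksum(data, opt + 64):
        findings.append("checksum_mismatch")        # set once, but patched or damaged since
    if ndirs != 16:
        findings.append("rva_count_unusual")        # linkers emit 16; anything else is hand-built
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        if raw_ptr + raw_size > len(data):
            findings.append("raw_size_beyond_eof")  # "Size Of Raw data is valued illegal"
        elif shannon_entropy(data[raw_ptr:raw_ptr + raw_size]) > ENTROPY_PACKED:
            findings.append("section_high_entropy") # "file is possibly packed"
    return findings


if __name__ == "__main__":
    img = build_pe()
    print(inspect_pe(img))                                                           # ['checksum_zero']
    print(inspect_pe(build_pe(checksum=pe_checksum(img, checksum_field_offset(img)))))  # []
```

For a real file on disk the same two checks are available from pefile as `PE.generate_checksum()` and `PE.verify_checksum()`; the point of the hand-rolled version is to see that a zero field is "never set", a non-zero wrong field is "changed after linking", and only the driver case turns either into a load failure.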

Trident
Nikola Milanovic said:
SUSPICIOUS BEHAVIORS
Opens a file in a system directory
Uses a function clandestinely
Has no visible windows

Behavioral Information
QueryFilePath
LowerChar
CreateMutex
OpenMutex
WriteFile
ReadFile
LoadLibrary
OpenRegistryKey
QueryProcessAddress

This file was seen on VirusTotal more than 10 years ago and has a detection of 53/70.

The program doesn't exhibit malicious behaviour; it promises to break mail.ru passwords. The underlying C&Cs are long dead and the program will not work at all. It wasn't detected through dynamic analysis; it was detected via a signature that Comodo should have created a very long time ago.

Nikola Milanovic
Trident said:
This file was seen on VirusTotal more than 10 years ago and has a detection of 53/70.

The program doesn't exhibit malicious behaviour; it promises to break mail.ru passwords. The underlying C&Cs are long dead and the program will not work at all. It wasn't detected through dynamic analysis; it was detected via a signature that Comodo should have created a very long time ago.
It is detected by Dynamic Analysis as Highly Suspicious (Xcitium's way of saying that it is malicious).
 

Trident
Nikola Milanovic said:
It is detected by Dynamic Analysis as Highly Suspicious (Xcitium's way of saying that it is malicious).
The dynamic analysis identified 3 behaviours, none of which is a clear sign of malicious intent.

Opens a file in a system directory
Uses a function clandestinely
Has no visible windows

Opens a file in a system directory: the file is C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config (from the report).
This file contains system defaults, assembly binding rules, remote channels and cryptography settings amongst others. The file was just read and not modified.
Plenty of .NET-based applications have valid reasons to read machine defaults.
In addition, the execution flow might contain variables that require the .NET framework to read this file, so it may not be the application itself using this information; it could just be a side effect of the programmer's logic.

Uses a function CLANDESTINELY:
There is no information on what exactly is used clandestinely. Unable to comment here.

Has no visible window:
This could be a sign of a threat, specifically when the file is downloaded from the web. However, the file contains strings like "Установка" ("installation" in Russian), "Далее" (which means "next") and so on. The file is designed to have a visible window; it's just that Comodo's emulation was unable to fully cover virtual artefacts and the program terminated.
The program is also 12 years old and, as stated earlier, will not work anymore.

All in all, very little (almost no) behaviour was observed during the Comodo emulation process to conclude whether or not the program is malicious in an efficient and accurate way. The program merely detected emulation and exited, which is typical for cracks, hacking tools, password brute-forcing tools and so on, as well as for malware. It is also typical for some fully legitimate packing tools and install builders.