Xcitium Valkyrie/Comodo Valkyrie Verdicts
<blockquote data-quote="Trident" data-source="post: 1124808" data-attributes="member: 99014"><p>The dynamic analysis identified 3 behaviours, none of which is a clear sign of malicious intent.</p><p></p><table style='width: 100%'><tr><td>Opens a file in a system directory</td><td></td></tr><tr><td>Uses a function clandestinely</td><td></td></tr><tr><td>Has no visible windows</td><td></td></tr></table><p></p><p>Opens a file in a system directory — the file is <strong>C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config</strong> (from the report).</p><p>This file contains system defaults, assembly binding rules, remote channels and cryptography settings, amongst others. The file was just read and not modified.</p><p>Plenty of .NET-based applications have valid reasons to read machine defaults.</p><p>In addition, the execution flow might contain variables that require the .NET framework to read this file, so it may not be the application itself using this information — it could just be a side effect of the programmer’s logic.</p><p></p><p>Uses a function <strong>CLANDESTINELY</strong>.</p><p>There is no information on what exactly is used clandestinely. Unable to comment here.</p><p></p><p><strong>Has no visible window:</strong></p><p>This could be a sign of a threat, specifically when the file is downloaded from the web. However, the file contains strings like “Установка” (installation in Russian), “Далее” (which means next) and so on. The file is designed to <strong>have</strong> a visible window; it’s just that Comodo’s emulation was unable to fully cover virtual artefacts and the program terminated.</p><p>The program is also 12 years old and, as stated earlier, will not work anymore.</p><p></p><p>All in all, very little, almost no behaviour was observed during the Comodo emulation process to conclude whether or not the program is malicious in an efficient and accurate way. The program merely detected emulation and exited, which is typical for cracks, hacking tools, password brute-forcing tools and so on, as well as for malware. It is also typical for some fully legit packing tools and install builders.</p></blockquote><p></p>
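A static triage check for the "has no visible window" point in the post, added here as an example and not part of the original thread: it reads the Subsystem field of the PE optional header (GUI vs. console) and extracts UTF-16LE strings, flagging Cyrillic UI text such as “Установка” and “Далее”. The sample bytes are constructed in `build_sample()` and are not the file from the Valkyrie report.

```python
import re
import struct

# Subsystem values from the PE optional header (IMAGE_SUBSYSTEM_*).
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

# UTF-16LE runs of printable ASCII or Cyrillic (U+0400-U+04FF), 4+ chars.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00|[\x00-\xff]\x04){4,}")


def pe_subsystem(data: bytes):
    """Return the Subsystem field of the optional header, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    opt = e_lfanew + 4 + 20          # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 70:
        return None
    return struct.unpack_from("<H", data, opt + 68)[0]  # Subsystem is at +68


def wide_strings(data: bytes):
    """Extract UTF-16LE strings (the encoding Windows UI resources use)."""
    return [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]


def gui_evidence(data: bytes):
    """Collect header and string evidence that the binary expects to show a window."""
    sub = pe_subsystem(data)
    cyrillic = [s for s in wide_strings(data)
                if any("\u0400" <= ch <= "\u04ff" for ch in s)]
    return {
        "subsystem": SUBSYSTEMS.get(sub, f"unknown({sub})"),
        "cyrillic_ui_strings": cyrillic,
        "designed_for_gui": sub == 2 or bool(cyrillic),
    }


def build_sample() -> bytes:
    """Constructed stand-in: minimal PE32 header with the GUI subsystem plus the
    Russian installer strings the post mentions. Not the real file."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew -> 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 20                  # signature + COFF header
    opt = bytearray(70)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                   # IMAGE_SUBSYSTEM_WINDOWS_GUI
    text = b"\x00\x00".join(s.encode("utf-16-le") for s in ("Установка", "Далее", "Setup"))
    return bytes(hdr) + bytes(opt) + b"\x00\x00" + text


if __name__ == "__main__":
    print(gui_evidence(build_sample()))
```

A GUI subsystem together with localized UI strings supports the post's reading that the process exited early on emulation rather than being built to run without a window; it is evidence for an analyst to weigh, not a verdict.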