New sample of Rogue AV?

Discussion in 'other anti-malware software' started by Stubborn, Oct 9, 2008.

Thread Status:
Not open for further replies.
  1. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Hi there,

    I was testing Sandboxie on my machine, and as the search process was evolving, I reached the specific domain: 100webspace.

    Some Windows warnings, the same bullshit as usual, then I was redirected to download this specific file:

    A9installer_77025301.exe.

    Virustotal Link:~Link removed per Policy. - Ron~ EDIT: Thx.

    While running on demand, neither NOD32 (as expected) nor Malwarebytes was able to catch it.
     
    Last edited by a moderator: Oct 9, 2008
  2. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    And?

    Since you obviously found something quite new, why not report it to where it matters? That would be the vendors themselves :)
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Wow, Microsoft and Sophos were the only detections. o_O That sucks. Please send samples to other vendors.
     
    Last edited by a moderator: Oct 9, 2008
  4. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Lordpake,

    I thought I was in the right place. Isn't it the subforum where you can post your experiences with other anti-malware software?

    Sandboxie kept my OS secure and I wish to share my first good impressions on this software.

    Please report to the MODs if you feel bothered, so they can do their jobs.

    Best Regards.
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    As far as I am concerned, it's always nice to see how well Sandboxie holds up, and yet nothing new about AV or 100webspaces. A very good place to land on for security testing. :eek:
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    These rogues are constantly morphing so as to be undetectable.

    You could post any new threats at the "Newest Rogue Threats" section of Malwarebytes' forum.

    I have an A9 installer in my collection and MBAM flags it:
    Files Infected:
    c:\Users\administrator\Desktop\a9installer_77052204.exe (Trojan.FakeAlert) -> No action taken.
     
    Last edited: Oct 9, 2008
  7. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Thank you, Franklin.

    Kinda nice of you to give me an explanation about the right place to post, instead of being rude or sarcastic. I appreciate that.

    I will report this thread to the MODs so they can close it, if they wish to.

    I didn't post it with bad intentions.
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I think that even if the installer might not be flagged by MBAM, the heuristics may kick in at an attempted install?

    Oh, and best if you mung or remove your link to VirusTotal as they're not allowed, meaning change the http to hxxp so that it's not live.

    Dunno if munged links are allowed either?
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Did you send the file to the other main AV vendors?
     
  10. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Not yet, but I would like to. I sent it to NOD32 only. If there are other e-mails that I can send the samples to, just let me know.
     
    Last edited: Oct 9, 2008
  11. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,980
    Location:
    U.S.A.
    Stubborn, the file shown on the VirusTotal results is A9installer_77039001.exe, a different file than stated above. Were there several files attempting to download?

    In Franklin's post, the sample file was a9installer_77052204.exe which is part of Antivirus 2009 but you could have found a variant of the same bug. Looks like you have reported it to NOD32 and MBAM; thank you for letting us know that Sandboxie worked as expected!

    Edit: Instructions for AVG - What to do when I suspect that a file is infected?
    Please try to update your AVG system and run the whole computer scan again. When the file is not detected and you are still in doubt, put the file into a password-protected archive (WinZip, WinRAR, PowerArchiver etc.), attach this archive to an e-mail and send it to virus@avg.com. Describe why you are sending the file and write the password for the archive in the e-mail. Then send the e-mail.
     
    Last edited: Oct 9, 2008
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    For Avira, submit here.
     
  13. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
  14. rolarocka

    rolarocka Guest

  15. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    I didn't try to be sarcastic or rude :)

    As already said, there's nothing strange about signature-based (blacklist) software letting something by while Sandboxie contains it. Both are doing their jobs; it's just that for new pests the signatures usually are lacking. Hence it is important for all of us to submit samples around :) It's the responsible thing to do.

    There's a thread about where to post malware samples.

    https://www.wilderssecurity.com/showthread.php?t=132843
     
  16. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Well, despite the name of the file that I downloaded, when sent to VirusTotal, it recognized its name differently.

    I've also decided to run the file in the sandbox. Allowed the firewall to receive the installation packet, then:

    - Zemana kindly pointed out every single action of it;
    - NOD32 recognized it as XpAntivirus and sent it to quarantine.

    Although I'm a newbie at this matter, I've got some questions:

    - The fact that NOD32 accessed the file in Sandboxie, does it mean that the opposite way was also possible (the sandboxed environment reaching the "outer" environment)?
     
  17. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Done.
     
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,980
    Location:
    U.S.A.
    I have to defer your question to someone who has NOD32 installed, since I have AVG, and I'm a Sandboxie newbie as well. Yet, I'll be curious to read how NOD32 could pull that file out of the sandbox to quarantine it.

    I thought that only when you "recover" a file via Sandboxie is that file transferred outside the sandbox. Am I wrong in that assumption? Experts please chime in!
     
  19. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Did you submit to any others in the thread with all the main vendors?
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    In simple words, the AV can access the sandbox for scanning, but stuff inside the sandbox can't escape. No worries there ;)
     
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,980
    Location:
    U.S.A.
    HURST, thanks for your pithy explanation. :thumb: Stubborn stated "NOD32 recognized it as XpAntivirus and sent it to quarantine", which I took to mean that the file was extracted from the sandbox, so I'm glad to learn that nothing can escape from it, unless you do it yourself.
     
  22. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    If NOD32 were sandboxed then the NOD32 quarantine would also be sandboxed, but NOD32 was not running sandboxed, so the malware appeared in the real quarantine... very simple.
    Every action made by a sandboxed application (and its children) will be sandboxed; every action made by a non-sandboxed application will be real.
     
    Last edited: Oct 10, 2008
  23. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Avira and NOD32 only. Awaiting contacts to send it to other vendors.
     
  24. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Thanks for the explanation.

    As I've said before, I'm a newbie at these questions.

    I also took a few screenshots of the infection. If there are reasons to post them, just let me know.
     
  25. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Sample sent to the following list:

    v3sos@ahnlab.com; virus@arcabit.com; virus@avast.com; virus@grisoft.cz; virus@avira.com; virus_submission@bitdefender.com; virus@ca.com; vms@drweb.com; submit@emsisoft.com; esafe.virus@eAladdin.com; samples@eset.com; submit@ewido.net; submitvirus@fortinet.com; viruslab@f-prot.com; samples@f-secure.com; hauri98@hauri.co.kr; analyse@ikarus.at; newvirus@kaspersky.com; vsample@avertlabs.com; avsubmit@submit.microsoft.com; analysis@norman.no; virussamples@pandasoftware.com; viruslab@quickheal.com; samples@sophos.com; avsubmit@symantec.com; virus_doctor@trendmicro.com; newvirus@unasoft.com.ua; newvirus@anti-virus.by; virus@virusbuster.hu

    -----------------------


    Also, Avira feedback.

    "Welcome back, Mr Edward!

    We received the following archive files:
    File ID    Filename     Size (Byte)   Result
    25156099   sample.rar   68.94 KB      OK

    A listing of files contained inside archives alongside their results can be found below:
    File ID    Filename                    Size (Byte)   Result
    25156100   A9installer_77025301.exe    149 KB        MALWARE

    Please find a detailed report concerning each individual sample below:
    Filename                    Result
    A9installer_77025301.exe    MALWARE

    The file 'A9installer_77025301.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/FraudPack.akv. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.07.21."
     
    Last edited: Oct 10, 2008