I uploaded the file to any.run and it seems like it downloads and executes a RAT. OP if you are reading this check for C:\Users*yourusername*\avrt\assignedaccessproviderevents.exe.exe also run a Windows Defender and MalwareBytes scan just to make sure :)
Also don't ask why I opened Chrome in the middle of the sim lol
Er... you should seriously look into that and see if cmd isn't executing malicious code. Living off the Land viruses are definitely the new rage. In fact, Emotet, the ultra-popular malware at the moment, hops through cmd.exe first to launch PowerShell. Honestly, I'd check C:/Windows/Prefetch/ and see if PowerShell didn't get fired recently
Yes, it's a false positive. The detected file is a benign Google terms and conditions file. Sandbox video: WDATP_File_Sample_eec6ebcbd8f725cfbd38240197f6b8e03d9d6139.zip (MD5: B60660A86741F5B932B53441C9D81829) - Interactive analysis - ANY.RUN
De-obfuscating may require some time and skills. Most likely these macros call in PowerShell to do the job. So I would enable PowerShell script block logging on a VM that is not hooked to the network, or hooked up but isolated, and I would run the Word doc and enable the content. Let it run for a while, then go to Windows Event Viewer and look for the PowerShell log. It will be fully de-obfuscated and you will see exactly what it is trying to do. If you need to actually execute the whole malware sample, I would do that in https://app.any.run/
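The workflow described in that comment (turn on script block logging, detonate the document in an isolated VM, then read the de-obfuscated script from the event log), as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the isolated VM; the output path is a constructed placeholder.

```powershell
# Step 1: enable PowerShell Script Block Logging via the same policy key
# Group Policy writes. Every script block PowerShell compiles is then
# recorded as Event ID 4104 in Microsoft-Windows-PowerShell/Operational,
# after any obfuscation layers have been unwrapped.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Note the time before detonating the document, so only new events are pulled.
$start = Get-Date
# ... open the Word document in the isolated VM and click "Enable Content" ...

# Step 2: collect the 4104 events written since detonation. A long script
# is split across several events; Properties[0]/[1] are the fragment index
# and total, Properties[2] is the script text, Properties[3] the block id.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $start
} -ErrorAction SilentlyContinue

# Step 3: reassemble fragments per ScriptBlockId and write each recovered
# script to disk for review (constructed placeholder path).
$outDir = 'C:\Triage\scriptblocks'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$events |
    Group-Object { $_.Properties[3].Value } |
    ForEach-Object {
        $text = ($_.Group | Sort-Object { [int]$_.Properties[0].Value } |
                 ForEach-Object { $_.Properties[2].Value }) -join ''
        $file = Join-Path $outDir ("$($_.Name).ps1.txt")
        Set-Content -Path $file -Value $text
        # Surface the indicators a triage analyst looks at first.
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            Fragments     = $_.Count
            Length        = $text.Length
            HasDownload   = ($text -match 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient')
            HasEncoded    = ($text -match 'FromBase64String|-EncodedCommand|-enc')
            Saved         = $file
        }
    } | Format-Table -AutoSize
```

The reassembled text is what the macro actually handed to the PowerShell engine, so the URLs, dropped file paths and persistence commands are readable even when the macro source itself was heavily obfuscated.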
Depends what you want to do. There are a lot of little niches in the security industry.
If you want to do what the above poster is describing you could get your feet wet by looking at public malware submissions on a site like AnyRun (https://app.any.run/submissions) and trying to identify trends of what malware commonly does. That site is a public sandbox where researchers will submit suspected malware samples for analysis so that you don't have to download and run the samples on your own computer. I think you have to sign up with your email to use it though.
It can be kind of a pain in the ass to get used to the interface but it's essentially just telling you what the malware process is doing and providing details on specific actions it's taking.
I'd recommend paying more attention to the "processes" view presented on the right side of the screen rather than the Windows view. There's a cool "ATT&CK matrix" button on the there that will give context on general behavior the sandbox identifies in the malware and why it's important. It's not 100% accurate but it'll be a good resource starting out. You can also click on the different process boxes for a "more info" popup that gives a lot of information about specific activity.
If the terminology of the site is confusing, a lot of it is just general IT knowledge so you should be able to google your way out of stuff like "what is the process lsass.exe" or "what is a registry value".
Anyway, I'd just mess around on that site and eventually you'll do enough random googling that you find other cool resources to use and sort of branch out and follow your curiosities wherever they take you.
Something not too different happened to me:
I posted on a NSFW subreddit (no need to open my profile, it was another account). Then got a follower with one post in a weird subreddit that had a copy of my post but linked to a weird url that had a partial to my account username. Didn't click it, moved on.
Some other day I posted again on that subreddit and someone mentioned my username (the app also notifies you of that) and it was another throwaway account with only one post that had my username mentioned and linked to that same weird url.
So I decided to investigate:
This site was under Cloudflare, the DNS name was one of those free shitty ones and the record had little useful info
Googled and found thousands of reddit accounts that had mentions using the same logic, all done within 24 hours and for users that had posted on that subreddit
Said, fuck it and decided to open it on app.any.run and saved the page to analyze
It was a copy of my posts and then had the location (got it based on the IP the page request came from) the device and little more and said something on the lines:
Hey I recognize you, you're from "etc, etc". Yeah, you should send me BTC to this address or you're fucked.
Reported that to reddit (they took all those accounts and mentions down pretty fast) and cloudflare(which did not respond).
And that was it. Wonder if it's anything like that.
Yes, but they need to be "fresh", not days old to make the tests worthwhile IMHO. The recent public submissions are a good place to hunt. Or you can try Scumware.
I did some tests recently and Quad9 won overall, although Norton (yes, Norton) did respectably. I hope to repeat the tests soon, adding Neustar Free Recursive DNS and now CleanBrowsing. OpenDNS, at least the free one, sucked, barely worth bothering with.
Sorry to hear this happened to you. I ran it on any.run and it shows most of everything it does (you might want to start doing this before opening random executables)
Semi-related, but weird that I was just checking threat history on any.run (malware investigation service)
Someone uploaded a "nitro generator" and it was just a remote access trojan just a little while ago.
https://app.any.run/tasks/fff7e90a-5765-4f5f-a2e1-fecabe3bd475/
This shows all the stuff that was done to the virtual system. It's nasty stuff.
Anyways, what I'm getting at is don't go to ANY website that ANYONE says will give you free ANYTHING. Period. Sometimes it's a drive-by, sometimes it's to get you to run some program. 100% of the time it's fake and you'll probably end up getting a virus.
It redirects to hxxps://blog[.]goggle[.]com
It looks benign based on app any run, but virustotal flags it as a bad URL for two AV engines:
Here's what it looks like using app any run (public task):
https://app.any.run/tasks/a025e488-3b38-456e-9004-a8d67f914fec
I wouldn't worry about it too much on accidental clicks but wouldn't actively go there.
I think that VirusTotal is enough additional verification given the sketchiness of the site. I also did try to run it through app.any.run first but couldn't due to file size. My goal isn't to provide "proof" - it's to illustrate that it would be a really bad idea to try and use it, regardless of how shitty an AV VirusTotal is.
Just remember that any.run is pretty public - since you linked to the VT results I can search the hash and find it: https://app.any.run/tasks/18b9d15e-e9e4-4377-9bd9-00d271c85038
Unlikely you care about who gets this - but just a reminder about uploading sensitive data to public services, VT is the same way.
Looks like it returns a 404 page for now: https://app.any.run/tasks/ac74018a-55e7-4b25-8673-991622a66350
Once upon a time it probably dropped a Zeus package. Looks like VT has known about it for a few years at least: https://www.virustotal.com/#/file/7cc79432ea8ef9c1f7eb89e8f90985f00b6916fa938156f3ce42643d5878933c/details
You can go to https://app.any.run/ upload it, open it, view connections, etc.
If you'd like for someone here to verify it, share the link to the upload from app.any.run so we can check it out. Safer there than sharing here. If you share here, it'll probably get removed.
BOTH LINKS ARE COMING BACK MALICIOUS.
Don't believe me? Here's the proof -- it's a sandbox. I am a cyber security ape. Also -- I only ran one link, but the other is similar.
https://app.any.run/tasks/7715640d-1bc5-4812-b216-0b739ac50d2c
Sandboxes are great for checking them out first.
Here's a report on this one. It pops up other websites. Now, if it didn't do this behavior before, someone got in and created a few popups. I saw a trojan and a few escalations of privileges tried.
https://app.any.run/tasks/ba76c547-8bfa-44f2-b0da-f515e1f30aca/
App.any is free to use to test out stuff, just remember it is PUBLIC, so others will be able to see what you are testing. So don't include stuff like PII.
The new tools / newer version of the tools make everything much much easier. But reversing malware hasn't really changed much, Windows and PE file format are still basically the same. Ida Pro + x64dbg + PEStudio + Detect It Easy + app.any.run and you're basically unstoppable
It's a site, https://app.any.run/#register, you need to sign up, but it should be pretty straightforward from there: just click on New Task, then copy and paste the url you downloaded the file from
Here is a scan of the infected Brave Browser: https://app.any.run/tasks/4fe2ec60-23f0-4c41-94e2-5d59904aca4e
It sends data to Hong Kong!
https://app.any.run/ - Interactive online malware analysis service for dynamic and static research of most types of threats using any environments. Replaces a set of tools for research.
Very likely a FP. But I've seen benign files be flagged by 20-ish AV. Reason being machine learning going bonkers because, as I had it explained to me by a vendor, "it doesn't look like a normal program"; another vendor couldn't even explain why, as ML is a black box with no clue how it makes decisions - which is a failure when it comes to ML.
My advice would be an interactive sandbox like App.Any.Run and a dozen yara rules to see if you can find anything malicious at all. Do not rely on AV/ML alone.
Synapse X is not a virus if it were millions of people wouldn't have purchased the exploit and it wouldn't be advertised like free irl money from the IRS on v3rm. The dude in the video is also a clueless twink that knows nothing about computers because he tried to run it in a WinRar and thought it was a virus when ofc a program that adds files cannot add files to an existing WinRar because it is not extracted into a Windows folder. He also has no idea what he's looking at and also used app.any.run to test the exploit didn't even try and use an actual VMWare environment to test the process with ProcessHacker to truly see if there was any viruses.
Note: Synapse is flagged as a false positive for its obfuscation and it's been around for many years
This is an online service that allows you, for free, to run a program in a Windows 7 32 bit environment for 60 seconds. The major caveat is your test runs are public. It has great features, such as file access and network access logs.
My Company got a TON of these over the weekend.
They seem to be fairly common. When we tried to analyze in a sandbox (app.any.run) we couldn't get the page to load.
It looks like this is going to be the new hot thing for a while; I was already able to create an email security filter for it.
Yea that looks like an absolute mess.
From the various names it appears to pretend to be amtemu.v0.9.2.win-painter (the old Adobe patcher), and it does drop the legitimate amtemu, but along with a batch file that makes some very weird changes to the hosts file, hides some temp files, and tries to open a dead site.
If you're interested in those dropped files - https://app.any.run/tasks/5cadd56f-3b77-4f23-b3a3-6e8ce6cb900a
As far as I can see, it isn't actually malicious (or at least not anymore that it can't access that site), but there are much better, safer ways to get Adobe products.
Thank you very much! Windows Defender SmartScreen flags it as malicious, but VirusTotal and any.run reports seem to be okay:
https://app.any.run/tasks/cdcaeef0-dd28-47f9-9769-f1bf9b682427
https://www.virustotal.com/gui/file/f2b7d1ba65a996571e2f624f5cdf668d85eeece410db611c48ab793aefafb45f
Am from Tines, thanks for the shout out!
There's a ton of stuff you can do around this OP. As several folks have said you can use an automation platform, and that'll allow you to do things like check the hash against VT before/instead of uploading it. You can also do things like upload to other sandboxes privately (VMRay, App.any.run, hybrid analysis, Joe Sandbox etc.) and check the EML for DMARC, DKIM, SPF, look for CEO fraud etc. too. Happy to go deeper on it!
That's usually in reference to simple keygens that just generate keys for you to type into the software, so they don't need to be on your host system to work. Keygens that drop a crack can also be run in a sandbox, you'd just then need to copy said crack over to your host system.
Keygens which patch files, or which are required to make some change to your system in order to enable activation, can't just be run in a sandbox or VM, but at the very least you can try running in a secure environment first to see if something drastic happens (e.g. ransomware).
You can use something like any.run to run files even more securely and have them analysed at the same time.
app.any.run and virustotal.com are both good and trusted. It's clearly malware; you can't tell. brain.exe cannot say it's safe by just playing it for 1 day or even 10 years; you can't tell. Some malware (TLAUNCHER IS SPYWARE) is sneaky; SPYWARE is clearly sneaky. Well, reading your DxDiag (it's just a report of errors) is safe, but they're bringing that info to their servers, so it's clearly spying on you
The problem with Virustotal is that it will flag falsely a fuck ton.
If you really are worried, try installing it in a sandbox or through a virtual sandbox - https://app.any.run/
It will let you know if any malicious activity is being run.
Submit the exe file to an online sandbox environment that has tools made for it and then see if it executes any malware; https://app.any.run/ offers this.
You need an account to run the test and if you want to run the test on a windows version other than 7 you need a subscription.
But it does its deed. Then to add more time than the 60 seconds it gives you, you can press a button in the upper right corner.
And as for VirusTotal: it works, I guess? But yeah, it shouldn't be fully trusted.
Any.run reports a malicious connection behind this link. Be careful with watching. AnyRun report link: https://app.any.run/tasks/5fe90566-6ebe-47d3-a32b-e2ffa9b634ef
So you probably shouldn't post potential malicious links on Reddit. The proper thing to do would be to defang the link and post it as I did below. This looks to just be an ad for a book. I'm not seeing anything malicious.
https://app.any.run/tasks/883e6a79-9fa1-4277-afd1-bac1912177e3
The link is sketchy and forwards to a protonmail black friday campaign, I assume to the one that was shown in PMs customers inbox:
https://app.any.run/tasks/bd2978b5-9a2d-423d-b9b0-bae9c1c261de
What I think happened here: A protonmail user took the black friday campaign link, which was shown in the inbox, and created an external affiliate link with it.
"no porn"
literally the second post on my feed is a camgirl ad calling me daddy with an owo and hashtag twexit qanon. I'm close to clicking.
btw, if you find strange links and don't want to click them, there's always https://app.any.run/
It's not as good as something like app.any.run or VirtualBox. I never tested the Windows 10 Virtual Machine so I can't say from experience, but personally I wouldn't try it.
Personally, I never even use a real time Antivirus. I always scan each new file with Malware Bytes. If you ever think you have a virus just run a scan with that. If you ever want to test a file I personally suggest hybrid-analysis.com or maybe if you would like to try the app yourself you can use app.any.run
In terms of "Did I download malware or unwanted software", you should run a scan with the suggestions I made to figure out if you did or not
https://app.any.run/tasks/af540820-59fb-46b5-97c6-841cefcc9f36#
In the Attack view it even lists 2 manual executions by user, and on the tree too, so that 2nd execution was definitely there, not that it changed much
Just ran VirusTotal; all of it showed up "undetected" except for Symantec Mobile Insight, and the result for that one is "unable to process file type"
app.any.run doesn't let me select the option for Windows 10 or the 64 bit. It ran it, but it just showed the file wasn't compatible with Windows 7
Old run of the same keygen (nothing suspicious) - https://app.any.run/tasks/1d8453ea-b469-4cab-8cff-26b0a4379f21/
Couldn't find one for the repack
Why is that tool flagged as a trojan by 10 antiviruses on virustotal?
Edit: also https://app.any.run/tasks/054f72e1-e742-4edb-afc8-dd81a9f48b10/
If the hash is the same, then the file is the same. That's how hashes work. What you're likely experiencing is the executable's anti-vm or anti-debugging capabilities.
Rename the .bin file as a .dll extension and run it from a physical host.
Read more here under "May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)" and see the file actually executing here.
Just because it works well doesn’t mean it’s safe. You won’t notice if it’s doing things in the background. I didn’t spend much time looking into it but on the surface it’s making some suspect connections when running. So I would certainly be careful. It would be worth inspecting the actual packets it’s sending out to see. You can see under the network > connections tab where it’s reaching to: https://app.any.run/tasks/b0fe4e83-48fe-4090-ae9a-71321a5af8ff/
Honestly with sandboxes like https://app.any.run/ and automated unpackers a real malware analyst is only needed for relatively unique malware. The tools available today are amazing and can take care of most run of the mill stuff. RE isn't just a skill it's more like a state of mind for approaching problems and solving them, so it's 100% still worth learning and can be really fun.
I would definitely recommend making an account on this site so you can download this file and many other samples by using the filter feature they have available. But here is the link to the file where I got this sample from:
https://app.any.run/tasks/4078f683-181d-4ca4-ba0b-c233f47cfaf8/
You are correct. I ran it in any.run (link here) and it appears that the program doesn't change the computer except for a few temporary files. It's a dummy program. As for how my family member got it, I have no idea, and probably will never know (he's old, won't remember). If he paid money, I'm sure he would have said something to me since I'm the "tech guy". Probably downloaded it by mistake, somehow got onto his desktop.
Even though antivirus software firmly grasp this file as malicious and suspicious, does not mean the file is non-sterilized.
GitHub repo maker really needs to make a description about what this exe does.
This is like that program that my dad uses to sterilize email for some unknown reason.
Risky at best, why would you need an external program -besides an AV- to sterilize a file is beyond me.
A website I recently came across that looked interesting is https://app.any.run/
I haven't tested it but it looks cool. It appears to sandbox and run your uploaded file and tell you what is happening
I personally wouldn't recommend it being on prem just to cut out any possible interaction with the production network. You could potentially look into a free/paid service such as app.any.run to submit samples and interact with them in real time (I believe paid keeps your submissions 'hidden'). Otherwise I would go the route of a completely separate network for malware analysis.
For a better way of showing how the malware works with the community, you could upload the file to https://app.any.run When you upload the file, it will make a link that you could send to anybody to see what the malware does like what it changes, what files, and it would also say what IPs it connects to.
That works. I took a quick look at it and it doesn't actually seem to be malicious.
Take a look: https://app.any.run/tasks/da3b5acf-f7df-4b5e-9117-3efde524ba34
No outbound HTTP requests. No bizarre child processes. No odd registry adds.
It claims to be malicious because it drops the file Setup.exe three times but nothing actually happens so it's a false positive.
You can use a different browser to download it. Firefox or IE should work. Edge might not since it's built on Chromium.
So VirusTotal doesn't flag anything at all in the downloader.exe, can't say for whatever it might download.
I loaded the downloader.exe into Any.run but didn't get very far. It asked for elevation then immediately asked for a product key. I tried 1111-1111-1111-1111 and AAAA-AAAA-AAAA-AAAA but it didn't accept those "download keys" and has some form of validation. (I wasn't about to stick a legit key in there...) It did not appear to do anything sketchy with the filesystem in the 60s that the VM was up.
Definitely report that seller and request a refund immediately however, this is extremely sketchy.
You should ONLY download MS Office directly from Microsoft. The Download page for 2010 and earlier is here: https://www.microsoft.com/en-us/software-download/office
The link results in a 404 page not found error, hence my remark
EDIT: if you remove the backslashes it works, so this is the correct link.