I think the author doesn't understand what hybrid-analysis is doing when you send it a javascript file.
If you look at the analysis details, their virtual machine is starting up a copy of WScript.exe to interpret the javascript code. The analysis is then based on watching the WScript process to see what is accessed. This means that whatever WScript does by default will show up in the report, and as it turns out, every item the author has marked as a concern is just the default behavior when starting up the script engine.
This can be verified by analyzing a dummy javascript file and seeing what it reports. My upload of function(hello, world) { } wasn't large enough for it to trip the heuristic of finding shellcode, but pretty much every other item was hit. Blindly trusting automated analysis can lead you down incorrect paths.
Also, does it seem likely that the government has coerced Cloudflare into hosting a backdoored version of a javascript library? Furthermore, does it seem likely that they would burn a zero-day exploit against a javascript engine allowing a sandbox escape strong enough to even run shellcode in the first place?
Sorry for hijacking your comment but I just wanted to warn people really quick that in the chat on the clip a guy is spamming some suspicious links.
This is his profile: https://overrustlelogs.net/stalk?channel=pokelawls&nick=amokachi3
One of the links ending in "w4k" is one of the first messages in the clip chat, please be careful to not click it.
Update: I had it scanned here: https://www.hybrid-analysis.com/sample/f86b43be34db7118460b78b6b4764393f2ff15dd8743bb18af6167e0f764115e/5be9f3737ca3e101ce45a1d5
Doesn't look too bad, probably just an attempt to generate some ad revenue.
Communicated with those same two domains from the forum post (gubuh.com and goquc.com) and it turned out to be a RAT/NJRAT :Z
Here, if anyone is interested, the attached files are identical; both have the r00 extension, which WinRAR opens if it is installed, but they are compressed with the ACE archiver, an old format that is often used to evade antivirus because hardly anything opens it, and I had a hard time opening it on Linux, damn it.
When you open it there is no PDF but an SCR file, i.e. a Windows screensaver, which is often used for trojans, backdoors, malware, etc. If it is run, it does some real nasty stuff; judging by the VirusTotal analysis, most antiviruses would find it and prevent it from running:
and a more detailed analysis here https://www.hybrid-analysis.com/sample/53bb3b98296181baf4827da2c066e94ff596beb80df895b5040447abf54dd375
it seems to me that it steals credentials for all sorts of things, but I haven't yet figured out what it does with them afterwards; it probably sends them somewhere.
It's absolutely a malicious file. Here is the link to the sandbox report for the executable linked inside the js file.
Interesting. So I'm testing this and how hasn't this been brought up already unless y'all are disabling Windows Defender. Testing on a virgin W10 Pro MSDN image from 2015 and look, W.Defender signature from mid 2015 detects this instantly when I mounted the iso. No fucken way this is running on W10 systems unless every single person is disabling defender fully + smart screen.
Oh boi naughty naughty. Here is an analysis of it. https://www.hybrid-analysis.com/sample/1a891a43dc2049b7684b98c6f941e9e90282b355b5e250d1dd3ae84f06eedb30/5b405c067ca3e11dda7d3305
kheprisetup appears to be dropped by various installers (possibly from questionable download sites...):
File-Cat.Goes.Fishing.v11.13.2019_31819.msi
Mario-Superstar-Baseball_8212.msi
Mari.7z_25622.msi
DUSK.v1.7.24.rar_10788.msi
Spotify_56798.msi
If only one software picked it up on VirusTotal, then it's very very very unlikely to be an actual virus. It's a false positive in that case.
In general, if it's not detected as a virus, it would at least be detected to be an encrypted/compressed exe, which is mostly flagged as suspicious or generic.
If you want an even more in-depth analysis than VirusTotal, try hybrid-analysis, although most of it is technical.
Here you can see an extended report from the infected file: https://www.hybrid-analysis.com/sample/e4a57be9a6e1f7d8c6e9cf8eecc04ee51624e6d0874932a667f2cdbafb61d222?environmentId=120#special-strings
Connects to:
47.104.134.234:3333
Login string:
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WmtVJYtVVhRhK3dgnerGn5Ufu8CAwUvcgPQM6EbX9sdAEDXRW2sV3pifsaYqmKNW48C8EUbAEUqr8JeXkRkwR9WA135TuuR2U","pass":"x","agent":"bdcam/4.1.1371 (Windows NT 6.1) libuv/1.15.0 gcc/7.3.0"}}
Surprise Ransomware. It is installed via TeamViewer.
Win 10 detects it as "Pua"; that's not a virus, just a "Possibly unwanted Application"
Consider uploading the pdf to https://www.virustotal.com/ or https://www.hybrid-analysis.com/. These sites will analyze the file for you or run the file in a sandbox to determine if the file contains malicious indicators or has been flagged by AV products.
Absolutely, I used dynamic analysis provided by an online sandbox called Hybrid Analysis. It will take an executable and run it in a virtual environment, watch what it does and simulate a basic user. It will then spit a report out. Here is the report that I used to provide this advice. It might not make the most sense to you, but I'd be happy to go into a little more detail if you would like?
Honestly I don't know much about the network side of things. We have 2 network guys and 3 systems guys (I'm one of those), and I handle mostly the servers and clients. Pretty sure we are doing port mirroring for our domain controllers for Microsoft's Advanced Threat Analytics (ATA), but it wasn't ATA that alerted us to the virus. We have a lot of things in place to detect intrusion, and what got us to notice was Configuration Manager (Endpoint Protection) alerting us that it found a virus, and our IDS appliance notified us about that PC reaching out to botnets. For forensics we were looking at our Websense appliance for where it was going, and our Juniper firewall as to what went in/out based on packet sniffing. We use Splunk to aggregate all of our logs for easier searching, and I used the Event Viewer on the local machine to figure out timestamps of when everything occurred. I then used a website online to analyze the virus (https://www.hybrid-analysis.com/) and then read thru the virus's code to determine what it was trying to do. We as a team spent about 2-3 hours on it where network was figuring out where it went, systems locked down 2016 macros from internet originating documents in a GPO rolled out thru an emergency change, I did as much forensics as I could, and our help desk reimaged the PC.
Eeeyup. Their "sources" are literally just snapshot of DAO (which is at https://github.com/slockit/, not /slockdao/).
Fuck if I know what "Ethereum-Computer-v2.0.1-Win64-Portable.exe" actually does and I don't have a spare Win VM to test it, but I can see a 400Kb NSIS installer inside named "chrome.exe", which is already promising.
ETA: Yeah, this is released by the same guys who released definitely-not-malicious-u-guys BitcoinWisdom*s*/Tools, not to be confused with BitcoinWisdom price tracker - compare and (nothing to) contrast. That one is already smashed by Github, but you can find some totes-not-a-bot random user recommending it in a deleted thread on /r/bitcoin.
I'd say it's a good reminder to always check the list of files contained in a torrent when it is added or while it is downloading (common torrent clients should show a window before adding a torrent which, after obtaining the metadata, also shows the file list). In any case I found some automated online analyses of the file you are talking about, if you're interested. Clearly malware of some kind; decoding and decompiling it seems like a fun idea, feel free to send me a link to the file or to the site where you got it in a PM if you want.
Should the zip come from a torrent website, or if it is a targeted malware attack, the malware inside could be zero-day, which will not be detected by most anti-malware software. I would recommend https://www.hybrid-analysis.com for the super sketchy files.
You can set up your own Cuckoo sandbox or send them to the websites below http://docs.cuckoosandbox.org/en/latest/installation/host/configuration/
https://malwr.com/ or i prefer https://www.hybrid-analysis.com/
Simplex installers have also done this for many years. I was a KAT mod for several years and simplex installers were reported a lot, especially if the game was popular. It's just unpacking the game files and playing some music. It vaguely acts like a trojan dropper and a handful of AVs slap a generic detection on it out of precaution.
You can see everything it's doing here on Hybrid. Which isn't much, mostly just normal .net installer stuff.
McAfee is shit and should never be used.
If you have Windows 10, Windows Defender works as well as, if not better than, most anti-virus software.
If you have a file or program that you're skeptical about and want to see if it's malicious or not, I personally recommend https://www.hybrid-analysis.com .
It runs the files through multiple anti-virus engines and also runs a deep analysis to see what exactly it does, from which you can also draw your conclusions (like if you get a calculator app and it shows that it accesses your photo and video files, then you know something is up, even if it shows up as a clean file).
It's a bit early in the morning for me to bother deciphering it all, but there are references to an MSIE 6.0 user agent, http headers, and what looks like an attempt to invoke ActiveX or WSH objects.
It's almost definitely an older malware script. Looks like it may be making the rounds again. I found a similar script on pastebin.com from 2016
And various references to exploit toolkit analysis results:
I do it as part of my general SOC/IDS duties. For the most part I leave it to the EmergingThreats team.
I also have a subscription to this service, which is an automated sandbox:
https://www.hybrid-analysis.com/
The big trend to be aware of is fileless malware, particularly malware that is written in a scripting language like PowerShell. Windows 10 is 'immune' to traditional packed executable malware, as it has native binary whitelisting built in. This is actually easier to reverse if you can get a sample, as you can just look at the scripting language. Deobfuscation is a simple matter of replacing an exec call with a print.
Another big trend to watch out for is "Next-Generation" endpoint security, like Cylance, CrowdStrike and FireEye HX.
Credit to @PhysicalDrive0: https://twitter.com/PhysicalDrive0/status/742097969529430020
EDIT: Hybrid-analysis: https://www.hybrid-analysis.com/sample/15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589?environmentId=100
EDIT: Comodo, obviously. Not Komodo. No coffee yet this morning.
Submit it here, it will tell you what the "virus" is doing, and what's suspicious.
https://www.hybrid-analysis.com/
Here actually, I already did it, you can click falcon sandbox report:
The only weird thing I notice is this:
"msiexec.exe" touched "K:" "msiexec.exe" touched "L:" "msiexec.exe" touched "M:" "msiexec.exe" touched "N:" "msiexec.exe" touched "O:" "msiexec.exe" touched "P:" "msiexec.exe" touched "Q:" "msiexec.exe" touched "R:" "msiexec.exe" touched "S:" "msiexec.exe" touched "T:" "msiexec.exe" touched "U:" "msiexec.exe" touched "V:" "msiexec.exe" touched "W:"
I'm gonna go against basically everyone else and say that your idea is the right way to test your defenses, just not in production. Build an isolated lab environment and test with recent samples of malware.
As for where to get the samples... Depends on what you want, but I'd start by creating free accounts at https://www.hybrid-analysis.com and https://app.any.run. They're both free/paid malware sandbox tools that let you download samples that are shared publicly. Although they try to tag samples as known malware families, the automation isn't perfect at it so you'll want to crosscheck the file hashes with virus total or just a plain Google search to get an idea of exactly what it is (or go through reverse engineering it yourselves, but that's effort...).
Then you throw those samples at the tools/appliances in your lab environment and assess your general effectiveness.
If you want to get info on samples of non-commodity malware, you'll want to get your security programs plugged into one of many private threat intel sharing communities, or become a customer of a threat intel vendor (something like flashpoint, intel471, fireeye's isight... Etc). Bit of a can of worms on sharing and handling that kind of info, though.
Source: been doing this type of thing for a living for over a decade now.
You don’t do malware analysis on bare metal.
This is what you want.
https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
There’s also totally online sandboxes.
Looks like it's been seen before - https://www.hybrid-analysis.com/sample/d790d0e2355203cbb220ddcfb1cc6a7f3a23badf0779a4de8388c0e6db4d1891?environmentId=300
Agreed with other posters- likely coinmining malware. I would figure out how they got in and rebuild this box
Hey /u/compupheonix,
Thanks for the love of Hybrid Analysis.
Payload Security was acquired by CrowdStrike in 2017, and since then we've fully integrated it into our platform while continuing to expand the offering. Today you can purchase Hybrid Analysis on prem, private cloud or a module as part of our endpoint protection suite. In March we rolled out a feature that would only be possible with HA, our Indicator Graph that allows investigators to visualize and manipulate IOCs in real time as they apply to detections. Pretty cool stuff.
We are always publishing material on twitter Hybrid Analysis, and we recommend checking in on our favorite the report of the day here.
Regards,
Brad@CS
If you have the original file, throw it up to something like https://www.hybrid-analysis.com. It does a decent job of telling you what it's trying to do. Outside of that, best practices like making sure all your systems have MS17-010, locking down open shares, don't allow authenticated users to have full control, should help prevent propagation. Like others have said, setting PowerShell to restricted doesn't stop it. Enabling PowerShell logging as appropriate to your environment is better.
Where did you get the file?
HA and VT show the source file is clean (unless they updated it)
Assuming NO confidential info in the doc, which it sounds like is the case. VT would be a good place to start, but a full sandbox run would be better; it would help in getting a list of IOCs, as most will get you a list of artifacts, reg modifications, and network communications.
https://www.hybrid-analysis.com for non-interaction OR https://any.run for interaction while sandboxing.
Or hell, throw the word doc in both and while you're waiting for hybrid-analysis to process the file, play with it in any.run!
They all look nearly the same. They say "Please enable editing mode to view included docs" which makes you enable macros, thus activates the dropper which pulls down malware. The interesting piece to this email is the malware not the way it looks.
also here's the hybrid link for you to view the doc: https://www.hybrid-analysis.com/sample/9cedcbdc96fa0bd258292b573c1476a311e5317918f33e6a2f39de4929abd823?environmentId=100
https://www.hybrid-analysis.com/
Other sites similar
http://alternativeto.net/software/virustotal/
To see if the files match a hash of some sort. You can also check websites too
Be aware if you are dealing with potential confidential items in docs, be careful uploading them to any website. Also another thing to note is bad actors also use these sites so if you are being targeted, you could be tipping them off.
Honestly having helpdesk identify if something is malicious seems to be above their pay grade in most environments (as they are just basic support). That would be something you forward to your security team to have them evaluate further.
Update: I have been able to replicate this on another machine (Win 7 x64, latest Google Chrome and ESET Smart Security 9.0.318.0). I have also established this is affecting NRL, Sportsfan.com.au and even SkyNews, which all use the malicious SWF file for their players.
Quick analysis on the file (As suggested by /u/voltagex) reveals it as "suspicious" - https://www.hybrid-analysis.com/sample/0ddce123294cb42167fe6fba6c0ef4609d328571177f63972ecec89048ebe600?environmentId=2
I am doing further analysis as I believe it is a carrier for something else. Yet to be confirmed.
I have filled out a Security issue form with Telstra, as well as posting to their Telstra 24/7 FB page.
Hopefully, they can replicate this, fix it and maybe give me free shit ;)
I have updated the imgur album with the new findings
OMG that's scary and I just realized it's on the Mega thread
BTW here is a better VirusTotal link I use it a lot Here (it also has a sandbox environment option)
It's a known Trojan. You should be able to remove it with any good anti-malware product like Malwarebytes.
It's simply warning you Windows doesn't recognize it, and it's safe
Free Automated Malware Analysis Service - powered by Falcon Sandbox (hybrid-analysis.com)
There's a lot of possible misconceptions in your post, and you've mentioned being in a hurry, which is doubly concerning. I would heavily caution you vs messing with viruses at all. If it's a file, upload it to https://www.virustotal.com/gui/. It's unlikely you are going to know if it's a virus more than all the professional AV products. If it's a URL, put it into something like https://www.hybrid-analysis.com/ and let the sandbox tell you what it finds first. You can put the file into hybrid also for sandboxing.
Assuming the only vector you are worried about is the wifi router (which again is probably wrong), You would have one small level of protection, as long as the vpn does not allow local network access while you are connected. You should also be sure the vm has no saved credentials or active sessions to the router. And your router should definitely not have a default password.
However, there is nothing stopping some theoretical virus from stopping your vpn and then connecting to your router or other machines on the network. If I was writing malware with the goal of taking over home routers (something I've actually done), or attempting to do any network related infecting, killing a vpn process first would be a pretty obvious feature.
I don't think you can get a virus from simply viewing a message any more than you can get your account stolen by replying to a comment - that is, maybe it's possible by exploiting security holes in the platform you're dealing with (as covered a while back with the Logan story), but in conventional cases, no.
As far as 8ch.net, it looks like another 4chan knockoff, so I doubt it actually has any malware on it. For good measure, though, I ran a hybrid-analysis, and although a scan from two years ago marked it as suspicious, the results I got just now say the site's clean.
tl;dr You should be fine =)
Another great site is Hybrid Analysis, it scans anything you send it with virustotal and a few different scanning programs and also runs the program In a virtual machine to rule out any false negatives that could get through antivirus programs
remember virustotal! upload your maybe virus, and see how many virusscanners detect it. its pretty fast.
For more in-depth information about your file, and a sandbox execution, check Hybrid-Analysis. same principe, upload file, and see what happens. this one has a lot more toggles, and takes much, much longer.
script is fine and I am assuming the exe is just python + all the libraries it needs, but I'm too lazy to take it apart.
here is the exe:
"Crowdstrike Falcon" says clean, MetaDefender has a 3% multi scan analysis, and Virustotal says 9%. Hybrid Analysis gave it a 97/100 for a threat score, and labels it as adware.
Keep in mind, if you pull the report now. The Sandbox report, kicks back some malicious file hashes. So yeah, I'd say not a legit site.
Report link (again, Note the Sandbox report): https://www.hybrid-analysis.com/sample/3c10e5bd2a4c7a1c08eb52592dadfe9c56f61fae19ae6ebc6d912ae168b25d5d
I can gladly/highly recommend: https://www.hybrid-analysis.com/
You can tweak it how you like and it uses Virustotal too. It tests all sort of malicious activities of programs, files etc.
The Sandbox even makes a screenshot of the Desktop+The uploaded Data so you can see what it does ^^
I've noticed that a lot of the time, you will see those sites appear as safe on Virus Total because the site itself does not really do anything. It just houses a file that may be malicious. Try firing that link through a sandbox environment like Any.Run, Hybrid-Analysis, or something similar.
Any.Run will allow you to interact with the site and give you a report in the end. It showed malicious activity, but I had to push it through Chrome on that sandbox, the IE is finicky.
Edit: Hybrid-Analysis - https://www.hybrid-analysis.com/sample/5b053efdb4c4a54e24130953bbfaa4e353010ae61b0d3a546941680021d6edb3/5cd9883b0388383c970c7c93
Don't get fooled guys!
OP needs to explain https://www.hybrid-analysis.com/sample/711660ee0848ed31ad6f75b92bd572bef5deeeb6feaa167d39a7823637763889
I agree with you. Probably the attacker doesn't know scripting very well.
EDIT: I found an analysis March 2018 https://www.hybrid-analysis.com/sample/c6629e06567a8a20b29795438109bad32fb2b7fcd8b2cc2c6d4cc1ef58980893?environmentId=300
Searching the IP address, comes up with a few things. Here's a malware analysis. https://www.hybrid-analysis.com/sample/38e55be994d84af68e4714a38949a27f1fda78de6c9f0034339a5133fc9e919f?environmentId=100
You can see it queries http://195.22.126.117/miner/monero.txt
The pool it's set to connect to uses the IP address 213.32.29.143, which appears to belong to nanopool.
Of course, they could ban the workers, but they'll just pop up at a different place or start a pool themselves. The amount they're making is enough to afford that for sure.
So it is a decompression tool. Still I would not allow that file on my PC because I don't trust CorePack 100%. Last year when I reported something shady they replied to me "can't you handle a little mining?". If the game won't work then I will download "uncompressed" files. ;-) Norton AV Crap - There are many haters and somehow Norton always wins independent AV test labs' awards. Anyway thanks for the reply. Peace. :-)
Edit: Malicious Indicators https://www.hybrid-analysis.com/sample/f990a39fc5988156108c6bf3d47a7c0a27ffa4f410e4604642acfcadd74d94e6?environmentId=100
Seems to be clean.
I also opened it up in a local computer with Wireshark and there were no call backs to an external web address. I also ran it thru 3 antiviruses including Virus Total and came back clean.
Should be OK to use.
OK, I tried Sysmon in a sandbox, ran the exe, then it was running in the background doing nothing. Finally I found a site called hybrid-analysis, and here is the report.
high waters = an analogy for software piracy
A link to what? The malware? Reports?
If you use Google yourself, you will surely find something too. Good keywords would be bitcoin, miner and malware
2 things:
1st: It modifies browsers, many AV vendors will hit on things that simply modify browser behavior, particularly with IE. You can thank BEEF for that.
2nd: Often AV vendors will hit on low quality adware or things with bad "habits". Looks like this binary may have both, as it reaches out to IPs associated with bad, as well as the fact that it has traits in common with the common bullshit they see (i.e. Ask Toolbar, etc).
Try submitting to hybrid analysis, it will try to open and launch the payload in their VM environment, and you can usually see any secondary payloads that are downloaded and executed.
The place that you are downloading that from isn't the official source, only 7 is supported.
Haven't installed it in a VM to see for myself but based on this I'm pretty confident it's riddled with malware.
First to ID which specific ransomware it is:
https://id-ransomware.malwarehunterteam.com/
Then see if the source of the virus is still around. Then if so - upload it to https://www.hybrid-analysis.com/ which tells you EXACTLY where every file goes. Usually it starts in temp - drops another file in %appdata% and finally residing in C:\programdata.
What kind of analysis were you looking for? A detailed reversing by an individual or just curious as to what it does? www.hybrid-analysis.com has a really good sandbox for automated analysis. I dropped your file there: https://www.hybrid-analysis.com/sample/af04432264e472ac02577d8b9547d3d1d868029900fe3cae4954f6cbf95a2944?environmentId=1
I gotta admit, that is something I haven't seen before through any online free utility, and could potentially be pretty cool. I also like the fact that it uses Windows 7. I'm still wondering though why the callout domain (which was truncated in the network signature) said it was found in the strings, but wasn't listed in any of the "extracted strings"...
It handled a zbot sample I sent it pretty nicely I'd say, even if some of the info appeared to be a little off. Definitely enough information to start looking for IOC's on the network: https://www.hybrid-analysis.com/sample/54e38b846908e66bdf7c919ba19f5cd0ffc263b247c9b868ebaf8931af57a57a/
It would be nice if sample downloads were available through "public" reports, and even nicer if memory dumps were available.
I honestly don't know how to read any of that... if you happen to be interested and read let me know if you read anything bad
Also try https://www.hybrid-analysis.com/. Let it complete the last analysis. It could take 15-30mn. The last analysis will be a serious behavior look. But again with Kaspersky watching all the time you will be fine.
Submit the PDF to virustotal and https://www.hybrid-analysis.com/. It should tell you if there is something nefarious. The .scr could be the payload and the PDF the trigger. But if you have Kaspersky real time it should intercept it. You're likely fine. But upload the PDF for analysis before being sure.
Hi there, if you think you know what file started your trouble, you can load it on one of two analysis sites: https://www.virustotal.com/gui/
https://www.hybrid-analysis.com/ That should inform you of the found virus. Virustotal works fast. The sample is checked by 60 antiviruses. Second one can take 5-20mn for analysis but it’s very thorough. Good luck!
No, I just launched BRAVE in private mode with TOR. I didn't have time to click anywhere, Bitdefender already prompted that warning. I ran the web site through virustotal and https://www.hybrid-analysis.com/ but no hit. Is Bitdefender being overzealous and prevented an autoupdate? A false negative is usually not Bitdefender's doing though...
BRAVE is pretty locked up, all shields up, no scripts allowed, no nothing so it may be coming from BRAVE itself, which is even more unusual...
Rather than run/analyse the malware in your own virtual machine, I recommend using one of the many free, online resources available. Virus Total, Hybrid Analysis, and other such resources are invaluable and will keep your system much safer than if you run the malware in your own virtual machines. If you insist on using your own stuff, make certain that both the VM and the host are offline, off all other networks, and have nothing that you care about.
Also, more and more malware is being made using trivially decompilable languages, so things like dotPeek are actually starting to become more useful than the disassemblers that I had to use when I started. My recommendation is to start with something written in .NET, C#, javascript (there is a lot of that running around), java, etc., and then move into more of the C and assembly malware.
If you want/need a rundown of some of the online tools or see dotPeek in action against some malware from a recent campaign, here's a video that may be of interest/use.
Not OP. Serious question. What makes you say that?
Hybrid-Analysis, VirusTotal, urlscan.io, and Palo Alto URL filtering database all indicate the URL is clean.
it said this: https://www.hybrid-analysis.com/sample/926054972b69870b7343f60adb81962e134fa09092bf329ab81b82c32fc0265e for hybrid analysis, I have given VirusTotal results already
So, guess I am safe??
The probability of it being boobytrapped is very high. But it also happens that anti-viruses do not like the code generating a serial or writing the serial in your registry. The only fair advice I can give you, while staying within this Reddit's rules, is to load the exe file in https://www.hybrid-analysis.com/. Give it 15mn to analyze the thing and make your own opinion. But you know the risks, so it's your call to use it or not. Good luck.
You're not giving us much to work from. I have no clue what a hacked client is in your situation. Anyway, load whatever installer you downloaded onto https://www.hybrid-analysis.com/. You'll have an idea of what it is.
I don't know if this counts as something happening, but when I looked again in the old PC, I saw that I downloaded and installed a shady CPU thermometer just 11 days before someone used my email address to register to that crypto site. I'd like to think someone just mistakenly used my email (like theirs were spelled close to mine), but that would mean the confirmation email should have been stuck in my inbox since they can't delete it without accessing my email, but there's no trace of that and it is unlikely I accidentally deleted it since I neglect to delete emails often. I ran the CPU thermometer installation executable on VirusTotal and Hybrid Analysis and the results are below if you're willing to take a gander:
Probably not by itself. Meaning that if an infected file was uploaded onto Google Drive, it would take you opening it again on the new machine to be infected. But you can work around that with a good antivirus installed on your new PC (Bitdefender/Kaspersky). You can also upload suspect files onto www.virustotal.com or https://www.hybrid-analysis.com to be sure, but it's one file at a time, which could be long. I'd limit that to .exe files. Good luck. Note: I really hope you have 2FA on your Google account. This is a lifesaver!!
you can retrace your steps from the browser history and download it again. But be sure to have Kaspersky running when you do that, just to be safe. Uploading that file onto virustotal should reassure you or confirm something serious. You’ll know. You can also use the site https://www.hybrid-analysis.com/. It’s a little more advanced than virustotal. Good luck.
Also try https://www.hybrid-analysis.com/ But honestly don’t try cracked/pirated games. You’re almost certain to fuck your pc up. It’s not worth it. Instead buy legit cheap licenses on g2a.com and similar sites: you’d be downloading games from Steam/Epic/Origin. It would be 100% safe as legit.
Yes you absolutely can get infected. There are methods you can put in place like blocking automatic downloading, not running JS by default etc, but there are methods.
There are sites that can scan a specific domain for the the presence of malware and even sandbox a connection to the domain to see what happens.
https://www.hybrid-analysis.com/ and https://urlscan.io/ are two of my favorites.
If you want a manual way of checking you can even launch a VM with a web proxy enabled like burp suite or fiddler, and view all the activity that happens when you connect to the url.
I got a big serious hack in 2011 but recovered after taking the PC offline and using a Linux boot DVD to change all my passwords. Thank god my Gmail was central and had 2FA so I got it all back. I get an alert once or twice a month for dangerous websites in Bitdefender. Cylance does some overzealous quarantines on Steam games or very recent updates once every 2-3 months. Anything new I install or non-manual updates I check on virustotal or https://www.hybrid-analysis.com/ I keep everything updated on my PC. And I get any games from Steam/Origin/Epic/Game Pass PC.
Hello,
This is the "Is this app/program/service/website/safe" section of the thread.
Please post your questions as a reply to this message, along with other information which may be helpful in asking or answering your question.
REMINDERS:
Before asking about a file or a website, upload it to VirusTotal and/or Hybrid Analysis and share the link to the report in your post.
Do not share just a screenshot. In order for folks to answer your question, you need to share the actual URL so they can visit it and examine and interpret the results for you.
Do not ask about random filenames. In other words, no questions asking whether a file named abc123.sys or abc456.exe is safe. File names are completely arbitrary and can be randomized, so no one knows.
Do not post direct links to a file or a website if you think they are malicious. Instead, "defang" the URL by breaking it up using braces around periods. For example: www.example.com should be typed as www[.]example[.]com to prevent it from being accidentally clicked on. We don't want to get infected, either.
Do not assume just because a program or website is popular with you or your friends that other people are familiar with it. Provide some context in your question, as well as basic information about your device, such as brand, model, operating system, etc.
Regards,
Aryeh Goretsky
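The defanging convention the post above asks for is easy to get wrong by hand (a missed dot is a live link), and the reverse step is needed whenever an analyst pastes a defanged indicator back into VirusTotal or Hybrid Analysis. The following is an added example, not code from the post or from any tool it names; the sample URLs are constructed for the demo, and the set of accepted spellings in refang() (hxxp, [.], (.), (DOT), [dot]) is an assumption about the conventions seen in forum posts rather than a standard.

```python
import re

# Constructed sample inputs for the demo (not indicators from the thread).
SAMPLE_URLS = [
    "http://www.example.com/path?x=1",
    "https://203.0.113.5:8443/login",
    "ftp://files.example.org/drop.exe",
    "bare-host.example.net",
]


def defang(url: str) -> str:
    """Make a URL non-clickable: hxxp/fxp scheme and [.] in place of every dot.

    Every dot is bracketed, not just the host's, so a mail or forum client
    has nothing left to auto-link (paths like tag.min.js would otherwise
    still render as a link on some platforms).
    """
    out = re.sub(r"^http(s?)://", r"hxxp\1://", url)
    out = re.sub(r"^ftp://", "fxp://", out)
    return out.replace(".", "[.]")


def refang(text: str) -> str:
    """Reverse defang(), accepting the common hand-written variants as well.

    The accepted spellings are an assumption about what people post; extend
    the tuple if a thread uses something else.
    """
    out = text
    for token in (" (DOT) ", "(DOT)", "[.]", "(.)", "[dot]", "(dot)"):
        out = out.replace(token, ".")
    out = out.replace("[:]//", "://").replace("[://]", "://")
    out = re.sub(r"^hxxp(s?)://", r"http\1://", out)
    out = re.sub(r"^fxp://", "ftp://", out)
    return out


def round_trips(urls) -> bool:
    """Sanity check: defang must be lossless so the indicator can be scanned later."""
    return all(refang(defang(u)) == u for u in urls)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:40} -> {defang(u)}")
    print("round trip ok:", round_trips(SAMPLE_URLS))
```

The refang() step is the one to run before submitting to a scanner; the scanners themselves treat "hxxp" and "[.]" as literal text, so a defanged indicator pasted unchanged comes back as "not found" rather than as a verdict.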
I ran TL through Hybrid Analysis the first time I downloaded it years back and it didn't pick up any sort of malware, nor have I ever received a malware notification from my antivirus.
Note: Some antivirus software detects cracked or pirated games as malware, which of course is a false positive. That, or you downloaded it off a fake website which included malware.
Stay away from anti-virus/anti-malware software if you're looking to keep the bloat down. Just use common sense when you're downloading stuff and wanting to visit shady sites or seeing shady pop-ups.
If you NEED to download something you are unsure of, just use something like VirusTotal or Hybrid Analysis to scan the applications or installers you want to use.
Although if you're still worried and insist on using anti-virus/anti-malware, then I'd recommend Bitdefender. I used it for a couple of years and liked it. The subscription I used also came with mobile phone coverage, so it had a lot of useful features like GPS location tracking and app locking. It also does disk cleanup and auto defragmenting, which is nice, but not really an important point.
You can do both of those things with built in Windows utilities: "Disk Cleanup" and "Defragment and Optimize Drives"
Looks like a false positive to me. I even ran Crowdstrike and some other tools on it and looked at the source code and it all looks fine to me.
https://www.hybrid-analysis.com/search?query=yt-dlp.exe
The top result is the most recent binary version from github. If you click on the top result you will see the list of items that it found to be malicious, suspicious, or just informative.
Suspicious Indicators
Anti-Reverse Engineering: PE file has unusual entropy sections
Environment Awareness: Possibly tries to evade analysis by sleeping many times
External Systems: Found an IP/URL artifact that was identified as malicious by at least one reputation engine
General: Found a potential E-Mail address in binary/memory
Network Related: Found potential IP address in binary/memory
Unusual Characteristics: Imports suspicious APIs; Input file contains API references not part of its Import Address Table (IAT)
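The first indicator in that list ("PE file has unusual entropy sections") is one you can reproduce yourself rather than take on trust, which also makes clear why a legitimate self-extracting or compressed build trips it: compressed or encrypted payloads look like random bytes, and random bytes have entropy near 8 bits per byte. The script below is an added example, not Hybrid Analysis's own heuristic or code from the yt-dlp project. It parses the PE section table directly with struct (no third-party PE library), computes Shannon entropy per section, and flags sections above a cutoff. The 7.0 bits/byte threshold is an assumption chosen for the demo; the sample image is constructed inline and is not executable.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the COFF section table of a PE image and return [(name, raw_bytes)]."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_opt  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]))
    return sections


def entropy_report(image: bytes, threshold: float = 7.0):
    """Return [(name, size, entropy, above_threshold)] for every section."""
    return [(name, len(data), shannon_entropy(data), shannon_entropy(data) > threshold)
            for name, data in pe_sections(image)]


def high_entropy_sections(image: bytes, threshold: float = 7.0):
    """Names of sections that would trip an 'unusual entropy' style indicator."""
    return [name for name, _, _, hit in entropy_report(image, threshold) if hit]


def build_sample_pe(sections):
    """Construct a minimal, NON-executable PE image with the given (name, data) sections.

    Only the fields pe_sections() reads are meaningful; the optional header is
    zero-filled. This is a test fixture, not a real binary.
    """
    e_lfanew, size_of_opt = 0x40, 0xE0  # PE32 optional header size
    headers_end = e_lfanew + 4 + 20 + size_of_opt + 40 * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_opt, 0x0102)
    table, body, ptr = b"", b"", raw_ptr
    for name, data in sections:
        aligned = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, aligned, ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(aligned, b"\0")
        ptr += aligned
    return (dos + b"PE\0\0" + coff + b"\0" * size_of_opt + table).ljust(raw_ptr, b"\0") + body


# Constructed sample: a code-like low-entropy section and a compressed-looking one.
_rng = random.Random(1337)
SAMPLE_SECTIONS = [
    (".text", b"\x90" * 2048 + b"\x55\x8b\xec\xc3" * 256),
    (".pack", bytes(_rng.getrandbits(8) for _ in range(4096))),
]

if __name__ == "__main__":
    image = build_sample_pe(SAMPLE_SECTIONS)
    for name, size, ent, hit in entropy_report(image):
        print(f"{name:8} {size:6d} bytes  entropy={ent:.2f}  {'HIGH' if hit else 'ok'}")
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(). A high-entropy section on its own only says "compressed or encrypted data lives here"; installers, PyInstaller-style bundles and UPX-packed tools all produce one, which is exactly why this indicator needs the behavioural evidence from the rest of the report before it means anything.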
YogaDNS has these Suspicious Indicators: Anti-Reverse Engineering: PE file has unusual entropy sections; Environment Awareness: Possibly tries to evade analysis by sleeping many times; External Systems: Found an IP/URL artifact that was identified as malicious by at least one reputation engine; General: Found a potential E-Mail address in binary/memory; Unusual Characteristics: Imports suspicious APIs; Input file contains API references not part of its Import Address Table (IAT)
Likely a strain of a malicious program, as implied by the name "java_edg".
DO NOT OPEN LINK. Post link reported to mods.
Website in link: https://www.bsocialplus.com/post/ukraine-s-evacuation-plane-hijacked-in-afghanistan-taken-to-iran-what-you-need-to-know
Malware loaded: https://iclickcdn (DOT) com/tag.min.js <- DO NOT GO TO
Malware Report: https://www.hybrid-analysis.com/sample/be6d0ba1f245239ea5bc132127dafee52e6d7dee83bc0c52b3b6d446235be71d/5ffd88c5272f3f6ed03fe3bd
The scary part is this is a pretty well-known translator.exe for a game, and tens of thousands of people have used it. I myself like to make sure things are 100% safe before using them, and it's scary to think of how many people have fallen victim to what this potentially could be. What type of malware does this seem like according to the results? Also, the even scarier part is I scanned using Bitdefender + Malwarebytes, both while this exe was open and not open, and even those couldn't detect anything.
https://www.hybrid-analysis.com/sample/33aa53bb27ee095f72bbfb206be36d4dc74a0baa7db0246a60221b0f953a11ab/60b0d93bd00a952d386ed103 It has anti-VM and other shit too. Checked it on VirusTotal and with my antivirus. Still not sure if it's a false positive.
The link takes you to a credential harvesting website that wants to steal your details... as per https://www.hybrid-analysis.com/sample/107ee158df5abcedef0426fed7ab6954c06f3f12ac387f73934697ad2686b6dc
Yes, you were, I can see the VT logs. Here's something interesting: The compilation date is 2017-08-05 however there are transactions to that same wallet from 2017-04-26.
So this is an older version of the same malware or the programmer mined using his machine for testing.
So I searched where this hash was used before and https://www.virustotal.com/gui/file/e70e429aa051017432921f4cdf2b8492c5cff9465ffdc3aabad2a865ecd2b326/behavior
Compiled at 2017-08-01, it's probably the second version.
And according to this report on 2017-10-19 https://www.hybrid-analysis.com/sample/e70e429aa051017432921f4cdf2b8492c5cff9465ffdc3aabad2a865ecd2b326?environmentId=100
it had an AV Detection of 73%.
So I'd assume there are other versions of the same malware but got detected and they didn't bother to create a new wallet.
Does anyone know how to search for behavior on VT?
Did you find this in the wild? Was it running?
Seems malicious. Just ran it through HybridAnalysis here. VirusTotal reports only 1%, and urlscan CLEAN, but Falcon Sandbox throws up warnings all over the place.
I think we downloaded the same software lol. Mine was called SEBlite, which stands for Safe Exam Browser. It did weird things to my system and was marked as malicious on hybrid-analysis. Still, I'm going to have to keep it till Monday and then it's gone.
Hey, I'm trying to get it right now, it says on the website itself
" CCMaker was labeled as: W32.Troj.Agent with Threat Score: 100/100 by Hybrid Analysis (reported by anonymous6423). Use VirusTotal to make a full, authoritative scan and use it at your own risk. "
Doesn't that mean they're admitting themselves that it does contain malware?
Avast/AVG are the same AV, so count that as one meaningless generic detection. The other two are fairly common to see in VT results. Basically all I'm seeing are likely false positives, with no suspicious behaviour.
If you want to possibly know more, upload that file to Hybrid Analysis and post the results link.
It does not look very positive. I would not use it. It has some bad IOCs (indicators of compromise).