|
Quote:mothered Wrote:
Quote:TheMinister Wrote: Thank you mothered for the reply. I am sorry, I had internet problems and couldn't reply.
All good, no problem whatsoever.
Quote:TheMinister Wrote: Is there a kind of sandbox tool that runs the program and gives you a list of files and registry files that are opened/executed from the .exe, like the VirusTotal behaviour example inside a sandbox?
A tool named Buster Sandbox Analyzer does the job well.
You can read about it here.
I personally use Sandboxie because I can't run VMs.
|
|
Quote:(09-23-2020, 09:21 PM)TheMinister Wrote:
Quote: (09-23-2020, 04:59 PM)mothered Wrote:
Quote: (09-23-2020, 01:00 PM)TheMinister Wrote: I appreciate the info, thank you very much.
You're most welcome.
When you have time, I'd be interested to read how the tool performs.
I'll notify you when I add BSA and use it; I am currently focused on the Unity engine and learning C++ at the same time.
Thank you, no rush whatsoever.
|
|
Quote:(09-23-2020, 12:30 PM)mothered Wrote:
Quote: (09-23-2020, 11:51 AM)TheMinister Wrote: Thank you mothered for the reply. I am sorry, I had internet problems and couldn't reply.
All good, no problem whatsoever.
Quote:(09-23-2020, 11:51 AM)TheMinister Wrote: Is there a kind of sandbox tool that runs the program and gives you a list of files and registry files that are opened/executed from the .exe, like the VirusTotal behaviour example inside a sandbox?
A tool named Buster Sandbox Analyzer does the job well.
You can read about it here.
Well, the installer obviously is infected:
Hidden content (register or log in to view).
And when I run the executable it looks almost clean (I'm not used to those reports):
Hidden content (register or log in to view).
I didn't go further yet, but despite that it seems to work as expected.
EDIT: Replaced Report.txt with Analysis.txt, much more concise.
|
|
Quote:(10-03-2020, 09:31 PM)fritz Wrote:
Quote: (09-23-2020, 12:30 PM)mothered Wrote:
Quote: (09-23-2020, 11:51 AM)TheMinister Wrote: Thank you mothered for the reply. I am sorry, I had internet problems and couldn't reply.
All good, no problem whatsoever.
Quote:(09-23-2020, 11:51 AM)TheMinister Wrote: Is there a kind of sandbox tool that runs the program and gives you a list of files and registry files that are opened/executed from the .exe, like the VirusTotal behaviour example inside a sandbox?
A tool named Buster Sandbox Analyzer does the job well.
You can read about it here.
Well, the installer obviously is infected:
Hidden content (register or log in to view).
And when I run the executable it looks almost clean (I'm not used to those reports):
Hidden content (register or log in to view).
I didn't go further yet, but despite that it seems to work as expected.
EDIT: Replaced Report.txt with Analysis.txt, much more concise.
In your view, do you believe the file contains any form of malicious intent?
|
|
Quote:(10-04-2020, 02:05 AM)mothered Wrote:
Quote: (10-03-2020, 09:31 PM)fritz Wrote:
Quote: (09-23-2020, 12:30 PM)mothered Wrote: All good, no problem whatsoever.
A tool named Buster Sandbox Analyzer does the job well.
You can read about it here.
Well, the installer obviously is infected:
Hidden content (register or log in to view).
And when I run the executable it looks almost clean (I'm not used to those reports):
Hidden content (register or log in to view).
I didn't go further yet, but despite that it seems to work as expected.
EDIT: Replaced Report.txt with Analysis.txt, much more concise.
In your view, do you believe the file contains any form of malicious intent?
I'd say the installer has been corrupted, especially seeing those:
Hidden content (register or log in to view).
Plus there are definitely some weird DNS calls:
Hidden content (register or log in to view).
But maybe I could change something in the config to get more info about those queries (or just use Wireshark).
The program itself looks quite safe though, but that could depend on functionalities. I'm pretty sure the first time I analysed it there was also a query to Mju-49682.portmap.io.
EDIT: Oh, and thank you mothered for suggesting BSA, really like this tool!
|
|
Quote:(10-04-2020, 02:20 AM)fritz Wrote: The program itself looks quite safe though, but that could depend on functionalities. I'm pretty sure the first time I analysed it there was also a query to Mju-49682.portmap.io.
It seems inconclusive at this stage.
Thanks for your analysis.
Quote:(10-04-2020, 02:20 AM)fritz Wrote: Oh, and thank you mothered for suggesting BSA, really like this tool!
You're most welcome.
|
|
Quote:(10-04-2020, 02:27 AM)mothered Wrote:
Quote: (10-04-2020, 02:20 AM)fritz Wrote: The program itself looks quite safe though, but that could depend on functionalities. I'm pretty sure the first time I analysed it there was also a query to Mju-49682.portmap.io.
It seems inconclusive at this stage.
Thanks for your analysis.
Yes, of course I wouldn't recommend using it at all, for sure not outside of a VM; IMO it's more likely there are some other surprises.
But maybe they're obvious and we can find a workaround (if the program is worth it).
|
|
Quote:(10-04-2020, 02:32 AM)fritz Wrote: Yes, of course I wouldn't recommend using it at all, for sure not outside of a VM; IMO it's more likely there are some other surprises.
Absolutely.
Every tool of this nature should be executed in a controlled environment. I never use my main host/physical machine, regardless of the contributor.
|
|
Quote:(10-04-2020, 02:27 AM)mothered Wrote:
Quote: (10-04-2020, 02:20 AM)fritz Wrote: The program itself looks quite safe though, but that could depend on functionalities. I'm pretty sure the first time I analysed it there was also a query to Mju-49682.portmap.io.
It seems inconclusive at this stage.
Thanks for your analysis.
Quote:(10-04-2020, 02:20 AM)fritz Wrote: Oh, and thank you mothered for suggesting BSA, really like this tool!
You're most welcome.
The application is a self-extractor; it contains the application, however it's behind like 3 exes. The installer isn't corrupted but is just an obfuscated .NET application.
The report @[To see links please register here] gave shows 2 lists, one with the extracted files while the other (I think) is about the registry calls. The first one shows the 3 malicious apps & the actual application files.
@[To see links please register here] even though opening the application (even in a controlled environment) helps, try not to load malware at all, since we don't really know what can be in it beforehand.
|
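A defender-side triage pass over the kind of behavioural report fritz and miso are reading above (executables dropped by the installer, registry writes, DNS queries such as the portmap.io lookup), as an added example that is not part of this thread and not Buster Sandbox Analyzer's code or output. The bracketed line format, the paths, the registry keys and every hostname except Mju-49682.portmap.io are constructed for illustration; the tunnel-service suffix list is an assumed set of well-known examples.

```python
import re
from collections import defaultdict

# Constructed sample report in an assumed, simplified line format (not BSA's
# real output). Only the portmap.io hostname comes from the thread; every
# other path, key and host is made up.
SAMPLE_REPORT = """\
[FILE] C:\\Users\\lab\\AppData\\Local\\Temp\\is-1A2B.tmp\\setup.exe CREATED
[FILE] C:\\Users\\lab\\AppData\\Local\\Temp\\is-1A2B.tmp\\stage2.exe CREATED
[FILE] C:\\Users\\lab\\AppData\\Local\\Temp\\is-1A2B.tmp\\stage3.exe CREATED
[FILE] C:\\Program Files\\ExampleTool\\ExampleTool.exe CREATED
[REG] HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater WRITE
[REG] HKCU\\Software\\ExampleTool\\InstallPath WRITE
[DNS] Mju-49682.portmap.io
[DNS] www.example.com
"""

# Services that expose a NAT'd machine under a public hostname; a plain desktop
# installer has no reason to resolve one (assumed list, portmap.io from thread).
TUNNEL_SUFFIXES = (".portmap.io", ".ngrok.io", ".no-ip.org", ".duckdns.org")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
LINE_RE = re.compile(r"^\[(FILE|REG|DNS)\]\s+(\S.*?)(?:\s+(CREATED|WRITE|READ))?$")


def parse_report(text):
    """Group report lines by type: {'FILE': [(path, action)], 'REG': [...], 'DNS': [(host, None)]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind, target, action = m.groups()
            records[kind].append((target, action))
    return records


def triage(text):
    """Return (severity, reason) findings: staged executables, autorun keys, tunnel DNS."""
    rec = parse_report(text)
    findings = []
    staged = [p for p, a in rec["FILE"] if a == "CREATED" and p.lower().endswith(".exe") and TEMP_RE.search(p)]
    if len(staged) >= 2:  # one payload is normal; a chain of exes staged in Temp deserves a look
        findings.append(("medium", f"{len(staged)} executables staged under Temp: {staged}"))
    for key, action in rec["REG"]:
        if action == "WRITE" and AUTORUN_RE.search(key):
            findings.append(("high", f"autorun persistence written: {key}"))
    for host, _ in rec["DNS"]:
        if host.lower().endswith(TUNNEL_SUFFIXES):
            findings.append(("high", f"DNS query to port-forwarding/tunnel service: {host}"))
    return findings
```

Run `triage(SAMPLE_REPORT)` to get the three findings for the constructed report; feeding it a real report needs a parser for that tool's own line format in place of `LINE_RE`.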
|
Quote:(10-04-2020, 12:26 PM)miso Wrote: The application is a self-extractor; it contains the application, however it's behind like 3 exes. The installer isn't corrupted but is just an obfuscated .NET application.
The report @[To see links please register here] gave shows 2 lists, one with the extracted files while the other (I think) is about the registry calls. The first one shows the 3 malicious apps & the actual application files.
Sorry if I wasn't very clear: the first list is the installer analysis and the second one is the app itself (just launched it, not using any feature).
Quote:(10-04-2020, 12:26 PM)miso Wrote: @[To see links please register here] even though opening the application (even in a controlled environment) helps, try not to load malware at all, since we don't really know what can be in it beforehand.
Thanks, but no worry, I don't mind taking some risks for the sake of curiosity.
|