Welcome to Malware Analysis for Hedgehogs. Today I'm sharing my thought process while triaging files on VirusTotal. One word of caution here: I'm sharing some verdicts, but those are just initial verdicts, not final verdicts, so they are more like an indicator of whether it's worth analyzing the file in depth, for instance if you want to hunt for new malware. If you are a malware analyst, or a malware analyst in training, you shouldn't base your final verdict just on a VirusTotal report, especially not on the detection results of other antivirus vendors, because as malware analysts you specifically get those samples where the AV detections might be wrong. Just for that reason you shouldn't take it as a 100% final verdict when I say, hey, this is my verdict, this is my idea, this file is clean. So the use case is: I want to hunt new malware, and is it worth looking into that?

For today's video I'm going to use the Intelligence account; however, most of the things we're going to go through should be applicable as well if you have a standard VirusTotal account or no VirusTotal account at all. The reason I'm using this is that I need to find some samples to begin with, so let's start with that. I'm going to choose samples that are not clearly malicious, but where we have some reason for suspicion because at minimum two of the antivirus engines declared them as malicious. Let's see what we get here. We have some APKs, I don't really want to go through those. So let's start with the first one. We already see in the overview that it is a zip archive. I'm going to open it in a new tab, and we have two signatures; that is from Kaspersky, not-a-virus WebToolbar Babylon. So this is an indicator, when it says "not a virus", that this is actually PUP, potentially unwanted software, which in this case is just putting some toolbar in your browser that you may not want. What I also notice is that this is the very same signature name.

The reason is that ZoneAlarm is probably using Kaspersky's engine. A lot of times certain parts of antivirus products are sold as OEM, so in this case I'm pretty sure that ZoneAlarm is using Kaspersky's engine here, and the result is actually from just one engine and not two. Now let's look at the details. This confirms that it's a zip archive. We see some of the names here, nothing special; it just says it's some sort of unlocker. The relations have some interesting links; however, none of these are detected as malicious. That seems to be the download location for this particular archive. I'm not sure what "my live video" is, but this could be just some storage application, it looks like it. And here, because we have an archive, it lists all of the files that are contained in that archive, and one of the files is password.txt. So what does this tell me? It tells me that most likely the reason there are just two detections on this archive is that it is password protected. Password-protected archives are not unpacked by antivirus scanners; it would take too much time to brute-force all of those archives. So it's rather interesting that Kaspersky still has a detection despite just having this as information here. Maybe they try some standard passwords, maybe it's a very easy password, so that Kaspersky is still able to unpack this archive and put a detection on it. Anyway, my verdict here: this is kind of suspicious but probably just PUP, and to know more about it we would have to unpack the archive and then scan it again. That would be the best course of action for this particular sample.

All right, let's go to the next one, and again we have something that's probably potentially unwanted software. In this case I see "Inno bundle", and if we go to the details tab we see it's an Inno Setup installer. So what does this mean? Inno Setup is a legitimate application that allows you to build installers. But since we have some detection names containing the word Inno, it means that Inno Setup in this case has been abused to bundle additional software. Again we see here both times the same detection name between those two, which is not a coincidence. So in this case it's very likely that this is just some way in which the installer of the software tricks the user into agreeing to additional software that's installed onto their system. Most of the time the way these tricks work is that they try to make it difficult for you to opt out of the installation of the additional software. For instance, most users will just click on the green Next button. You click Next, Next, Next, Next until you're done with the installation, and they use this laziness: the users don't read everything, and maybe in the text, in very convoluted text, it describes, hey, if you click on Agree you also agree to install this additional software, and the way to uncheck this is maybe hidden and you have to scroll. So there are some psychological tricks going on with this. It's not that interesting; I would actually like to go to the next one that's more likely malicious.

Let's see, this one also looks more like PUP. Now this is interesting because this says Trojan, so let's open this one. What I notice here is that the detection names are really generic, so all of these don't tell us anything about the threat. It's more likely that such detections are false positives, because they were generated by I don't know what. None of these seem to detect a particular threat, and Artemis is actually a detection module from McAfee, and I wonder why this is coming up with Skyhigh, I have no idea, but Artemis is just a generic detection module by McAfee, and when you see that with McAfee it also just means it's a generic signature. And Artemis, to make things more difficult, yeah, Artemis is also a malware family, but most of the time detection names don't mean anything at all. So what we see here is WinRAR. One of the things I noticed is that it was downloaded or submitted a lot. The number of submissions is huge, and this is actually uncommon for malware, so I have my doubts that this is a malware file in this case. But let's see what else we can find out. So this is WinRAR. We see some of the names here; here it was a temp file. I don't see anything in particular: WinRAR archiver, it's signed, it's a valid signature from this one, nothing out of the ordinary here. Now, how old is it? I usually take the first submission date as an indicator for how long this has been here, also the last analysis date, 17 hours ago. Sometimes, if this has been a few days old, reanalyzing it makes sense, maybe you get more signatures. Maybe we should actually do this right now and see if anything in those signatures changes. Nothing has changed, unfortunately, but the first submission date is October, which means it has been online for two months already. So this is very, very unlikely malicious, given how widespread it is, that the detection names are only generic, that there's a low detection rate overall, and that we have a file that's rather old. Malware that old usually has a higher detection rate, especially when it's been on VirusTotal for such a long time, because when it was submitted to VirusTotal two months ago it was shared with antivirus vendors. It's also validly signed, that's checked. On the relations, this is just where this file has been seen, so it's been on some interesting shares here.

So it's a Russian version of WinRAR. Now you see here execution parents, where some of them have a high detection rate, but knowing that this is just WinRAR, which is used to extract archives, well, it makes sense that some of the parents that use WinRAR are malicious, why not, but that doesn't have any impact on the maliciousness of the file that we have here. And here we have the bundled files, which I find interesting in this case because it seems that the detection rate stems from this here and this, but this is just the stub for creating an SFX archive. Looking at that, we see a concrete malware name here; 13 days ago it was analyzed, let's reanalyze, that's a very good candidate for analyzing it again. Well, it definitely didn't get better. So I still have my doubts that this is malicious, but it would warrant a detailed analysis of this file in particular. Now the detection names are all generic except for this one, but ClamAV is not the most reliable source of information when it comes to that, and ESET says obfuscated batch, well, that's kind of weird. And here we have the verdict "corrupt"; the file is most likely not corrupt, we have seen that it kind of works. So it's not like we have a coherent picture here. I have my doubts that this is malicious, but it definitely needs an analysis. And by the way, the number of submitters is pretty high. I still don't think this is malicious. Anyway, let's go to this one.

"ethical encoder 10", that's a little weird. The detection and the file name are pretty weird, and it has a rather high detection rate. This is interesting, open it in a new tab. Now this is also interesting: you see here the very same detection name all over, and the reason for that is Bitdefender. Bitdefender licenses its engine, and all of these products that have the very same detection name, Shellcode.Marte, also use Bitdefender's engine. So actually what you see here one, two, three, four, five, six, seven, eight times is just Bitdefender. But even those products, they're the same of course here by the way, even those products that don't use Bitdefender say that something with shellcode is going on. And here we see Rozena; when you check Malpedia for that you will see that's also actually just shellcode. So here's Malpedia, oh, there's no description, that's too bad, but you see something like "analysis of file is never", yeah, and this is also just a shellcode signature. Crowdsourced YARA results, you won't see those I think if you have a free account, but they hint to Metasploit and Cobalt Strike, or a Cobalt Strike stager, and the malware contains configuration which belongs to Metasploit. So this is quite likely malicious. We see the file type is unknown, and that's likely because we have just the shellcode here, and that's also why the detection rate is comparably low: unknown file types usually cannot be executed. Checking the content, yeah, that's also not available with a standard account, but this looks like just shellcode. I'm not sure why it has a .exe extension, but anyway, this kind of file cannot be executed without something else that does the execution. It's likely that someone unpacked the shellcode and then uploaded it here to get some idea what this is. Now in the community tab you also see some reference to a Meterpreter stager, which is a part of the Metasploit stager, so even if you don't have the crowdsourced section here, the community messages are filled with bot comments that also tell you some of those rule matches. So the verdict for me here: not an executable file, it won't run on its own because it's most likely shellcode, and this is most likely also malicious.

I'm not going to use this one, it looks like PUP again; I would like to concentrate more on other files. Let's look at the next one. It has a pretty weird name, "teeth and love.exe"; it doesn't sound like a legitimate application, but it has a lot of submitters, and again with such a high number it's more likely to be a legitimate application than malware, especially when the detection rate is so low. So let's look into this one, teeth and love.exe. We see again that the detection names are just generic, so it's not really likely that these are actually detecting malware in there. Last analysis date three hours ago, and we see the first submission was in May, so I'm pretty sure this is clean. However, the names look kind of weird. This doesn't look legitimate, does it? "my wife's phone", "the last city", what's that, "my hot wife", oh my god, this is not looking good, right? It's not striking any confidence that this file is legitimate. But let's go on, let's see what we find here: execution parents, "flare on", "dating sim". Now that makes me think. The behavior tab tells me "librenpython", that's interesting, so it's some sort of Python application, but this is referencing librenpython. I'm going to go with that soon, but let's check the other things in the behavior tab as well. Here it says Windows Error Reporting, which means that this application crashed when it was executed in the sandbox, and here also Windows Error Reporting for the .exe has been launched due to that crash. That it didn't work is indicative that this file is actually used together with other files, simply because when you check the relations we have a ton of different execution parents, so this is probably just part of a bigger application and doesn't work on its own. With the contents, we don't have the contents, but there's nothing interesting either, except for this "renpython" here. OK, it's time to Google that. Googling that, I land at renpy.org, and this seems to be a visual novel engine, so it's a library or framework where you can create games. That kind of makes sense. Here the quick start explains something about the Ren'Py launcher, "make sure you know how the launcher works", and we see the very same icon that we also saw on our application, so we know, yes, this is being used here, and now everything falls into place. Why? Because we have seen the many different names here, and these are actually all just names of different games that were created with this Ren'Py launcher, and all of these games use the launcher. So I'm pretty sure that the .exe file here is actually the launcher itself and doesn't contain any of the game-specific things. We have so many different names because the application wants the user to click on the launcher, but that's the very same executable for every one of these games. That means it's actually a clean file, also given how widespread it is and that it only has generic malware detection names.

So let's try to find something malicious. For the next one, let's concentrate on those that have a low submitter count, so we more likely get new malware that hasn't been detected yet. The first one we see here is called "not suspicious", which is immediately suspicious. Again we see only generic signatures; none of those indicate a particular malware family, and that makes it likely that these could be false positives, but maybe they are also just detecting some so far unknown malware. Last analysis date three hours ago, first submission was today, so this is a very new sample, and that could explain the low detection rate. The only name it's been known as is this one, nothing out of the ordinary here. You see there are two IPs contacted, and those are the IPs, so you can look them up with whois and see what you find about them. Now, what I find very concerning is this part: it opens a file called temp "exfil data", and that sounds like this is a stealer. Everything else does indeed not look that suspicious, but I think this is very fishy with the "exfil data". The PDB path is also rather typical for malware, because legitimate applications do not use default names like "project one" or "test" or stuff like that. I think this is likely malicious, and if you want to find new malware this would be a good candidate to analyze for potentially new malware.

Let's look at the next one. The next one with a low detection rate is this LDPlayer, and it's very, very low; however, it says the signature is invalid. So we have here a file that has been signed, the names do not look suspicious, so this is LDPlayer 9, which seems to be a legitimate application; however, the signature is broken, so this file has been manipulated. When you want to analyze this file, the thing you should concentrate on is trying to find what has been manipulated in it. The best way to do that is to find the original file of the very same file version, which is 9062, and then compare it to this very file right here, and then you may find a malicious patch, or you may find that someone just did some modifications related to cracking. We don't know yet, but this could be new malware. It's also not the easiest thing to analyze if you want to find new malware: finding the patch in a legitimate application is more tedious, because those applications tend to be rather huge, with a lot of code that is clean, so finding the malicious code there is a little bit more difficult than with plain malware files. Here we also see a file report from Triage, so you could check this and see if anything of that is interesting as well.

Let's go to the next one. I would actually like to try this one here; it has a weird name, it's a DLL, we didn't have a DLL yet I think: not-a-virus RiskTool "EME startup". So the question is, what's that? And Nim, so this might be an application that's written in Nim, which would fit with it being UPX packed, and I want to check what this is. FortiGuard says it's potentially unwanted software, "EME startup", so it might just be PUP again. This is called "skin sharp toolkit", and the first thing we get is "how to remove skin sharp toolkit", so this is very, very likely just PUP, some application you don't want to have on your system because it's doing some risky stuff. Here we also see this in the file name. Some automated system probably uploaded this; this also stems from an automated system. So likely this is just PUP. The embedded URLs hint to Baidu, and there's no behavior because it's a DLL. Let's see the community: it's contained in the MalwareBazaar collection, OK, and it seems that this person analyzed the file and uploaded it to MalwareBazaar, and what we see here is a signature match on ZombieBoy malware. So it would be interesting, if I were to analyze this, one of the things I would do is research what ZombieBoy malware is and see if there are any similarities to this file here. I would also check this and see if the file has been tagged with a family; I guess not, it says family none. What we see here are some YARA signatures that match on this file, and one of them says shellcode; the others are not particularly suspicious, but shellcode is suspicious. The problem I do have with this is that I cannot check why it matches, so it could be a bad signature, which happens sometimes: you have bad signatures that just have a lot of false positives, and we don't know if this is the case here. Reading the signature for shellcode, OK, that seems to be the rule, and it's checking if any of those are at the entry point. So yeah, I would say three bytes are not much, but then it's specifically at the entry point. I would actually check in this case what is at the entry point of this application: is this shellcode or is this something else? So what's at the entry point? That would be our entry point for the analysis if you were to find out whether this is malicious or not. If this is just UPX, I think it's probably a false positive on the UPX entry point. I mean, it could be a somehow patched UPX, somehow I doubt it, but I would look at that, and if it's just a standard UPX entry point then this rule is probably not that good.

Next, let's look at this one. It has an interesting name, which means it has been uploaded by some sandbox system where they use the hash for the file name. Here we see a rather high detection rate, it's also quite big, and we have a signature match for Xorist. This signature comes from Malpedia; you can look up Xorist on Malpedia to find out more about it, but that's basically a term for ransomware that uses XOR for encryption, so it can be different families that fall under this umbrella name. We see this is a WinRAR SFX, so this is a self-extracting archive built with WinRAR, and that means we actually want to unpack this archive. Here we don't have any bundled files; it means VirusTotal doesn't unpack this. But the first thing I would do with this file is unpack it and then maybe upload parts of the unpacked files to VirusTotal as well and see what we find. The dropped file, "our NZ brand online launcher", so this could also be detected if it's some sort of crack; that could be the reason it's being detected as well. Nothing out of the ordinary here, it looks like it's a game launcher, which doesn't automatically mean it's clean, it just means it's most likely a game launcher. And because this is a WinRAR SFX we won't see much checking the strings of the content, because it just shows the WinRAR SFX stuff, so this won't really help. Here we have a collection, Xorist, so this is in the Malpedia collection for Xorist. It's definitely suspicious, but we can't say anything because VirusTotal is not able to unpack this RAR archive, and it might have better detection signatures as well if we have some parts of that unpacked and uploaded again.

If you want to learn malware analysis from the ground up, please check the link in the video description below; it contains a coupon link to my Udemy course for beginners.
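As an added example that is not part of the video, the triage heuristics narrated above (collapsing OEM engines that echo the same detection name, discounting generic names, weighing first-submission age against submitter count, and flagging password.txt in an archive, a broken signature, an exfil-style file path and a default PDB project name) applied to constructed VirusTotal-style records. Engine names, field names, the generic-name pattern and all sample values are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# "Artemis" is McAfee's generic module as the video says; the rest of this
# generic-name pattern is an assumption for the example.
GENERIC = re.compile(r"artemis|generic|heur|malicious|suspicious|unsafe", re.I)
NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)  # fixed clock for the samples

def independent_detections(results):
    """Group engines by identical detection string: ZoneAlarm echoing Kaspersky's
    name, or eight products echoing Bitdefender's, is one verdict, not several."""
    by_name = {}
    for engine, name in results.items():
        if name:
            by_name.setdefault(name, []).append(engine)
    return by_name

def triage(report, now=NOW):
    """Apply the video's triage heuristics; returns (verdict, notes)."""
    notes, score = [], 0
    names = independent_detections(report["results"])
    specific = [n for n in names if not GENERIC.search(n)]
    age_days = (now - datetime.fromtimestamp(report["first_submission"], timezone.utc)).days
    notes.append(f"{len(report['results'])} hits collapse to {len(names)} distinct names")
    if names and not specific:
        notes.append("only generic names: possible false positives")
    score += 2 * len(specific)
    if report.get("unique_sources", 0) >= 100 and age_days >= 30:
        notes.append("old and widely submitted: uncommon for malware")
        score -= 2
    if age_days < 1:
        notes.append("first seen today: low detection rate expected, reanalyze later")
    if "password.txt" in (f.lower() for f in report.get("contained_files", [])):
        notes.append("password-protected archive: AV cannot unpack it, unpack and rescan")
    if report.get("signature") == "invalid":
        notes.append("broken signature: file was modified, diff it against the original build")
        score += 2
    for path in report.get("files_opened", []):
        if re.search(r"exfil", path, re.I):
            notes.append(f"opens {path}: stealer-like behaviour")
            score += 2
    if re.search(r"(^|\\)(project1|test)\.pdb$", report.get("pdb_path", ""), re.I):
        notes.append("default project name in PDB path: typical for malware")
        score += 1
    verdict = "likely malicious" if score >= 3 else "likely clean" if score <= -1 else "needs analysis"
    return verdict, notes

# Constructed records mirroring three samples from the video (all values made up).
SAMPLES = {
    "not_suspicious.exe": {  # new, generic hits only, opens an exfil file, default PDB
        "results": {"vendor1": "Trojan.Generic.1234", "vendor2": "Malicious.moderate"},
        "unique_sources": 1, "first_submission": NOW.timestamp() - 3600,
        "files_opened": ["%TEMP%\\exfil_data.txt"], "pdb_path": "C:\\dev\\Project1\\Project1.pdb"},
    "winrar.exe": {  # old, widely submitted, generic names only, validly signed
        "results": {"vendor1": "Artemis!ABC", "vendor2": "Heur.Unknown", "vendor3": None},
        "unique_sources": 2000, "first_submission": NOW.timestamp() - 60 * 86400, "signature": "valid"},
    "unlocker.zip": {  # one Kaspersky name echoed by ZoneAlarm, password.txt inside
        "results": {"Kaspersky": "not-a-virus:WebToolbar.Babylon", "ZoneAlarm": "not-a-virus:WebToolbar.Babylon"},
        "unique_sources": 3, "first_submission": NOW.timestamp() - 5 * 86400,
        "contained_files": ["unlocker.exe", "password.txt"]},
}

def run():
    return {name: triage(rep)[0] for name, rep in SAMPLES.items()}
```

The scores and thresholds are only a way to make the narrated reasoning explicit; as the video stresses, the output is a hint about what deserves deeper analysis, not a final verdict.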