Author Topic: Executable possibly harmless? (Read 4026 times)

polonus · « **on:** June 17, 2014, 06:54:57 PM »

See: http://app.webinspector.com/public/reports/22604259
File Signature verification Signed file, verified signature
Only flagged by Norman as Kryptik.CCSP: https://www.virustotal.com/nl/file/d87bfda9ac76f7e894bafb75b8eb66447e596abe638683fbb65b82228ea286a2/analysis/1402883702/
Consider also this scan results: http://www.herdprotect.com/hao123inst-brmeitu.exe-5adaa24932aa26ee34e7f04642348a134953ea23.aspx

pol

Pondus · « **Reply #1 on:** June 17, 2014, 07:05:32 PM »

reported. will have answer tomorrow

Left123 · « **Reply #2 on:** June 17, 2014, 09:42:27 PM »

Hey,i found this file which has the same MD5 with the one you posted,it is here
https://www.virustotal.com/nl/file/d87bfda9ac76f7e894bafb75b8eb66447e596abe638683fbb65b82228ea286a2/analysis/1383131752/
It's pretty much the same file but this one is detected 8/47.
Apart from that they share the same original file name which is hao123Inst.exe
You can find more info here http://regrunreanimator.com/newvirus/trojan/hao123inst-exe-2.htm
"The file HAO123INST.EXE is identified as the Trojan Program that is used for stealing bank information and users passwords."
Also Ikarus detects the file as Trojan.Win32.Spy .
It looks like an "evil" thing to me

Michael (alan1998) · « **Reply #3 on:** June 17, 2014, 09:56:44 PM »

Polonus, where did you get the file?

Pondus · « **Reply #4 on:** June 17, 2014, 09:57:22 PM »

@left123 your VT scan is from oktober 2013 ....
And if you see the scan date.... and click the blue link just to the right of it.... what happens then?

Pondus · « **Reply #5 on:** June 17, 2014, 09:59:48 PM »

Quote from: Michael (alan1998) on June 17, 2014, 09:56:44 PM

Polonus, where did you get the file?

The info is there Michael ..... i give you 10min to find it

Michael (alan1998) · « **Reply #6 on:** June 17, 2014, 10:00:26 PM »

Hao123 was linked to a Zeus trojan network once. I wouldn't trust it. Malicious I believe. But can someone post a DL link?

Michael (alan1998) · « **Reply #7 on:** June 17, 2014, 10:01:16 PM »

Quote from: Pondus on June 17, 2014, 09:59:48 PM

Quote from: Michael (alan1998) on June 17, 2014, 09:56:44 PM
Polonus, where did you get the file?
The info is there Michael ..... i give you 10min to find it

Aha! Got it! Now time for malwr.com

Left123 · « **Reply #8 on:** June 17, 2014, 10:10:52 PM »

Quote from: Pondus on June 17, 2014, 09:57:22 PM

@left123 your VT scan is from oktober 2013 ....
And if you see the scan date.... and click the blue link just to the right of it.... what happens then?

It's exactly the same file,they share the same entry point,packer,everything.
So,that could be an old false positive that was fixed recently

Pondus · « **Reply #9 on:** June 17, 2014, 10:18:46 PM »

Quote from: Left123 on June 17, 2014, 10:10:52 PM

Quote from: Pondus on June 17, 2014, 09:57:22 PM
@left123 your VT scan is from oktober 2013 ....
And if you see the scan date.... and click the blue link just to the right of it.... what happens then?
It's exactly the same file,they share the same entry point,packer,everything.
So,that could be an old false positive that was fixed recently

When you click the link it changes to the scan Polonus posted....
impossible to say when it was fixed..... anyway i will have FP confirmation from Norman tomorrow

Left123 · « **Reply #10 on:** June 17, 2014, 10:21:56 PM »

Quote from: Pondus on June 17, 2014, 10:18:46 PM

Quote from: Left123 on June 17, 2014, 10:10:52 PM
Quote from: Pondus on June 17, 2014, 09:57:22 PM
@left123 your VT scan is from oktober 2013 ....
And if you see the scan date.... and click the blue link just to the right of it.... what happens then?
It's exactly the same file,they share the same entry point,packer,everything.
So,that could be an old false positive that was fixed recently
When you click the link it changes to the scan Polonus posted....
impossible to say when it was fixed..... anyway i will have FP confirmation from Norman tomorrow

Ye i saw that,but i am just saying,it's still the same file but now it is detected only by 1 AV,if it is not an fp then i have no idea

Pondus · « **Reply #11 on:** June 18, 2014, 07:08:01 AM »

From Norman lab

Quote

FP Case closed. FP Confirmed

Author Topic: Executable possibly harmless? (Read 4026 times)

polonus

Executable possibly harmless?

Pondus

Re: Executable possibly harmless?

Left123

Re: Executable possibly harmless?

Michael (alan1998)

Re: Executable possibly harmless?

Pondus

Re: Executable possibly harmless?

Pondus

Re: Executable possibly harmless?

Michael (alan1998)

Re: Executable possibly harmless?

Michael (alan1998)

Re: Executable possibly harmless?

Left123

Re: Executable possibly harmless?

Pondus

Re: Executable possibly harmless?

Left123

Re: Executable possibly harmless?

Pondus

Re: Executable possibly harmless?