Topic: File is Suspicious but Zip Encrypted...


Offline KDibble

  • Full Member
  • ***
  • Posts: 152
File is Suspicious but Zip Encrypted...
« on: August 14, 2019, 03:55:26 PM »
The provenance of this file is highly suspicious, so I uploaded it to VirusTotal:

https://www.virustotal.com/gui/file/9b23239b9ab9104fe0865e309ba760ea407a867576d40a031d703b4d3530cd59/detection

VirusTotal finds nothing but appears to identify it as zip encrypted.

When avast! encounters such a file it will report "password protected" and reveal nothing.

I have a purported PWD for the file. Is there an online analyzer that will accept that PWD and look at what's inside?

Thanks.


Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36301
Re: File is Suspicious but Zip Encrypted...
« Reply #1 on: August 14, 2019, 04:31:20 PM »
It cannot be scanned if it is password protected; that is the whole idea with password protecting: only those who have the password can look inside.

Some online scanners can unpack and scan password-protected archives IF the password is "virus" or "infected".


If you have the password, you can unpack it and upload what is inside the zip archive to VT.





“Ah beer. The cause of and the solution to all of life’s problems.”

"Operator! Give me the number for 911!"

Offline KDibble

  • Full Member
  • ***
  • Posts: 152
Re: File is Suspicious but Zip Encrypted...
« Reply #2 on: August 14, 2019, 05:12:45 PM »
> If you have the password, you can unpack it and upload what is inside the zip archive to VT.

What if it's a self-executing file though?

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36301
Re: File is Suspicious but Zip Encrypted...
« Reply #3 on: August 14, 2019, 06:10:03 PM »
> > If you have the password, you can unpack it and upload what is inside the zip archive to VT.
>
> What if it's a self-executing file though?

I think the file must have a .exe file extension, not .zip, to be self-extracting... or?


Did you get this in mail?
Was it a mail you expected to receive?
It may be password protected to avoid mail-server antivirus detection.




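The triage these replies describe, written up as an added example that is not from the thread or from Avast: open the archive purely in memory with the password the sender supplied (plus the "infected"/"virus" conventions some scanners try), hash each member so it can be looked up on VirusTotal before anything is uploaded, and check both the members and the container for a Windows executable header, since a self-extracting archive is a .exe with the zip appended. It assumes Python 3's standard zipfile, which decrypts only ZipCrypto, not AES; the sample archive is constructed here.

```python
import hashlib
import io
import zipfile

# Passwords some online scanners try on their own (from the thread).
SCANNER_CONVENTIONS = [b"infected", b"virus"]

def is_sfx_container(data: bytes) -> bool:
    """A self-extracting archive is a PE (MZ header) with the zip appended."""
    return data[:2] == b"MZ"

def triage_zip(data: bytes, passwords=()) -> dict:
    """Inspect an archive in memory only: nothing is written to disk or run.
    Per member: encrypted?, which password opened it, SHA-256, MZ check."""
    report = {"sfx_container": is_sfx_container(data), "members": []}
    candidates = list(passwords) + SCANNER_CONVENTIONS
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            entry = {"name": info.filename, "encrypted": encrypted,
                     "password": None, "sha256": None, "pe": False, "error": None}
            for pwd in (candidates if encrypted else [None]):
                try:
                    with zf.open(info, pwd=pwd) as fh:
                        content = fh.read()
                except RuntimeError:          # ZipCrypto check byte rejected it
                    entry["error"] = "bad password"
                    continue
                except zipfile.BadZipFile:    # 1-in-256 false pass, CRC caught it
                    entry["error"] = "bad password (CRC mismatch)"
                    continue
                except NotImplementedError:   # AES zip: stdlib only does ZipCrypto
                    entry["error"] = "unsupported encryption; use 7-Zip to unpack"
                    break
                entry.update(password=pwd, error=None, pe=content[:2] == b"MZ",
                             sha256=hashlib.sha256(content).hexdigest())
                break
            report["members"].append(entry)
    return report

def build_sample_sfx() -> bytes:
    """Constructed input: a plain zip (fake .exe + text) behind a 64-byte MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("readme.txt", b"hello")
    return b"MZ" + b"\x00" * 62 + buf.getvalue()
```

Run it with `triage_zip(open(path, "rb").read(), passwords=[b"<the purported password>"])`; a member whose `pe` flag is set, or a container flagged as `sfx_container`, is what to hash and submit rather than the encrypted wrapper.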

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36301
Re: File is Suspicious but Zip Encrypted...
« Reply #4 on: August 14, 2019, 07:35:26 PM »
Scan result: file is infected
https://www.virustotal.com/gui/file/fe35a60355f26b8205dc659ebc3e4f8ced047ab6ff70b976cc48fb607bb744a6/detection

A downloader; guessing it will download and run ransomware.



Offline KDibble

  • Full Member
  • ***
  • Posts: 152
Re: File is Suspicious but Zip Encrypted...
« Reply #5 on: August 14, 2019, 07:38:20 PM »
Thank you so much for all your help.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36301
Re: File is Suspicious but Zip Encrypted...
« Reply #6 on: August 14, 2019, 07:42:02 PM »
New at VT today. First Submission: 2019-08-14 12:38:47


Seems to contact this URL, zvaleriefs96.com/, to download the payload.

URL is blacklisted and taken down, so no payload to find.
https://www.virustotal.com/gui/url/f129f831ce78e2ce1e042f32184674c93374c4c9b88e68cce99a7d6ae91629c4/detection


Thanks to David H. Lipman for analysis.



« Last Edit: August 14, 2019, 08:56:09 PM by Pondus »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 61837
Re: File is Suspicious but Zip Encrypted...
« Reply #7 on: August 15, 2019, 05:37:28 AM »
> Scan result: file is infected
> https://www.virustotal.com/gui/file/fe35a60355f26b8205dc659ebc3e4f8ced047ab6ff70b976cc48fb607bb744a6/detection
>
> A downloader; guessing it will download and run ransomware.
Avast detects it now.
W8.1 [x64] - Avast PremSec 19.9.2394.B#1 - CC 5.63 - EEK - Firefox ESR 68.3 [NS/AOS/uBO/PB] - Thunderbird 68.3 [EM] - ACP/ASL.BC
German-language section -> Avast worth knowing (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0