Thank you for the post, but I still have concerns. If you look at the report, the MITRE score is through the roof and it's showing hooking into other parts of the system.
The Avast whitelist program is useless: any script kid with $50 can buy a fully encrypted virus that won't be detected by Avast or by 99.5% of the AVs on VirusTotal.
Can you further explain the following information, as you did not post the source code to your application? In the crypto space being open is key, and hybrid-analysis is very rarely wrong.
Spyware: Found a string that may be used as part of an injection method
Persistence: Writes data to a remote process
Fingerprint
Queries process information
Queries sensitive IE security settings
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
Reads the active computer name
Reads the cryptographic machine GUID
Evasive
Marks file for deletion
Tries to sleep for a long time (more than two minutes)
Queries sensitive IE security settings
Registry Access
The analysis extracted a file that was identified as malicious
1/94 Antivirus vendors marked dropped file "BitTabSetup2.1b.2.tmp" as malicious (classified as "W32.Neshta.D")
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Neshta-A/detailed-analysis.aspx
[b]System Security[/b]
Contains ability to elevate privileges
[email protected] at 15503-5232-00409408
[b]Modifies proxy settings[/b]
"BitTab.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"BitTab.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
Queries sensitive IE security settings
"BitTab.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
I suspect this is dropping some form of spyware onto the machine; the bounce back for one of them is the following:
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Neshta-A/detailed-analysis.aspx
There is also anti-sandbox and anti-debugger work in there, which leads me to believe this has something more packed inside.
The detections in the report are not just from taskkill but from BitTab and the tmp files it's creating.
Thank you for your sincere concern. As you know, the file is 'packed' by the installer and compressed with the LZMA algorithm. It is a 'self-extracting' file that generates a '.tmp' temporary file for its essential procedure, as an InnoSetup solution does. We do not know how to interpret [Code:] and it seems to be very simplified.
Our answer is as follows:
Before the explanation:
* BitTab's 'bar' and 'box' widgets are 'Internet Explorer Browser' based, which means that while running BitTab.exe, interactions with Internet Explorer and related processes and DLLs are required, and it's not suspicious at all.
* BitTab, of course, uses Windows APIs for detecting the monitor size to dock the bar, for making the app 'run at start' by modifying the registry (it's really a common thing), for generating shortcut links, for detecting the time zone and language of the OS, for updating exchange info from the internet (downloading), for checking whether it is the latest version (accessing the internet), for making a window semi-transparent or topmost, for disabling the clicking sound of the built-in Internet Explorer by using native DLLs, and so on.
* Your mention of "hybrid-analysis is very rarely wrong." seems to need a reference, because there are official and well-known software packages (though not corporation scale) which were reported to be Suspicious, meaning false positives also seem prevalent.
- PuTTY:
https://www.hybrid-analysis.com/sample/2034e4697dd92f942d93288c7ccb4ef32985f180e955e7b5d9e29f8fb48139fe
- CrystalDiskMark:
https://www.hybrid-analysis.com/sample/cc6c578a386db391f88df4acbf0217c17e00a2f5158392716ce3ad23993dd449
- CCleaner:
https://www.hybrid-analysis.com/sample/ea2b0fe19acc526f8c634fe933f63b7f2a1911a27a74dc2d87a5ea6ac4a8f2b3
1. Terminates other processes using tskill/taskkill
Process "taskkill.exe" with commandline "/f /im "BitTab.exe"" (Show Process)
relevance 9/10
=> Hybrid-analysis considered it of KEY (or core) relevance, because it took a 9 out of 10 score for declaring it as malware.
However, as answered above fairly clearly, "taskkill.exe" is a 'native' Microsoft Windows application for various uses, and we only utilize it to terminate 'our app: bittab.exe' to force an update to the newer version of BitTab.exe.
2. External Systems
1/37 Antivirus vendors marked sample as malicious (2% detection rate)
relevance 8/10
=> It is also responsible for an 8/10 score. We think it is due to a 'heuristic scanning' feature, which means the anti-virus did NOT clearly analyze the file but rather 'suspected' it because of 'taskkill' or something like that, maybe.
Unfortunately, we could not track which anti-virus engine reported it as a virus. If we knew, we would send a report to them for 'precise scrutinization', and we do expect a positive answer.
As we and you mentioned above, we have a report with a 'perfectly clean' result:
https://www.virustotal.com/gui/file/d24057f9965dcf819c4c8e55b461f1231e8a6916f3fc081c6dcae646a5f624f5/detection
If you cannot believe it because of the '$50 solution' thing, we would provide more information if you want and if available.
We think it could partially answer this 'external systems' analysis. Also, please note that VirusTotal consists of 71 engines while Hybrid-analysis consists of 37 engines.
3. The analysis extracted a file that was identified as malicious
1/94 Antivirus vendors marked dropped file "BitTabSetup2.1b.2.tmp" as malicious (classified as "W32.Neshta.D" with 1% detection rate)
1/94 Antivirus vendors marked spawned process "BitTabSetup2.1b.2.tmp" (PID: 2876) as malicious (classified as "W32.Neshta.D" with 1% detection rate)
relevance 10/10
=> This is a difficult part, because we don't know anything about such malware and were never related to it. For the technical things, Sophos says "When W32/Neshta-A is installed the following files are created:\svchost.com" but BitTab never does that.
Also, if that 'W32.Neshta.D' is detected by only a single engine while the other anti-viruses didn't detect it, it can also be interpreted as a false positive for that one engine. Either that engine went wrong, or tens of other engines failed to detect an already reported threat. Which one would you think is the more convincing and possible explanation?
You provided the link
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Neshta-A/detailed-analysis.aspx and
none of them are being executed by either the installer or BitTab.exe itself. It says "The file directx.sys in the Windows folder is updated with the path of the last infected file to be run." but we don't even know what directx.sys is for.
4. Installation/Persistence
Allocates virtual memory in a remote process
"BitTabSetup2.1b.2.tmp" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer"
"BitTabSetup2.1b.2.tmp" allocated memory in "%PUBLIC%\Desktop\BitTab.lnk"
relevance 7/10
=> Our setup program makes a shortcut icon on the Desktop and accesses the Explorer registry to disable the 'clicking' sound in Windows 7 (you know the sound).
5. Writes data to a remote process
"BitTabSetup2.1b.2.exe" wrote 1500 bytes to a remote process "%TEMP%\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.tmp" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
"BitTabSetup2.1b.2.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
"BitTabSetup2.1b.2.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
"BitTabSetup2.1b.2.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
relevance 6/10
=> Okay, this is the same thing: make a temporary file for installing, use taskkill.exe to terminate the running 'bittab.exe' if it exists, and overwrite bittab.exe with the newer one.
6. Checks for a resource fork (ADS) file
"BitTab.exe" checked file "C:"
relevance 5/10
=> As you can see in https://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_(ADS), it is not malicious behavior.
"Very small ADS (named "Zone.Identifier") are added by Internet Explorer ... the local shell would then require user confirmation before opening them."
This is a familiar thing. After the first download from the internet, you have to confirm before running. And it is stricter if the file is not a 'world wide popular' one, like this small software.
7. Contains ability to reboot/shutdown the operating system
[email protected] (Show Stream)
[email protected] (Show Stream)
[email protected] from BitTabSetup2.1b.2.tmp (PID: 2876) (Show Stream)
relevance 5/10
=> Okay, this installer has the ability to 'reboot' if a core file like BitTab.exe cannot be updated this time. This is a common way for any other installer too.
Honestly, we don't understand why this 'ability' gets a 5/10 malicious behavior score.
8. Contains native function calls
[email protected] from BitTabSetup2.1b.2.tmp (PID: 2876) (Show Stream)
[email protected] from BitTabSetup2.1b.2.tmp (PID: 2876) (Show Stream)
relevance 5/10
=> Here is a link to what NTDLL.DLL is:
https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#NTDLL.DLL
We think this NTDLL report is related to Windows Explorer.
This is a long answer, and we put effort into explaining in detail that this is a false positive. We hope our explanation could answer your questions.
If any other exists, please let us know.
As you mentioned, being open in such a cryptocurrency environment is nice, and that is why we are answering these things. But it might be understandable that this kind of software can also be not open-sourced. Plus, you probably agree that those kinds of tools are 'tools', not a responsible judge.
And we do hope this long and technical text does not come across as scary.
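Added example by the editor, not code from either poster or from the BitTab project: a small triage script over the kind of "writes data to a remote process" and taskkill lines that both posts above argue about. It separates the writes a sandbox records when an installer stub starts its own child (the Inno Setup is-XXXXX.tmp handoff, taskkill aimed only at the product's own image names, small writes into the binary the installer launches) from writes into a process the installer did not create, which is the pattern that would actually need review. The sample lines are constructed to mirror the shape of the report excerpt, with two invented lines targeting explorer.exe for contrast; the rules, the 4096-byte threshold and the vendor binary list are the editor's assumptions, not a verdict on the sample.

```python
"""Triage of 'writes data to a remote process' sandbox lines for an installer.

Added example by the editor, not code from the thread or from the BitTab
project. The rules below encode assumptions about what an Inno Setup installer
normally does; they sort indicators for a reviewer, they do not decide whether
a sample is malicious.
"""
import re
from collections import Counter

# Writes up to this size are treated as process-creation bookkeeping (assumption).
SMALL_WRITE = 4096

WRITE_RE = re.compile(
    r'^"(?P<src>[^"]+)" wrote (?P<nbytes>\d+) bytes to a remote process '
    r'"(?P<dst>[^"]+)" \(Handle: (?P<handle>\d+)\)$'
)
TASKKILL_RE = re.compile(r'^Process "taskkill\.exe" with commandline "(?P<args>.*)"$')
IM_TARGET_RE = re.compile(r'/im\s+"?([^"\s]+)"?', re.IGNORECASE)
# Inno Setup extracts its real installer to %TEMP%\is-XXXXX.tmp\<setup>.tmp (assumed pattern).
INNO_TMP_RE = re.compile(r'\\is-[A-Z0-9]+\.tmp\\[^\\]+\.tmp$', re.IGNORECASE)

# Image names that belong to the product being installed (assumption for the example).
VENDOR_BINARIES = ['BitTab.exe']

# Constructed sample: the first six lines mirror the shape of the report excerpt
# quoted in the thread; the last two are invented to show writes that deserve review.
SAMPLE_REPORT = r'''
Process "taskkill.exe" with commandline "/f /im "BitTab.exe""
"BitTabSetup2.1b.2.exe" wrote 1500 bytes to a remote process "%TEMP%\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-E7TPH.tmp\BitTabSetup2.1b.2.tmp" (Handle: 204)
"BitTabSetup2.1b.2.tmp" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\taskkill.exe" (Handle: 528)
"BitTabSetup2.1b.2.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\BitTab\BitTab.exe" (Handle: 732)
"ExampleSetup.tmp" wrote 65536 bytes to a remote process "C:\Windows\explorer.exe" (Handle: 900)
"ExampleSetup.tmp" wrote 8 bytes to a remote process "C:\Windows\explorer.exe" (Handle: 901)
'''


def taskkill_targets(report):
    """Collect every image name that taskkill /im was run against (lower-cased)."""
    targets = set()
    for line in report.splitlines():
        m = TASKKILL_RE.match(line.strip())
        if m:
            targets.update(t.lower() for t in IM_TARGET_RE.findall(m.group('args')))
    return targets


def classify_write(src, dst, nbytes, vendor_binaries, killed):
    """Return ('expected' | 'review', reason) for one remote-process write."""
    vendor = {b.lower() for b in vendor_binaries}
    dst_name = dst.rsplit('\\', 1)[-1].lower()
    # Stub .exe writing into the .tmp it just extracted: Inno Setup's normal startup.
    if src.lower().endswith('.exe') and INNO_TMP_RE.search(dst):
        return 'expected', 'Inno Setup stub starting its extracted *.tmp child'
    # Launching taskkill is benign only if every /im target is the product's own process.
    if dst_name == 'taskkill.exe':
        foreign = killed - vendor
        if killed and not foreign:
            return 'expected', "taskkill launched only against the vendor's own process names"
        return 'review', f'taskkill aimed outside the product: {sorted(foreign) or "unknown"}'
    if dst_name in vendor and nbytes <= SMALL_WRITE:
        return 'expected', 'small write into the vendor binary the installer launches'
    if nbytes > SMALL_WRITE:
        return 'review', f'{nbytes}-byte write into {dst_name}: large enough to carry code'
    return 'review', f'write into {dst_name}, which the installer did not create'


def triage(report, vendor_binaries=VENDOR_BINARIES):
    """Parse a report excerpt and classify each remote-process write."""
    killed = taskkill_targets(report)
    rows = []
    for line in report.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        verdict, reason = classify_write(m['src'], m['dst'], int(m['nbytes']),
                                         vendor_binaries, killed)
        rows.append({'src': m['src'], 'dst': m['dst'], 'bytes': int(m['nbytes']),
                     'verdict': verdict, 'reason': reason})
    return rows


def summary(rows):
    """Count verdicts so a reviewer sees at a glance how much is left to look at."""
    return Counter(r['verdict'] for r in rows)


if __name__ == '__main__':
    results = triage(SAMPLE_REPORT)
    for r in results:
        print(f"{r['verdict']:8} {r['bytes']:>6} B  {r['src']} -> {r['dst']}")
        print(f"         {r['reason']}")
    print(dict(summary(results)))
```

Run as a script it prints one line per write plus a verdict count; the point of the split is that the five report-shaped lines all land in "expected" while the two constructed explorer.exe lines land in "review", which is the distinction a reviewer needs before arguing over the report's relevance scores.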