google / UIforETW

User interface for recording and managing ETW traces

Home Page:https://randomascii.wordpress.com/2015/04/14/uiforetw-windows-performance-made-easier/


VirusTotal reports some detections in etwpackage1.58.zip

naks110 opened this issue · comments

https://www.virustotal.com/gui/file/e9b723d24ba5435b0185526e1185d42064f7a3c6832820e73a75cf7c10bb4518/detection

Please mitigate these detections:

Google: Detected
Ikarus: Trojan.Win32.Swrort

1. Matches rule Floxif Trojan by Ariel Millahuel at SOC Prime Threat Detection Marketplace
2. Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
3. Matches rule Creation of an Executable by an Executable by frack113 at Sigma Integrated Rule Set (GitHub)

This change removes one of the files:

c5c14ff

I'm not convinced that the reports are real so, absent more information, this is all that I will be doing.

checked the new version, same detections:
https://www.virustotal.com/graph/03bd38b3aaa13dd15c48b884d240e36cc7e22f9e996985edf83eb0707756ab72

red files indicate detection:
e4629333dec7d596ba57bedd6e7bd0b2ab1a8638c83d0ea63832313e40cb682b
ETWProviders.dll (1 detection - secureage/apex)

214b00ec64d6999957554828b86d0232f92860a6358ae5c6ad5b48a825dde361
DelayedCreateProcess.exe
Google -Detected, Ikarus -Trojan.Win32.Swrort

I'm not convinced the reports are real. In particular note that the detections aren't really "the same" because before ETWEventDemo_deb64.exe was flagged as malicious and that file doesn't even exist anymore. Meanwhile ETWProviders.dll was "fine" before but is now suspicious but when I compared the disassemblies between the two versions I saw few differences and none that looked plausibly malicious.

I think these are false positives. Absent more information it's not even clear that there is anything that I can do.

Hmm, apologies. I meant same "crowdsourced sigma rules".
Floxif Trojan
This Trojan can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine (Malwarebytes)
SOC Prime Threat Detection Marketplace - Ariel Millahuel
Context for the matching events
EventID:11
ProcessId:6352
TargetFilename:C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll
RuleName:DLL
CreationUtcTime:1686914585
UtcTime:1686914585
ProcessGuid:{C784477D-4618-648C-BA0A-000000004A00}
Image:C:\Windows\SysWOW64\7za.exe

Detection rule:
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 11
        TargetFilename|contains:
            - fzshellext.dll
            - \AppData\Local\Temp\conres.dll
            - \System\symsrv.dll
            - symsrv.dll
    condition: selection1
fields:
    - TargetFilename
    - Details
falsepositives:
    - none
level: high

Thanks though for looking into it & quickly making releases.
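To see why the "Floxif Trojan" Sigma rule quoted above fires on an ordinary 7-Zip extraction of etwpackage, here is an added example (not code from this thread or from the UIforETW project) that evaluates that rule against a few constructed Sysmon file-creation records. The rule, the `RULE` dict, the functions `rule_matches`, `fired_patterns` and `triage`, and the `EVENTS` list are all assumptions of this example; the first event reproduces the fields shown in the VirusTotal context, the rest are invented for contrast. Only the two Sigma operators this rule needs (bare equality and the `|contains` modifier, with list values OR-ed and case-insensitive matching) are implemented.

```python
# Sigma rule quoted in the VirusTotal context above, transcribed as a Python dict.
RULE = {
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection1": {
            "EventID": 11,
            "TargetFilename|contains": [
                "fzshellext.dll",
                r"\AppData\Local\Temp\conres.dll",
                r"\System\symsrv.dll",
                "symsrv.dll",
            ],
        },
        "condition": "selection1",
    },
    "level": "high",
}


def field_matches(event, key, expected):
    """One Sigma field comparison: a bare key means equals, '|contains' means
    substring. A list of values is OR-ed and matching is case-insensitive,
    as the Sigma specification defines for string fields."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual = str(event[name]).lower()
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "":
        return any(actual == str(v).lower() for v in values)
    if modifier == "contains":
        return any(str(v).lower() in actual for v in values)
    raise ValueError(f"modifier not implemented in this example: {modifier}")


def selection_matches(event, selection):
    """All fields inside one selection are AND-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule=RULE):
    """Evaluate the rule. Its condition names a single selection, so the
    full boolean condition grammar Sigma allows is not needed here."""
    detection = rule["detection"]
    name = detection["condition"].strip()
    if name not in detection:
        raise ValueError(f"condition refers to unknown selection {name!r}")
    return selection_matches(event, detection[name])


def fired_patterns(event, rule=RULE):
    """Which TargetFilename substrings actually matched; handy when triaging a hit."""
    if not rule_matches(event, rule):
        return []
    patterns = rule["detection"]["selection1"]["TargetFilename|contains"]
    target = str(event["TargetFilename"]).lower()
    return [p for p in patterns if p.lower() in target]


# Constructed Sysmon events (not real telemetry). EVENTS[0] mirrors the fields shown
# in the VirusTotal context; EVENTS[1] stands in for an installer of the Windows
# debugging tools, which also ship a symsrv.dll; EVENTS[2] and EVENTS[3] should not match.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\7za.exe",
     "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Windows Kits\10\Debuggers\x64\symsrv.dll"},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\7za.exe",
     "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\ETWProviders.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Tools\symsrv.dll,Entry"},
]


def triage(events, rule=RULE):
    """Return (Image, TargetFilename or None, fired patterns) for every event."""
    return [(e["Image"], e.get("TargetFilename"), fired_patterns(e, rule)) for e in events]


if __name__ == "__main__":
    for image, target, fired in triage(EVENTS):
        verdict = f"HIT on {fired}" if fired else "no match"
        print(f"{verdict:32} {image} -> {target}")
```

The run shows what the VirusTotal context only hints at: the rule keys purely on the file name substring `symsrv.dll` being written (Sysmon EventID 11), not on the content or hash of the file, so unpacking any package that bundles the Microsoft symbol-server DLL, including the debugging tools themselves, produces the same "high" severity hit. Confirming or dismissing such a hit therefore means checking the dropped file itself (its hash against the one the package author published, or its Authenticode signature), which is the information the report does not carry.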

If any of these detections are accurate then it's a very serious problem, especially since it implies that the machine where I am doing these builds is infected with something. Whether it's Floxif Trojan or anything.

But, I am skeptical about these reports. And, VirusTotal's reports are not the slightest bit clear about what the information means or how to validate it. That's why I feel like I have no choice but to ignore these.

I can't tell what the latest comment is saying. Did something patch symsrv.dll to make it malicious? If so, what?

@randomascii
I am not sure this is the place, but I didn't want to create a new issue.
Running the UIForETW & collecting a trace works fine.
The issue with me happens when I try to open the created etl trace: the wpa app crashes on startup with the following WEV log:

Application: wpa.exe
CoreCLR Version: 4.700.22.16002
.NET Core Version:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'. Operation did not complete successfully because the file contains a virus or potentially unwanted software. (0x800700E1)
File name: 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'
at Microsoft.Performance.Analyzer.Program.Main(String[] args)

Bear in mind this is a company machine and as such there is a virus defense setup which I cannot disable easily.

You're seeing a WPA issue rather than a UIforETW issue. It looks like some sort of install problem so I would try resolving it yourself because it is likely that others cannot help you. You could always move the traces to another machine - they don't need to be resolved on the machine they are recorded on. Even a VM could work.

For further discussion please open a new issue rather than repurposing an unrelated issue.