Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

False Negative with Threat Emulation

Hey guys,

I just saw a Tweet regarding a ransomware payload with a low Ant-Virus detection rate. I grabbed a copy of it and ran the sample through the sandblast analysis website. The result is coming back as clean. 

App.any.run shows obvious malicious behavior: LockerGoga.exe (MD5: 16BCC3B7F32C41E7C7222BF37FE39FE6) - Interactive analysis - ANY.RUN 

Tweet:MalwareHunterTeam on Twitter: "Let me present you, in 2019 March, a signed LockerGoga ransomware sam... 

MD5: 16bcc3b7f32c41e7c7222bf37fe39fe6
SHA1: a25bc5442c86bdeb0dec6583f0e80e241745fb73
Just wanted to give a heads up in case the system is in fact not detecting this as malicious. 
0 Kudos
4 Replies
Highlighted

Hi Ryan,

Thanks for the heads up. Have you also raised it with TAC? 

Regards

Mark

Highlighted
Admin
Admin

I'll have someone in our Threat Operations team have a look at it.

Highlighted
Admin
Admin

Looks like we're properly detecting this both with Threat Emulation and AV.

If you're still seeing it not detected, please engage with our TAC. 

Highlighted

Hi,

 

I noticed that Threat Emulation website does not give the same result as appliance  does (with default settings).

I had few cases where Sanblast Network said: malware, but result from website was opposite.

 

MMM

0 Kudos