This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Ryan_St__Germai
Collaborator
‎2019-03-08 05:13 PM

False Negative with Threat Emulation

Hey guys,

I just saw a Tweet regarding a ransomware payload with a low Ant-Virus detection rate. I grabbed a copy of it and ran the sample through the sandblast analysis website. The result is coming back as clean. 

App.any.run shows obvious malicious behavior: LockerGoga.exe (MD5: 16BCC3B7F32C41E7C7222BF37FE39FE6) - Interactive analysis - ANY.RUN 

Tweet:MalwareHunterTeam on Twitter: "Let me present you, in 2019 March, a signed LockerGoga ransomware sam... 

MD5: 16bcc3b7f32c41e7c7222bf37fe39fe6
SHA1: a25bc5442c86bdeb0dec6583f0e80e241745fb73
Just wanted to give a heads up in case the system is in fact not detecting this as malicious. 
0 Kudos
Reply
4 Replies
Mark_Mitchell
Advisor
‎2019-03-09 12:33 AM

Hi Ryan,

Thanks for the heads up. Have you also raised it with TAC? 

Regards

Mark

Reply
PhoneBoy
Admin
Admin
‎2019-03-10 03:17 AM

I'll have someone in our Threat Operations team have a look at it.

Reply
PhoneBoy
Admin
Admin
‎2019-03-10 04:27 AM

Looks like we're properly detecting this both with Threat Emulation and AV.

If you're still seeing it not detected, please engage with our TAC. 

Reply
Maciej_Maczka
Contributor
‎2019-03-13 02:41 AM

Hi,

 

I noticed that Threat Emulation website does not give the same result as appliance  does (with default settings).

I had few cases where Sanblast Network said: malware, but result from website was opposite.

 

MMM

0 Kudos
Reply