VirusTotal welcomes SecneurX to the multi-sandbox project. This new behavioral analysis platform is helping provide additional details on Windows executables, Office documents, and Android APKs.
In their own words:
SecneurX Advanced Malware Analysis (SnX) platform provides visibility and context into advanced threats with its extensive malware analysis & detection capabilities. The analysis platform is based on a unique architecture that emulates an enterprise environment for analyzing the most evasive and concealed malware. It performs both static and dynamic behavior analysis of different file types (.doc, .pdf, .msg, .eml, .xlsx, .exe, .ppt, .csv, .apk etc.) and generates a detailed report describing the malware behavior. Extracted Indicators of compromise (IOCs) and human-readable behavior reports can be used to augment existing intelligence data and help to give "context" about IPs, domains, URLs, Registry, Process activity, file names, and hashes.
Let's take a deeper look at some interesting samples showcasing SecneurX capabilities:
This EXE is a crypto mining worm that uses exploits to steal credentials and spreads laterally to other machines in the network. It communicates with its CNC and transfers its malicious binary through SMB protocol to other machines on the local network.
Click on the full report icon to see the detailed SecneurX report.
A few interesting points in the full report are highlighted:
VirusTotal Enterprise customers can search for other samples on VirusTotal that run this firewall command by using the behaviour_processes file search modifier in a query similar to:
behaviour_processes:"netsh firewall add portopening tcp 65533 DNSd"
An example searching for scheduled tasks:
behaviour_processes:"schtasks /create /ru system"
This email message contains an attached password-protected XLS spreadsheet which, when triggered, launches a Living off the Land attack using an obfuscated PowerShell script to download a second-stage payload. SecneurX extracts and executes them.
Within the process tree we can see PowerShell commands that set up a TLS connection. You can search VirusTotal for other samples using this technique with a query like:
behaviour_processes:"System.Net.SecurityProtocolType" and behaviour_processes:powershell
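The three hunting queries above (the netsh firewall rule, the scheduled task created as SYSTEM, and the PowerShell TLS setup) can also be applied locally to the process list of a sandbox report or EDR export. The following Python script is an added example, not VirusTotal's or SecneurX's code: it encodes each hunt as a list of substrings, matches them against constructed sample process entries, and prints the equivalent behaviour_processes query for each rule. The process entries, the rule names, and the generalisation of the netsh term to the `netsh firewall add portopening` prefix are assumptions made for this illustration; only the query syntax comes from the post.

```python
import re
from typing import Dict, List, Tuple

# Each rule is a list of substrings that must all appear in one process
# (image name + command line). The third rule mirrors the two-term query
# in the post: the TLS protocol setting must occur in a PowerShell process.
RULES: Dict[str, List[str]] = {
    "firewall_portopening": ["netsh firewall add portopening"],   # generalised prefix (assumption)
    "schtasks_as_system": ["schtasks /create /ru system"],
    "powershell_tls_setup": ["System.Net.SecurityProtocolType", "powershell"],
}

# Constructed sample process entries, shaped like a sandbox process tree.
SAMPLE_PROCESSES = [
    {"pid": 1204, "name": "netsh.exe",
     "cmdline": "netsh firewall add portopening tcp 65533 DNSd"},
    {"pid": 1310, "name": "schtasks.exe",
     "cmdline": "schtasks /create /ru system /sc minute /tn Update /tr C:\\ProgramData\\u.exe"},
    {"pid": 1422, "name": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c [Net.ServicePointManager]::SecurityProtocol="
                "[System.Net.SecurityProtocolType]::Tls12; <rest omitted>"},
    {"pid": 1500, "name": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\analyst\\notes.txt"},
    # Mentions the TLS type but is not PowerShell: must NOT trigger the third rule.
    {"pid": 1600, "name": "cmd.exe",
     "cmdline": "cmd /c echo System.Net.SecurityProtocolType"},
]


def vt_query(rule: str) -> str:
    """Render a rule as a VirusTotal behaviour_processes query.

    Single-word terms are left bare (as in the post's `behaviour_processes:powershell`);
    anything with spaces or punctuation is double-quoted.
    """
    parts = []
    for term in RULES[rule]:
        if re.fullmatch(r"[A-Za-z0-9_]+", term):
            parts.append(f"behaviour_processes:{term}")
        else:
            parts.append(f'behaviour_processes:"{term}"')
    return " and ".join(parts)


def _haystack(proc: dict) -> str:
    # Case-insensitive match over image name and command line together.
    return f"{proc['name']} {proc['cmdline']}".lower()


def matching_rules(proc: dict) -> List[str]:
    """Return the names of all rules whose terms all occur in this process."""
    hay = _haystack(proc)
    return [name for name, terms in RULES.items()
            if all(term.lower() in hay for term in terms)]


def scan(processes: List[dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every process that matches a rule."""
    hits: List[Tuple[int, str]] = []
    for proc in processes:
        for name in matching_rules(proc):
            hits.append((proc["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_PROCESSES):
        print(f"pid {pid}: {rule}  ->  pivot with: {vt_query(rule)}")
```

The substring matching is a deliberate approximation of the VirusTotal modifier: the portal query matches a file whose behaviour report contains each term anywhere, whereas this script requires all terms of a rule inside the same process, which is the tighter condition an analyst usually wants when triaging a process tree.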
We welcome this new addition to VirusTotal; SecneurX will help put the spotlight on malware. Happy hunting.