Signed Sample - Very Suspect

Sandbox Breaker - DFIR

Jan 6, 2022
Inside a sandbox.


Xcitium says clean: Cloud Verdict Customer Login | Xcitium Cloud Verdict

Triage Says Suspect: Triage | Malware sandboxing report by Hatching Triage

Kaspersky Sandbox says clean: Kaspersky Threat Intelligence Portal

Sophos Intelix says clean or suspicious: Intelix UI

Listed as a trusted vendor with Comodo:


What do you guys think? I'm going with suspect/malicious.
 
False positive, seems to be some weird and low-quality bootstrap downloading one of their secure browsers.

It can look a bit suspicious due to the fact that it's packed with UPX, signed by Comodo CA and probably not too frequently seen.
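As an added example, not code from this thread, here is a small Python triage script that reads two of the signals named above straight from the PE headers (UPX section names, and an Authenticode blob recorded in the security data directory) and combines them with a prevalence count. The header-only PE stub, the prevalence numbers and the "two signals or more" threshold are constructed assumptions for the demo.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size) of the Authenticode blob


def parse_pe(data: bytes) -> dict:
    """Read section names and the security directory entry from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B
    dir_off = opt_off + (112 if pe32plus else 96) + 8 * SECURITY_DIR
    _sig_off, sig_size = struct.unpack_from("<II", data, dir_off)
    sec_off = opt_off + opt_size                               # section table follows the optional header
    names = [data[sec_off + 40 * i:sec_off + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]
    return {"sections": names, "signed": sig_size > 0, "sig_size": sig_size}


def triage(data: bytes, prevalence: int) -> dict:
    """Combine packer, signature and prevalence signals into a reviewer-facing verdict."""
    info = parse_pe(data)
    reasons = []
    upx = [n for n in info["sections"] if n.startswith(b"UPX")]
    if upx:
        reasons.append("UPX-packed: sections %s" % b",".join(upx).decode())
    if info["signed"]:
        # A signature blob only says 'someone signed this'; the chain still has to be verified.
        reasons.append("carries an Authenticode blob (%d bytes); verify the chain before trusting it" % info["sig_size"])
    if prevalence < 10:  # assumed threshold for 'not frequently seen'
        reasons.append("rarely seen (%d prior sightings)" % prevalence)
    verdict = "suspicious: manual review" if len(reasons) >= 2 else "no packer/prevalence concerns"
    return {"verdict": verdict, "reasons": reasons}


def build_stub_pe(section_names, signed: bool) -> bytes:
    """Constructed header-only PE32+ stub for the demo; it is not a runnable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                                      # PE32+ with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                                      # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x1000, 0x800)  # placeholder offset/size
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    sample = build_stub_pe([b"UPX0", b"UPX1", b".rsrc"], signed=True)
    print(triage(sample, prevalence=3))
```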
Good. I was wondering what the hell was happening. The trusted vendor threw me off.
 
It is mainly used to lock down the systems during tests and exams it seems. It can't download the browser because authorization is required.
I was thinking that it was some sort of exam anticheat also before but didn't have enough to confirm. I was theorizing a compromised certificate. Plus their website is trash lol.