Buster_BSA wrote:The sample is not sent. BSA sends the MD5 here:In this case - no problem :) So please disregard my p.1, but p.2.
http://www.virustotal.com/search.html
A forum for reverse engineering, OS internals and malware analysis
But you still didn´t tell me if the new feature is working. ;)
Beta 4:
https://www.yousendit.com/download/MEtT ... N0JjR0E9PQ
I fixed a bug and also added the chance of retrieving malware information of dropped (win32) files.
https://www.yousendit.com/download/MEtT ... N0JjR0E9PQ
I fixed a bug and also added the chance of retrieving malware information of dropped (win32) files.
Released Buster Sandbox Analyzer 1.32.
Changes:
+ Added a feature to include av identifications from VirusTotal on reports
+ Improved “Automated Setup” feature
Changes:
+ Added a feature to include av identifications from VirusTotal on reports
+ Improved “Automated Setup” feature
Question to developer - could you please respond?
The question touches upon investigation of Qimiral sample. The network log includes the following lines:
So how can it be explained: according to log it is TCP connections and they are associated with malware file, is it false?
The question touches upon investigation of Qimiral sample. The network log includes the following lines:
OUT,TCP - HTTP,10.0.2.15,64.12.96.129:80,C:\Documents and Settings\User\Desktop\Piggy.exeAccording to Anubis logs there is no inbound connections.
IN,TCP - HTTP,64.12.96.129:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
IN,TCP - HTTP,198.78.212.126:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
IN,TCP - HTTP,213.248.111.235:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
IN,TCP - HTTP,195.12.231.10:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
So how can it be explained: according to log it is TCP connections and they are associated with malware file, is it false?
gjf wrote:Question to developer - could you please respond?In the Anubis report you can see:
The question touches upon investigation of Qimiral sample. The network log includes the following lines:OUT,TCP - HTTP,10.0.2.15,64.12.96.129:80,C:\Documents and Settings\User\Desktop\Piggy.exeAccording to Anubis logs there is no inbound connections.
IN,TCP - HTTP,64.12.96.129:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
IN,TCP - HTTP,198.78.212.126:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
IN,TCP - HTTP,213.248.111.235:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
IN,TCP - HTTP,195.12.231.10:80,10.0.2.15,C:\Documents and Settings\User\Desktop\Piggy.exe
So how can it be explained: according to log it is TCP connections and they are associated with malware file, is it false?
" HTTP Conversations:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
From ANUBIS:1038 to 64.12.164.247:80 - [ http://www.icq.com ]
Request: [ GET /people/566539612 ], Response: [ 200 "OK" ]"
I don´t know why Anubis does not report inbound traffic, but it´s logic to think that if you send a GET to http://www.icq.com you will receive a reply, will not you? In fact you will receive this page:
http://www.icq.com/people/566539612
Also I can comment that BSA does not "invent" traffic; BSA just uses WinPCap to watch traffic and capture packets.
Therefore I think you should ask Anubis developers why their analyzer doesn´t report inbound traffic. In my opinion BSA is working fine and Anubis is missing information.
Even more... you can check at "Viewer > View Packets" the packets that were transfered. I´m pretty sure you will find the page: http://www.icq.com/people/566539612
Yes, I can agree with you concerning 64.12.96.129 - actually it is icq.com, but 198.78.212.126:80, 213.248.111.235:80 and 195.12.231.10:80....
Possibly these hosts belongs to icq.com, possibly it is just banners or ads, but anyway thay have no index page.
Thanks for quick reply.
Possibly these hosts belongs to icq.com, possibly it is just banners or ads, but anyway thay have no index page.
Thanks for quick reply.