Friday, January 28, 2022

, , , ,

VirusTotal Multisandbox += SecneurX

VirusTotal welcomes SecneurX to the multi-sandbox project. This new behavioral analysis platform is helping provide additional details on Windows executables, Office documents, and Android APKs.

In their own words:

SecneurX Advanced Malware Analysis (SnX) platform provides visibility and context into advanced threats with its extensive malware analysis & detection capabilities. The analysis platform is based on a unique architecture that emulates an enterprise environment for analyzing the most evasive and concealed malware. It performs both static and dynamic behavior analysis of different file types (.doc, .pdf, .msg, .eml, .xlsx, .exe, .ppt, .csv, .apk etc.) and generates a detailed report describing the malware behavior. Extracted Indicators of compromise (IOCs) and human-readable behavior reports can be used to augment existing intelligence data and help to give "context" about IPs, domains, URLs, Registry, Process activity, file names, and hashes.

On VirusTotal you can find the SecneurX reports on the Behavior tab:

Let's take a deeper look at some interesting samples showcasing SecneurX capabilities:

EXE file which spreads via SMB protocol


This EXE is a crypto mining worm that uses exploits to steal credentials and spreads laterally to other machines in the network. It communicates with its CNC and transfers its malicious binary through SMB protocol to other machines on the local network.

Click on the full report icon, to see the SecneurX detailed report.
A few interesting points in the full report are highlighted:

VirusTotal enterprise customers may search other samples on VirusTotal that use this firewall command you can use the behaviour_processes file search modifier in a query similar to:

behaviour_processes:"netsh firewall add portopening tcp 65533 DNSd"

An example searching for scheduled tasks:

behaviour_processes:"schtasks /create /ru system"

Email with attached password-protected XLS spreadsheet which launches PowerShell

This email message contains an attached password-protected XLS spreadsheet which when triggered launches a Living of the Land attack using an obfuscated PowerShell script to download a second-stage attack payload. SecneurX extracts and executes them

Within the process tree we can see powershell commands to create a TLS connection, You can search VirusTotal to find other samples using this technique with a query like behaviour_processes:"System.Net.SecurityProtocolType" and behaviour_processes:powershell

Android App (APK) with multi-stage payload downloader showing Joker malware behavior

The APK: 1e2c99c68390baefa7d9eba4a429f9b009aa4ade281909831fa2c50a944ae5ab downloads malicious payload via HTTP. In this VT-Graph view we can investigate how it is related to other malware samples.

Excel spreadsheet abusing the legacy equation editor to execute a custom payload

This excel spreadsheet exploits Office’s legacy equation editor to download a remote artifact and execute it

We welcome this new addition to VirusTotal, SecneurX will help put the spotlight on malware. Happy hunting.


Post a Comment