
Fake Malwarebytes MBAE Malware


M_Haggis


Hello,

 

I sent this to the support email last week and was requested to post this here. Mainly wanted to let you know someone is signing malware in your name. Let me know if Twitter is the faster route for next time.

 

________

 

Was investigating a macro embedded in Word doc, and during the investigation it dropped a file with MalwareBytes name on it.

 

Word Doc:

db2f6ce0ec34bcc41dbd059eac48da81

https://www.virustotal.com/en/file/1246e7b7f517fc6db01b0b0c68dbcf314047aeed9bf86f0c27a95bba980761d8/analysis/

17/56

 

sample (signed Malwarebytes)

faba4086351f50c3f88dbf2eb8d60996

VT:

https://www.virustotal.com/en/file/d0b5f2f63382d378c358a1711a34a206c717917118ce2855ea6deccb0148550e/analysis/1416963569/

31/56

(5/56 when I first reported it)

 


 

Let me know if there is anything else I can provide. 


Thank you...

 

From the VirusTotal report URL you provided, MBAM detects this as "Trojan.Inject".
 
It is an unsigned binary.  Using the Malwarebytes name in the binary is notable but not too important.  The subject of the post "MalwareBytes MBAE Signed Malware" is misleading.  It is not "signed malware".  To be considered a signed binary it would have to include a Publisher's Certificate.

 

In this case, certain binary fields: "LegalCopyright", "FileDescription", "CompanyName" and "ProductName" have English text that uses "Malwarebytes".  However, that does not make it a "signed" binary. 
 
If it were truly signed malware and the binary's Publisher's Certificate indicated "Malwarebytes" in some form or fashion, then it would be a different case.


Staff

Welcome to the forum and thanks for posting.

 

I've edited the thread title to make it clearer that the malware is NOT digitally signed by Malwarebytes.

 

What you're seeing is very typical of malware. They use known big vendor brand names in the PE resource (FileDescription, CompanyName, etc.) to try to avoid certain heuristics. But as David well pointed out this is far from a "signature" which is typically a concept used for digital signatures.

