In Verdict Cloud this has been marked clean past human analysis. This demonstrates many characteristics of malware and since upload many other vendors are also alarming it’s an infostealer.
Please review. VirusTotal - File - 8acb40974fb9689ada014e6dcc50be3b94119ea0a31e5c612e589325898224ff
I have forwarded the details to the concern team to look into it
the issue is fixed and the old signature is removed
It’s not unwanted it’s stealer.
I appreciate the fixing of the signature, however…we have a serious problem to discuss here.
You told me Clean. I told you Infostealer. You then told me Unwanted, now you tell me Infostealer after I told you Infostealer after you told me it was clean…see the problem here?
Does XCITIUM believe this file is an infostealer because I’ve insisted it’s an infostealer and XCITIUM agrees? Or has it now been marked as an infostealer pending a human expert re-review internally by XCITIUM…
This also brings into question, if “human expert analysis” decided an infostealer was a clean file…huh? That creates an entirely different risk towards XCITIUM’s core protection model and we really, I mean…you can’t have this happening yknow, you can’t have your analysts just letting infostealers through the pearly gates, that’s kinda what people are hoping to prevent…I guess I’m looking for some context as to
Every click, malware, PUA, clean - it potentially drastically changes an outcome for someone, we must be sure of our decisions.
thank you for your feedback , I will share it to the concern team to look into it.
Please find the update provided by our specialist team on your query -
"we have checked the sample and even though it has a few similar action with PUA and a password stealer, we couldn’t see any actions for collecting and sending the data to a remote host. We will search for more samples and keep them live for further investigations. Thank you. "
Headless Chrome debugging, which is part of the modern way infostealers bypass Chrome 137’s protections
gofile.io for pulling binary to execute
discord.com used for screenshots, file, cred exfil, attacker alerts, all varies
I think there’s some work to be done fellas. Inbox is open if it’s a workforce problem.
I have forwarded your feedback to the backend team to look into it.
