Avast does not detect this heuristic RAT?

See: https://urlhaus.abuse.ch/url/211178/
Detection: https://www.virustotal.com/gui/file/e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7/detection
See: https://www.virustotal.com/gui/file/e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7/details
Blacklisted site: https://sitecheck.sucuri.net/results/hillsmp.com/a/a.exe

Not being detected here: https://webhint.io/scanner/3d69e535-f9fb-4f00-be09-ee5c84eac4aa
Dr.Web detects a threat:
Checking: -http://hillsmp.com/a/a.exe
Engine version: 7.0.34.11020
Total virus-finding records: 7763862
File size: 500.00 KB
File MD5: 829858ba2b43bbe3dcd1738f96c32110

-http://hillsmp.com/a/a.exe infected with Trojan.Inject3.17831
Unified Layer / Bluehost abuse; IP blacklisted by 32 websites: https://www.ip-finder.me/50.87.144.152/
Reported 2 times here: https://www.abuseipdb.com/check/50.87.249.228

Infections can be cleaned with MBAM in combination with Adware Cleaner.
Handy batch file to detect:

PowerShell.exe -Command "Get-FileHash -LiteralPath %1 -Algorithm SHA1"
PowerShell.exe -Command "Get-FileHash -LiteralPath %1 -Algorithm SHA256"
PowerShell.exe -Command "Get-FileHash -LiteralPath %1 -Algorithm MD5"

Info credits go out to jfkelley.

Analysis Environments (Hybrid Analysis submission)
URL: -http://hillsmp.com/a/a.exe
Type: url
MIME: text/plain
SHA256: da29830b3b9c41…f286be088a6b6
Available VMs:
Windows 7 32 bit 3/74
Windows 7 32 bit (HWP Support) 3/73
Windows 7 64 bit 5/75
Linux (Ubuntu 16.04, 64 bit) 0/18
Android Static Analysis
Quick Scan 3/3

The public findings for this scan are at https://www.hybrid-analysis.com/sample/da29830b3b9c414263d0a1cf96bf7ef9ffcc13dffb2d5200abef286be088a6b6
At VT only Kaspersky's engine flags it: https://www.virustotal.com/gui/url/8bcfe7ec16c4ee961d0ffedf100aef3e401365f946bafea2ec7b5aea9f5d8319/detection

Falcon report confirms: https://www.hybrid-analysis.com/sample/da29830b3b9c414263d0a1cf96bf7ef9ffcc13dffb2d5200abef286be088a6b6/5d0e953803883814162af5e9

Suspicious by mutants created
Creates mutants (details):
"\Sessions\1\BaseNamedObjects\Local!BrowserEmulation!SharedMemory!Mutex"
"\Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_FILEMAPSWITCH_MUTEX_3020"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_HASHFILESWITCH_MUTEX"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_DOWNLOAD_MUTEX"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\IsoScope_bcc_IE_EarlyTabStart_0xf78_Mutex"
"\Sessions\1\BaseNamedObjects\IsoScope_bcc_ConnHashTable<3020>_HashTable_Mutex"
"\Sessions\1\BaseNamedObjects\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
"\Sessions\1\BaseNamedObjects\IsoScope_bcc_IESQMMUTEX_0_303"
"\Sessions\1\BaseNamedObjects\IsoScope_bcc_IESQMMUTEX_0_331"
"Local\InternetShortcutMutex"
"SmartScreen_ClientId_Mutex"
"Local\VERMGMTBlockListFileMutex"
"{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
"Local\URLBLOCK_DOWNLOAD_MUTEX"
"IsoScope_bcc_IE_EarlyTabStart_0xf78_Mutex"
"IsoScope_bcc_IESQMMUTEX_0_519"
"IsoScope_bcc_IESQMMUTEX_0_303"
source: Created Mutant
relevance: 3/10

Labeled as "GenKryptik.DLIJ"

MITRE ATT&CK™ Techniques Detection (technique and count per tactic; the other tactics have no entries):
Execution: Service Execution 1
Persistence: Hooking 1
Privilege Escalation: Hooking 1
Credential Access: Hooking 1
Discovery: Peripheral Device Discovery 1

Mine was the anonymous comment: heuristic RAT Trojan.Infect

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
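An added example, not code from the original post or from jfkelley's batch file: a small cross-platform Python script that does in one pass over the file what the three Get-FileHash calls above do, and then compares the digests against the two file hashes this thread quotes for a.exe, the Dr.Web MD5 (829858ba2b43bbe3dcd1738f96c32110) and the VirusTotal SHA256 (e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7). The Hybrid Analysis SHA256 (da29830b…) is deliberately not in the list: that entry is a url-type submission with MIME type text/plain, so its hash identifies the submitted URL text rather than the executable. The script name, the IOC dictionary layout and the sample bytes used for testing are constructed for this example.

```python
"""Hash a suspect file and compare it against the hashes quoted in this thread.

Added example, not code from the original post. One read of the file feeds
all three hashers, the digests are checked against the indicators quoted in
the thread, and a VirusTotal lookup URL is printed in the form used here.
"""
from __future__ import annotations

import hashlib
import sys

ALGORITHMS = ("md5", "sha1", "sha256")

# Indicators quoted in the thread for hillsmp.com/a/a.exe (file hashes only).
KNOWN_BAD: dict[str, set[str]] = {
    "md5": {"829858ba2b43bbe3dcd1738f96c32110"},          # Dr.Web online scanner
    "sha256": {"e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7"},  # VirusTotal
}


def hash_bytes(data: bytes) -> dict[str, str]:
    """Return {algorithm: hex digest} for an in-memory buffer."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Return {algorithm: hex digest} for a file, feeding every hasher from one read."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests: dict[str, str], iocs: dict[str, set[str]] = KNOWN_BAD) -> list[str]:
    """Return the algorithms whose digest is in the IOC set; empty list means no hit.

    Comparison is case-insensitive because AV reports mix upper and lower case hex.
    """
    return sorted(alg for alg, d in digests.items() if d.lower() in iocs.get(alg, set()))


def vt_file_url(sha256: str) -> str:
    """VirusTotal file report URL in the form used throughout this thread."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}/detection"


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <file>", file=sys.stderr)
        return 2
    digests = hash_file(argv[1])
    for alg in ALGORITHMS:
        print(f"{alg.upper():8}{digests[alg]}")
    hits = match_iocs(digests)
    print("IOC match:", ", ".join(hits) if hits else "none")
    print("Look up:  ", vt_file_url(digests["sha256"]))
    return 1 if hits else 0  # non-zero exit on a match, handy from a batch file


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python hashcheck.py <suspect file>` (the script name is an assumption). A non-zero exit code on a hit lets a batch file branch on the result instead of eyeballing three hash lines.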

[b]Avast mobile[/b] does not detect this heuristic RAT?
Why should it? It is not an Android file.

File type Win32 EXE
Magic PE32 executable for MS Windows (GUI) Intel 80386 32-bit

At VT [b]only Kaspersky's[/b] engine flags it: https://www.virustotal.com/gui/url/8bcfe7ec16c4ee961d0ffedf100aef3e401365f946bafea2ec7b5aea9f5d8319/detection
Not if you refresh the scan...

Hi Pondus,

But is it flagged anyway as a PE32 executable for MS Windows (GUI) Intel 80386 32-bit?
Yes, 7 detect it, but strangely Dr.Web does not flag it there while the online scanner does.
Why does VT not have this scan result then? See where I got "infected with Trojan.Inject3.17831".

(There also seems to be a similar RAT for the Android platform,
as was mentioned when I skimmed through the results.)

But anyway, when I checked it, it seemed real, though most flag it as a heuristic detection.

polonus

Why does VT not have this scan result then? See where I got "infected with Trojan.Inject3.17831".
The result is in the first VT link you posted, and it is not an Android file.

This file -http://hillsmp.com/a/a.exe
https://www.virustotal.com/gui/file/e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7/detection