Author Topic: PIF extention files.  (Read 34727 times)

Offline GrDukeMalden

  • Newbie
  • *
  • Posts: 33
  • Kudos +3/-1
PIF extention files.
« on: June 12, 2021, 04:22:03 AM »
So I follow an account on twitter that goes by the name MalwareHunterTeam @malwrhunterteam . Just yesterday, they posted a file hash of a PIF extension file that was malware and hardly anything detected it. For more than 24 hours a grand total of 1 on virustotal detected it as malware. Last night it was only 3.

If S.A.P.'s whitelisting/blocking component doesn't currently stop PIF extension files, it should from now on.

If the devs want to examine it here's the file hash: 8c6e507be687fd725cf66f3a4d405a43fc575a275024a5ed164e90b873fe447c
I'm uncertain as to what the rules are about posting the results of virustotal scans, so I'll just give you the hash to it.

Thankyou for your time.

- Grand Duke Malden
« Last Edit: June 15, 2021, 04:43:09 AM by GrDukeMalden »
VPN(Paid)
VoodooSheild(Paid)
SecureAPlus(Paid,Pro)
SandboxiePlus (By Xanasoft)
I fiddle with whitelisting software.

Offline Clem

  • SecureAPlus Helpdesk Engineer
  • Jr. Member
  • *
  • Posts: 52
  • Kudos +0/-0
Re: PIF extention files.
« Reply #1 on: June 14, 2021, 09:46:05 AM »
Thank you for updating us, we will direct this to the team to take a look.

Offline GrDukeMalden

  • Newbie
  • *
  • Posts: 33
  • Kudos +3/-1
Re: PIF extention files.
« Reply #2 on: June 15, 2021, 04:43:43 AM »
I messed up when I copypasted the file hash, I have corrected the mistake now
VPN(Paid)
VoodooSheild(Paid)
SecureAPlus(Paid,Pro)
SandboxiePlus (By Xanasoft)
I fiddle with whitelisting software.

Offline Clem

  • SecureAPlus Helpdesk Engineer
  • Jr. Member
  • *
  • Posts: 52
  • Kudos +0/-0
Re: PIF extention files.
« Reply #3 on: June 15, 2021, 11:27:07 AM »
I messed up when I copypasted the file hash, I have corrected the mistake now

Thanks for the update.

Our developer mentioned .PIF is an older format for shortcut files.
Since it is a shortcut, it should eventually point to an executable or script to run.

Since SecureAPlus doesn't block shortcuts. The malware in .PIF file could be running something (e.g. powershell with certain parameter), but since only the hash is provided, it is difficult to analyze more.

The most important is whether SecureAPlus blocks the execution caused by this .PIF file.
For example, if it is running powershell with a suspicious parameter most likely it will get blocked (the powershell will get blocked, but not the .PIF file).

Offline GrDukeMalden

  • Newbie
  • *
  • Posts: 33
  • Kudos +3/-1
Re: PIF extention files.
« Reply #4 on: August 26, 2021, 02:36:19 AM »
Quote
but since only the hash is provided, it is difficult to analyze more.

You might be able to download a sample as well as a whole bunch of other information about the file from https://analyze.intezer.com/

If you pay for a premium they let you download samples and they also let you download several different kinds of files for their "vaccine" They generate Yara, OpenIOC, STIX and STIX2 rules for people to program into their antivirus products to make generic detection rules.

VPN(Paid)
VoodooSheild(Paid)
SecureAPlus(Paid,Pro)
SandboxiePlus (By Xanasoft)
I fiddle with whitelisting software.