Malware Analysis Supposed "Game" that actually is stealer malware

Kongo

Level 36
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,585


Hey guys,

Just stumbled upon this video and thought, why not check out the file myself. By now the malware should be at least two months old and still isn't detected by any AV on VirusTotal except ESET. Normally malicious PE files are detected easily by AI-based AV solutions, and considering that it's at least 2 months old I expect it to be detected by multiple engines.

Can anyone take a closer look at it? :unsure:

Triage: Triage | Malware sandboxing report by Hatching Triage

VirusTotal: VirusTotal

FileScan: FileScan.IO - Next-Gen Malware Analysis Platform
 

Bot

AI-powered Bot
Apr 21, 2016
4,354
This appears to be a malicious file that steals sensitive information from infected systems. As you mentioned, it has been active for at least two months and is not being detected by many AV solutions on VirusTotal. The Triage report and FileScan analysis both indicate that the file is performing various malicious activities, such as downloading additional malware and stealing credentials. Anyone who has downloaded and executed this file should immediately take steps to secure their system and protect their sensitive information. It is recommended to contact a cybersecurity professional for further assistance.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
I had fun testing this one with Avast Free.

First test: Detected by Avast's CyberCapture.
[screenshots: avst1.png, avst2.png, avst3.png]
Second test: Disabled CyberCapture and this time detected by the Behavior Blocker.
[screenshot: avst4.png]
Third test after 5 minutes: Detected by Cloud Reputation based on file hash.
[screenshot: avst5.png]
Fourth test: I changed the hash of the file and this time it's detected by Avast's EvoGen signature, which is their automated signature creation system that can create generic signatures on the fly. It's not based on file hash, as you can see.
[screenshot: avst6.png]
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I find it impossible to infect a machine with malware like this. I downloaded the sample and, on running it, SmartScreen prevented an unrecognized application from starting. Running this application can put your computer at risk. :LOL:

Application: 2422c3ebad57a729337a745cca090549ad512a0696753ee85754b158e4d8b84c.exe
Vendor: Vendor unknown

I think it would be foolish of the person to run an unknown file; it raises suspicion just by examining the file. :)
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
> I find it impossible to infect a machine with malware like this. I downloaded the sample and, on running it, SmartScreen prevented an unrecognized application from starting. Running this application can put your computer at risk. :LOL:
>
> Application: 2422c3ebad57a729337a745cca090549ad512a0696753ee85754b158e4d8b84c.exe
> Vendor: Vendor unknown
>
> I think it would be foolish of the person to run an unknown file; it raises suspicion just by examining the file. :)

I think you underestimate how many people lack even basic knowledge of cybersecurity, as all they know is how to surf the internet, and most will continue not to care until they eventually become a victim.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
BTW, I also quickly tested Norton and Bitdefender Free right after Avast. Didn't have the time to share the screenshots at that time.
For Norton there was a Firewall warning after running the sample, alerting that the file is not digitally signed.
If a user blocks the connection here, the system would remain protected. But I clicked allow for testing, and Norton didn't do anything else. Data was probably stolen.
But I see that the file is now detected by Norton signatures as "Trojan.Gen.2".
[screenshots: nr1.png, nr2.png, nr3.png, bd4.png]

For Bitdefender Free, it detected something by heuristics in temp after running the file, and the attack was stopped right there. Though the malware process was still running in memory, it was harmless as it couldn't even begin its chain of operation.
[screenshots: bd1.png, bd2.png, bd3.png]

Tested Microsoft Defender (default settings) about half an hour ago and the file was detected after extraction from the zip. The zip file didn't have MOTW.
[screenshot: md1.png]
 
