Suspicious "game"

Status
Not open for further replies.

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
You probably have to send it directly to their email
Once it’s on VT you can send them the hash. Explain that it is infostealer. Dr Web is wrong, the sample is quite functional. It is packed with some rubbish modules that I don’t believe serve any purpose to avoid transmission to clouds and emulators. Because it’s modules and not just repetitive bytes, compression doesn’t really make it smaller. Only build.exe is functional and malicious.
 
Last edited:

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
This sample is similar to the other one that @Kongo posted. I am not sure why detections haven’t been added, did you guys submit to anyone?
@struppigel can you have a look at this sample and see it it’s just me or they are similar?

The file is also an Electron Package App, hence you see similar behavior and files written. But JS code inside looks different. I did not deobfuscate it yet, but the strings of the obfuscated JS mention bbystealer, which you will find as open source on Github.
 

partha_roy

Level 3
Well-known
Oct 16, 2022
122
My friend mentioned that he submitted it to Microsoft yesterday, among other vendors. Dr.Web responded to him saying it's corrupted and presents no danger View attachment 276795I was too lazy to submit it myself because the file size is not that small (70mb) and most of the upload sites have a limit (BD 25mb, Avast 50mb, Avira 50mb etc). You probably have to send it directly to their email.
Believing that they worked on the same file, I would disagree with Dr. Web's assessment. The file did cause corruptions on my system; things were just dandy before I had executed it
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
bbystealer
The host contacted was also something starting with bby and on VT relations it wasn’t an innocent one so you are right. The final payload is different but distribution and packaging are similar. I believe under company name, both cursed.exe (from the other sample) and build.exe from this sample have “evil” but I have no access now to check.

But also, if Check Point classification is accurate, this should be Ayhuuu Creal Stealer, also derived from GitHub.
 
Last edited:

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
419
The host contacted was also something starting with bby and on VT relations it wasn’t an innocent one so you are right. The final payload is different but distribution and packaging are similar. I believe under company name, both cursed.exe (from the other sample) and build.exe from this sample have “evil” but I have no access now to check.

But also, if Check Point classification is accurate, this should be Ayhuuu Creal Stealer, also derived from GitHub.
Impressive display by Harmony 👍
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,584
Can't do anything about that because I am on vacation and have no access to any system at work. If you are bothered by that, submit it to GDATA or Bitdefender, both will do.

I unpacked the code by now.
You first unpack Nullsoft script with 7z, then from these files extract app-64.7z, then download and install Asar plugin for 7zip and unpack app.asar.
Inside that one is a coreAES.js which contains encrypted data.
I put the code into an online Node JS compiler and replaced the last line with console.log('%s', decrypted) to print the decrypted malware.

I uploaded it to malshare in case anyone is interested.
This is the decrypted JS file: VirusTotal
You will find it on malshare with the same hash.

It is > 3000 lines of code, but here are some interesting parts:

Don’t worry, I was just kidding :D
 

piquiteco

Level 14
Oct 16, 2022
624
My friend mentioned that he submitted it to Microsoft yesterday, among other vendors. Dr.Web responded to him saying it's corrupted and presents no danger
So that must be why Microsoft must have looked at it and added it to their subscriptions. Thank your friend for me, it helps others. Strange that Dr.Web says the file is corrupted and offers no danger. Explain to them what is stealer malware, maybe it is news to them who knows. I downloaded the sample here, the BD does not detect it, it is packaged and has Build.exe file I did not run it because it was on my physical machine, but most AVs will not detect it by analyzing statically, maybe some AVs only when running. @struppigel looked deeper and according to him there are about 3000 lines of code and he left an interesting spoiler in post #18 (y)
I was too lazy to submit it myself because the file size is not that small (70mb) and most of the upload sites have a limit (BD 25mb, Avast 50mb, Avira 50mb etc). You probably have to send it directly to their email.
And therein lies the problem, they create this malware to remain undetectable by security products, as there is a limit to the size of samples that can be sent to these companies to analyze, making it difficult to communicate with them. :rolleyes:
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Strange that Dr.Web says the file is corrupted and offers no danger.
I am not a professional analyst (my job does not involve writing protections, I just use whatever is already created). It took me a second to open the open the file with 7z and see the build.exe. This is a very common default name that rat and infostealer builders assign to the compiled agent and the button to initiate the process is frequently labelled "build". Then I noticed vulkan modules and other files which make no sense being used in conjunction with infostealer, so there you go, this is your binary padding (T1027.001). In general, if I have 1k files and one executable, I will always first look at the exe.
It must've been some very junior analyst at Dr. Web looking at that sample.
Also, throwing an error doesn't mean anything, I've seen cases where scripts throw errors, it looks like they didn't execute, but then you have the code successfully injected.

And therein lies the problem, they create this malware to remain undetectable by security products, as there is a limit to the size of samples that can be sent to these companies to analyze, making it difficult to communicate with them.
That one remained under the radar because it is probably not very prevalent. Otherwise telemetry will cause various signatures and behavioural blocking profiles to be created plus the hosts will be added to denylists. Once this distribution method with Electron Package is well covered, they will move on to another one.
 

Xeno1234

Level 14
Jun 12, 2023
684
Suprised Opentip didnt pick up on this, however behavioral detection probably gets it I cant really test it though
also looking deeper into it Opentip recieved the errors, so it may have not actually done its thing
 
Last edited:

piquiteco

Level 14
Oct 16, 2022
624
I am not a professional analyst (my job does not involve writing protections, I just use whatever is already created). It took me a second to open the open the file with 7z and see the build.exe. This is a very common default name that rat and infostealer builders assign to the compiled agent and the button to initiate the process is frequently labelled "build". Then I noticed vulkan modules and other files which make no sense being used in conjunction with infostealer, so there you go, this is your binary padding (T1027.001). In general, if I have 1k files and one executable, I will always first look at the exe.
It must've been some very junior analyst at Dr. Web looking at that sample.
Also, throwing an error doesn't mean anything, I've seen cases where scripts throw errors, it looks like they didn't execute, but then you have the code successfully injected.
Good angle you have to explain things, this that your job doesn't involve writing protections, imagine if it did, but I understood it perfectly. Btw take back what I said about ZA in another post. Long story short @Shadowra posted that day the CheckPoint Harmony vs DeepInstinct Endpoint test and I was curious why ZoneAlarm Extreme Security NextGen didn't detect that day stealer malware from that @Kongo post. Harmony is not home product I checked, but can be used with home product also I checked, product is not even also I checked, but has threat emulation like ZA. So I installed ZA just for curiosity and did a scan in the .exe file and then extracted the packaged file, did not detect anything, so far all clean, in the static analysis no problem, I ran exe after a 1 minute or 2 two, ZA neutralized the attack blocked malware stealer, I checked in the quarantine were several files removed by ZA. I checked in the firewall if there were any blocked connections or any logs in ZA, and there was nothing, I believe ZA neutralized and cut the snake head off right away. I wonder if it was you who had contact with the CheckPoint people, or did they make some improvement in the product, some update before that? To be honest I don't know, only that this time I saw ZA in action, blocked and removed the malware. I confess that after that I ended up liking the product. There are things that you have to leave the taste aside, in this scenario what prevails is the effectiveness, every AV can fail, sometimes for some it can be glaring the failure of an AV. ;)
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
So that must be why Microsoft must have looked at it and added it to their subscriptions. Thank your friend for me, it helps others. Strange that Dr.Web says the file is corrupted and offers no danger. Explain to them what is stealer malware, maybe it is news to them who knows. I downloaded the sample here, the BD does not detect it, it is packaged and has Build.exe file I did not run it because it was on my physical machine, but most AVs will not detect it by analyzing statically, maybe some AVs only when running. @struppigel looked deeper and according to him there are about 3000 lines of code and he left an interesting spoiler in post #18 (y)

And therein lies the problem, they create this malware to remain undetectable by security products, as there is a limit to the size of samples that can be sent to these companies to analyze, making it difficult to communicate with them. :rolleyes:

The verdict is wrong but I can kind of understand why this happens. I have 8 years experience. It took me >2 hours to figure out where the malicious code is because the sample has so much legit stuff inside and because this is the very first time I saw an Electron Package App. There is not much information about reversing this kind of packaging. Once you know where to find the code, it is really easy and a matter of 10 minutes. But this is not a common way to ship malware, so most people will not know how to unpack it. The very reason this sample was interesting for me was the fact that this is something new.

Just like Trident I looked at build.exe but this file is huge and it is not where the malware code is. It is just the execution environment here. You can easily get lost in this for hours trying to find the actual malware code.

So the most likely thing that happened here: Analyst did not have enough time to figure out the verdict, so they had to come up with something. Seeing the 0 detection rate and the error message, they probably thought "corrupted" is the easiest way out.
I know how I thought as a rookie analyst. When I saw 0 zero detections on Virustotal, I was immediately biased towards thinking this is clean.
The issue is, as a malware analyst you are the one supposed to be fixing those and you actually should not give any attention to detection rates

Also, as long as a sample can execute even one instruction of code, it is not corrupted, no matter how many error messages appear there. Corruption means the OS has no idea what to do with the file because the file format is broken. But error messages in samples are not a reason. They can appear because of the environment, e.g. some files are missing that would be required to run it, or the error messages are there because malware deliberately puts them there.
 

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
419
Kaspersky:

Event: Malicious object detected
Application: build
User:
User type: Initiator
Component: Behavior Detection
Result description: Detected
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\testman\AppData\Local\Temp\2Rtpajh6uGscAPxgRNqlD7VdBiq
Object name: build.exe
Reason: Behavior analysis
Databases release date: Yesterday, 7/1/2023 2:26:00 PM
SHA256: FF20400A7E7C164D6B03B2BBC1D757E828A69CADD9CAE5FDF3B9C9CA54EACF5A
MD5: A43B7CF2EA7D3C29C3E5F380CE3106BE
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,897
I tried yesterday the sample in 2 different VMs (VMWare Pro + Windows 10), one with Kaspersky Premium 21.13a and the other with KES 11 (not the last 12 version), and in none got any detection... in both cases I got several scripts' execution warning errors, but I kept malware running for a while... it's true that in none of the systems I have installed Chrome nor Discord apps.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
I tried yesterday the sample in 2 different VMs (VMWare Pro + Windows 10), one with Kaspersky Premium 21.13a and the other with KES 11 (not the last 12 version), and in none got any detection... in both cases I got several scripts' execution warning errors, but I kept malware running for a while... it's true that in none of the systems I have installed Chrome nor Discord apps.
It tried to access the Edge repository on my testing system with harmony, I got no Chrome either. Most likely Kaspersky has observed telemetry and now behavioural detections are created. If it reports suspicious hashes, it is possible that an analyst has pulled the file from VT. Who knows what tools Kaspersky provides to analysts, maybe they are able to describe a sequence of malicious actions very quick, if not fully automated.
 

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
419
I tried yesterday the sample in 2 different VMs (VMWare Pro + Windows 10), one with Kaspersky Premium 21.13a and the other with KES 11 (not the last 12 version), and in none got any detection... in both cases I got several scripts' execution warning errors, but I kept malware running for a while... it's true that in none of the systems I have installed Chrome nor Discord apps.
I used KES 12 and i only had Brave installed.
 

piquiteco

Level 14
Oct 16, 2022
624
I ran crazydown and for me it had no effect, no detection by Bitdefender AV, no suspicious connections, just two processes running from build.exe that I kept monitoring and then it created some temporary files in the temp folder and they were the same files as the packaged crazydown.exe. I don't have Discord, but I do have edge and chrome. I was disappointed to expect something else from the malware. 😞
1688286153204.png
1688286348002.png
Final results clean machine, tested on physical machine, nothing unusual if stolen or infected then hitched a ride with some Windows process and sent it to web, good luck to the one who stole it. 😌
1688286724093.png

1688287001045.png
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,897
Hello,

New malicious software was found in the attached file.
Trojan-PSW.Win32.DiscoStealer.ah
Its detection will be included in the next update.
Thank you for your help.

Best regards,
Igor, Malware Analyst, Kaspersky
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 Kaspersky Cyber Security Solutions for Home and Business | Kaspersky Securelist | Kaspersky’s threat research and reports
Kaspersky Threat Intelligence Portal - get insights about suspicious files, hashes, URLs, IP addresses or domain names
Already untrusted in KSN:

1688288747250.png
 

partha_roy

Level 3
Well-known
Oct 16, 2022
122
I ran crazydown and for me it had no effect, no detection by Bitdefender AV, no suspicious connections, just two processes running from build.exe that I kept monitoring and then it created some temporary files in the temp folder and they were the same files as the packaged crazydown.exe. I don't have Discord, but I do have edge and chrome. I was disappointed to expect something else from the malware. 😞
Final results clean machine, tested on physical machine, nothing unusual if stolen or infected then hitched a ride with some Windows process and sent it to web, good luck to the one who stole it. 😌
Could you please run the sfc /scannow and check?
 
Last edited:
  • Like
Reactions: piquiteco
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top