Question Analyzing SCR file

Please provide comments and solutions that are helpful to the author of this topic.

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
1692987247883.png

Microsoft Threat Experts confirm malicious and posted signature.

1692987332206.png

Xcitium Analysts still pending in que.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
levelcomputer.exe is a cabinet file. After unpacking it with 7zip you will get 2 files ca 90 MB each, one is the 32 bit and the other the 64 bit variant of a similar .NET assembly.

64 bit: VirusTotal
32 bit: VirusTotal

I continued mainly with the 32 bit version. It downloads encrypted data from this URL and decodes it: VirusTotal

nextdownload.png


It performs process injection by running itself as a child process and injecting the payload there. I unpacked the payload and uploaded it here: VirusTotal

It is indeed LummaStealer. One of our analysts already worked on that malware family, hence we have a proper detection name here. It also sets the user agent TeslaBrowser/5.5 for its requests which is mentioned in this article about LummaStealer


1692989387149.png
 
Last edited:

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
levelcomputer.exe is a cabinet file. After unpacking it with 7zip you will get 2 files ca 90 MB each, one is the 32 bit and the other the 64 bit variant of a similar .NET assembly.

64 bit: VirusTotal
32 bit: VirusTotal

I continued with the 32 bit version. It downloads encrypted data from this URL and decodes it: VirusTotal

It performs process injection by running itself as a child process and injecting the payload there. I unpacked the payload and uploaded it here: VirusTotal

It is indeed LummaStealer. One of our analysts already worked on that sample, hence we have a proper detection name here. It also sets the user agent TeslaBrowser/5.5 for its requests which is mentioned in this article about LummaStealer


View attachment 278122
I swear I aspire to be like you @struppigel
 

Yseurk

Level 1
Thread author
Aug 28, 2022
10
First of all guys I'm amazed about the help provided and your knowledge !

I'm currently working as a sysadmin sharing my time with cybersecurity tasks, spending my free time on hacking forums, trying to learn as much as I can (offensive and defensive). I'm planning to work as a SOC Analyst for 2024. But malware analysis is definitely a field I want to dive into in my free time.

Ow, and by the way I'm french so I'll probably have few questions about some words I didn't get. And pardon my English

@Sandbox Breaker@ :
- "File shows no GUI which further indacated their MO to stay hidden" > what "MO" stands for ?
- "Unique Code" > that means that the malware is new / not already known ?

Thanks for the tools shared ! I added some I didn't have yet (especially Xcitium, Intelix, Hatching)

- "Sophos ML Broken by this sample. Reputation is known but high TTD (Time to detect)." What do you mean by "Reputation is known but
high TTD" ?

How did you submitted the file to "Microsoft Threat Expert" ? Is it through the Microsoft Defender portal related to Microsoft 365 ?
I'm familiar with Microsoft 365, got the MS-500 and the interface makes me think of it.

- "Ok so here is Microsoft Deep Analysis(SAND BOX). Still waiting on their Human Analyst." > You mean that when a file is submitted and is not
known by the tool, there is a human analysis after that ?

- "Xcitium Broken but waiting on their Human Analysts also." > What do you mean by "Broken" ? I saw you used it before for Sophos ML,
does that mean "Xcitium doesn't work" ?


@struppigel@ :

"DnSpy does not work here because it cannot open .NETCore App singlefiles. You can open it with ILSpy, though." > Got it ! I'm adding this tool to my list :)

"The more interesting part will be the downloaded file. The levelcomputer.zip is 192 MB in size, so VT is not fond of it. I am gonna check if I can remove some bloat to share the file."
As far as I know VT can accept file up to 700Mb, what do you mean that it will not be fond of it ?
What do you mean by "Removing some bloat" ? I only know the term "Bloatware", however I know a method that consists of adding useless data to a payload in order to make it bigger and less trivial to analyze it, is it what you are talking about ?

@Xeno1234@ :

- "Original file is also UDS, so I guess it wasn’t detected by Scanner at all." > What do you mean by "UDS" ? I know FUD that makes a malware not recognizable

- "We do truely love System Watcher." > What is "System Watcher" ?
 

Xeno1234

Level 14
Jun 12, 2023
684
First of all guys I'm amazed about the help provided and your knowledge !

I'm currently working as a sysadmin sharing my time with cybersecurity tasks, spending my free time on hacking forums, trying to learn as much as I can (offensive and defensive). I'm planning to work as a SOC Analyst for 2024. But malware analysis is definitely a field I want to dive into in my free time.

Ow, and by the way I'm french so I'll probably have few questions about some words I didn't get. And pardon my English

@Sandbox Breaker@ :
- "File shows no GUI which further indacated their MO to stay hidden" > what "MO" stands for ?
- "Unique Code" > that means that the malware is new / not already known ?

Thanks for the tools shared ! I added some I didn't have yet (especially Xcitium, Intelix, Hatching)

- "Sophos ML Broken by this sample. Reputation is known but high TTD (Time to detect)." What do you mean by "Reputation is known but
high TTD" ?

How did you submitted the file to "Microsoft Threat Expert" ? Is it through the Microsoft Defender portal related to Microsoft 365 ?
I'm familiar with Microsoft 365, got the MS-500 and the interface makes me think of it.

- "Ok so here is Microsoft Deep Analysis(SAND BOX). Still waiting on their Human Analyst." > You mean that when a file is submitted and is not
known by the tool, there is a human analysis after that ?

- "Xcitium Broken but waiting on their Human Analysts also." > What do you mean by "Broken" ? I saw you used it before for Sophos ML,
does that mean "Xcitium doesn't work" ?


@struppigel@ :

"DnSpy does not work here because it cannot open .NETCore App singlefiles. You can open it with ILSpy, though." > Got it ! I'm adding this tool to my list :)

"The more interesting part will be the downloaded file. The levelcomputer.zip is 192 MB in size, so VT is not fond of it. I am gonna check if I can remove some bloat to share the file."
As far as I know VT can accept file up to 700Mb, what do you mean that it will not be fond of it ?
What do you mean by "Removing some bloat" ? I only know the term "Bloatware", however I know a method that consists of adding useless data to a payload in order to make it bigger and less trivial to analyze it, is it what you are talking about ?

@Xeno1234@ :

- "Original file is also UDS, so I guess it wasn’t detected by Scanner at all." > What do you mean by "UDS" ? I know FUD that makes a malware not recognizable

- "We do truely love System Watcher." > What is "System Watcher" ?
UDS Is a Kaspersky Detection via Cloud Protection which states a file was detected via other means such as Behavioral Blocking rather than Scanner
System Watcher is Kaspersky's Behavior Blocker which uses Deep ML and Signatures.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
@struppigel@ :

"DnSpy does not work here because it cannot open .NETCore App singlefiles. You can open it with ILSpy, though." > Got it ! I'm adding this tool to my list :)

"The more interesting part will be the downloaded file. The levelcomputer.zip is 192 MB in size, so VT is not fond of it. I am gonna check if I can remove some bloat to share the file."
As far as I know VT can accept file up to 700Mb, what do you mean that it will not be fond of it ?
What do you mean by "Removing some bloat" ? I only know the term "Bloatware", however I know a method that consists of adding useless data to a payload in order to make it bigger and less trivial to analyze it, is it what you are talking about ?

Yes, that was what I meant. There is no reason those files need to be that big. Since automatic analysis systems often have a file size limit, some malware deliberately adds junk/bloat to be above that limit. Most of the time I can remove those junk bytes and create a smaller version of the same file. In this case I did not see an obvious way to remove the bloat because it is more integrated with the file.
 

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
Yes, that was what I meant. There is no reason those files need to be that big. Since automatic analysis systems often have a file size limit, some malware deliberately adds junk/bloat to be above that limit. Most of the time I can remove those junk bytes and create a smaller version of the same file. In this case I did not see an obvious way to remove the bloat because it is more integrated with the file.
Machines will never replace the Analyst. This is proof of that. So many "systems" were fooled by this long and encryption execution chain that it took Analyst's to un cloak this.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
Machines will never replace the Analyst. This is proof of that. So many "systems" were fooled by this long and encryption execution chain that it took Analyst's to un cloak this.
"never" is perhaps too strong. I think this is like chess and Go, soon enough Ai will out-think us in all areas. :unsure: (must be true, look at all the billions being spent on Ai...)
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,147
I think this is like chess and Go, soon enough Ai will out-think us in all areas. :unsure:
Computing isn't thinking. One of many reasons is that creativity is part of the thinking process. Computing can employ randomness but not creativity. The example of driver-less cars is relevant here because a big problem is how the AI car responds to emergencies, stopping and clogging up access for emergency vehicles. San Francisco is a living nightmare of a lab experiment, and has warned other cities' leaders of the danger they pose.

The randomness of AI is what has most of us laughing. Just look at some of pure crap AI spits out, eg. just look at @Bot 's posts here on the forum.
(must be true, look at all the billions being spent on Ai...)
Irrelevant.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
Computing isn't thinking. One of many reasons is that creativity is part of the thinking process. Computing can employ randomness but not creativity. The example of driver-less cars is relevant here because a big problem is how the AI car responds to emergencies, stopping and clogging up access for emergency vehicles. San Francisco is a living nightmare of a lab experiment, and has warned other cities' leaders of the danger they pose.

The randomness of AI is what has most of us laughing. Just look at some of pure crap AI spits out, eg. just look at @Bot 's posts here on the forum.

Irrelevant.
sure, but "never" is a long time. We can chat about this again in + 5 years. :ROFLMAO:
a computer scientist (UK) recently wrote something re distinction (non-distinction) people & machines, "both are just collection of atoms..." (paraphrase)
 
  • Like
Reactions: oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top