Malware Analysis Capcut fake stealer

Status
Not open for further replies.

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
374
There is a new stealer that masquerades as an app called Capcut. As of time of writing, the only detection on VT is from Kaspersky. I tested the sample with BD, no reaction. (@silversurfer @SeriousHoax @RansomwareRemediation).



Not detected by Avast.


asdfasdf.PNGhhh.PNGnpe.PNGavast.PNG
 
Last edited:

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
374
Just tried as quick test only in VMware Pro v.17 (Win 10 x64), this sample does still run with outbound connection, no reaction from BD Free at least so far...

View attachment 277089
I have not yet sent the sample directly to any AV vendor. I wanted to see who would detect it first with their behavior modules. If I send it to BD for example, I expect the sample to be detected in about 2-3H...
 

Trident

Level 29
Verified
Top Poster
Well-known
Feb 7, 2023
1,812
Harmony Endpoint with Sophos, the file is detected by threat emulation upon download.
I switched emulation off and executed the file, there is no detection.
There is also no node.js or anything suspicious running.

Edit:
The file relies on openconsole.exe which under my policy is blocked. The sample can't work properly.
1689151244154.png
 
Last edited:

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,166
K and Sophos will now detect both the original file and the triple sized thrown off daughter (actually even Defender is now aware). The spawned Visual Studio modules is also never a good thing. But once again an Outbound alerting Firewall would have noticed a connection out to Command, an Amazon addy also used in Olden Times by Darkside.
 
Last edited:

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
There is a new stealer that masquerades as an app called Capcut.
Was reported about 2 months ago here:


Even back in 2020 the Indian government wasn't happy about the official app.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,420

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,671
Re-test this sample, this time BD Free does detect a part... but the source sample remained undetected for now ;)

View attachment 277103
I submitted this one to BD today in the morning before this stealer sample was shared here. Didn't notice that it was used in this one also. I saw a different malware using it yesterday. I asked BD to add atleast a PUP detection for it kind of similar to Kaspersky and they did it. Though Kaspersky's signature is "not-a-virus....." for this one which means Kaspersky on default settings would not notify (only if you open the K UI) or even stop execution of it. I don't know the details but the file can be used for legal purpose also.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top