Malware Analysis Capcut fake stealer

Status
Not open for further replies.
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
There is a new stealer that masquerades as an app called Capcut. As of time of writing, the only detection on VT is from Kaspersky. I tested the sample with BD, no reaction. (@silversurfer @SeriousHoax @RansomwareRemediation).

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

9832647d56bce277c025944ca38095da9942add7aa235893785a3d8e86eaa4ed | Triage

Check this report malware sample 9832647d56bce277c025944ca38095da9942add7aa235893785a3d8e86eaa4ed, with a score of 7 out of 10.
tria.ge tria.ge

Not detected by Avast.


asdfasdf.PNGhhh.PNGnpe.PNGavast.PNG
 
Last edited:
  • Like
  • +Reputation
Reactions: Sunshine-boy, Zartarra, oldschool and 12 others
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
silversurfer said:
Just tried as quick test only in VMware Pro v.17 (Win 10 x64), this sample does still run with outbound connection, no reaction from BD Free at least so far...

View attachment 277089
Click to expand...
I have not yet sent the sample directly to any AV vendor. I wanted to see who would detect it first with their behavior modules. If I send it to BD for example, I expect the sample to be detected in about 2-3H...
 
  • Like
  • Hundred Points
Reactions: piquiteco, brambedkar59, vtqhtr413 and 5 others
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Harmony Endpoint with Sophos, the file is detected by threat emulation upon download.
I switched emulation off and executed the file, there is no detection.
There is also no node.js or anything suspicious running.

Edit:
The file relies on openconsole.exe which under my policy is blocked. The sample can't work properly.
1689151244154.png
 
Last edited:
  • Like
  • +Reputation
  • Wow
Reactions: Zartarra, oldschool, plat and 9 others
cruelsister

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
K and Sophos will now detect both the original file and the triple sized thrown off daughter (actually even Defender is now aware). The spawned Visual Studio modules is also never a good thing. But once again an Outbound alerting Firewall would have noticed a connection out to Command, an Amazon addy also used in Olden Times by Darkside.
 
Last edited:
  • Like
  • Applause
Reactions: plat, piquiteco, Nevi and 6 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
likeastar20 said:
There is a new stealer that masquerades as an app called Capcut.
Click to expand...
Was reported about 2 months ago here:

malwaretips.com

Cloned CapCut websites push information stealing malware

A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims. CapCut is ByteDance's official video editor and maker for TikTok, supporting music mixing, color filters, animation, slow-mo effects...
malwaretips.com malwaretips.com

Even back in 2020 the Indian government wasn't happy about the official app.
malwaretips.com

India Government bans more Chinese apps (updated)

According to an early report from News18, the Government of India released an order on Friday that banned 47 more apps with Chinese connections. These apps are said to be functional clones of the apps that were banned earlier. The list of the newly banned app includes TikTok Lite, Helo Lite...
malwaretips.com malwaretips.com
 
  • Like
  • +Reputation
  • Applause
Reactions: oldschool, plat, piquiteco and 10 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,178
  • +Reputation
  • Like
  • HaHa
Reactions: oldschool, piquiteco, Nevi and 8 others
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,636
silversurfer said:
Re-test this sample, this time BD Free does detect a part... but the source sample remained undetected for now ;)

View attachment 277103
Click to expand...
I submitted this one to BD today in the morning before this stealer sample was shared here. Didn't notice that it was used in this one also. I saw a different malware using it yesterday. I asked BD to add atleast a PUP detection for it kind of similar to Kaspersky and they did it. Though Kaspersky's signature is "not-a-virus....." for this one which means Kaspersky on default settings would not notify (only if you open the K UI) or even stop execution of it. I don't know the details but the file can be used for legal purpose also.
 
  • Like
  • +Reputation
Reactions: oldschool, piquiteco, Nevi and 6 others
Status
Not open for further replies.

Similar threads

Sandbox Breaker
    • Like
    • +Reputation
    • Applause
Malware Analysis Mystic Stealer Bypassing Sandboxes
Replies
50
Views
2,807
Malware Analysis Archive
Trident
Trident
L
    • Like
    • Wow
  • Locked
Bitdefender support fail
Replies
18
Views
1,121
Malware Analysis Archive
likeastar20
L
Xeno1234
    • Like
Malware Analysis Evasive Stealer or Broken Sample?
Replies
12
Views
967
Malware Analysis
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top