Malware Analysis Capcut fake stealer

Status
Not open for further replies.
Razza

Razza

Level 4
Verified
Well-known
Aug 12, 2014
163
Not a question related to this sample, quite often with samples posted here and other sources I follow I've noticed Kaspersky is normally quite quick at detecting it other thing I've noticed Bitdefender seem to be a bit slow at adding new detections compared to the past.
 
  • Like
Reactions: piquiteco, [correlate], Nevi and 2 others
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
Razza said:
Not a question related to this sample, quite often with samples posted here and other sources I follow I've noticed Kaspersky is normally quite quick at detecting it other thing I've noticed Bitdefender seem to be a bit slow at adding new detections compared to the past.
Click to expand...
Kaspersky gets it with its behavioral detection, which then feeds into KSN as UDS:______. Bitdefender misses it without signatures.
 
  • Like
Reactions: piquiteco, [correlate], Razza and 2 others
cruelsister

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
Razza said:
Not a question related to this sample, quite often with samples posted here and other sources I follow I've noticed Kaspersky is normally quite quick at detecting it other thing I've noticed Bitdefender seem to be a bit slow at adding new detections compared to the past.
Click to expand...
Aside from behavioral detection, Kaspersky is pretty much at the top in writing defnitions against malware. They to this both re-actively (once a malicious file is in the Wild) as well as proactively with a division dedicated to discovering and monitoring DarkWeb groups that are writing new malware.
 
  • Like
  • +Reputation
  • Applause
Reactions: piquiteco, [correlate], simmerskool and 7 others
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
cruelsister said:
Aside from behavioral detection, Kaspersky is pretty much at the top in writing defnitions against malware. They to this both re-actively (once a malicious file is in the Wild) as well as proactively with a division dedicated to discovering and monitoring DarkWeb groups that are writing new malware.
Click to expand...
Their behavioral detection also tops all other home AV's and some business products. It only looses out when you compare it to other products like Checkpoint Harmony, or other EDRs, which probably use part of Kaspersky such as threat intelligence or their engine to increase effectiveness, and things topping Kaspersky are VERY FEW.
 
Last edited:
  • Like
Reactions: roger_m and [correlate]
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,635
likeastar20 said:
Another Avast miss on my end, detected by Kaspersky :unsure:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

strela | 6ef79b0d87df8031acaa5f7302001fca22f908619f1c887ce70539050c3235ce | Triage

Check this strela report malware sample 6ef79b0d87df8031acaa5f7302001fca22f908619f1c887ce70539050c3235ce, with a score of 10 out of 10.
tria.ge tria.ge
Click to expand...
Bitdefender Free:
1689253913082.png
 
  • Like
  • +Reputation
  • Applause
Reactions: Zartarra, oldschool, Nevi and 7 others
Shadowra

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,309
likeastar20 said:
Another Avast miss on my end, detected by Kaspersky :unsure:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

strela | 6ef79b0d87df8031acaa5f7302001fca22f908619f1c887ce70539050c3235ce | Triage

Check this strela report malware sample 6ef79b0d87df8031acaa5f7302001fca22f908619f1c887ce70539050c3235ce, with a score of 10 out of 10.
tria.ge tria.ge
Click to expand...

I quickly deployed a KTS on my VM (sorry, it's not in English, but in my native language)

Kaspersky blocked it on launch - dodgy KSN.

Capture d’écran 2023-07-13 152042.png

Capture d’écran 2023-07-13 152100.png

Capture d’écran 2023-07-13 152118.png
 
  • +Reputation
  • Like
Reactions: Zartarra, oldschool, Nevi and 6 others
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
Shadowra said:
Look above, Kaspersky detects it well.
Click to expand...
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again :D

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d | Triage

Check this epsilon report malware sample 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d, with a score of 10 out of 10.
tria.ge tria.ge

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
1.PNG
23423423.PNG

812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c | Triage

Check this report malware sample 812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c, with a score of 7 out of 10.
tria.ge tria.ge

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
1234.PNG

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

quasar | 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc | Triage

Check this quasar report malware sample 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc, with a score of 10 out of 10.
tria.ge tria.ge


@SeriousHoax @silversurfer
 
Last edited:
  • Like
  • +Reputation
  • Wow
Reactions: piquiteco, Zartarra, oldschool and 7 others
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,635
likeastar20 said:
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again :D

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d | Triage

Check this epsilon report malware sample 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d, with a score of 10 out of 10.
tria.ge tria.ge

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
View attachment 277174View attachment 277175

812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c | Triage

Check this report malware sample 812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c, with a score of 7 out of 10.
tria.ge tria.ge

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
View attachment 277176

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

quasar | 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc | Triage

Check this quasar report malware sample 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc, with a score of 10 out of 10.
tria.ge tria.ge


@SeriousHoax @silversurfer
Click to expand...
Medieval Cracked.exe was detected by ESET and Bitdefender TS.
ESET had two detection via Command Line Scanner, one via AMSI.
Bitdefender Total Security blocked via its Command Line Scanner. FYI, BD Free doesn't have Command Line Scanner. So I can't tell if BD Free can detected it.
e1.pnge2.pnge3.png
bd0.png
I hid the malicious code in the screenshots on purpose.

ESET missed, Snake_v1.exe.

Snake_v1.exe was caught by Bitdefender's Behavior Blocker and a malicious C2 was also blocked prior to that.
bd1.pngbd2.pngbd3.png
Microsoft Defender missed both Medieval Cracked.exe & Snake_v1.exe. Medieval Cracked.exe turned off MD's Cloud Protection, Auto sample submission and also added several file formats to its exclusions. So the malware could do anything it wanted.
md1.pngmd2.png
Later, I manually turned all protection on and removed the exclusions. Then when I clicked on a malicious file running on memory, MD woke up and detected a Backdoor and removed files related to it like scheduled tasks. But this detection doesn't matter. So failure for MD.
md3.png
TBMSetup (1).exe was missed by all of MD, ESET and BD. I can't tell if it was able to steal data.
 
  • Like
  • +Reputation
Reactions: Nevi, piquiteco, Zartarra and 8 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,178
My test with Bitdefender Free is still in progress... I will add details step by step ;)


TBMSetup (1).exe => BD "Online Threat Prevention" blocked this URL:

TB#2.png


Medieval Cracked.exe => BD "Advanced Threat Defense" blocked/detected malicious behavior:

MC#1.png MC#2.png


Snake_v1.exe => BD "Advanced Threat Defense" blocked/detected malicious behavior:

SK#1.png SK#2.png


Bitdefender Quarantine: two files spawned/dropped by Medieval...exe & Snake...exe

Q#1.png
 
Last edited:
  • +Reputation
  • Like
Reactions: Nevi, piquiteco, Zartarra and 8 others
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
SeriousHoax said:
Medieval Cracked.exe was detected by ESET and Bitdefender TS.
ESET had two detection via Command Line Scanner, one via AMSI.
Bitdefender Total Security blocked via its Command Line Scanner. FYI, BD Free doesn't have Command Line Scanner. So I can't tell if BD Free can detected it.
View attachment 277183View attachment 277184View attachment 277185
View attachment 277179
I hid the malicious code in the screenshots on purpose.

ESET missed, Snake_v1.exe.

Snake_v1.exe was caught by Bitdefender's Behavior Blocker and a malicious C2 was also blocked prior to that.
View attachment 277180View attachment 277181View attachment 277182
Microsoft Defender missed both Medieval Cracked.exe & Snake_v1.exe. Medieval Cracked.exe turned off MD's Cloud Protection, Auto sample submission and also added several file formats to its exclusions. So the malware could do anything it wanted.
View attachment 277186View attachment 277187
Later, I manually turned all protection on and removed the exclusions. Then when I clicked on a malicious file running on memory, MD woke up and detected a Backdoor and removed files related to it like scheduled tasks. But this detection doesn't matter. So failure for MD.
View attachment 277188
TBMSetup (1).exe was missed by all of MD, ESET and BD. I can't tell if it was able to steal data.
Click to expand...
Great insight, thanks!
 
  • Like
Reactions: Nevi, piquiteco, oldschool and 4 others
Status
Not open for further replies.

Similar threads

Sandbox Breaker
    • Like
    • +Reputation
    • Applause
Malware Analysis Mystic Stealer Bypassing Sandboxes
Replies
50
Views
2,807
Malware Analysis Archive
Trident
Trident
L
    • Like
    • Wow
  • Locked
Bitdefender support fail
Replies
18
Views
1,121
Malware Analysis Archive
likeastar20
L
Xeno1234
    • Like
Malware Analysis Evasive Stealer or Broken Sample?
Replies
12
Views
967
Malware Analysis
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top