Malware Analysis Capcut fake stealer

Status
Not open for further replies.

Razza

Level 4
Verified
Well-known
Aug 12, 2014
163
Not a question related to this sample, quite often with samples posted here and other sources I follow I've noticed Kaspersky is normally quite quick at detecting it other thing I've noticed Bitdefender seem to be a bit slow at adding new detections compared to the past.
 

Xeno1234

Level 14
Jun 12, 2023
684
Not a question related to this sample, quite often with samples posted here and other sources I follow I've noticed Kaspersky is normally quite quick at detecting it other thing I've noticed Bitdefender seem to be a bit slow at adding new detections compared to the past.
Kaspersky gets it with its behavioral detection, which then feeds into KSN as UDS:______. Bitdefender misses it without signatures.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,169
Not a question related to this sample, quite often with samples posted here and other sources I follow I've noticed Kaspersky is normally quite quick at detecting it other thing I've noticed Bitdefender seem to be a bit slow at adding new detections compared to the past.
Aside from behavioral detection, Kaspersky is pretty much at the top in writing defnitions against malware. They to this both re-actively (once a malicious file is in the Wild) as well as proactively with a division dedicated to discovering and monitoring DarkWeb groups that are writing new malware.
 

Xeno1234

Level 14
Jun 12, 2023
684
Aside from behavioral detection, Kaspersky is pretty much at the top in writing defnitions against malware. They to this both re-actively (once a malicious file is in the Wild) as well as proactively with a division dedicated to discovering and monitoring DarkWeb groups that are writing new malware.
Their behavioral detection also tops all other home AV's and some business products. It only looses out when you compare it to other products like Checkpoint Harmony, or other EDRs, which probably use part of Kaspersky such as threat intelligence or their engine to increase effectiveness, and things topping Kaspersky are VERY FEW.
 
Last edited:

SeriousHoax

Level 48
Verified
Top Poster
Well-known
Mar 16, 2019
3,716
Another Avast miss on my end, detected by Kaspersky :unsure:


Bitdefender Free:
1689253913082.png
 

Shadowra

Level 35
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,409
Another Avast miss on my end, detected by Kaspersky :unsure:



I quickly deployed a KTS on my VM (sorry, it's not in English, but in my native language)

Kaspersky blocked it on launch - dodgy KSN.

Capture d’écran 2023-07-13 152042.png

Capture d’écran 2023-07-13 152100.png

Capture d’écran 2023-07-13 152118.png
 

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
380
Look above, Kaspersky detects it well.
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again :D



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
1.PNG
23423423.PNG



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
1234.PNG




@SeriousHoax @silversurfer
 
Last edited:

SeriousHoax

Level 48
Verified
Top Poster
Well-known
Mar 16, 2019
3,716
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again :D



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
View attachment 277174View attachment 277175



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
View attachment 277176




@SeriousHoax @silversurfer
Medieval Cracked.exe was detected by ESET and Bitdefender TS.
ESET had two detection via Command Line Scanner, one via AMSI.
Bitdefender Total Security blocked via its Command Line Scanner. FYI, BD Free doesn't have Command Line Scanner. So I can't tell if BD Free can detected it.
e1.pnge2.pnge3.png
bd0.png
I hid the malicious code in the screenshots on purpose.

ESET missed, Snake_v1.exe.

Snake_v1.exe was caught by Bitdefender's Behavior Blocker and a malicious C2 was also blocked prior to that.
bd1.pngbd2.pngbd3.png
Microsoft Defender missed both Medieval Cracked.exe & Snake_v1.exe. Medieval Cracked.exe turned off MD's Cloud Protection, Auto sample submission and also added several file formats to its exclusions. So the malware could do anything it wanted.
md1.pngmd2.png
Later, I manually turned all protection on and removed the exclusions. Then when I clicked on a malicious file running on memory, MD woke up and detected a Backdoor and removed files related to it like scheduled tasks. But this detection doesn't matter. So failure for MD.
md3.png
TBMSetup (1).exe was missed by all of MD, ESET and BD. I can't tell if it was able to steal data.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,541
My test with Bitdefender Free is still in progress... I will add details step by step ;)


TBMSetup (1).exe => BD "Online Threat Prevention" blocked this URL:

TB#2.png


Medieval Cracked.exe => BD "Advanced Threat Defense" blocked/detected malicious behavior:

MC#1.png MC#2.png


Snake_v1.exe => BD "Advanced Threat Defense" blocked/detected malicious behavior:

SK#1.png SK#2.png


Bitdefender Quarantine: two files spawned/dropped by Medieval...exe & Snake...exe

Q#1.png
 
Last edited:

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
380
Medieval Cracked.exe was detected by ESET and Bitdefender TS.
ESET had two detection via Command Line Scanner, one via AMSI.
Bitdefender Total Security blocked via its Command Line Scanner. FYI, BD Free doesn't have Command Line Scanner. So I can't tell if BD Free can detected it.
View attachment 277183View attachment 277184View attachment 277185
View attachment 277179
I hid the malicious code in the screenshots on purpose.

ESET missed, Snake_v1.exe.

Snake_v1.exe was caught by Bitdefender's Behavior Blocker and a malicious C2 was also blocked prior to that.
View attachment 277180View attachment 277181View attachment 277182
Microsoft Defender missed both Medieval Cracked.exe & Snake_v1.exe. Medieval Cracked.exe turned off MD's Cloud Protection, Auto sample submission and also added several file formats to its exclusions. So the malware could do anything it wanted.
View attachment 277186View attachment 277187
Later, I manually turned all protection on and removed the exclusions. Then when I clicked on a malicious file running on memory, MD woke up and detected a Backdoor and removed files related to it like scheduled tasks. But this detection doesn't matter. So failure for MD.
View attachment 277188
TBMSetup (1).exe was missed by all of MD, ESET and BD. I can't tell if it was able to steal data.
Great insight, thanks!
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top