Malware Analysis Capcut fake stealer

Status
Not open for further replies.
Shadowra

Shadowra

Level 31
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,049
likeastar20 said:
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again :D

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d

Check this malware sample report @ 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d, with a score of 0 out of 10.
tria.ge tria.ge

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
View attachment 277174View attachment 277175

Triage | 812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c

Check this malware sample report @ 812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c, with a score of 0 out of 10.
tria.ge tria.ge

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
View attachment 277176

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc

Check this malware sample report @ 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc, with a score of 0 out of 10.
tria.ge tria.ge


@SeriousHoax @silversurfer
Click to expand...

Kaspersky : 3/3
DeepInstinct : 2/3 ( the discord Trojan passed without reaction, one was recognized by the AI and another was blocked from behaving)
F-Secure : 1/3

Capture d’écran 2023-07-15 123404.png


Exploit PowerShell blocked (Medieval Cracked.exe)
Capture d’écran 2023-07-15 123444.png

Capture d’écran 2023-07-15 123517.png

SUD to Avira
 
  • Like
  • +Reputation
Reactions: Nevi, roger_m, piquiteco and 9 others
L

likeastar20

Level 7
Thread author
Verified
Mar 24, 2016
330
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb

Check this malware sample report @ d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 0 out of 10.
tria.ge tria.ge

2.PNG

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8

Check this malware sample report @ 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 0 out of 10.
tria.ge tria.ge

1.PNG
 
Last edited:
  • Like
  • +Reputation
Reactions: piquiteco, Nevi, Kongo and 3 others
Andrew3000

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
513
likeastar20 said:
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb

Check this malware sample report @ d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 0 out of 10.
tria.ge tria.ge

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8

Check this malware sample report @ 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 0 out of 10.
tria.ge tria.ge

View attachment 277215
Click to expand...
Both detected by Harmony and Kaspersky PDM
 
  • Like
  • +Reputation
  • Applause
Reactions: simmerskool, Nevi, piquiteco and 5 others
Trident

Trident

Level 26
Verified
Well-known
Feb 7, 2023
1,508
Andrew3000 said:
How are the policies configured?
Click to expand...
Anti-Bot configured on hold:
Anti-malware: disabled size limit and disabled skip scanning of archives and non-executables.
URL filtering: enabled for all apps
Scripts scanning in web pages enabled
All detections configured on “prevent” (low-confidence as well).
Experimental Machine Learning Models: not enabled
Early Availability: not enrolled
Firewall: Disabled blocking of IPV6 traffic; enabled Hotspot usage; Remote Desktop Security on standard; Disabled Truted Zone; Disabled logging of cleanup rule
Application Control:
App Scan performed on C:/
Rules configured by folder to terminate the following completely:
  • Cmd
  • PowerShell
  • Conhost
  • Openconsole
  • Wscript
  • Cscript
Disabled internet connectivity for majority of the LOLBins here: LOLBAS
 
  • Like
  • Thanks
  • +Reputation
Reactions: simmerskool, Nevi, piquiteco and 3 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,430
likeastar20 said:
1."RabbitCheecks":
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup"
Click to expand...
2023-07-16_11-05-20.png


2023-07-16_11-00-53.png


:rolleyes:
 
  • Like
  • Wow
Reactions: simmerskool, Nevi, piquiteco and 3 others
Shadowra

Shadowra

Level 31
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,049
likeastar20 said:
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb

Check this malware sample report @ d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 0 out of 10.
tria.ge tria.ge

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Triage | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8

Check this malware sample report @ 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 0 out of 10.
tria.ge tria.ge

View attachment 277215
Click to expand...

Kaspersky :
1) detected UDS:Trojan-PWS.Win32.Disco
2) detected PDM:Trojan.Win32.Generic
 
  • Like
  • +Reputation
Reactions: simmerskool, Nevi, piquiteco and 5 others
SeriousHoax

SeriousHoax

Level 46
Verified
Top Poster
Well-known
Mar 16, 2019
3,543
"RabbitCheecks.exe" stole data with no reaction from Bitdefender TS.
bd1.png
The other one "TBMSetup" had no reaction from BD either, but don't know if it stole. The first one don't delete remnants from temp but the second one deletes everything I think and I wasn't quick enough to see it.
 
Last edited:
  • +Reputation
  • Like
Reactions: simmerskool, Nevi, piquiteco and 5 others
Shadowra

Shadowra

Level 31
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,049
  • Like
Reactions: simmerskool, Nevi, piquiteco and 3 others
Status
Not open for further replies.

Similar threads

Sandbox Breaker
    • Like
    • +Reputation
    • Applause
Malware Analysis Mystic Stealer Bypassing Sandboxes
Replies
50
Views
2,046
Malware Analysis Archive
Trident
Trident
L
    • Like
    • Wow
  • Locked
Bitdefender support fail
Replies
18
Views
894
Malware Analysis Archive
likeastar20
L
Xeno1234
    • Like
Malware Analysis Evasive Stealer or Broken Sample?
Replies
12
Views
741
Malware Analysis
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top