Malware Analysis Capcut fake stealer

Status
Not open for further replies.
Shadowra

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,309
likeastar20 said:
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again :D

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d | Triage

Check this epsilon report malware sample 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d, with a score of 10 out of 10.
tria.ge tria.ge

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
View attachment 277174View attachment 277175

812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c | Triage

Check this report malware sample 812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c, with a score of 7 out of 10.
tria.ge tria.ge

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
View attachment 277176

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

quasar | 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc | Triage

Check this quasar report malware sample 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc, with a score of 10 out of 10.
tria.ge tria.ge


@SeriousHoax @silversurfer
Click to expand...

Kaspersky : 3/3
DeepInstinct : 2/3 ( the discord Trojan passed without reaction, one was recognized by the AI and another was blocked from behaving)
F-Secure : 1/3

Capture d’écran 2023-07-15 123404.png


Exploit PowerShell blocked (Medieval Cracked.exe)
Capture d’écran 2023-07-15 123444.png

Capture d’écran 2023-07-15 123517.png

SUD to Avira
 
  • Like
  • +Reputation
Reactions: Nevi, roger_m, piquiteco and 9 others
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb | Triage

Check this epsilon report malware sample d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 10 out of 10.
tria.ge tria.ge

2.PNG

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8 | Triage

Check this epsilon report malware sample 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 10 out of 10.
tria.ge tria.ge

1.PNG
 
Last edited:
  • Like
  • +Reputation
Reactions: piquiteco, Nevi, Kongo and 3 others
Andrew3000

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
516
likeastar20 said:
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb | Triage

Check this epsilon report malware sample d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 10 out of 10.
tria.ge tria.ge

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8 | Triage

Check this epsilon report malware sample 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 10 out of 10.
tria.ge tria.ge

View attachment 277215
Click to expand...
Both detected by Harmony and Kaspersky PDM
 
  • Like
  • +Reputation
  • Applause
Reactions: simmerskool, Nevi, piquiteco and 5 others
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Andrew3000 said:
How are the policies configured?
Click to expand...
Anti-Bot configured on hold:
Anti-malware: disabled size limit and disabled skip scanning of archives and non-executables.
URL filtering: enabled for all apps
Scripts scanning in web pages enabled
All detections configured on “prevent” (low-confidence as well).
Experimental Machine Learning Models: not enabled
Early Availability: not enrolled
Firewall: Disabled blocking of IPV6 traffic; enabled Hotspot usage; Remote Desktop Security on standard; Disabled Truted Zone; Disabled logging of cleanup rule
Application Control:
App Scan performed on C:/
Rules configured by folder to terminate the following completely:
  • Cmd
  • PowerShell
  • Conhost
  • Openconsole
  • Wscript
  • Cscript
Disabled internet connectivity for majority of the LOLBins here: LOLBAS
 
  • Like
  • Thanks
  • +Reputation
Reactions: simmerskool, Nevi, piquiteco and 3 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
likeastar20 said:
1."RabbitCheecks":
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup"
Click to expand...
2023-07-16_11-05-20.png


2023-07-16_11-00-53.png


:rolleyes:
 
  • Like
  • Wow
Reactions: simmerskool, Nevi, piquiteco and 3 others
Shadowra

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,309
likeastar20 said:
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb | Triage

Check this epsilon report malware sample d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 10 out of 10.
tria.ge tria.ge

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

epsilon | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8 | Triage

Check this epsilon report malware sample 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 10 out of 10.
tria.ge tria.ge

View attachment 277215
Click to expand...

Kaspersky :
1) detected UDS:Trojan-PWS.Win32.Disco
2) detected PDM:Trojan.Win32.Generic
 
  • Like
  • +Reputation
Reactions: simmerskool, Nevi, piquiteco and 5 others
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,635
"RabbitCheecks.exe" stole data with no reaction from Bitdefender TS.
bd1.png
The other one "TBMSetup" had no reaction from BD either, but don't know if it stole. The first one don't delete remnants from temp but the second one deletes everything I think and I wasn't quick enough to see it.
 
Last edited:
  • +Reputation
  • Like
Reactions: simmerskool, Nevi, piquiteco and 5 others
Shadowra

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,309
  • Like
Reactions: simmerskool, Nevi, piquiteco and 3 others
Status
Not open for further replies.

Similar threads

Sandbox Breaker
    • Like
    • +Reputation
    • Applause
Malware Analysis Mystic Stealer Bypassing Sandboxes
Replies
50
Views
2,807
Malware Analysis Archive
Trident
Trident
L
    • Like
    • Wow
  • Locked
Bitdefender support fail
Replies
18
Views
1,121
Malware Analysis Archive
likeastar20
L
Xeno1234
    • Like
Malware Analysis Evasive Stealer or Broken Sample?
Replies
12
Views
967
Malware Analysis
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top