Malware Analysis Capcut fake stealer

Status
Not open for further replies.

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again :D



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
View attachment 277174View attachment 277175



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
View attachment 277176




@SeriousHoax @silversurfer

Kaspersky : 3/3
DeepInstinct : 2/3 ( the discord Trojan passed without reaction, one was recognized by the AI and another was blocked from behaving)
F-Secure : 1/3

Capture d’écran 2023-07-15 123404.png


Exploit PowerShell blocked (Medieval Cracked.exe)
Capture d’écran 2023-07-15 123444.png

Capture d’écran 2023-07-15 123517.png

SUD to Avira
 

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

2.PNG

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

1.PNG
 
Last edited:

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
537
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

View attachment 277215
Both detected by Harmony and Kaspersky PDM
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
How are the policies configured?
Anti-Bot configured on hold:
Anti-malware: disabled size limit and disabled skip scanning of archives and non-executables.
URL filtering: enabled for all apps
Scripts scanning in web pages enabled
All detections configured on “prevent” (low-confidence as well).
Experimental Machine Learning Models: not enabled
Early Availability: not enrolled
Firewall: Disabled blocking of IPV6 traffic; enabled Hotspot usage; Remote Desktop Security on standard; Disabled Truted Zone; Disabled logging of cleanup rule
Application Control:
App Scan performed on C:/
Rules configured by folder to terminate the following completely:
  • Cmd
  • PowerShell
  • Conhost
  • Openconsole
  • Wscript
  • Cscript
Disabled internet connectivity for majority of the LOLBins here: LOLBAS
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
1."RabbitCheecks":
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup"
2023-07-16_11-05-20.png


2023-07-16_11-00-53.png


:rolleyes:
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

View attachment 277215

Kaspersky :
1) detected UDS:Trojan-PWS.Win32.Disco
2) detected PDM:Trojan.Win32.Generic
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
"RabbitCheecks.exe" stole data with no reaction from Bitdefender TS.
bd1.png
The other one "TBMSetup" had no reaction from BD either, but don't know if it stole. The first one don't delete remnants from temp but the second one deletes everything I think and I wasn't quick enough to see it.
 
Last edited:

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top