Malware Analysis Capcut fake stealer

Shadowra · Jul 15, 2023

likeastar20 said:
Kaspersky is too good. Another fake game stealer using the same method(app.asar). Downloaded from itch.io, it's actually on the "New & Popular" page. On VT, Kaspersky caught it again

VirusTotal

VirusTotal

www.virustotal.com

epsilon | 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d | Triage

Check this epsilon report malware sample 962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d, with a score of 10 out of 10.

tria.ge

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another one, Avast Miss:
View attachment 277174 View attachment 277175

812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c | Triage

Check this report malware sample 812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c, with a score of 7 out of 10.

tria.ge

VirusTotal

VirusTotal

www.virustotal.com

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Quasar, caught by Avast(powershell):
View attachment 277176

VirusTotal

VirusTotal

www.virustotal.com

quasar | 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc | Triage

Check this quasar report malware sample 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc, with a score of 10 out of 10.

tria.ge

@SeriousHoax @silversurfer

Kaspersky : 3/3
DeepInstinct : 2/3 ( the discord Trojan passed without reaction, one was recognized by the AI and another was blocked from behaving)
F-Secure : 1/3

Exploit PowerShell blocked (Medieval Cracked.exe)

SUD to Avira

Xeno1234 · Jul 15, 2023

Dang im glad to use Kaspersky

Andrew3000 · Jul 15, 2023

Trident said:
Blocked by my policy as well.

View attachment 277136

How are the policies configured?

likeastar20 · Jul 16, 2023

itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

www.virustotal.com

epsilon | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb | Triage

Check this epsilon report malware sample d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 10 out of 10.

tria.ge

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

www.virustotal.com

epsilon | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8 | Triage

Check this epsilon report malware sample 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 10 out of 10.

tria.ge

Andrew3000 · Jul 16, 2023

likeastar20 said:
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal

www.virustotal.com

epsilon | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb | Triage

Check this epsilon report malware sample d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 10 out of 10.

tria.ge

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal

www.virustotal.com

epsilon | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8 | Triage

Check this epsilon report malware sample 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 10 out of 10.

tria.ge

View attachment 277215

Both detected by Harmony and Kaspersky PDM

Trident · Jul 16, 2023

Andrew3000 said:
How are the policies configured?

Anti-Bot configured on hold:
Anti-malware: disabled size limit and disabled skip scanning of archives and non-executables.
URL filtering: enabled for all apps
Scripts scanning in web pages enabled
All detections configured on “prevent” (low-confidence as well).
Experimental Machine Learning Models: not enabled
Early Availability: not enrolled
Firewall: Disabled blocking of IPV6 traffic; enabled Hotspot usage; Remote Desktop Security on standard; Disabled Truted Zone; Disabled logging of cleanup rule
Application Control:
App Scan performed on C:/
Rules configured by folder to terminate the following completely:

Cmd
PowerShell
Conhost
Openconsole
Wscript
Cscript

Disabled internet connectivity for majority of the LOLBins here: LOLBAS

upnorth · Jul 16, 2023

likeastar20 said:
1."RabbitCheecks":
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup"

Trident · Jul 16, 2023

upnorth said:
View attachment 277218

View attachment 277217

I did not have any of these errors and I found an archive in temp that contained browser (Edge) data. That’s with all defences disabled.
This error is something with your environment.

Shadowra · Jul 16, 2023

likeastar20 said:
itch.io is a mess. seems easier to get infected there than on a piracy site. on the new & popular page there are currently two "games" that are the epsilon stealer. I reported the page(which hosts TBMSetup) to itch.io yesterday, but it still seems to be up.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1."RabbitCheecks":

VirusTotal

VirusTotal

www.virustotal.com

epsilon | d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb | Triage

Check this epsilon report malware sample d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb, with a score of 10 out of 10.

tria.ge

View attachment 277216

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2."TBMSetup" (this is the sample from yesterday, not taken down by itch.io):

VirusTotal

VirusTotal

www.virustotal.com

epsilon | 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8 | Triage

Check this epsilon report malware sample 55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8, with a score of 10 out of 10.

tria.ge

View attachment 277215

Kaspersky :
1) detected UDS:Trojan-PWS.Win32.Disco
2) detected PDM:Trojan.Win32.Generic

SeriousHoax · Jul 16, 2023

"RabbitCheecks.exe" stole data with no reaction from Bitdefender TS.

The other one "TBMSetup" had no reaction from BD either, but don't know if it stole. The first one don't delete remnants from temp but the second one deletes everything I think and I wasn't quick enough to see it.

Xeno1234 · Jul 16, 2023

Shadowra said:
Kaspersky :
1) detected UDS:Trojan-PWS.Win32.Disco
2) detected PDM:Trojan.Win32.Generic

Kaspersky really has good stealer detection tbh

Trident · Jul 16, 2023

Xeno1234 said:
Kaspersky really has good stealer detection tbh

They were detected by Harmony behavioural analysis as well.

Xeno1234 · Jul 16, 2023

Trident said:
They were detected by Harmony behavioural analysis as well.

What makes Harmony so good aswell is that it has both Kaspersky and their own.

Trident · Jul 16, 2023

Xeno1234 said:
What makes Harmony so good aswell is that it has both Kaspersky and their own.

Yeah, but I am using E2 version with Sophos.

SeriousHoax · Jul 16, 2023

Here's one more. Same Epsilon stealer with a different file name and hash.

VirusTotal

www.virustotal.com

epsilon | 67f86d940e8e8eb73c09c9b37bef9248ed7e0ee0ec317fc118678ad44f69a63e | Triage

Check this epsilon report malware sample 67f86d940e8e8eb73c09c9b37bef9248ed7e0ee0ec317fc118678ad44f69a63e, with a score of 10 out of 10.

tria.ge

Shadowra · Jul 16, 2023

SeriousHoax said:
Here's one more. Same Epsilon stealer with a different file name and hash.

VirusTotal

VirusTotal

www.virustotal.com

epsilon | 67f86d940e8e8eb73c09c9b37bef9248ed7e0ee0ec317fc118678ad44f69a63e | Triage

Check this epsilon report malware sample 67f86d940e8e8eb73c09c9b37bef9248ed7e0ee0ec317fc118678ad44f69a63e, with a score of 10 out of 10.

tria.ge

According to Kaspersky, it's another Discord's password stealer

Xeno1234 · Jul 16, 2023

Kaspersky's gotten all of these lol dang

Xeno1234 · Jul 16, 2023

Trident said:
Yeah, but I am using E2 version with Sophos.

I use the Kaspersky version just cause it has better detection and is still light

SeriousHoax · Jul 16, 2023

Shadowra said:
According to Kaspersky, it's another Discord's password stealer

Yeah, same thing. It's not needed to test this one. I just shared here to show that there are so many of these spreading around. AV vendors need to find a way to detect this. Looks like most of them aren't even aware of these stealers.

Xeno1234 · Jul 16, 2023

SeriousHoax said:
Yeah, same thing. It's not needed to test this one. I just shared here to show that there are so many of these spreading around. AV vendors need to find a way to detect this. Looks like most of them aren't even aware of these stealers.

But ofc Kaspersky and Harmony gets it without any other help lol

Malware Analysis Capcut fake stealer

Level 40

Level 14

Level 11

Level 9

Level 11

From Hawk Eye

Level 68

From Hawk Eye

Level 40

Level 55

Level 14

From Hawk Eye

Level 14

From Hawk Eye

Level 55

Level 40

Level 14

Level 14

Level 55

Level 14

You may also like...