Malware Analysis Capcut fake stealer

Status
Not open for further replies.
H

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,033
SeriousHoax said:
"RabbitCheecks.exe" stole data with no reaction from Bitdefender TS.
View attachment 277219
The other one "TBMSetup" had no reaction from BD either, but don't know if it stole. The first one don't delete remnants from temp but the second one deletes everything I think and I wasn't quick enough to see it.
Click to expand...

BTS just updated its threat engine to v7.94981. Can you check whether it still detects?
 
Last edited:
  • Like
Reactions: Trident
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
Last edited by a moderator:
  • Like
Reactions: Nevi, SeriousHoax, Kongo and 1 other person
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
likeastar20 said:
EDIT1: @Trident should I create a thread somewhere where i/we can share new samples? Malware Hub seems dead...
Click to expand...
But the malwarehub had controlled access and these samples are out in the open… not sure if it’s a good idea to share them like that… better keep them here, it’s more concealed.
 
  • Like
Reactions: Nevi, Kongo and likeastar20
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,635
likeastar20 said:
#stealer

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

9f37c8ca3285ea528cbf2327e3da9d46faa9426f47d7d843e9c4d3a0a57ee046 | Triage

Check this report malware sample 9f37c8ca3285ea528cbf2327e3da9d46faa9426f47d7d843e9c4d3a0a57ee046, with a score of 8 out of 10.
tria.ge tria.ge
Click to expand...
This one is a Ransomware. Detected by MD and ESET's LiveGuard. If LiveGuard is not available, then it can't detect or stop encryption. But now it's known to ESET cloud due to the LiveGuard's verdict so will be detected on all ESET systems.
 
  • Like
  • +Reputation
Reactions: piquiteco, Kongo, harlan4096 and 2 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,178
Some hours ago, I just decided to re-analyze (longer runtime, etc.) on Hybrid:
The analysis extracted a known ransomware file
Click to expand...
Source: https://www.hybrid-analysis.com/sam...d843e9c4d3a0a57ee046/64b782a0587dc92c0202b299

I would try to test this sample in VMware 17 Pro against Bitdefender Free. If still undetected on static... I will add details and screenshots later ;)

At the time of my test, BD has no signatures, static: 0/1 - dynamic: 1*/1

Sample immediately blocked without removal this time 🤷‍♂️ I tried to execute this sample again for several times but keep blocked only even after 10 minutes. No files encrypted!

new#1.png
 
Last edited:
  • Like
  • Applause
Reactions: piquiteco, Trident, likeastar20 and 3 others
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,635
silversurfer said:
Some hours ago, I just decided to re-analyze (longer runtime, etc.) on Hybrid:

Source: https://www.hybrid-analysis.com/sam...d843e9c4d3a0a57ee046/64b782a0587dc92c0202b299

I would try to test this sample in VMware 17 Pro against Bitdefender Free. If still undetected on static... I will add details and screenshots later ;)

At the time of my test, BD has no signatures, static: 0/1 - dynamic: 1*/1

Sample immediately blocked without removal this time 🤷‍♂️ I tried to execute this sample again for several times but keep blocked only even after 10 minutes. No files encrypted!

View attachment 277301
Click to expand...
I had the same behavior on BDTS. Blocked but not removed :unsure:
likeastar20 said:
What has it encrypted?
Click to expand...
Image files, doc files, zip files, etc.
 
  • Like
  • +Reputation
Reactions: simmerskool, piquiteco, Trident and 2 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,178
Update for my test with Bitdefender Free: VM was in suspended mode, I tried to check again, finally BD removed this sample to quarantine, detection named: Trojan.GenericKD...

q#1.png

Note: This will be my last post for testing samples, we all have to respect the new rules:
malwaretips.com

By Staff - Malware Analysis Forum Rules

Malware Analysis Forum Rules A) Sample and URL sharing Always make sure to keep things safe No direct download links to suspicious or malicious samples are allowed, you can instead post hashes, virustotal links, or links to automatic sandbox analysis services like any.run, hybrid-analysis...
malwaretips.com malwaretips.com
 
  • Like
  • +Reputation
Reactions: simmerskool, Kongo, piquiteco and 3 others
Status
Not open for further replies.

Similar threads

Sandbox Breaker
    • Like
    • +Reputation
    • Applause
Malware Analysis Mystic Stealer Bypassing Sandboxes
Replies
50
Views
2,807
Malware Analysis Archive
Trident
Trident
L
    • Like
    • Wow
  • Locked
Bitdefender support fail
Replies
18
Views
1,121
Malware Analysis Archive
likeastar20
L
Xeno1234
    • Like
Malware Analysis Evasive Stealer or Broken Sample?
Replies
12
Views
967
Malware Analysis
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top