Malware Analysis Evasive Sample - Bypassed MS

[Sandbox Breaker]

Signed sample pretending to be TeamViewer. It is a password stealer. As a DFIR Specialist it's easy to me. After submitting the sample to Microsoft... They said the file was clean. File has been in the wild for a week now. Welcome to the current state of insecurity. Happy hunting! VirusTotal

 

[SeriousHoax]

It doesn't run on my VM. Maybe because of the reason triage mentioned:

Checks computer location settings​

Looks up country code configured in the registry, likely geofence.

Maybe @struppigel can analyze the sample.

 

[silversurfer]

Confirmed here on my VM (Windows 10 x64) sample doesn't run at all.
We can see more details about evasive... Latest two re-analyzes of this sample are from my user account on Hybrid Analysis:
Free Automated Malware Analysis Service - powered by Falcon Sandbox

Evasive

• Contains ability to check if a debugger is running
• Contains ability to terminate a process
• Input file contains API references not part of its Import Address Table (IAT)
• Possibly checks for the presence of a forensics/monitoring tool

 

[Trident]

On my system (physical system) it didn’t run either.

 

[struppigel]

A "Teamviewer" with only 200 KB size that has also been uploaded as "Prison.Architect.The.Sunset.Update.Incl.A...exe" is clearly not legit.

I found an area that is XOR encoded with 0x1D, you can literally see the XOR key in the hex editor

After decoding it looks like this

The decoded portion contains a JS script, some additional strings and ZIP archive. The archive seems to be a Chrome extension with the ID jdejdmchbgaciegdmifmnkopbdbfhcfb

Strings related to Chrome extension installation.

The manifest of the Chrome extension just names itself "Apps" and shows the author's email address as sg(dot)guru1030(at)gmail(dot)com:

That extension hijacks search results, redirects them to searchesmia(dot)com (the following image shows content.js):

In sum it is clearly malware (not PUP, because there is not a shred of something useful).
So far it is also not really dangerous, more annoying. There might be more going on, e.g., the ShellExecuteW could be a point for more examination, but this is already enough to declare it malware.
If Microsoft declared this as clean, they did an obvious mistake.

 

[Sandbox Breaker]

Search the file in Xcitium Cloud Verdict. Their Human analyst was also wrong and claimed it's clean.

@struppigel
Was this a good catch? I praise your skills. I'm almost at your level soon haha. Nice job

 

[Sandbox Breaker]

Another note on this sample, the signer of the certificate is a company that incorporated recently also. Very suspect.

 

[brambedkar59]

The manifest of the Chrome extension just names itself "Apps" and shows the author's email address as sg(dot)guru1030(at)gmail(dot)com:

If you search for that email address, you get a CV for a person with his actual physical address, his github, live account etc. Is the email for the person who created malware or just using a fake identity, is that common? Asking mods if I can link to that pdf in here?
Sorry for barging in. I know nothing about malware analysis, but I find this topic interesting.

Edit: Also someone on reddit had that same extension (id -jdejdmchbgaciegdmifmnkopbdbfhcfb ) installed.

 

[harlan4096]

Confirmed here on my VM (Windows 10 x64) sample doesn't run at all.
We can see more details about evasive... Latest two re-analyzes of this sample are from my user account on Hybrid Analysis:
Free Automated Malware Analysis Service - powered by Falcon Sandbox

Same here, tried with VM + KPremium (default settings) 21.13, ran for 2 seconds and auto terminated, moved to Low Restricted (Digitally Signed But Not Approved), currently already detected as Adware.

 

[Sandbox Breaker]

Recently I've been using 4+ different sandbox solutions to my workload on analysing suspect files. It's becoming common to see samples break sandboxes and also now getting listed as clean. How good are these analysts anyways.

Xcitium Cloud Verdict

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds

verdict.xcitium.com

Look and see the file is claimed clean by their analyst! Microsoft and Xcitium!! Same sample

Spoiler

 

[Shadowra]

I'd like to test it myself, but I can't download the sample....

 

[Sandbox Breaker]

Use hybrid analysis, anyrun or triage. They let you download the file.

Also take a look how I objected their Human verdict. That was a day ago. They still haven't noticed.

 

[cruelsister]

There are now a bunch of them masquerading as various things, but all essentially the same file.

Didn't notice any VM awareness nor extended sleep times; also didn't run on my sacrificial system. Also note that the certificate is still viewed as honky-dory:

CF contains thhese files anyway even though the cert is seemingly fine as the application itself has not been vetted by them.

 

[Trident]

Didn't notice any VM awareness nor extended sleep times; also didn't run on my sacrificial system.

On my sacrificial system Check Point is deployed and that runs a process clearly having “forensics” in the name. A lot of malware that I am trying to test just terminates. I thought this sample is from the same “dough”.

 

[Shadowra]

Use hybrid analysis, anyrun or triage. They let you download the file.

Also take a look how I objected their Human verdict. That was a day ago. They still haven't noticed.
View attachment 275884

I made it.
Detected by DeepInstinct as a PUP.
On my VM, I couldn't launch it (it closes 2 seconds later).

 

[Kongo]

I made it.
Detected by DeepInstinct as a PUP.
On my VM, I couldn't launch it (it closes 2 seconds later).

Same here