Evasive Sample

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
359
Evasive sample that doesn't want to run on my VM and BD GZ Sandbox




Free Automated Malware Analysis Service - powered by Falcon Sandbox

Intelix UI



Can you take a look @struppigel?
Is it detected by Harmony emulation @Trident @Andrew3000 ?
 
Last edited:

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,691
This sample checks system temperature, hard disks free space, storage manufacturer information. It also checks keyboard input (this may be keylogging logics but it may also act as event listener to detect user activity). When you execute a malware sample, seconds after it you are expected to be active on the system.
It also reads software policies.

All in all, a lot of work has been put to evade VMs and sandboxes. For such samples, I recommend that you use hybrid analysis or Joe Sandbox as these “issues” are handled there.

I’ll test Harmony shortly.
 

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
516
Evasive sample that doesn't want to run on my VM and BD GZ Sandbox




Free Automated Malware Analysis Service - powered by Falcon Sandbox

Intelix UI



Can you take a look @struppigel?
Is it detected by Harmony emulation @Trident @Andrew3000 ?
Yes is detected by file reputation

 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,691
This is once again, bbystealer (discord stealer) in Electron Package. Third malware sample now posted like that. Not sure how and where it was obtained.
Thanks to @struppigel I now know where to look. I looked and boom. Brunxdk is the developer nickname. Seems like their skills are getting an upgrade.
Екранна снимка (60).png
 

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
359
This is once again, bbystealer (discord stealer) in Electron Package. Third malware sample now posted like that. Not sure how and where it was obtained.
Thanks to @struppigel I now know where to look. I looked and boom. Brunxdk is the developer nickname. Seems like their skills are getting an upgrade.
View attachment 276882
The guy does not know how he got it. But apparently Windows Defender detected it.
 

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
359
@Trident @struppigel found another one while looking through itch.io





1.PNG
 
Last edited:

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,630
The sample is fine. No error and it's working perfectly. I was able to collect the zip containing the stolen data. It gets deleted very quickly from the temp after sending to attackers. It also opens a fake game window in the meantime.
No detection from ESET.
ev2.gif
1.png
Edit: Added the fake game window.
 
Last edited:

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,691
@Trident EPSILON is a different stealer?
BBY (also known as Doenerium in Turkey) is a large operation that has started in 2021 and the attacker now even provides hosting services.
It is possible that different attackers have studied how the malware is packed and have taken inspiration.
 
Last edited by a moderator:

piquiteco

Level 14
Oct 16, 2022
626
I was able to collect the zip containing the stolen data.
Worse that it steals, I tested with another sample see the result, a sample the ZA removed and the other sample the ZA was not able to detect, as the file is 60MB exceeds the limit of emulation, I am also a dry ear and do not know how to increase the limit of threat emulation, it seems that only in Harmony that has these advanced settings, then passed smoothly in ZA. Now I know that this type of Malware very few AVs will detect it. ⚠️For those who save Chrome passwords and leave accounts logged into the browser is very dangerous this type of Malware. :cautious:
1688700274021.png

1688699023852.png
1688700144685.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top