Evasive Sample

likeastar20 · Jul 4, 2023

Evasive sample that doesn't want to run on my VM and BD GZ Sandbox

VirusTotal

www.virustotal.com

1c7dfa1e4b1ab71105b75c8a75af52317e901f7160e28765303da7f7988fa8da | Triage

Check this report malware sample 1c7dfa1e4b1ab71105b75c8a75af52317e901f7160e28765303da7f7988fa8da, with a score of 6 out of 10.

tria.ge

https://www.unpac.me/results/87040529-7090-4f4b-a83c-99cd0ea9b1bf#/

Free Automated Malware Analysis Service - powered by Falcon Sandbox

Intelix UI

Can you take a look @struppigel?
Is it detected by Harmony emulation @Trident @Andrew3000 ?

Trident · Jul 4, 2023

This sample checks system temperature, hard disks free space, storage manufacturer information. It also checks keyboard input (this may be keylogging logics but it may also act as event listener to detect user activity). When you execute a malware sample, seconds after it you are expected to be active on the system.
It also reads software policies.

All in all, a lot of work has been put to evade VMs and sandboxes. For such samples, I recommend that you use hybrid analysis or Joe Sandbox as these “issues” are handled there.

I’ll test Harmony shortly.

Andrew3000 · Jul 4, 2023

likeastar20 said:
Evasive sample that doesn't want to run on my VM and BD GZ Sandbox

VirusTotal

VirusTotal

www.virustotal.com

1c7dfa1e4b1ab71105b75c8a75af52317e901f7160e28765303da7f7988fa8da | Triage

Check this report malware sample 1c7dfa1e4b1ab71105b75c8a75af52317e901f7160e28765303da7f7988fa8da, with a score of 6 out of 10.

tria.ge

https://www.unpac.me/results/87040529-7090-4f4b-a83c-99cd0ea9b1bf#/

Free Automated Malware Analysis Service - powered by Falcon Sandbox

Intelix UI

Can you take a look @struppigel?
Is it detected by Harmony emulation @Trident @Andrew3000 ?

Yes is detected by file reputation

Harmony Endpoint Forensics Analysis: Overview

64a3d51b8cd57a2808cb20dc--superlative-crepe-fab517.netlify.app

Trident · Jul 4, 2023

This is once again, bbystealer (discord stealer) in Electron Package. Third malware sample now posted like that. Not sure how and where it was obtained.
Thanks to @struppigel I now know where to look. I looked and boom. Brunxdk is the developer nickname. Seems like their skills are getting an upgrade.

likeastar20 · Jul 4, 2023

Trident said:
This is once again, bbystealer (discord stealer) in Electron Package. Third malware sample now posted like that. Not sure how and where it was obtained.
Thanks to @struppigel I now know where to look. I looked and boom. Brunxdk is the developer nickname. Seems like their skills are getting an upgrade.
View attachment 276882

The guy does not know how he got it. But apparently Windows Defender detected it.

Trident · Jul 4, 2023

likeastar20 said:
The guy does not know how he got it. But apparently Windows Defender detected it.

Yeah, Defender detects it for sure. I know that already. Knowledgeable person told me. The developer is on vacation. Once they are back, detections may start disappearing again. We’ll see.

likeastar20 · Jul 6, 2023

@Trident @struppigel found another one while looking through itch.io

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

epsilon | fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4 | Triage

Check this epsilon report malware sample fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4, with a score of 10 out of 10.

tria.ge

Intelix Portal

intelix.sophos.com

VirusTotal

www.virustotal.com

upnorth · Jul 6, 2023

likeastar20 said:
Intelix Portal

intelix.sophos.com

And again, I would personal discharge that sample and move on to the next. I'm not a fan of these constant error messages.

Trident · Jul 6, 2023

With or without error messages, the sample is working.

SeriousHoax · Jul 6, 2023

The sample is fine. No error and it's working perfectly. I was able to collect the zip containing the stolen data. It gets deleted very quickly from the temp after sending to attackers. It also opens a fake game window in the meantime.
No detection from ESET.

Edit: Added the fake game window.

likeastar20 · Jul 6, 2023

@Trident EPSILON is a different stealer?

Trident · Jul 6, 2023

likeastar20 said:
@Trident EPSILON is a different stealer?

BBY (also known as Doenerium in Turkey) is a large operation that has started in 2021 and the attacker now even provides hosting services.
It is possible that different attackers have studied how the malware is packed and have taken inspiration.

piquiteco · Jul 6, 2023

SeriousHoax said:
I was able to collect the zip containing the stolen data.

Worse that it steals, I tested with another sample see the result, a sample the ZA removed and the other sample the ZA was not able to detect, as the file is 60MB exceeds the limit of emulation, I am also a dry ear and do not know how to increase the limit of threat emulation, it seems that only in Harmony that has these advanced settings, then passed smoothly in ZA. Now I know that this type of Malware very few AVs will detect it.

For those who save Chrome passwords and leave accounts logged into the browser is very dangerous this type of Malware.

Search

Evasive Sample

likeastar20

Level 8

VirusTotal

1c7dfa1e4b1ab71105b75c8a75af52317e901f7160e28765303da7f7988fa8da | Triage

Trident

Level 28

Andrew3000

Level 11

VirusTotal

1c7dfa1e4b1ab71105b75c8a75af52317e901f7160e28765303da7f7988fa8da | Triage

Harmony Endpoint Forensics Analysis: Overview

Trident

Level 28

likeastar20

Level 8

Trident

Level 28

likeastar20

Level 8

Kaspersky Threat Intelligence Portal

epsilon | fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4 | Triage

Intelix Portal

VirusTotal

upnorth

Moderator

Intelix Portal

Trident

Level 28

SeriousHoax

Level 47

likeastar20

Level 8

Trident

Level 28

piquiteco

Level 14

Similar threads