Evasive Sample

likeastar20

Mar 24, 2016
Evasive sample that doesn't want to run on my VM and BD GZ Sandbox

Free Automated Malware Analysis Service - powered by Falcon Sandbox

Intelix UI

Can you take a look @struppigel?
Is it detected by Harmony emulation @Trident @Andrew3000 ?
This sample checks system temperature, hard disk free space and storage manufacturer information. It also checks keyboard input (this may be keylogging logic, but it may also act as an event listener to detect user activity). When you execute a malware sample, you are expected to be active on the system seconds after it starts.
It also reads software policies.

All in all, a lot of work has been put into evading VMs and sandboxes. For such samples, I recommend that you use Hybrid Analysis or Joe Sandbox, as these “issues” are handled there.

I’ll test Harmony shortly.
Is it detected by Harmony emulation @Trident @Andrew3000 ?
Yes, it is detected by file reputation.
This is once again, bbystealer (discord stealer) in Electron Package. Third malware sample now posted like that. Not sure how and where it was obtained.
Thanks to @struppigel I now know where to look. I looked and boom. Brunxdk is the developer nickname. Seems like their skills are getting an upgrade.
The guy does not know how he got it. But apparently Windows Defender detected it.
Yeah, Defender detects it for sure. I know that already. Knowledgeable person told me. The developer is on vacation. Once they are back, detections may start disappearing again. We’ll see.
@Trident @struppigel found another one while looking through itch.io
The sample is fine. No error and it's working perfectly. I was able to collect the zip containing the stolen data. It gets deleted very quickly from the temp after sending to attackers. It also opens a fake game window in the meantime.
No detection from ESET.
Edit: Added the fake game window.
@Trident EPSILON is a different stealer?
BBY (also known as Doenerium in Turkey) is a large operation that started in 2021, and the attacker now even provides hosting services.
It is possible that different attackers have studied how the malware is packed and have taken inspiration from it.
I was able to collect the zip containing the stolen data.
Worse is that it steals. I tested with another sample; see the result: one sample ZA removed, and the other sample ZA was not able to detect, as the file is 60MB and exceeds the emulation limit. I am also a dry ear and do not know how to increase the threat emulation limit; it seems that only Harmony has these advanced settings, so it passed smoothly in ZA. Now I know that very few AVs will detect this type of malware. ⚠️ For those who save Chrome passwords and leave accounts logged into the browser, this type of malware is very dangerous.