Question: How do I test large samples with AnyRun?

They have a 10 MB limit, iirc. But what if I'm trying to test an entire program whose size is about 1.6 GB? I know I'm supposed to test the installer because that's what drops the other files, but still I'm unsure.
Upload the sample to any cloud storage site and download it through AnyRun. But free accounts have only 5 minutes max per session. I doubt it will download it within that timeframe.
 
Yes, but the inclusion of virtual machines (especially with artefacts not properly hidden) can throw malware off, and it can deliver behaviour that's not the same as what it would deliver on a real system.

Also, it is possible that it may remain silent until certain events/conditions are met (including time-based).

An emulation service will usually detect attempts at evasion and will perform fast-forward emulation, ignoring sleeps and so on.

So that approach is still not perfect.
How likely is the malware hidden in torrented apps to have anti-VM tampering built in? I know state actors do this, but that's an entirely different level than some god-knows-what ransomware or infostealer that might be hidden in these regular app downloads.
 
Malware hidden in torrented apps is highly likely to have anti-VM tampering built in. While state-sponsored attacks are more advanced, anti-VM techniques have become standard practice for a wide range of cybercriminals. This is because virtual machines and sandboxes are commonly used by security researchers to analyze malicious code, and malware that can detect these environments can terminate itself or alter its behavior to evade detection. The code for these techniques is not secret and is readily available, making it easy for even less sophisticated attackers to incorporate them into their malware to avoid analysis and improve its effectiveness.
 
All it takes is a few system calls and a few if/else/switch-case statements. Pretty much any malware has anti-VM/anti-debug logic. Again, environments like any.run and so on take extra care to avoid this sort of evasion. But an environment set up at home is not resistant.
 
OK so should I run them on my 2nd laptop connected to a 4G connection? Shut off from the rest of my network, with Kaspersky enabled, to know for sure?
 
OK, but how will you track any changes? Read @Divergent's previous posts; you've been advised to monitor traffic with Wireshark.
If it's malware, the truth will be in the traffic.
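
The point about the traffic can be made concrete. The following is an added example for this thread, not code from any poster: a small beacon detector that groups connection records by destination and flags any host contacted at suspiciously regular intervals, which is what a timer-driven call-home looks like in a capture. The records are constructed to stand in for a tshark export of the capture suggested above (fields such as frame.time_epoch, ip.dst, tcp.dstport); the thresholds are assumptions to be tuned against your own baseline.

```python
"""Beacon (periodic call-home) detector over connection records.

Added example for this thread, not code from any poster. The records are
constructed to stand in for a tshark export of a Wireshark capture; one
destination is contacted on a timer, the rest is ordinary browsing noise.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, destination, destination port).
# 203.0.113.10 is hit roughly every 60 s with about 1 s of jitter.
SAMPLE_CONNECTIONS = [
    (1000.0, "203.0.113.10", 443), (1060.8, "203.0.113.10", 443),
    (1120.1, "203.0.113.10", 443), (1179.7, "203.0.113.10", 443),
    (1240.4, "203.0.113.10", 443), (1300.2, "203.0.113.10", 443),
    (1003.0, "cdn.example.net", 443), (1004.2, "cdn.example.net", 443),
    (1090.0, "cdn.example.net", 443), (1250.5, "cdn.example.net", 443),
    (1310.0, "cdn.example.net", 443),
    (1050.0, "update.example.org", 80), (1052.0, "update.example.org", 80),
]


def intervals_by_destination(connections):
    """Map (host, port) -> sorted list of gaps between successive contacts."""
    stamps_by_dst = defaultdict(list)
    for ts, host, port in connections:
        stamps_by_dst[(host, port)].append(ts)
    gaps_by_dst = {}
    for key, stamps in stamps_by_dst.items():
        stamps.sort()
        gaps_by_dst[key] = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
    return gaps_by_dst


def find_beacons(connections, min_contacts=5, max_cv=0.1):
    """Return destinations whose inter-contact gaps are suspiciously regular.

    cv = stdev / mean of the gaps. Human-driven traffic has a large cv; a
    sleep()-loop implant has a small one. min_contacts and max_cv are
    assumed thresholds, not values from the thread.
    """
    flagged = []
    for (host, port), gaps in intervals_by_destination(connections).items():
        if len(gaps) + 1 < min_contacts:
            continue  # too few contacts to call anything periodic
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append({"host": host, "port": port,
                            "period_s": round(avg, 1), "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(f"possible beacon: {hit['host']}:{hit['port']} "
              f"every ~{hit['period_s']} s (cv={hit['cv']})")
```

Two caveats follow from the posts above: a sample that is still sleeping or waiting for a trigger produces no records at all, so an empty result is not a clean bill of health, and an implant that randomises its sleep widely will push the cv above any fixed threshold, so treat this as one signal alongside the destinations themselves.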
 
Yeah that's true. But do I understand correctly that in the VM, Wireshark wouldn't even catch anything because the malware is asleep?
Yeah. That depends on the code. You see, programming (especially in C++ or .Net) offers so many options… you never know what's in the malware.

For example, it may add event listeners to check for keyboard and mouse activity. You just executed the sample, so you are expected to still be at the PC.

It can be checking the installed software list and when that software was installed; on a real system you should have a number of programs installed. It can check for recent documents, the number of documents, browser history, system boot dates, CPU count, RAM, BIOS name, drivers and so on.

It can be implementing long sleeps, playing with time, or it may be waiting till tomorrow at 1 PM (for example) to activate, through the addition of registry entries or scheduled tasks.

That’s why you were advised by @Divergent to perform static and dynamic analysis. But static analysis is not easy for beginners to do…
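
The checks listed in this post, and the "few system calls and a few if statements" and sleep fast-forwarding mentioned earlier in the thread, are easy to see in code. The following is an added example for this thread, not any poster's code, written from the defender's side so the heuristics can be understood and your own analysis VM checked against them. The host "facts" are constructed dicts standing in for what a sample would pull from WMI, the registry and Win32 APIs (GetSystemInfo, GlobalMemoryStatusEx, GetTickCount64, the Uninstall key, the Recent folder); the scoring threshold and the BIOS vendor strings are assumptions.

```python
"""Anti-VM / anti-sandbox heuristics and a sleep fast-forward check.

Added example for this thread, not code from any poster. The two host
snapshots are constructed; thresholds are assumptions.
"""
import time

# Constructed snapshots: an analyst VM with artefacts left visible, and a real laptop.
ANALYST_VM = {
    "cpu_count": 1, "ram_gb": 2, "uptime_minutes": 4, "installed_programs": 9,
    "recent_documents": 0, "bios_vendor": "innotek GmbH", "idle_seconds": 900,
}
REAL_LAPTOP = {
    "cpu_count": 8, "ram_gb": 16, "uptime_minutes": 3100, "installed_programs": 140,
    "recent_documents": 37, "bios_vendor": "LENOVO", "idle_seconds": 3,
}

# Substrings that commonly appear in hypervisor BIOS/SMBIOS vendor fields (assumed list).
HYPERVISOR_BIOS_STRINGS = ("innotek", "virtualbox", "vmware", "qemu", "bochs", "xen")


def sandbox_score(facts):
    """Return (score, reasons). Each check mirrors one heuristic from the thread;
    a sample would typically exit or stay dormant above some score."""
    reasons = []
    if facts["cpu_count"] < 2:
        reasons.append("single CPU")
    if facts["ram_gb"] < 4:
        reasons.append("less than 4 GB RAM")
    if facts["uptime_minutes"] < 10:
        reasons.append("fresh boot")
    if facts["installed_programs"] < 20:
        reasons.append("almost no software installed")
    if facts["recent_documents"] == 0:
        reasons.append("no recent documents")
    if any(s in facts["bios_vendor"].lower() for s in HYPERVISOR_BIOS_STRINGS):
        reasons.append("hypervisor BIOS vendor")
    if facts["idle_seconds"] > 300:
        reasons.append("no keyboard/mouse activity")
    return len(reasons), reasons


def looks_like_sandbox(facts, threshold=3):
    """Assumed decision rule: three or more hits and the sample would go quiet."""
    return sandbox_score(facts)[0] >= threshold


def sleep_was_skipped(requested_seconds, sleep_fn=time.sleep,
                      clock_fn=time.monotonic, tolerance=0.5):
    """Timing check that catches sleep fast-forwarding: sleep, then compare the
    elapsed monotonic time with what was requested. A sandbox that patches
    Sleep() but not the clock returns far too early. sleep_fn/clock_fn are
    injectable so the check can be exercised without really sleeping."""
    start = clock_fn()
    sleep_fn(requested_seconds)
    elapsed = clock_fn() - start
    return elapsed < requested_seconds * tolerance


if __name__ == "__main__":
    for name, facts in (("analyst VM", ANALYST_VM), ("real laptop", REAL_LAPTOP)):
        score, why = sandbox_score(facts)
        print(f"{name}: score={score}, sandbox={looks_like_sandbox(facts)}, reasons={why}")
```

Run against a home lab, the reasons list is effectively a to-do list: give the VM several cores and enough RAM, let it accumulate uptime, documents and browser history, move the mouse or script input, and hide the hypervisor vendor strings. Services such as any.run do this for you and additionally advance the clock together with the sleep, which is why the timing check above does not help a sample there.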
 
Isn't VirusTotal behaviour analysis good enough, though?


Also wouldn't Kaspersky catch the malicious network traffic (attempts)?
 
This is not a safe or effective alternative to a properly configured virtual machine. Data exfiltration is still possible on a 4G connection, and this is a significant risk. If the malware is designed to exfiltrate data or communicate with a command-and-control (C2) server, the 4G connection provides a direct route for it to do so. This could lead to a compromise of personal data or to the laptop being used in a botnet/DDoS attack. The malware could also use the internet connection to download a more dangerous second-stage payload.

The suggestion of using a 4G network might give a false sense of security, but in reality, it provides the malware with a crucial lifeline to the internet, allowing it to fulfill its malicious purpose.

This reinforces why the best and safest practice is to perform malware analysis in a completely isolated environment, such as a virtual machine with the network adapter disabled. This way, you can observe the malware's behavior without the risk of it doing any real-world damage.
 
Okay but I normally just re-deploy a clean image on the 2nd laptop once done analyzing, and I don't have anything personal on that laptop, nor am I connected to any of my accounts.
 
For security reasons, it is not recommended to allow malware to connect to the internet, because of the possibility that it may spread or attack others. That's how professional malware analysis works. Now that you've already executed this sample, it's too late 🤷🏻‍♂️

You should analyse before you execute.

What you are doing now is: the rain already stopped yesterday and you are taking an umbrella now. You should have taken it yesterday.

Now, you can use some aggressive tools like Norton Power Eraser or McAfee Stinger (highest GTI sensitivity) to scan for damage. If they find anything remove it, if not… then maybe there is nothing.
 
I can't see anything malicious in Wireshark, tbh.
 
Well, maybe there is nothing; it might as well be a benign sample. We don't know because, again, all files need to be analysed. It is possible that there is a single DLL modified to include malicious activity, or maybe there is nothing. That's the risk with cracked/hacked/attacked applications. You never know what's there.

Here, Kaspersky didn’t detect anything, so I would say relax.

But yeah. Safe habits are needed.
 
Have you ever noticed malware from trusted torrent sites? I'm unsure if I'm allowed to name the site in question, but the uploader is trusted by many and has been doing this for years. Nobody in the comments is saying anything about malware either. And realistically, how likely would Malwarebytes or Kaspersky be to stop it in its tracks?
 
Yes. When I was a kid, a SpyHunter repack on torrents contained W32.Sality.A. The security software I was using at that time was Norton 2009, and it was detecting virus-infected files every second. I reinstalled Windows and, not sure what I opened, it activated again, and again every 3 seconds Norton was detecting 50 viruses.

Recently, I found fake TPB sites which just pushed infostealers (very large) as malware.

Again, Kaspersky here did not detect anything. But cracked and attacked applications always carry a risk.
 
As in, in my case or yours?
 
If OP usually downloads files from torrent sites, beware of double extensions.
This is one of the trickiest ways you can trigger malware. Something posing as a zip, jpg, pdf, mp4, mp3 or whatever file, but the real extension is likely .exe.

Make sure to show file extensions under Folder Options in Windows. And always scan before opening, or take a second opinion.
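
An added example for this thread (not the poster's code) that makes the double-extension trick checkable on a download folder: it classifies each filename by its real, last extension, flags names whose visible decoy extension hides an executable one, and shows what Explorer would display with "Hide extensions for known file types" still on. The extension lists are a reasonable starting set, not a complete one, and the sample filenames are constructed.

```python
"""Double-extension filename check for downloads.

Added example for this thread, not the poster's code. EXECUTABLE_EXTS and
DECOY_EXTS are assumed starting lists; extend them for your environment.
"""
import os

# Extensions Windows executes directly or that commonly carry script/loader payloads.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".lnk"}
# Extensions used as the decoy in front of the real one.
DECOY_EXTS = {".zip", ".rar", ".7z", ".jpg", ".jpeg", ".png", ".gif", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx", ".txt", ".mp4", ".mkv", ".avi",
              ".mp3", ".flac", ".iso", ".torrent"}


def split_all_extensions(name):
    """'a.b.c' -> ['.b', '.c']; 'noext' -> []. Whitespace padding such as
    'invoice.pdf      .exe' is stripped so the real extension is still found."""
    base = os.path.basename(name)
    parts = base.split(".")
    return ["." + p.strip().lower() for p in parts[1:]] if len(parts) > 1 else []


def classify(name):
    """One of: 'no extension', 'not executable', 'executable', 'double extension'."""
    exts = split_all_extensions(name)
    if not exts:
        return "no extension"
    real = exts[-1]
    if real not in EXECUTABLE_EXTS:
        return "not executable"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double extension"
    return "executable"


def shown_by_explorer(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is hidden, so 'Movie.mp4.exe' appears as 'Movie.mp4'."""
    base = os.path.basename(name)
    root, _ext = os.path.splitext(base)
    return root if "." in base else base


def scan(names):
    """Return (name, verdict) for every name that would actually execute."""
    return [(n, classify(n)) for n in names
            if classify(n) in ("double extension", "executable")]


if __name__ == "__main__":
    # Constructed sample listing of a download folder.
    listing = ["Setup.exe", "Movie.2024.1080p.mp4.exe", "Movie.2024.1080p.mp4",
               "readme.pdf.scr", "invoice.pdf      .exe", "photo.JPG", "album.zip"]
    for name, verdict in scan(listing):
        print(f"{verdict:17} {name!r:35} shown as {shown_by_explorer(name)!r}")
```

The check deliberately looks only at the last extension: Windows does the same, and a decoy icon or a hidden extension does not change what ShellExecute will run. It does not replace scanning the file; a plain "Setup.exe" from a torrent is still a file to analyse before opening.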
 
Yeah I have that enabled by GPO
 
How likely is the sample to be clean if Kaspersky didn't find anything?
 