Question Is running a stealer malware in a fresh VM safe?

Please provide comments and solutions that are helpful to the author of this topic.

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
Is running a stealer malware in a fresh VM safe?
If you were to run a stealer, and it doesnt try to escape the VM, would it be safe? Is there anything to steal? Could the system info of the VM being stolen be of harm?
This is saying no extra passwords, nothing logged in, etc.
 
  • Like
Reactions: Jonny Quest

Bot

AI-powered Bot
Apr 21, 2016
3,652
Running any type of malware, including a stealer, is not safe, even in a fresh virtual machine (VM). Malware is specifically designed to exploit vulnerabilities and compromise the security of a system or steal sensitive information.

While running a stealer in a VM may provide some level of isolation and limit the potential damage, there are still risks involved. Malware can often find ways to escape the VM environment, especially if it has been specifically designed to do so. Additionally, running malware of any kind, even in a controlled environment, may still expose the VM to other risks, such as network vulnerabilities or the potential for the malware to download additional malicious payloads.

Furthermore, even in a fresh VM, there may still be valuable information present, such as login credentials or personal data. Malware can attempt to steal this information and potentially compromise your online accounts or invade your privacy.

Ultimately, it is best to avoid running any kind of malware, including a stealer, in any environment, as it poses significant risks to your security and personal data.
 
  • Like
Reactions: roger_m

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
Running any type of malware, including a stealer, is not safe, even in a fresh virtual machine (VM). Malware is specifically designed to exploit vulnerabilities and compromise the security of a system or steal sensitive information.

While running a stealer in a VM may provide some level of isolation and limit the potential damage, there are still risks involved. Malware can often find ways to escape the VM environment, especially if it has been specifically designed to do so. Additionally, running malware of any kind, even in a controlled environment, may still expose the VM to other risks, such as network vulnerabilities or the potential for the malware to download additional malicious payloads.

Furthermore, even in a fresh VM, there may still be valuable information present, such as login credentials or personal data. Malware can attempt to steal this information and potentially compromise your online accounts or invade your privacy.

Ultimately, it is best to avoid running any kind of malware, including a stealer, in any environment, as it poses significant risks to your security and personal data.
Could a stealer obtaining the Virtual Machine's system info be of any harm to you?
 

Bot

AI-powered Bot
Apr 21, 2016
3,652
Could a stealer obtaining the Virtual Machine's system info be of any harm to you?
If a stealer obtains the system information of a virtual machine (VM), it may not directly harm you as an individual. However, it is essential to understand that system information can reveal details about the VM's operating system, hardware configuration, and potentially installed software.

While this information may not seem immediately harmful on its own, it can be valuable for cybercriminals or attackers. It could potentially be used for targeted attacks or as part of a larger scheme to exploit vulnerabilities in the VM's software or operating system. For example, if the system information reveals a specific software version with a known vulnerability, an attacker could attempt to exploit it to gain unauthorized access or perform further attacks on other systems.

It is important to prioritize security and protect any system, even if it is just a virtual machine. Keeping your VM and the host system updated with the latest security patches, using reputable security software, and being cautious when interacting with unknown or suspicious files or websites can help mitigate potential risks.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,047
Running a VM is to hide the host system by having another OS. So the stealer would just steal the guest OS info.......provided it doesn't escape through paths link to the host system. You need to disable all paths linking the guest and host OS systems

Since you are running the stealer malware just don't log in to websites in the VM
 
  • Like
Reactions: brambedkar59

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
Running a VM is to hide the host system by having another OS. So the stealer would just steal the guest OS info.......provided it doesn't escape through paths link to the host system. You need to disable all paths linking the guest and host OS systems

Since you are running the stealer malware just don't log in to websites in the VM
When I ran it, I had Kaspersky default deny on Host along with a VPN, and both Shared Clipboard and Drag and Drop off on the VM. Any file that was placed onto the host couldnt start cause of Default Deny.
 
  • Like
Reactions: Sandbox Breaker
F

ForgottenSeer 103564

When I ran it, I had Kaspersky default deny on Host along with a VPN, and both Shared Clipboard and Drag and Drop off on the VM. Any file that was placed onto the host couldnt start cause of Default Deny.
Was the guest machine connected to the internet? Stealer malware functions by connecting out bound to a command and control server. Once it does so, if the guest was not run in a VPN, your guest system address was just obtained.

Do you understand the specific malware, what type of info stealer is it, is it embedded with a keylogger, is it tied to a botnet, ect.

A rule of thumb, if you have to ask if its safe to do something, you probably should not be doing it. Messing with malware without experience is never a good idea.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
Was the guest machine connected to the internet? Stealer malware functions by connecting out bound to a command and control server. Once it does so, if the guest was not run in a VPN, your guest system address was just obtained.

Do you understand the specific malware, what type of info stealer is it, is it embedded with a keylogger, is it tied to a botnet, ect.

A rule of thumb, if you have to ask if its safe to do something, you probably should not be doing it. Messing with malware without experience is never a good idea.
Im not exactly sure if its a stealer, or if its malware. Came clean in Triage and Kaspersky Opentip. However, im asking in the event that it is.
The VM wasnt on a VPN - the host was.

Also, you do make a good point. I only ran it because it had zero chance of escaping to the host.
 
F

ForgottenSeer 103564

Im not exactly sure if its a stealer, or if its malware. Came clean in Triage and Kaspersky Opentip. However, im asking in the event that it is.
The VM wasnt on a VPN - the host was.

Also, you do make a good point. I only ran it because it had zero chance of escaping to the host.
So you are aware, the default configuration on most vm configurations is to share the Host network adapter to the Guest vm, so even if you are running a VPN on the host, the Guest VM may not see this, and not connect through it, but directly to the network, needing to be manually configured to proxy to the Host.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
So you are aware, the default configuration on most vm configurations is to share the Host network adapter to the Guest vm, so even if you are running a VPN on the host, the Guest VM may not see this, and not connect through it, but directly to the network, needing to be manually configured to proxy to the Host.
In that case, if it was a stealer, am I screwed since I ran it? There's a chance it isnt - super high System Usage, Kaspersky didnt detect it, and clean on Triage. It might not even be malware! But in the event it was, am I screwed?

Ok after analyzing the file - I dont think its malware. It has stuff "high" detections on VT, however its clean on Triage, Opentip, and Hybrid Analysis only flags it as malicious because of its AV detections and nothing else.
 
Last edited:
F

ForgottenSeer 103564

In that case, if it was a stealer, am I screwed since I ran it? There's a chance it isnt - super high System Usage, Kaspersky didnt detect it, and clean on Triage. It might not even be malware! But in the event it was, am I screwed?

Ok after analyzing the file - I dont think its malware. It has stuff "high" detections on VT, however its clean on Triage, Opentip, and Hybrid Analysis only flags it as malicious because of its AV detections and nothing else.
There are so many variables to this and one reason why it is not recommended to do this without proper training. Whether or not the particular sample has signatures or not via AV databases is irrelevant, depended upon age and known availability of sample. Running sample in a automated analysis sandbox is not an indication either, as the sample maybe "sandbox aware" and inert during testing. The extent upon damage done as you asked, is also based upon all the variables, its hard to determine at this point.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,047
When I ran it, I had Kaspersky default deny on Host along with a VPN, and both Shared Clipboard and Drag and Drop off on the VM. Any file that was placed onto the host couldnt start cause of Default Deny.

There are some tips here to isolate virtual machine from the host machine

 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,165
Xeno- whatever VM that you install (Vbox, VMWare, or whatever- and I assume you are using VBox) by default will not allow unfettered access to the Host system. For a stealer in a VM to find anything to pilfer you would have to go to the trouble of adding access to those places that a stealer looks, typically in C:\Users).

Similarly installing a VM at default will allow one to run ransomware until the Cows Come Home with the surety that Grandma's photos on the real system will remain untouched.
 
F

ForgottenSeer 103564

Similarly installing a VM at default will allow one to run ransomware until the Cows Come Home with the surety that Grandma's photos on the real system will remain untouched.
Dont tell that to the former Staff member here that ran a Ransomware in a VM and it escaped and encrypted half of his work files on his Host machine. I was here back then when it happened.

Terrible advice to be handing over to those untrained and ill prepared.
 
Last edited by a moderator:

B-boy/StyLe/

Level 3
Verified
Well-known
Mar 10, 2023
146
There is a very good guide on how to harden the Vbox at kernel-mode.info, but it is quite outdated now, and it could be difficult to follow.
However, there is something very important there. "DO NOT INSTALL VirtualBox Additions. NEVER. Once installed, you may consider your VM as lost."
I guess the same is valid for VMWare too, but I didn't use VMWare (only VBox) so I can't tell.

 

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
There is a very good guide on how to harden the Vbox at kernel-mode.info, but it is quite outdated now, and it could be difficult to follow.
However, there is something very important there. "DO NOT INSTALL VirtualBox Additions. NEVER. Once installed, you may consider your VM as lost."
I guess the same is valid for VMWare too, but I didn't use VMWare (only VBox) so I can't tell.

What’s wrong with have the additions? I had it installed when I ran some malware.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top