Question: Is running stealer malware in a fresh VM safe?


Xeno1234 (thread author):
If you were to run a stealer, and it doesn't try to escape the VM, would it be safe? Is there anything to steal? Could the system info of the VM being stolen be of harm?
This assumes no extra passwords, nothing logged in, etc.
 

Bot (AI-powered bot):
Running any type of malware, including a stealer, is not safe, even in a fresh virtual machine (VM). Malware is specifically designed to exploit vulnerabilities and compromise the security of a system or steal sensitive information.

While running a stealer in a VM may provide some level of isolation and limit the potential damage, there are still risks involved. Malware can often find ways to escape the VM environment, especially if it has been specifically designed to do so. Additionally, running malware of any kind, even in a controlled environment, may still expose the VM to other risks, such as network vulnerabilities or the potential for the malware to download additional malicious payloads.

Furthermore, even in a fresh VM, there may still be valuable information present, such as login credentials or personal data. Malware can attempt to steal this information and potentially compromise your online accounts or invade your privacy.

Ultimately, it is best to avoid running any kind of malware, including a stealer, in any environment, as it poses significant risks to your security and personal data.
 

Xeno1234 (thread author):
Could a stealer obtaining the Virtual Machine's system info be of any harm to you?
 

Bot (AI-powered bot):
If a stealer obtains the system information of a virtual machine (VM), it may not directly harm you as an individual. However, it is essential to understand that system information can reveal details about the VM's operating system, hardware configuration, and potentially installed software.

While this information may not seem immediately harmful on its own, it can be valuable for cybercriminals or attackers. It could potentially be used for targeted attacks or as part of a larger scheme to exploit vulnerabilities in the VM's software or operating system. For example, if the system information reveals a specific software version with a known vulnerability, an attacker could attempt to exploit it to gain unauthorized access or perform further attacks on other systems.

It is important to prioritize security and protect any system, even if it is just a virtual machine. Keeping your VM and the host system updated with the latest security patches, using reputable security software, and being cautious when interacting with unknown or suspicious files or websites can help mitigate potential risks.
 

HarborFront:
Running a VM is meant to hide the host system by having another OS. So the stealer would just steal the guest OS info... provided it doesn't escape through paths linking to the host system. You need to disable all paths linking the guest and host OS systems.

Since you are running the stealer malware, just don't log in to websites in the VM.
 

Xeno1234 (thread author):
When I ran it, I had Kaspersky default deny on the host along with a VPN, and both Shared Clipboard and Drag and Drop off on the VM. Any file that was placed onto the host couldn't start because of Default Deny.
 

ForgottenSeer 103564:
Was the guest machine connected to the internet? Stealer malware functions by connecting outbound to a command and control server. Once it does so, if the guest was not run through a VPN, your guest system address was just obtained.

Do you understand the specific malware? What type of info stealer is it, is it embedded with a keylogger, is it tied to a botnet, etc.?

A rule of thumb: if you have to ask if it's safe to do something, you probably should not be doing it. Messing with malware without experience is never a good idea.
 

Xeno1234 (thread author):
I'm not exactly sure if it's a stealer, or if it's malware. It came clean in Triage and Kaspersky Opentip. However, I'm asking in the event that it is.
The VM wasn't on a VPN - the host was.

Also, you do make a good point. I only ran it because it had zero chance of escaping to the host.
 
ForgottenSeer 103564:
So you are aware, the default configuration on most VM setups is to share the host network adapter with the guest VM, so even if you are running a VPN on the host, the guest VM may not see this and not connect through it, but directly to the network; it needs to be manually configured to proxy through the host.
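As an added example (not code from anyone in the thread), here is a host-side VirtualBox script that closes the guest-to-host paths HarborFront and ForgottenSeer describe: the clipboard and drag-and-drop settings Xeno turned off by hand, plus shared folders and the network adapter that rides the host uplink rather than the host VPN. It assumes VBoxManage is on PATH, the VM is powered off, and a hypothetical DRY_RUN variable that only prints the commands.

```shell
#!/bin/sh
# Added example (not from anyone in the thread): close the host<->guest paths of a
# VirtualBox analysis VM from the host side. Assumes VBoxManage is on PATH and the VM
# is powered off. DRY_RUN is a hypothetical switch of this script: set DRY_RUN=1 to
# print the commands instead of running them.
set -eu

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# run_cmd: print the command when DRY_RUN=1, otherwise execute it.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# parse_shared_folders: read `showvminfo --machinereadable` output on stdin and print
# one shared-folder name per line (keys look like SharedFolderNameMachineMapping1="x").
parse_shared_folders() {
    sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p'
}

# isolate_vm VMNAME: apply the isolation settings the thread discusses.
isolate_vm() {
    vm="$1"
    # Shared clipboard and drag-and-drop are the two paths Xeno turned off by hand.
    run_cmd "$VBOXMANAGE" modifyvm "$vm" --clipboard-mode disabled --draganddrop disabled
    # Shared folders expose a host directory to the guest; remove every one of them.
    "$VBOXMANAGE" showvminfo "$vm" --machinereadable | parse_shared_folders |
    while IFS= read -r name; do
        run_cmd "$VBOXMANAGE" sharedfolder remove "$vm" --name "$name"
    done
    # A NAT/bridged adapter uses the host's real uplink, not the host's VPN tunnel:
    # detach the NIC entirely so the sample cannot reach a C2 server or leak the address.
    run_cmd "$VBOXMANAGE" modifyvm "$vm" --nic1 null --cableconnected1 off
    # Snapshot the clean, isolated state so every run can be rolled back afterwards.
    run_cmd "$VBOXMANAGE" snapshot "$vm" take "clean-isolated"
}

# Usage: DRY_RUN=1 ./isolate_vm.sh <vm-name>   (review first, then run without DRY_RUN)
if [ "${1:-}" ]; then
    isolate_vm "$1"
fi
```

Guest Additions are installed inside the guest, so the script cannot remove them; check for them separately before running a sample.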
 

Xeno1234 (thread author):
In that case, if it was a stealer, am I screwed since I ran it? There's a chance it isn't: super high system usage, Kaspersky didn't detect it, and clean on Triage. It might not even be malware! But in the event it was, am I screwed?

Ok, after analyzing the file, I don't think it's malware. It has "high" detections on VT; however, it's clean on Triage and Opentip, and Hybrid Analysis only flags it as malicious because of its AV detections and nothing else.
 
ForgottenSeer 103564:
There are so many variables to this, and that is one reason why it is not recommended to do this without proper training. Whether or not the particular sample has signatures via AV databases is irrelevant, depending upon the age and known availability of the sample. Running a sample in an automated analysis sandbox is not an indication either, as the sample may be "sandbox aware" and inert during testing. The extent of damage done, as you asked, is also based upon all the variables; it's hard to determine at this point.
 

HarborFront:
There are some tips here on isolating a virtual machine from the host machine.

 

cruelsister:
Xeno, whatever VM you install (VBox, VMware, or whatever; I assume you are using VBox) by default will not allow unfettered access to the host system. For a stealer in a VM to find anything to pilfer, you would have to go to the trouble of adding access to those places that a stealer looks (typically in C:\Users).

Similarly installing a VM at default will allow one to run ransomware until the Cows Come Home with the surety that Grandma's photos on the real system will remain untouched.
 
ForgottenSeer 103564:
Don't tell that to the former staff member here who ran ransomware in a VM and it escaped and encrypted half of his work files on his host machine. I was here back then when it happened.

Terrible advice to be handing over to those untrained and ill-prepared.
 

B-boy/StyLe/:
There is a very good guide on how to harden the Vbox at kernel-mode.info, but it is quite outdated now, and it could be difficult to follow.
However, there is something very important there. "DO NOT INSTALL VirtualBox Additions. NEVER. Once installed, you may consider your VM as lost."
I guess the same is valid for VMWare too, but I didn't use VMWare (only VBox) so I can't tell.

 

Xeno1234 (thread author):
What's wrong with having the Additions? I had them installed when I ran some malware.
 
