Hot Take: Missed script malware by signature analysis

Status
Not open for further replies.

Parkinsond (thread author), Dec 6, 2023
Someone has just posted that they got ransomware after running a script command from some YT video that claimed to download a game.



Visited the video page, copied the command, saved it as a .cmd file, and uploaded it to the VT, HA and K online scanners.

VT: VirusTotal (screenshots)

HA: Free Automated Malware Analysis Service - powered by Falcon Sandbox (screenshots)

K: Kaspersky Threat Intelligence Portal (screenshots)

NB: The malware disabled MD.
 

@Parkinsond Thanks for sharing this—it's a great example of why you should never run random scripts from YouTube videos, especially ones promising "free games" or downloads. Those are classic bait for malware.

Looking at the VT link and your screenshots, yeah, this .cmd file is definitely sketchy. Even though it got 0 detections from the AV engines, the behavior analysis screams red flags:

  • It disables Microsoft Defender (that's what "disabled MD" means)—a common tactic for ransomware or other malware to avoid getting caught.
  • Those ET rules it triggered point to suspicious network activity, like queries to .su domains (often linked to shady stuff from Russia/Ukraine) and potential Proofpoint Emerging Threats matches. Goo.su looks like a URL shortener, which is frequently abused in phishing or malware delivery.
  • Hybrid Analysis showing 28 indicators but "No Specific Threat" isn't unusual; sandboxes sometimes miss the full picture if the payload doesn't fully activate.

This lines up with ransomware behavior—scripts like this often download encryptors or droppers quietly in the background. The Reddit post you embedded (from r/antivirus) seems related; I've seen similar reports where kids or gamers fall for these "copy-paste to download" tricks.

If this was on someone's system, I'd recommend a full scan with something like Malwarebytes or Emsisoft Emergency Kit, and definitely report that YouTube video to Google. Stay safe out there, and props for analyzing it properly before running! If you have the actual script contents, feel free to share (sanitized, of course) for more eyes on it.
 
Even Norton Safe Web could not flag the domain included in the script:
(screenshot)


Detected by two vendors on VT:
(screenshot)
 
@Parkinsond Yeah, that's not surprising—URL shorteners like goo.su are tricky for reputation-based scanners because they can redirect to anything, and the shortener itself might not be inherently malicious. Norton Safe Web focuses on known bad sites, but if the final destination hasn't been reported or analyzed yet, it could slip through as "untested" or safe.

I checked it quickly myself (safely, of course), and goo.su seems to be a generic shortener, but it's been associated with spam and malware campaigns in the past. The specific link you mentioned resolves to something dodgy—looks like it pulls down a payload, which aligns with the ransomware script you analyzed.

If you're digging deeper, tools like URLScan.io or even just a quick curl in a VM can reveal the redirect chain without risking your main system. Always good to cross-reference multiple scanners; VirusTotal's URL checker might give more context too.

Stay vigilant! If you've got more details on the script, the community here could help dissect it further.
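The redirect-chain check the reply above suggests, written out as an added example (it is not the poster's code and not the script from the video): it walks a short link one hop at a time with HEAD requests, never auto-follows and never fetches a final body, so it can be run from a throwaway VM against the link in question. The URL on the usage line is a placeholder assumption; goo.su is only named in the thread, not resolved here.

```powershell
# Added example, not from the thread. Follows a shortener's redirect chain hop by
# hop with HEAD requests; nothing is downloaded or executed. Run it from a VM.

function Resolve-RedirectChain {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$MaxHops = 10
    )
    $chain   = @()
    $current = $Url
    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        $req = [System.Net.HttpWebRequest]::Create($current)
        $req.Method            = 'HEAD'
        $req.AllowAutoRedirect = $false        # surface every Location header instead of silently following it
        $req.Timeout           = 10000
        $req.UserAgent         = 'Mozilla/5.0' # some shorteners hand a different target to non-browser agents
        $resp = $null
        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx arrive as an exception; the response object is still attached to it
            $resp = $_.Exception.Response
            if (-not $resp) {
                $chain += [pscustomobject]@{ Hop = $hop; Url = $current; Status = 'error'; Location = $_.Exception.Message }
                break
            }
        }
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $chain += [pscustomobject]@{ Hop = $hop; Url = $current; Status = $status; Location = $location }
        $resp.Close()
        # stop at the first non-3xx answer or when no Location header is offered
        if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }
        # Location may be relative; resolve it against the URL that sent it
        $current = [System.Uri]::new([System.Uri]$current, $location).AbsoluteUri
    }
    return $chain
}

# Usage (placeholder link; replace it with the shortener URL taken from the script):
Resolve-RedirectChain -Url 'https://example.com/shortlink' | Format-Table -AutoSize
```

The table lists every hop with its status code and the next Location, so the final host is visible without ever loading it. Two limits to keep in mind: a site that refuses HEAD shows up as a 405 with no Location, and redirects done with a meta-refresh or JavaScript are invisible at the HTTP layer, which is where a browser-based service such as URLScan.io adds value.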
 
The executable from GitHub has quite a lot of detections.

ALYac: Gen:Variant.Application.Barys.63834
Arcabit: Trojan.Application.Barys.DF95A
Arctic Wolf: Unsafe
BitDefender: Gen:Variant.Application.Barys.63834
Bkav Pro: W64.AIDetectMalware
CrowdStrike Falcon: Win/malicious_confidence_70% (D)
CTX: Exe.unknown.barys
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
Elastic: Malicious (moderate Confidence)
Emsisoft: Gen:Variant.Application.Barys.63834 (B)
eScan: Gen:Variant.Application.Barys.63834
GData: Gen:Variant.Application.Barys.63834
Google: Detected
Ikarus: Trojan.Crypt
Kaspersky: Trojan-Spy.Win32.Bobik.dowb
Malwarebytes: Malware.AI.2199262512
MaxSecure: Trojan.Malware.300983.susgen
McAfee Scanner: Ti!19A331E787C3
Microsoft: Trojan:Win32/Wacatac.B!ml
Sangfor Engine Zero: Trojan.Win32.Save.a
SecureAge: Malicious
SentinelOne (Static ML): Static AI - Malicious PE
Skyhigh (SWG): BehavesLike.Win64.Generic.nm
Symantec: ML.Attribute.HighConfidence
Trapmine: Suspicious.low.ml.score
VIPRE: Gen:Variant.Application.Barys.63834

The copy-paste probably initialised the download and injected it directly into memory.
This means there was no signature analysis.

Because the user is manually copy-pasting, there are no command-line parameters like -WindowStyle Hidden, -ExecutionPolicy Bypass, -NoProfile and so on. There is no sign of encoding or persistence.

The only thing that can be blocked is the process hollowing (or whatever form of code injection was used).

However, attacks like this one are often highly fragmented.

A nearly benign file will be dropped or one line of code will be executed to disable Defender.

Then and there the rest will be done and no detections whatsoever will be produced.
 
I can see the exe was detected by MD (I did not download the exe; just copied the command and saved it as a cmd file); MD should detect the exe according to the attached results!
It will detect it as normal exe when dropped on disk, but if you load it in a variable, in another variable you put an injector and finally, you execute the injector passing it the malicious exe as a variable, there is no file on disk.
Defender doesn’t see the content in the variable.
Such attacks often come either with AMSI bypass or with disable-Defender options built in.

This is where memory scanning becomes a very crucial element.

Also, ransomware protections could prevent the encryption. Defender has the controlled folders access which could be setup.
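The two posts above make the same point from two sides: the sample is only caught once it touches disk, and the script switches Defender off before anything else happens, so Controlled Folder Access is the backstop worth having. The following is an added example, not code from either poster: it reads the Defender settings that matter here, turns Controlled Folder Access on in block mode, and pulls the Defender operational events that a `Set-MpPreference -DisableRealtimeMonitoring $true` line leaves behind. The Defender cmdlets and event IDs are the real ones; the extra folder path is an assumption. Run it in an elevated PowerShell.

```powershell
# Added example (not from the thread). Needs an elevated PowerShell on a machine
# running Microsoft Defender Antivirus. The Games folder path is an assumption.

function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        TamperProtected        = $status.IsTamperProtected        # stops scripts from flipping the switches below
        RealtimeDisabledByPref = $pref.DisableRealtimeMonitoring  # what the one-liner sets to $true
        ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
        ProtectedFolders       = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
        AllowedApplications    = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
    }
}

function Enable-RansomwareProtection {
    # Block mode; switch the value to 'AuditMode' first if you want to see what would be blocked.
    param([string[]]$ExtraFolders = @("$env:USERPROFILE\Games"))   # assumed path, adjust to where the data lives
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($folder in $ExtraFolders) {
        if (Test-Path -LiteralPath $folder) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        }
    }
}

function Get-DefenderTamperEvents {
    # 5001 real-time protection disabled, 5004 real-time configuration changed,
    # 5007 configuration changed, 5010/5012 malware or virus scanning disabled.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-DefenderPosture | Format-List
Enable-RansomwareProtection
Get-DefenderTamperEvents | Format-Table -Wrap
```

One caveat that matters for this thread: Controlled Folder Access is enforced by the real-time engine, so if the script does manage to turn real-time protection off, the folder protection goes with it. What actually stops the `Set-MpPreference` one-liner is Tamper Protection, which cannot be changed from PowerShell at all (only from the Windows Security app or centrally), so `TamperProtected = True` is the line to check first in the posture output.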
 
Didn't know that .su is still on the charts. Doesn't someone remove non-existent entities (Soviet Union)? I should make a .su domain and translate my site into Russian and blame the US for all security woes just for fun. Putin would love the site. :)
 
Such attacks often come either with AMSI bypass or with disable-Defender options built in.
So I have two questions:
Did the exe in memory disable MD before execution?
Could other AVs detect it in memory (fileless) while MD failed (although it can be detected if landing on the drive, according to your data)?
 

I'll try it with ESET, wait ;)
 
OK, the guessing is over, as with the help of @Shadowra I have found the script.

Note to testers: to replicate the attack, do not save the script as a file; rather, copy and paste the code into PowerShell.

The script, just as I thought, downloads the malware into a PowerShell variable.

This is rather primitive, I’ve seen more creative ways where the malicious payload is fetched as encoded byte arrays.

Then the script writes the exe from the variable to the disk (randomly named folder in %temp%).

Next, the process is launched as a child process of explorer, mimicking double click. This trips command-line based heuristics.
Defender is disabled prior to that.
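The chain this post describes (payload pulled into a variable, written to a randomly named folder under %TEMP%, started as a child of explorer.exe to look like a double-click, Defender switched off first) is exactly what a behaviour rule can key on where signatures did not. Below is an added example, not the script itself and not the poster's code: a small triage function run over constructed process-creation records shaped like the fields of Sysmon event ID 1. The user name, folder name and paths in the sample are made up.

```powershell
# Added example (not from the thread). Flags the three behaviours the post
# describes in process-creation records. The sample records are constructed.

$sampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -c Set-MpPreference -DisableRealtimeMonitoring $true' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Users\bob\AppData\Local\Temp\k3jd8s2qpl\setup.exe'
                       CommandLine = '"C:\Users\bob\AppData\Local\Temp\k3jd8s2qpl\setup.exe"' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Program Files\Notepad++\notepad++.exe'
                       CommandLine = '"C:\Program Files\Notepad++\notepad++.exe" notes.txt' }
)

function Test-SuspiciousProcess {
    param([Parameter(Mandatory)]$Record)
    $reasons = @()
    # 1. a command line reaching for Defender's real-time switch or exclusions
    #    (-match is case-insensitive by default in PowerShell)
    if ($Record.CommandLine -match 'Set-MpPreference|Add-MpPreference' -and
        $Record.CommandLine -match 'DisableRealtimeMonitoring|ExclusionPath|DisableIOAVProtection') {
        $reasons += 'defender-tamper'
    }
    # 2. an exe running out of a random-looking folder directly under the user's Temp
    if ($Record.Image -match '\\AppData\\Local\\Temp\\[A-Za-z0-9]{6,}\\[^\\]+\.exe$') {
        $reasons += 'exe-in-random-temp-dir'
    }
    # 3. explorer.exe as parent is what a double-click looks like; combined with 2 it is
    #    the "mimic the user" trick from the post rather than someone opening an installed program
    if ($Record.ParentImage -match '\\explorer\.exe$' -and $reasons -contains 'exe-in-random-temp-dir') {
        $reasons += 'explorer-spawned-temp-exe'
    }
    [pscustomobject]@{
        Image      = $Record.Image
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join ',')
    }
}

$sampleEvents | ForEach-Object { Test-SuspiciousProcess $_ } | Format-Table -AutoSize
```

With the constructed input, the first record is flagged for Defender tampering, the second for a temp-dir executable spawned by explorer, and the Notepad++ launch is left alone. To run it against real data, pull event ID 1 from the `Microsoft-Windows-Sysmon/Operational` log with `Get-WinEvent` and map the Image, ParentImage and CommandLine fields from each event's XML onto the same three properties. The first rule is the weakest of the three: a script that obfuscates the cmdlet name or uses the Defender WMI class instead will slip past the string match, which is why the explorer-plus-temp-folder pairing is the one worth keeping even when the tampering line is not caught.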
 