Question Steamunlocked malware?

Please provide comments and solutions that are helpful to the author of this topic.

SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,637
Xeno1234 said:
UDS is a behavior based detection.
Click to expand...
It's not actually. It's mainly used for cloud-based early blacklisting which can be both automated and manual. It can automatically be derived from behavior blocking & ML models metadata, big data analysis but can be totally unrelated also. There were cases when even Kaspersky analyst manually created UDS signatures for samples I sent to them.
eg:
1693504813809.png
 
  • +Reputation
  • Like
Reactions: oldschool, likeastar20 and Sandbox Breaker
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
SeriousHoax said:
It's not actually. It's mainly used for cloud-based early blacklisting which can be both automated and manual. It can automatically be derived from behavior blocking & ML models metadata, big data analysis but can be totally unrelated also. There were cases when even Kaspersky analyst manually created UDS signatures for samples I sent to them.
eg:
View attachment 278331
Click to expand...
PDF’s always have weird detections, I see them have heuristic detections when it’s a signature. Anyways, the object was detected via automatic methods as opentip says it’s a Behavioral Stream Signature detection.


I believe according to their website and other people I’ve asked, UDS is a cloud based detection when malware is detected via other methods. For files like these, Ive never seen a UDS Signature, only automated detections.
 
Last edited:
  • Like
Reactions: oldschool
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
Sandbox Breaker said:
I've seen a PDF trigger PDM.Exploit. but that's their ML catching an adobe exploit.
Click to expand...
Yes, completely possible for that to happen. I’ve never seen a signature have a UDS detection besides documents, and the one that they sent. Majority of the times it’s a automatic system in which PDM systems pickup an object, sending it to processing in KSN then creating a preventative cloud detection for the file.
 
  • Like
Reactions: oldschool
cartaphilus

cartaphilus

Level 5
Mar 17, 2023
202
Xeno1234 said:
Well, in that case, it definitely is evasive, bypassing Opentip, Intellix, and a lot of human researchers.

I myself don’t know how to code, nor really know how malware works, but how could it bypass human researchers?

Also, which file was it? I checked the opentip link someone sent and it’s currently listed as clean on Opentip with 1,000 users.
Click to expand...
Because no human actually took a look?

Maybe that company runs a triaged system?
I. E.
If only single file is received then direct to internal sandbox that's more sensitive than the public one. If the sandbox says Clean then inform the user that it's clean. Meanwhile flag the file for review with importance LOW

If more than 1 user but less than x reports it then perform the same as above but set importance to Normal

If major IT corporation or more than x users report it then inform the users to standby while the file is analyzed then flag the file with High Importance Requires Human in the loop
 
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
cartaphilus said:
Because no human actually took a look?

Maybe that company runs a triaged system?
I. E.
If only single file is received then direct to internal sandbox that's more sensitive than the public one. If the sandbox says Clean then inform the user that it's clean. Meanwhile flag the file for review with importance LOW

If more than 1 user but less than x reports it then perform the same as above but set importance to Normal

If major IT corporation or more than x users report it then inform the users to standby while the file is analyzed then flag the file with High Importance Requires Human in the loop
Click to expand...
Ahh, didnt know thats how it works.
 
cartaphilus

cartaphilus

Level 5
Mar 17, 2023
202
Xeno1234 said:
Ahh, didnt know thats how it works.
Click to expand...
For us we think we are the most important people and our submissions should take priority. But for the person receiving your file they don't know you from a panicking old lady that saw a naked dude suddenly jump on her screen and being a good US bible belt evangelist she could not stand for such lude behavior from her computer! So she sent her whole download folder to the antivirus company for them to analyze. :)

AV corporations receive thousands of emails daily with suspicious attachments. Only fraction of them are actually suspicious. But yet it's their duty to look at them all. So what to they do? They let the machines do the dirty work. Prime example: Stutnex was in the wild and part of the detection cloud for months. Before a curious analyst received an infected laptop and lo and behold Stutnex was one of the infections. Only then they decided to escalate and analyze and bam multi million dollar sabotage software was busted.
 
Last edited:
  • Applause
Reactions: oldschool
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Hello there. I have not much time this weekend. But just from checking this file vs the original version's entry point, it is clearly patched. The patched code is unreadable because it manipulates the stack pointer. The original NvStTest in contrast is clearly readable. This patch alone is reason enough to declare it as malware because it is a modification that has nothing to do there and the file hasn't been signed by the publisher. @SkeletalDemise is very spot on with observations and analysis.

Entry point of clean NvStTest:

mainfun_clean.png


Entry point of manipulated NvStTest (cannot be decompiled):

mainfun_mal.png


BinDiff of both files

bindiff.png


Diff for both files of PortEx, black byteplot on the left means same code/data. It is mostly the code near the entry point and some resources and the (missing) certificate that have been changed.

diff_portex.png


If this was a legitimate software update, you would expect something different:
  1. not only entry point code changes
  2. certificate would be there
  3. code would be readable
  4. many functions with small differences due to recompilation (this file was not recompiled, some of the sections even have the same hash)

likeastar20 said:
EDIT2: interesting https://www.unpac.me/results/8758e177-d928-4c49-ac6e-ca1b2fb9f0a7

View attachment 278309
Click to expand...

This blacksoul rule detects msvcp140.dll. I would not take it seriously.
 
Last edited:
  • +Reputation
  • Thanks
Reactions: Gandalf_The_Grey, brambedkar59, harlan4096 and 4 others

Similar threads

L
    • Applause
    • Like
    • +Reputation
VileRAT malware analysis
Replies
2
Views
381
Malware Analysis
Sandbox Breaker
Sandbox Breaker
L
    • Like
    • +Reputation
Malware Analysis Tricky adware or malicious ?
Replies
10
Views
937
Malware Analysis
likeastar20
L
R
    • +Reputation
    • Wow
    • Like
Ghacks.net website delivering malware via fake browser update messages
Replies
30
Views
2,873
Malware Analysis
TairikuOkami
TairikuOkami

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top