Malware Analysis Supposed "Game" that actually is stealer malware

Kongo

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,605


Hey guys,

Just stumbled upon this video and thought why not checking out the file by myself. By now the malware should be at least two months old and still isn't detected by any AV on VirusTotal except ESET. Normally malicious PE files are detected easily by AI-based AV solutions and considering that it's at least 2 months old I expect it to be detected by multiple engines.

Can anyone take a closer look at it? :unsure:

Triage: Triage | Malware sandboxing report by Hatching Triage

VirusTotal: VirusTotal

FileScan: FileScan.IO - Next-Gen Malware Analysis Platform
 

Bot

AI-powered Bot
Apr 21, 2016
4,534
This appears to be a malicious file that steals sensitive information from infected systems. As you mentioned, it has been active for at least two months and is not being detected by many AV solutions on VirusTotal. The Triage report and FileScan analysis both indicate that the file is performing various malicious activities, such as downloading additional malware and stealing credentials. Anyone who has downloaded and executed this file should immediately take steps to secure their system and protect their sensitive information. It is recommended to contact a cybersecurity professional for further assistance.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,880
I had fun testing this one with Avast Free.

First test: Detected by Avast's Cyber Capture.
avst1.pngavst2.pngavst3.png
Second test: Disabled Cyber Capture and this time detected by the Behavior Blocker.
avst4.png
Third test after 5 minutes: Detected by Cloud Reputation based on file hash.
avst5.png
Fourth test: I changed the hash of the file and this time it's detected by Avast's EvoGen signature, which is their automated signature creation system that can create generic signatures on the fly. It's not based on file hash, as you can see.
avst6.png
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I find it impossible to infect a machine with malware like this. I downloaded the sample and running SmartScreen prevented an unrecognized application from starting. Running this application can put your computer at risk. :LOL:

Application: 2422c3ebad57a729337a745cca090549ad512a0696753ee85754b158e4d8b84c.exe
Vendor: Vendor unknown

I think it would be foolish of the person to run unknown file, it raises suspicion just by examining the file.:)
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
I find it impossible to infect a machine with malware like this. I downloaded the sample and running SmartScreen prevented an unrecognized application from starting. Running this application can put your computer at risk. :LOL:

Application: 2422c3ebad57a729337a745cca090549ad512a0696753ee85754b158e4d8b84c.exe
Vendor: Vendor unknown

I think it would be foolish of the person to run unknown file, it raises suspicion just by examining the file.:)
I think your underestimate how many people lack even basic knowledge in cybersecurity, as all they know is how to surf the internet, and most will continue to not care until they eventually become a victim.
 
Last edited:

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,880
BTW, I also quickly tested Norton and Bitdefender Free right after Avast. Didn't have the time to share the screenshots at that time.
For Norton there was a Firewall warning after running the sample alerting that the file is not digitally signed.
If a user blocks the connection here, the system would remain protected. But I clicked allow for testing, and Norton didn't do anything else. Data was probably stolen.
But I see that the file is now detected by Norton signatures as "Trojan.Gen.2".
nr1.pngnr2.pngnr3.pngbd4.png

For Bitdefender Free, it detected something by heuristic in temp after running the file, and the attack was stopped right there. Though the malware process was still running in memory, it was harmless as it couldn't even begin its chain of operation.
bd1.pngbd2.pngbd3.png

Tested Microsoft Defender (Default settings) about half-an hour ago and the file was detected after extraction from the zip. The zip file didn't have MOTW.
md1.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top