Malware Analysis Sus files(2)

L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
@struppigel @Trident @SeriousHoax @Andrew3000 @Kongo

I helped some guy remove them, and I'm curious what they actually were. for the second file, the .exe got caught by his AV(which is BD), so I can't actually provide it(does not seem to be in quarantine either).
 

Attachments

  • image.png
    image.png
    30.8 KB · Views: 100
  • 4.png
    4.png
    15.2 KB · Views: 107
  • 5.png
    5.png
    15 KB · Views: 103
  • 6.png
    6.png
    17.6 KB · Views: 101
  • 7.png
    7.png
    14.5 KB · Views: 98
  • 8.png
    8.png
    3.3 KB · Views: 102
  • 3.png
    3.png
    21.5 KB · Views: 101
Last edited by a moderator:
  • Like
  • +Reputation
Reactions: Zartarra, Nevi, Andrew3000 and 2 others
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
Download the zips from Triage as I cannot link the direct upload on the forum

89182337d39268acce8b9843af9c84ca00ba41a394e8ded1426f95d6d63964c3 | Triage

Check this report malware sample 89182337d39268acce8b9843af9c84ca00ba41a394e8ded1426f95d6d63964c3, with a score of 3 out of 10.
tria.ge tria.ge

ec27626fe895f819d7e713e26452947e646e152964f43dfc629aec1b6406c70a | Triage

Check this report malware sample ec27626fe895f819d7e713e26452947e646e152964f43dfc629aec1b6406c70a, with a score of 3 out of 10.
tria.ge tria.ge
 
  • Like
Reactions: Nevi, SeriousHoax and Kongo
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Sorry, but I need to register for download. And this happens when I try to register for tria.ge:

1688992893819.png

File is not on VT either. If you upload it there, I can access it.
 
  • Like
  • Sad
Reactions: harlan4096 and Kongo
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
struppigel said:
Sorry, but I need to register for download. And this happens when I try to register for tria.ge:

View attachment 277018

File is not on VT either. If you upload it there, I can access it.
Click to expand...
I can link the. exe directly from VT, but I don't think the. exe works without the other files in its folder.

Here is the .exe: VirusTotal

here is the zip if you can download it: VirusTotal



As I said, there is no .exe for the lisk file (deleted by BD). But after some digging, it seems it's related to this: "Lisk is an open source blockchain application platform designed to provide developers with a simpler path to blockchain production. It also provides users with a diverse and easy-to-use ecosystem with many applications to explore." I downloaded the installer from a GitHub page, VT report below.



VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

He mentioned that he had no idea what they were or where they came from.
 
Last edited:
  • Like
Reactions: Zartarra, SeriousHoax and Kongo
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
@struppigel

AgeoStealer malware - static analysis

Ageo (or Space) stealer is info stealer malware distributed as electron based 64bit app and posed as a “free game”.but as we know there’s nothing for free, specially when it comes from an untrusted source or developer. today we’ll perform a static analysis trying to dissect this app.first step...
walidbarakat.github.io walidbarakat.github.io

Off topic, but I just happened to find the above analysis on reddit. Seems like your guide on extracting app.asar was useful? :D
 
  • Like
  • Thanks
Reactions: struppigel and SeriousHoax
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
likeastar20 said:
I can link the. exe directly from VT, but I don't think the. exe works without the other files in its folder.

Here is the .exe: VirusTotal

here is the zip if you can download it: VirusTotal



As I said, there is no .exe for the lisk file (deleted by BD). But after some digging, it seems it's related to this: "Lisk is an open source blockchain application platform designed to provide developers with a simpler path to blockchain production. It also provides users with a diverse and easy-to-use ecosystem with many applications to explore." I downloaded the installer from a GitHub page, VT report below.



VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

He mentioned that he had no idea what they were or where they came from.
Click to expand...
The file that I cannot access is 89182337d39268acce8b9843af9c84ca00ba41a394e8ded1426f95d6d63964c3
But yeah, I can check the other sample.
 
  • Like
Reactions: Nevi, simmerskool, silversurfer and 1 other person
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,637
I was able to download from Triage but it seems these are not the original exe file as you said BD had already detected and removed that on the system. But @struppigel should be able to investigate as it looks similar to the Electron based malware where the main culprit was hiding in the .asar file as he showed us in his analysis video.
 
  • Like
Reactions: Nevi, simmerskool, silversurfer and 1 other person
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
It looks similar to Electron because it is also a Node.js application. But not Electron. It is also correct that the full folder's contents are necessary to run everything. But one could create a standalone executable by creating an SFX with 7zip. If you think this helps you with automatic analysis sandboxes, I can try to create one.

You find the entry point of the application in the package.json. This file mentions first_page.html as main.

1688998304654.png


The malicious code is inside: init/first_page.html
In first_page.html you see obfuscated JavaScript.

1688998159496.png


The application creates a folder in %LOCALAPPDATA%\Leading and saves a lot of data there.
You should delete this folder on your friend's system.

1688998084013.png


1688998382008.png


Looks like adware/spyware to me. The folder is full of affiliate and advertising related data.

Didn't have time to deobfuscate the code yet, it looks a bit nasty, and I do not think it is worth sinking hours into it because it does not seem to be a serious threat. It stems likely from a Potentially Unwanted Software download. Make sure to check the installed programs on the system for PUP.
 
  • Like
  • +Reputation
  • Applause
Reactions: Zartarra, Nevi, upnorth and 6 others
L

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
361
struppigel said:
It looks similar to Electron because it is also a Node.js application. But not Electron. It is also correct that the full folder's contents are necessary to run everything. But one could create a standalone executable by creating an SFX with 7zip. If you think this helps you with automatic analysis sandboxes, I can try to create one.

You find the entry point of the application in the package.json. This file mentions first_page.html as main.

View attachment 277024

The malicious code is inside: init/first_page.html
In first_page.html you see obfuscated JavaScript.

View attachment 277023

The application creates a folder in %LOCALAPPDATA%\Leading and saves a lot of data there.
You should delete this folder on your friend's system.

View attachment 277021

View attachment 277025

Looks like adware/spyware to me. The folder is full of affiliate and advertising related data.

Didn't have time to deobfuscate the code yet, it looks a bit nasty, and I do not think it is worth sinking hours into it because it does not seem to be a serious threat. It stems likely from a Potentially Unwanted Software download. Make sure to check the installed programs on the system for PUP.
Click to expand...
Thanks, this is what I wanted. Is there any relation with "Lisk" zip?(sent it in DM)
 
  • Like
Reactions: SeriousHoax
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
likeastar20 said:
Thanks, this is what I wanted. Is there any relation with "Lisk" zip?(sent it in DM)
Click to expand...

The Lisk sample is an Electron application. So you can unpack the app.asar file as shown in the video. The executable seems to be missing, though. It is different JS code than Leading.

Edit: I somehow got to register on Tria.ge now. I uploaded the SFX for leading.exe

85ab31c1d2cf82b72a279ad7ba5b24dac3eadcd91af9ee9e677dbe188cd9f801 | Triage

Check this report malware sample 85ab31c1d2cf82b72a279ad7ba5b24dac3eadcd91af9ee9e677dbe188cd9f801, with a score of 7 out of 10.
tria.ge tria.ge
 
  • Like
  • Thanks
Reactions: Zartarra, Nevi, upnorth and 4 others

Similar threads

ShenguiTurmi
    • Like
    • Thanks
    • +Reputation
Elastic Defend EDR
Replies
10
Views
2,744
Other security for Windows, Mac, Linux
NormanF
N
Trident
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Harmony Endpoint by Check Point
Replies
677
Views
45,331
Other security for Windows, Mac, Linux
Sandbox Breaker
Sandbox Breaker
M
    • Like
    • Applause
    • +Reputation
Shout-out to our ESET and F-Secure Malware Hub testers :)
Replies
4
Views
1,797
Malware Analysis
TRS-80
TRS-80

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top