Suspicious "game"

[likeastar20]

I want to hear your thoughts on this "game".

VirusTotal

VirusTotal

www.virustotal.com

dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659 | Triage

Check this report malware sample dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659, with a score of 7 out of 10.

tria.ge

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

https://intelix.sophos.com/report/ffc0666c79124489b0c68fe6802d4540/dynamic/file

 

[struppigel]

This is from the VT behavior tab:

And ageostealer (dot) wtf has some other suspicious files communicating with it. See also VirusTotal

So from triage I would say it looks like malware.
(I did not analyse this file, I have only 20 minutes right now)

 

[Shadowra]

@Trident detected by Harmony ?

 

[likeastar20]

@Trident detected by Harmony ?

The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

 

[Shadowra]

The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

View attachment 276769


View attachment 276770View attachment 276771

Typical of this type of Trojan, Discord must be installed, as it will steal the account's connection token.

 

[Andrew3000]

Could be a stealer. I can't even open it on my machine (crash)
Suspicious connections to:

 

[Kongo]

Could be a stealer. I can't even open it on my machine (crash)
Suspicious connections to: View attachment 276772View attachment 276773

You could try downloading Discord and create a fake account and see what happens. Looks like a discord token stealer.

 

[Kongo]

The game has been flagged as suspicious:

 

[partha_roy]

The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

View attachment 276769


View attachment 276770View attachment 276771

AVG detects it as suspicious with the hardened mode enabled. I did run it though and saw it create a start-up item, and spawn some processes in the background that definitely looked suspicious

It wouldn't let me open the process explorer for some reason and after I killed the processes from the task manager, the process explorer started right away; ran sfc /scannow right after just to check if anything was corrupted and it said "the requested operation could not be performed".. the dism restore couldn't help either

Definitely malicious in my eyes

 

[struppigel]

It does not just steal discord tokens.
It is an electron package app. Interesting, haven't seen this before.

 

[Kongo]

View attachment 276777
It does not just steal discord tokens.
It is an electron package app. Interesting, haven't seen this before.

Not detected by GData yet. You're enjoying your weekend too much.

 

[Trident]

Not detected by GData yet. You're enjoying your weekend too much.

Of course he is. Someone else will create the signature
Or submit to Bitdefender.

@Trident detected by Harmony ?

Yes Shadowra, it is detected by behavioural blocking as infostealer.win.creal.b

 

[partha_roy]

It's not just stealing information; I am pretty sure that it's designed to impair the system too

 

[likeastar20]

Yes Shadowra, it is detected by behavioural blocking as infostealer.win.creal.b
View attachment 276779View attachment 276780View attachment 276781View attachment 276782View attachment 276783View attachment 276784

Did you get any errors when you ran the sample?

 

[Trident]

Did you get any errors when you ran the sample?

It was terminated very quick and forensic analysis was started. I didn't see any errors. Notice from the report under "File Ops" that it accessed Edge credit card and password databases. At that point it has become suspicious as this is also the last one on the Att&CK Matrix and cleanup has been initiated before it can put anything in the archive. Notice the archive is 0 bytes.

Uuuh someone didn't handle their exceptions with try and catch... shame.

 

[likeastar20]

It was terminated very quick and forensic analysis was started. I didn't see any errors. Notice from the report under "File Ops" that it accessed Edge credit card and password databases. At that point it has become suspicious as this is also the last one on the Att&CK Matrix and cleanup has been initiated before it can put anything in the archive. Notice the archive is 0 bytes.

Try another AV to see if it is detected now. When I tried, no reaction whatsoever from the likes of Kaspersky, Avast, BD, GDATA,ESET(was it because of the errors @Trident?). Many hours have passed since then, it should be detected by now...

 

[Trident]

Try another AV to see if it is detected now. When I tried, no reaction whatsoever from the likes of Kaspersky, Avast, BD, GDATA,ESET(was it because of the errors @Trident?). Many hours have passed since then, it should be detected by now...

This sample is similar to the other one that @Kongo posted. I am not sure why detections haven’t been added, did you guys submit to anyone?
@struppigel can you have a look at this sample and see it it’s just me or they are similar?

Malware Analysis - Supposed "Game" that actually is stealer malware

Hey guys, Just stumbled upon this video and thought why not checking out the file by myself. By now the malware should be at least two months old and still isn't detected by any AV on VirusTotal except ESET. Normally malicious PE files are detected easily by AI-based AV solutions and...

malwaretips.com

 

[struppigel]

Not detected by GData yet. You're enjoying your weekend too much.

Can't do anything about that because I am on vacation and have no access to any system at work. If you are bothered by that, submit it to GDATA or Bitdefender, both will do.

I unpacked the code by now.
You first unpack Nullsoft script with 7z, then from these files extract app-64.7z, then download and install Asar plugin for 7zip and unpack app.asar.
Inside that one is a coreAES.js which contains encrypted data.
I put the code into an online Node JS compiler and replaced the last line with console.log('%s', decrypted) to print the decrypted malware.

I uploaded it to malshare in case anyone is interested.
This is the decrypted JS file: VirusTotal
You will find it on malshare with the same hash.

It is > 3000 lines of code, but here are some interesting parts:

Spoiler: pics

 

[piquiteco]

I want to hear your thoughts on this "game".

MD detects in static analysis how Trojan:Win32/CryptInject!MSR.

 

[likeastar20]

MD detects in static analysis how Trojan:Win32/CryptInject!MSR.

My friend mentioned that he submitted it to Microsoft yesterday, among other vendors. Dr.Web responded to him saying it's corrupted and presents no danger

I was too lazy to submit it myself because the file size is not that small (70mb) and most of the upload sites have a limit (BD 25mb, Avast 50mb, Avira 50mb etc). You probably have to send it directly to their email.