Suspicious "game"

Status
Not open for further replies.

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
I want to hear your thoughts on this "game".





 
Last edited by a moderator:

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
This is from the VT behavior tab:
1688205032938.png


And ageostealer (dot) wtf has some other suspicious files communicating with it. See also VirusTotal

1688205285759.png


So from triage I would say it looks like malware.
(I did not analyse this file, I have only 20 minutes right now)
 

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
@Trident detected by Harmony ? :)
The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

ah.PNG



asasdasd.PNG
qwerqwer.PNG
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,616
The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

View attachment 276769


View attachment 276770View attachment 276771
Typical of this type of Trojan, Discord must be installed, as it will steal the account's connection token.
 

partha_roy

Level 3
Well-known
Oct 16, 2022
126
The sample seems to be "broken" on my machine, or I think you need to have Discord installed(?) or something else. When I run it I get some errors but I can still see its spawned processes in task manager and it is connecting to the internet. I have tried Avast, Eset, GData, Kaspersky, Bitdefender and they detect nothing. Only Norton "found" something.

View attachment 276769


View attachment 276770View attachment 276771
AVG detects it as suspicious with the hardened mode enabled. I did run it though and saw it create a start-up item, and spawn some processes in the background that definitely looked suspicious

It wouldn't let me open the process explorer for some reason and after I killed the processes from the task manager, the process explorer started right away; ran sfc /scannow right after just to check if anything was corrupted and it said "the requested operation could not be performed".. the dism restore couldn't help either

Definitely malicious in my eyes
 

partha_roy

Level 3
Well-known
Oct 16, 2022
126
It's not just stealing information; I am pretty sure that it's designed to impair the system too
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Did you get any errors when you ran the sample?
It was terminated very quick and forensic analysis was started. I didn't see any errors. Notice from the report under "File Ops" that it accessed Edge credit card and password databases. At that point it has become suspicious as this is also the last one on the Att&CK Matrix and cleanup has been initiated before it can put anything in the archive. Notice the archive is 0 bytes.

Uuuh someone didn't handle their exceptions with try and catch... shame.
 

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
It was terminated very quick and forensic analysis was started. I didn't see any errors. Notice from the report under "File Ops" that it accessed Edge credit card and password databases. At that point it has become suspicious as this is also the last one on the Att&CK Matrix and cleanup has been initiated before it can put anything in the archive. Notice the archive is 0 bytes.
Try another AV to see if it is detected now. When I tried, no reaction whatsoever from the likes of Kaspersky, Avast, BD, GDATA,ESET(was it because of the errors @Trident?). Many hours have passed since then, it should be detected by now...
 
Last edited:

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Try another AV to see if it is detected now. When I tried, no reaction whatsoever from the likes of Kaspersky, Avast, BD, GDATA,ESET(was it because of the errors @Trident?). Many hours have passed since then, it should be detected by now...
This sample is similar to the other one that @Kongo posted. I am not sure why detections haven’t been added, did you guys submit to anyone?
@struppigel can you have a look at this sample and see it it’s just me or they are similar?
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Not detected by GData yet. You're enjoying your weekend too much. 👀
Can't do anything about that because I am on vacation and have no access to any system at work. If you are bothered by that, submit it to GDATA or Bitdefender, both will do.

I unpacked the code by now.
You first unpack Nullsoft script with 7z, then from these files extract app-64.7z, then download and install Asar plugin for 7zip and unpack app.asar.
Inside that one is a coreAES.js which contains encrypted data.
I put the code into an online Node JS compiler and replaced the last line with console.log('%s', decrypted) to print the decrypted malware.

I uploaded it to malshare in case anyone is interested.
This is the decrypted JS file: VirusTotal
You will find it on malshare with the same hash.

It is > 3000 lines of code, but here are some interesting parts:

1688231497505.png


1688231441087.png


1688231249189.png

1688231388415.png
 
Last edited:

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
MD detects in static analysis how Trojan:Win32/CryptInject!MSR. :)
My friend mentioned that he submitted it to Microsoft yesterday, among other vendors. Dr.Web responded to him saying it's corrupted and presents no danger
Screenshot_20230701_203624_Gmail.jpeg


I was too lazy to submit it myself because the file size is not that small (70mb) and most of the upload sites have a limit (BD 25mb, Avast 50mb, Avira 50mb etc). You probably have to send it directly to their email.
 
Last edited by a moderator:
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top