Once it’s on VT you can send them the hash. Explain that it is infostealer. Dr Web is wrong, the sample is quite functional. It is packed with some rubbish modules that I don’t believe serve any purpose to avoid transmission to clouds and emulators. Because it’s modules and not just repetitive bytes, compression doesn’t really make it smaller. Only build.exe is functional and malicious.
This sample is similar to the other one that @Kongo posted. I am not sure why detections haven’t been added, did you guys submit to anyone?
@struppigel can you have a look at this sample and see it it’s just me or they are similar?
Malware Analysis - Supposed "Game" that actually is stealer malware
Hey guys, Just stumbled upon this video and thought why not checking out the file by myself. By now the malware should be at least two months old and still isn't detected by any AV on VirusTotal except ESET. Normally malicious PE files are detected easily by AI-based AV solutions and...malwaretips.com
Believing that they worked on the same file, I would disagree with Dr. Web's assessment. The file did cause corruptions on my system; things were just dandy before I had executed it
The host contacted was also something starting with bby and on VT relations it wasn’t an innocent one so you are right. The final payload is different but distribution and packaging are similar. I believe under company name, both cursed.exe (from the other sample) and build.exe from this sample have “evil” but I have no access now to check.
Impressive display by Harmony
Don’t worry, I was just kidding
So that must be why Microsoft must have looked at it and added it to their subscriptions. Thank your friend for me, it helps others. Strange that Dr.Web says the file is corrupted and offers no danger. Explain to them what is stealer malware, maybe it is news to them who knows. I downloaded the sample here, the BD does not detect it, it is packaged and has Build.exe file I did not run it because it was on my physical machine, but most AVs will not detect it by analyzing statically, maybe some AVs only when running. @struppigel looked deeper and according to him there are about 3000 lines of code and he left an interesting spoiler in post #18
And therein lies the problem, they create this malware to remain undetectable by security products, as there is a limit to the size of samples that can be sent to these companies to analyze, making it difficult to communicate with them.
I am not a professional analyst (my job does not involve writing protections, I just use whatever is already created). It took me a second to open the open the file with 7z and see the build.exe. This is a very common default name that rat and infostealer builders assign to the compiled agent and the button to initiate the process is frequently labelled "build". Then I noticed vulkan modules and other files which make no sense being used in conjunction with infostealer, so there you go, this is your binary padding (T1027.001). In general, if I have 1k files and one executable, I will always first look at the exe.
That one remained under the radar because it is probably not very prevalent. Otherwise telemetry will cause various signatures and behavioural blocking profiles to be created plus the hosts will be added to denylists. Once this distribution method with Electron Package is well covered, they will move on to another one.
Good angle you have to explain things, this that your job doesn't involve writing protections, imagine if it did, but I understood it perfectly. Btw take back what I said about ZA in another post. Long story short @Shadowra posted that day the CheckPoint Harmony vs DeepInstinct Endpoint test and I was curious why ZoneAlarm Extreme Security NextGen didn't detect that day stealer malware from that @Kongo post. Harmony is not home product I checked, but can be used with home product also I checked, product is not even also I checked, but has threat emulation like ZA. So I installed ZA just for curiosity and did a scan in the .exe file and then extracted the packaged file, did not detect anything, so far all clean, in the static analysis no problem, I ran exe after a 1 minute or 2 two, ZA neutralized the attack blocked malware stealer, I checked in the quarantine were several files removed by ZA. I checked in the firewall if there were any blocked connections or any logs in ZA, and there was nothing, I believe ZA neutralized and cut the snake head off right away. I wonder if it was you who had contact with the CheckPoint people, or did they make some improvement in the product, some update before that? To be honest I don't know, only that this time I saw ZA in action, blocked and removed the malware. I confess that after that I ended up liking the product. There are things that you have to leave the taste aside, in this scenario what prevails is the effectiveness, every AV can fail, sometimes for some it can be glaring the failure of an AV.
So that must be why Microsoft must have looked at it and added it to their subscriptions. Thank your friend for me, it helps others. Strange that Dr.Web says the file is corrupted and offers no danger. Explain to them what is stealer malware, maybe it is news to them who knows. I downloaded the sample here, the BD does not detect it, it is packaged and has Build.exe file I did not run it because it was on my physical machine, but most AVs will not detect it by analyzing statically, maybe some AVs only when running. @struppigel looked deeper and according to him there are about 3000 lines of code and he left an interesting spoiler in post #18
And therein lies the problem, they create this malware to remain undetectable by security products, as there is a limit to the size of samples that can be sent to these companies to analyze, making it difficult to communicate with them.
It tried to access the Edge repository on my testing system with harmony, I got no Chrome either. Most likely Kaspersky has observed telemetry and now behavioural detections are created. If it reports suspicious hashes, it is possible that an analyst has pulled the file from VT. Who knows what tools Kaspersky provides to analysts, maybe they are able to describe a sequence of malicious actions very quick, if not fully automated.
I used KES 12 and i only had Brave installed.
Could you please run the sfc /scannow and check?I ran crazydown and for me it had no effect, no detection by Bitdefender AV, no suspicious connections, just two processes running from build.exe that I kept monitoring and then it created some temporary files in the temp folder and they were the same files as the packaged crazydown.exe. I don't have Discord, but I do have edge and chrome. I was disappointed to expect something else from the malware.
Final results clean machine, tested on physical machine, nothing unusual if stolen or infected then hitched a ride with some Windows process and sent it to web, good luck to the one who stole it.
Kaspersky and Cloud KSN is amazing they respond quickly, the other competitors take time to respond.
